Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-AAA commands | 1.66 MB |
Contents
authen-radius-unavailable online domain
authorization-attribute (ISP domain view)
if-match vpn-instance critical-microsegment
if-match vpn-instance microsegment
local-server log change-password-prompt
redirect move-temporarily enable
service-type (ISP domain view)
session-time include-idle-time
snmp-agent trap enable local-server
access-user email authentication
authorization-attribute (local user view/user group view)
display local-guest waiting-approval
display local-user access-count
local-user-export class network
local-user-export class network guest
local-user-import class network
local-user-import class network guest
password (device management user view)
password (network access user view)
reset local-guest waiting-approval
service-type (local user view)
attribute 182 vendor-id 25506 vlan
attribute convert (RADIUS DAS view)
attribute convert (RADIUS scheme view)
attribute reject (RADIUS DAS view)
attribute reject (RADIUS scheme view)
attribute vendor-id 2011 version
data-flow-format (RADIUS scheme view)
display radius server-load statistics
display stop-accounting-buffer (for RADIUS)
include-attribute 218 vendor-id 25506
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
radius-server authen-state-check interval
reauthentication server-select
reset radius server-load statistics
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
data-flow-format (HWTACACS scheme view)
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
server-block-action (HWTACACS view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
display radius-proxy statistics
Connection recording policy commands
AAA commands
General AAA commands
aaa author-profile
Use aaa author-profile to create an authorization profile and enter its view, or enter the view of an existing authorization profile.
Use undo aaa author-profile to delete an authorization profile.
Syntax
aaa author-profile profile-name
undo aaa author-profile profile-name
Default
No authorization profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the name of the authorization profile, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Application scenarios
A user in an ISP domain can use the following authorization attributes:
· Attributes assigned by the server.
· Attributes configured in the authentication domain.
· Attributes defined in the authorization profile applied to the authentication domain.
The priorities of the attributes are in descending order.
An authorization profile defines a set of authorization attributes and can be used to authorize network resources on a VPN basis, for example, assigning different microsegments to different VPN users. If you apply an authorization profile to an authentication domain, all users in the domain can obtain network resources defined in the profile.
Restrictions and guidelines
You can configure a maximum of 16 authorization profiles.
Deleting or changing an authorization profile does not affect users that are using the profile. The configuration change takes effect only on new clients that come online afterward.
Examples
# Create authorization profile abc and enter its view.
<Sysname> system-view
[Sysname] aaa author-profile abc
[Sysname-author-profile-abc]
Related commands
display aaa author-profile
aaa critical-profile
Use aaa critical-profile to create a critical profile and enter its view, or enter the view of an existing critical profile.
Use undo aaa critical-profile to delete a critical profile.
Syntax
aaa critical-profile profile-name
undo aaa critical-profile profile-name
Default
No critical profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the name of the critical profile, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A critical profile applied to a port allows users on the port to access network resources in the profile when all authentication servers in the ISP domain of the users are unreachable.
The system supports a maximum of 16 critical profiles.
Examples
# Create critical profile abc and enter its view.
<Sysname> system-view
[Sysname] aaa critical-profile abc
[Sysname-critical-profile-abc]
Related commands
dot1x critical profile
mac-authentication critical profile
aaa nas-id
Use aaa nas-id to set the NAS-ID on an interface.
Use undo aaa nas-id to restore the default.
Syntax
aaa nas-id nas-identifier
undo aaa nas-id
Default
No NAS-ID is set on an interface.
Views
Layer 3 interface view
Predefined user roles
network-admin
Parameters
nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.
Usage guidelines
You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:
1. NAS-ID bound with VLANs in a NAS-ID profile.
2. NAS-ID on an interface.
3. NAS-ID in an ISP domain.
If no NAS-ID is selected, the device uses the device name as the NAS-ID.
The NAS-ID on an interface is applicable only to portal and PPP users.
Examples
# Set the NAS-ID to test on Ten-GigabitEthernet 0/0/6.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname-Ten-GigabitEthernet0/0/6] aaa nas-id test
Related commands
aaa nas-id profile
nas-id
aaa nas-id profile
Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
Use undo aaa nas-id profile to delete a NAS-ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Default
No NAS-ID profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.
During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.
The device selects the NAS-ID for the NAS-Identifier attribute in the following order:
4. NAS-ID bound with VLANs in a NAS-ID profile.
5. NAS-ID on an interface.
6. NAS-ID in an ISP domain.
Examples
# Create a NAS-ID profile named aaa and enter its view.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]
Related commands
aaa nas-id
aaa nas-id-profile
nas-id bind
port-security nas-id-profile
portal nas-id-profile
aaa nas-id-profile
Use aaa nas-id-profile to specify a NAS-ID profile for an interface.
Use undo aaa nas-id-profile to restore the default.
Syntax
aaa nas-id-profile profile-name
undo aaa nas-id-profile
Default
No NAS-ID profile is specified for an interface.
Views
Layer 3 interface view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a NAS-ID profile by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
This command takes effect only on portal and PPP users.
For portal users on an interface, the NAS-ID profile specified by using the portal nas-id-profile command takes priority over that specified by using the aaa nas-id-profile command. For more information about the portal nas-id-profile command, see "Portal commands."
Examples
# Specify NAS-ID profile bbb for Ten-GigabitEthernet 0/0/6.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname–Ten-GigabitEthernet0/0/6] aaa nas-id-profile bbb
Related commands
aaa nas-id profile
nas-id bind
portal nas-id-profile
aaa session-id mode
Use aaa session-id mode to specify the format for attribute Acct-Session-Id.
Use undo aaa session-id mode to restore the default.
Syntax
aaa session-id mode { common | simplified }
undo session-id mode
Default
The device uses the common mode for attribute Acct-Session-Id.
Views
System view
Predefined user roles
network-admin
Parameters
common: Specifies the common format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 37 characters. This string contains the prefix (indicating the access type), date and time, sequence number, LIP address of the access node, device ID, and job ID of the access process.
simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the access type), month, sequence number, device ID, and LIP address of the access node.
Usage guidelines
Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.
Examples
# Specify the simple format for attribute Acct-Session-Id.
<Sysname> system-view
[Sysname] aaa session-id mode simplified
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
undo aaa session-limit { ftp | http | https | ssh | telnet }
Default
The maximum number of concurrent users is 32 for each user type.
Views
System view
Predefined user roles
network-admin
Parameters
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32 for SSH and Telnet services, and is 1 to 64 for FTP, HTTP, and HTTPS services.
Usage guidelines
After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.
For HTTP and HTTPS services, the number of concurrent users of an application is separately limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20 concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and NETCONF.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
accounting 5g
Use accounting 5g to specify accounting methods for 5G users.
Use undo accounting 5g to restore the default.
Syntax
accounting 5g { none | radius-scheme radius-scheme-name [ none ] }
undo accounting 5g
Default
The default accounting methods are used for 5G users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To have the AAA module perform RADIUS accounting first and then not perform accounting when RADIUS accounting is invalid, execute the accounting 5g radius-scheme radius-scheme-name none command.
Examples
# Configure ISP domain test not to perform accounting for 5G users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting 5g none
# Configure ISP domain test to perform RADIUS accounting for 5G users based on scheme rd and not to perform accounting when RADIUS accounting is invalid.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting 5g radius-scheme rd none
Related commands
display domain
radius scheme
accounting advpn
Use accounting advpn to specify accounting methods for ADVPN users.
Use undo accounting advpn to restore the default.
Syntax
accounting advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting advpn
Default
The default accounting methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for ADVPN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting advpn local
# In ISP domain test, perform RADIUS accounting for ADVPN users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting advpn radius-scheme rd local
Related commands
accounting default
local-user
radius scheme
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting methods of the ISP domain are used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.
· When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.
· When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.
Command line accounting can use only a remote HWTACACS server.
Examples
# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
accounting default
command accounting (Fundamentals Command Reference)
hwtacacs scheme
accounting default
Use accounting default to specify default accounting methods for an ISP domain.
Use undo accounting default to restore the default.
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users that support this method and do not have an accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
You can specify one primary default accounting method and multiple backup default accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
accounting lan-access
Use accounting lan-access to specify accounting methods for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting lan-access
Default
The default accounting methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for LAN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting lan-access local
# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting lan-access radius-scheme rd local
# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local
accounting default
local-user
radius scheme
timer realtime-accounting
accounting login
Use accounting login to specify accounting methods for login users.
Use undo accounting login to restore the default.
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
Default
The default accounting methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for FTP, SFTP, and SCP users.
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
accounting default
hwtacacs scheme
local-user
radius scheme
accounting portal
Use accounting portal to specify accounting methods for portal users.
Use undo accounting portal to restore the default.
Syntax
accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting portal
Default
The default accounting methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for portal users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting portal local
# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting portal radius-scheme rd local
# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local
Related commands
accounting default
local-user
radius scheme
timer realtime-accounting
accounting ppp
Use accounting ppp to specify accounting methods for PPP users.
Use undo accounting ppp to restore the default.
Syntax
accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting ppp
Default
The default accounting methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
· The specified accounting scheme does not exist.
· Accounting packet sending fails.
· The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable for a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
¡ An exception occurs in the local accounting process.
¡ The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for PPP users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting ppp local
# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting ppp radius-scheme rd local
# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local
Related commands
accounting default
hwtacacs scheme
local-user
radius scheme
timer realtime-accounting
accounting start-fail
Use accounting start-fail to configure access control for users that encounter accounting-start failures.
Use undo accounting start-fail to restore the default.
Syntax
accounting start-fail { offline | online }
undo accounting start-fail
Default
The device allows users that encounter accounting-start failures to stay online.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
offline: Logs off users that encounter accounting-start failures.
online: Allows users that encounter accounting-start failures to stay online.
Examples
# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting start-fail online
accounting update-fail
Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.
Use undo accounting update-fail to restore the default.
Syntax
accounting update-fail { [ max-times max-times ] offline | online }
undo accounting update-fail
Default
The device allows users that have failed all their accounting-update attempts to stay online.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the times argument is 1 to 255, and the default value is 1. The setting for this parameter takes effect only on PPP and portal users. Its value is fixed at 1 for other types of users, regardless of the setting for this parameter.
offline: Logs off users that have failed all their accounting-update attempts.
online: Allows users that have failed all their accounting-update attempts to stay online.
Usage guidelines
For an PPP and portal user, the NAS takes the action specified by using this command when the maximum number of consecutive accounting-update failures is reached.
For any other types of users, the device takes the action specified by using this command immediately after an accounting-update fails.
The device determines the failure of an accounting-update attempt based on the following factors:
· Maximum number of transmission attempts for a RADIUS packet (set by using the retry command).
· Real-time accounting interval (set by using the timer realtime-accounting command).
· Maximum number of real-time accounting request attempts (set by using the retry realtime-accounting command).
The following information describes the process that the device uses to determine the failure of an accounting-update failure:
1. The device sends accounting request packets at real-time accounting intervals set by using the timer realtime-accounting command.
2. If the device has not received a response to a request packet when the response timeout timer expires, the device resends the request packet.
3. When the number of consecutive transmission attempts for the request reaches the limit set by using the retry command, the device determines that the real-time accounting request fails.
4. When the number of consecutive real-time accounting request failures reaches the limit set by using the retry realtime-accounting command, the device determines that an accounting-update fails.
5. The system determines the action to take upon an accounting-update failure depending on the user type:
¡ For an PPP and portal user, the system will count the failure. If the number of consecutive accounting-update failures reaches the limit set by using the accounting update-fail command, it takes the action specified by using the same command.
¡ For other users, the system immediately takes the action specified by using the accounting update-fail command.
Examples
# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting update-fail online
Related commands
retry
retry realtime-accounting
timer realtime-accounting
authen-fail
Use authen-fail to configure the authentication failure policy for users in an ISP domain.
Use undo authen-fail to restore the default.
Syntax
authen-fail { offline | online domain new-isp-name no-authen }
undo authen-fail
Default
The device logs out users in an ISP domain if the users fail authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
offline: Logs out users that fail authentication.
online: Enables the authen-fail online feature to allow users that fail authentication to stay online.
domain new-isp-name: Specifies an authentication-fail (auth-fail) domain to accommodate users that fail authentication. The new-isp-name argument represents the name of the auth-fail domain, a case-insensitive string of 1 to 255 characters. The specified domain must already exist. The domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
no-authen: Enables the user to join the auth-fail domain without reauthentication. The system will only do reauthorization and accounting for them.
Usage guidelines
By default, users cannot come online if they fail authentication. To have authentication-failed users in an authentication domain stay online and access a limited set of network resources, specify an auth-fail domain to accommodate them. In the auth-fail domain, you can specify a set of authorization and accounting schemes to assign resources to the authentication-failed users.
You cannot delete an ISP domain if it is used as the auth-fail domain for an authentication domain. To delete it, you must first execute the undo authen-fail command to remove its binding with the authentication domain.
The authen-fail online feature is available only for wired port security users.
The authen-fail online feature does not apply to users that fail authentication for one of the following reasons:
· Authentication times out, for example, because no authentication servers respond.
· The authentication ISP domain is in blocked state or is a denied domain.
Examples
# Specify ISP domain dm1 as the auth-fail domain to accommodate users that fail authentication in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authen-fail online domain dm1 no-authen
Related commands
display domain
authen-radius-recover
Use authen-radius-recover to specify an action to take on users in the critical domain when a RADIUS server becomes available.
Use undo authen-radius-recover to restore the default.
Syntax
authen-radius-recover { offline | online domain new-isp-name | re-authen }
undo authen-radius-recover
Default
No action is specified to take on users in the critical domain when a RADIUS server becomes available.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
offline: Logs off users in the critical domain.
online: Allows users in the critical domain to stay online and assigns the users to the recovery domain.
domain new-isp-name: Specifies a recovery domain to accommodate users in the critical domain when a RADIUS server becomes available. The new-isp-name argument represents the domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
re-authen: Reauthenticates the users in the original authentication domain. This keyword is applicable only to 802.1X and MAC authentication users.
Usage guidelines
This command takes effect only on 802.1X authentication, Web authentication, and MAC authentication users.
Depending on the network requirements, specify the action to take on users in the critical domain when a RADIUS server in the users' original authentication domain becomes available.
· To perform authentication, authorization, and accounting for the users, log off the users.
· To allow the users to stay online without being authenticated, specify a recovery domain. When a RADIUS server becomes available, the users are assigned to the recovery domain from the critical domain.
· To reauthenticate users in the original authentication domain without users being aware of the process, specify the reauthentication action.
When you use the online domain new-isp-name option to specify a recovery domain, the device does not immediately assign users in the critical domain to the specified recovery domain. The device assigns these users to the recovery domain when a RADIUS server becomes available.
When you specify a recovery domain for an ISP domain, follow these restrictions and guidelines:
· If the none method is configured as the backup authentication method in the original authentication domain before the users are assigned to the critical domain, the users are still assigned to the recovery domain when a RADIUS server becomes available.
· As a best practice to accurately identify whether a RADIUS authentication server is available and the recovery configuration can take effect in time, configure RADIUS server status detection.
· To delete the ISP domain that has been specified as a recovery domain, you must first use the undo authen-radius-recover command to remove the recovery domain setting from the ISP domain.
· In the current software version, you can specify only an ISP domain as its own recovery domain in the view of the ISP domain.
Examples
# In ISP domain test, log off users in the critical domain when a RADIUS server becomes available.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authen-radius-recover offline
Related commands
authen-radius-unavailable online domain
display domain
radius-server test-profile
authen-radius-unavailable online domain
Use authen-radius-unavailable online domain to specify a critical domain (also known as fail-permit domain) for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.
Use undo authen-radius-unavailable online domain to restore the default.
Syntax
authen-radius-unavailable online domain new-isp-name
undo authen-radius-unavailable online domain
Default
No critical domain is specified for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
new-isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
This command takes effect only on 802.1X authentication, Web authentication, and MAC authentication users.
Users in an ISP domain cannot come online correctly if no responses are received for the RADIUS authentication requests sent by the device when all RADIUS authentication servers are unavailable. To resolve this issue, specify a critical domain for this ISP domain to accommodate users that access this ISP domain when all RADIUS servers are unavailable. The users can come online in the critical domain without being authenticated when all RADIUS servers are unavailable.
Users assigned to the critical domain are removed from the critical domain only when the following requirements are met:
· A RADIUS authentication server in the original authentication domain becomes available.
· A recovery domain is specified for the original authentication domain.
When you specify a critical domain for an ISP domain, follow these restrictions and guidelines:
· If an ISP domain has been specified as a critical domain, do not specify a critical domain for that ISP domain. If you do so, the critical domain specified for that ISP domain cannot take effect.
· If a critical domain has been specified for an ISP domain, do not specify that ISP domain as a critical domain. If you do so, that ISP domain cannot act as a critical domain.
· To delete the ISP domain that has been specified as a critical domain, you must first use the undo authen-radius-unavailable online domain command to remove the critical domain setting from the ISP domain.
· If non-none authentication, authorization, or accounting methods are configured in the critical domain for an ISP domain, the non-none authentication or authorization methods cannot take effect on users. However, the non-none accounting methods in the critical domain can take effect on users. As a best practice to reduce user management cost, do not configure non-none authentication, authorization, or accounting methods in the critical domain.
Examples
# Specify critical domain dm1 to accommodate users that access ISP domain test when all RADIUS servers are unavailable.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authen-radius-unavailable online domain dm1
Related commands
authen-radius-recover
display domain
authentication 5g
Use authentication 5g to specify authentication methods for 5G users.
Use undo authentication 5g to restore the default.
Syntax
authentication 5g { none | radius-scheme radius-scheme-name [ none ] }
undo authentication 5g
Default
The default authentication methods are used for 5G users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To have the AAA module perform RADIUS authentication first and then not perform authentication for 5G users when RADIUS authentication is invalid, execute the authentication 5g radius-scheme radius-scheme-name none command.
Examples
# Configure ISP domain test not to perform authentication for 5G users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication 5g none
# Configure ISP domain test to perform RADIUS authentication for 5G users based on scheme rd and not to perform authentication when RADIUS accounting is invalid.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication 5g radius-scheme rd none
Related commands
display domain
radius scheme
authentication advpn
Use authentication advpn to specify authentication methods for ADVPN users.
Use undo authentication advpn to restore the default.
Syntax
authentication advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication advpn
Default
The default authentication methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for ADVPN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication advpn local
# In ISP domain test, perform RADIUS authentication for ADVPN users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication advpn radius-scheme rd local
Related commands
authentication default
local-user
radius scheme
authentication default
Use authentication default to specify default authentication methods for an ISP domain.
Use undo authentication default to restore the default.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users that support this method and do not have an authentication method configured.
You can specify one primary default authentication method and multiple backup default authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication ike
Use authentication ike to specify extended authentication methods for IKE users.
Use undo authentication ike to restore the default.
Syntax
authentication ike { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication ike
Default
The default authentication methods of the ISP domain are used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the IKE service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, configure the device to perform local authentication through IKE extended authentication.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication ike local
# In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication ike radius-scheme rd local
Related commands
authentication default
local-user
radius scheme
authentication lan-access
Use authentication lan-access to specify authentication methods for LAN users.
Use undo authentication lan-access to restore the default.
Syntax
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
Default
The default authentication methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for LAN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication lan-access local
# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
authentication default
ldap scheme
local-user
radius scheme
authentication login
Use authentication login to specify authentication methods for login users.
Use undo authentication login to restore the default.
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
Default
The default authentication methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for login users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication login local
# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication portal
Use authentication portal to specify authentication methods for portal users.
Use undo authentication portal to restore the default.
Syntax
authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication portal
Default
The default authentication methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for portal users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication portal local
# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
authentication default
ldap scheme
local-user
radius scheme
authentication ppp
Use authentication ppp to specify authentication methods for PPP users.
Use undo authentication ppp to restore the default.
Syntax
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication ppp
Default
The default authentication methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
· The specified authentication scheme does not exist.
· Authentication packet sending fails.
· The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
¡ An exception occurs in the local authentication process.
¡ The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for PPP users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication ppp local
# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication ppp radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
local-user
radius scheme
authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication methods of the ISP domain are used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.
You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain name test
[Sysname-isp-test] authentication super hwtacacs-scheme tac
Related commands
authentication default
hwtacacs scheme
radius scheme
authorization 5g
Use authorization 5g to specify authorization methods for 5G users.
Use undo authorization 5g to restore the default.
Syntax
authorization 5g { none | radius-scheme radius-scheme-name [ none ] }
undo authorization 5g
Default
The default authorization methods are used for 5G users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To have the AAA module perform RADIUS authorization first and then not perform authorization when RADIUS authorization is invalid, execute the authorization 5g radius-scheme radius-scheme-name none command.
Examples
# Configure ISP domain test not to perform authorization for 5G users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization 5g none
# Configure ISP domain test to perform RADIUS authorization for 5G users based on scheme rd and not to perform authorization when RADIUS authorization is invalid.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization 5g radius-scheme rd none
Related commands
display domain
radius scheme
authorization advpn
Use authorization advpn to specify authorization methods for ADVPN users.
Use undo authorization advpn to restore the default.
Syntax
authorization advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization advpn
Default
The default authorization methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for ADVPN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization advpn local
# In ISP domain test, perform RADIUS authorization for ADVPN users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization advpn radius-scheme rd local
Related commands
authorization default
local-user
radius scheme
authorization command
Use authorization command to specify command authorization methods.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
Default
The default authorization methods of the ISP domain are used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.
Usage guidelines
Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether each entered command is permitted.
When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.
The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.
You can specify one primary command authorization method and multiple backup command authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
command authorization (Fundamentals Command Reference)
hwtacacs scheme
local-user
authorization default
Use authorization default to specify default authorization methods for an ISP domain.
Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
· Non-login users can access the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authorization method is used for all users that support this method and do not have an authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
authorization ike
Use authorization ike to specify authorization methods for IKE extended authentication.
Use undo authorization ike to restore the default.
Syntax
authorization ike { local [ none ] | none }
undo authorization ike
Default
The default authorization methods of the ISP domain are used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
Usage guidelines
You can specify one primary authorization method and one backup authorization method.
When the primary method is invalid, the device attempts to use the backup method.
Examples
# In ISP domain test, perform local authorization for IKE extended authentication.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization ike local
Related commands
authorization default
local-user
authorization lan-access
Use authorization lan-access to specify authorization methods for LAN users.
Use undo authorization lan-access to restore the default.
Syntax
authorization lan-access { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization lan-access
Default
The default authorization methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated LAN user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for LAN users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization lan-access local
# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
authorization default
local-user
radius scheme
authorization login
Use authorization login to specify authorization methods for login users.
Use undo authorization login to restore the default.
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
Default
The default authorization methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for login users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization login local
# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
authorization default
hwtacacs scheme
local-user
radius scheme
authorization portal
Use authorization portal to specify authorization methods for portal users.
Use undo authorization portal to restore the default.
Syntax
authorization portal { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization portal
Default
The default authorization methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated portal user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for portal users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization portal local
# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization portal radius-scheme rd local
Related commands
authorization default
local-user
radius scheme
authorization ppp
Use authorization ppp to specify authorization methods for PPP users.
Use undo authorization ppp to restore the default.
Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization ppp
Default
The default authorization methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
· The specified authorization scheme does not exist.
· Authorization packet sending fails.
· The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for PPP users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization ppp local
# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization ppp radius-scheme rd local
Related commands
authorization default
hwtacacs scheme
local-user
radius scheme
authorization-attribute (ISP domain view)
Use authorization-attribute to configure authorization attributes for users in an ISP domain.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number max-access-number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-group-profile session-group-profile-name | session-timeout timeout | url url-string | user-group user-group-name | user-profile profile-name | vpn-instance vpn-instance-name }
undo authorization-attribute { acl | car | idle-cut | igmp | ip-pool | ipv6-pool | ipv6-prefix | mld | { primary-dns | secondary-dns } { ip | ipv6 }| session-group-profile | session-timeout | url | user-group | user-profile | vpn-instance }
Default
The idle cut feature is disabled.
An IPv4 user can concurrently join a maximum of four IGMP multicast groups.
An IPv6 user can concurrently join a maximum of four MLD multicast groups.
No other authorization attributes exist.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument varies by device model. This option is applicable only to portal and LAN users. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.
author-profile profile-name: Specifies the name of an authorization profile, a case-insensitive string of 1 to 31 characters. An authorization profile defines a set of authorization attributes and can be used to authorize network resources on a VPN basis. This option takes effect only on 802.1X, MAC, and Web authentication users. For Web authorization users, only the microsegments and the VPN instances defined in an authorization profile takes effect, and the VSI configuration is not supported.
car: Specifies a CAR action for users. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the CAR action applies before portal authentication. This keyword is applicable only to portal and PPP users.
inbound: Specifies the upload rate of users.
outbound: Specifies the download rate of users.
cir committed-information-rate: Specifies the committed information rate in kbps. The value range for this argument is 8 to 10000000.
pir peak-information-rate: Specifies the peak information rate in kbps. The peak information rate cannot be smaller than the committed information rate. If you do not specify this option, the CAR action does not restrict users by peak information rate. The value range for this argument varies is 8 to 10000000.
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 129600. This option is applicable only to wireless LAN users and PPP users.
flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.
igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal and PPP users.
ip-pool ipv4-pool-name: Specifies an IPv4 pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP, IKE, and portal users.
ipv6-pool ipv6-pool-name: Specifies an IPv6 pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.
ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the prefix-length argument is 1 to 128. This option is applicable only to PPP users.
microsegment microsegment-id: Specifies an authorization microsegment for users. The microsegment-id argument represents a microsegment ID in the range of 1 to 65535. This attribute takes effect only on 802.1X and MAC authentication users.
mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal and PPP users.
primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to PPP users.
primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to PPP users.
secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to PPP users.
secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to PPP users.
session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters and can contain only letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or a digit, but it cannot be all digits. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the session group profile applies before portal authentication. This option is applicable only to portal and PPP users.
session-timeout timeout: Sets the session timeout timer for users, in seconds. The value range for the timeout argument is 1 to 4294967294. The device logs out a user when the session timeout timer expires for that user. If the RADIUS server assigns that user the Session-Timeout attribute, the value in the assigned attribute takes precedence over the session timeout timer set on the device. The session timeout timer attribute is applicable only to PPP, portal, and LAN users.
url url-string: Specifies a redirect URL for users. The url-string argument is a case-sensitive string of 1 to 255 characters. The URL must start with http:// or https://. You can configure the redirect URL attribute to push advertisements or notifications to users after the users pass authentication or push bill overdue notifications to users. This option is applicable only to IPoE and LAN users. For IPoE users, you must specify a URL with port number 80 or 443.
user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.
user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to PPP, portal, and LAN users.
vlan vlan-id: Specifies an authorization VLAN for users. The vlan-id argument represents a VLAN ID in the range of 1 to 4094. This attribute takes effect only on wired 802.1X, Web authentication, and MAC authentication users.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. When a user passes authentication, it has permission to access the network resources in the specified VPN. This option is applicable only to PPP users.
vsi vsi-name: Specifies an authorization VSI for users. The vsi-name represents a VSI name, a case-sensitive string of 1 to 31 characters. This attribute takes effect only on wired 802.1X and MAC authentication users.
Usage guidelines
When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.
If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user. However, if the server authorizes the CAR action attribute only for one direction, the device does not authorize the CAR action attribute of the ISP domain for the other direction.
You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.
When you specify an authorization ACL, the following restrictions apply:
· The authorization ACL is invalid if it does not exist or does not contain rules. If strict checking on authorization ACLs is enabled for portal users in this situation, portal users will be forced offline.
· Support for the VPN instance parameter in the ACL rules for LAN users depends on the device model.
· Support for the VPN instance parameter in the ACL rules for portal users depends on the device model.
· For portal users to come online after passing authentication, make sure ACLs assigned to portal users do not have rules specified with a source IP or MAC address.
To avoid user logoff caused by authorization attribute conflicts, do not assign an authorization VSI and an authorization VLAN at the same time. The conflict occurs in the following cases:
· The server authorizes a VSI through session control or CoA messages to an online user that is authorized with a VLAN at association.
· The server authorizes a VLAN through session control or CoA messages to an online user that is authorized with a VSI at association.
· The server authorizes a VSI through session control or CoA messages to an online user that uses the default authorization VLAN because no VLAN or VSI is authorized at association.
Examples
# Specify user group abc as the authorization user group for users in ISP domain test.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization-attribute user-group abc
Related commands
display domain
basic-service-ip-type
Use basic-service-ip-type to specify the types of IP addresses that PPPoE and L2TP users must rely on to use the basic services.
Use undo basic-service-ip-type to restore the default.
Syntax
basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *
undo basic-service-ip-type
Default
PPPoE and L2TP users do not rely on any types of IP addresses to use the basic services.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ipv4: Specifies the IPv4 address type.
ipv6: Specifies the IPv6 address type.
ipv6-pd: Specifies the IPv6-PD address type. This type of IPv6 addresses are generated based on the DHCPv6 server-assigned prefix.
Usage guidelines
This command takes effect only when the device acts as a PPPoE server or L2TP LNS.
A PPPoE or L2TP user might request multiple services of different IP address types. The device logs off the user if the user does not obtain the IP addresses of all types for the services. This command enables the device to allow the user to come online if the user has obtained IP addresses of the specified types for the basic services.
The device does not allow a PPPoE or L2TP user to come online if the user does not obtain IP addresses of all the specified types for the basic services. For example, if you execute the basic-service-ip-type ipv6 command, the device does not allow a PPPoE or L2TP user to come online if the user does not obtain an IPv6 address.
If you specify both the ipv6 and ipv6-pd keywords, the device does not allow a PPPoE or L2TP user that fails IPv6 address negotiation or PD negotiation to come online.
Examples
# In ISP domain test, specify PPPoE and L2TP users to rely on IPv4 addresses to use the basic services.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] basic-service-ip-type ipv4
Related commands
display domain
default critical-microsegment
Use default critical-microsegment to specify the default critical microsegment for a critical profile.
Use undo default critical-microsegment to restore the default.
Syntax
default critical-microsegment microsegment-id [ vsi vsi-name ] [ url-user-logoff ]
undo default critical-microsegment
Default
No default critical microsegment is specified for a critical profile.
Views
Critical profile view
Predefined user roles
network-admin
Parameters
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters. This option is applicable only to VXLAN networks. You can specify this option as needed.
url-user-logoff: Forcibly logs off all MAC authentication users that have been assigned with a redirect URL before accommodating the users to the critical microsegment. If you do not specify this keyword, the device allows the MAC authentication users to stay online until the MAC authentication offline detection feature logs off the users. This option is applicable only to MAC authentication users.
Usage guidelines
During authentication, if all authentication servers in the ISP domain are unreachable, the device will accommodate users on a port to the critical microsegment for the critical profile applied to the port.
For users in a VPN instance, the device preferentially accommodates the users to the critical microsegment specified for the VPN instance. If no critical microsegment is specified for the VPN instance, the device accommodates the users to the default critical microsegment in the critical profile.
You can specify only one default critical microsegment for a critical profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify microsegment with ID 66 as the default critical microsegment for critical profile abc.
<Sysname> system-view
[Sysname] aaa critical-profile abc
[Sysname-critical-profile-abc] default critical-microsegment 66
Related commands
if-match vpn-instance critical-microsegment
default microsegment
Use default microsegment to specify the default microsegment for an authorization profile.
Use undo default microsegment to restore the default.
Syntax
default microsegment microsegment-id [ vsi vsi-name ]
undo default microsegment
Default
No default microsegment is specified for an authorization profile.
Views
Authorization profile view
Predefined user roles
network-admin
Parameters
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters. This option is applicable only to VXLAN networks. You can specify this option as needed.
Usage guidelines
The system authorizes the default microsegment to non-VPN users and VPN users that do not match any VPN instance specified by the if-match vpn-instance microsegment command.
You can specify only one default microsegment for an authorization profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify microsegment with ID 66 as the default microsegment for authorization profile abc.
<Sysname> system-view
[Sysname] aaa author-profile abc
[Sysname-author-profile-abc] default microsegment 66
Related commands
display aaa author-profile
if-match vpn-instance critical-microsegment
dhcpv6-follow-ipv6cp
Use dhcpv6-follow-ipv6cp to set the IPv6 address wait timer for PPPoE and L2TP users.
Use undo dhcpv6-follow-ipv6cp to restore the default.
Syntax
dhcpv6-follow-ipv6cp timeout delay-time
undo dhcpv6-follow-ipv6cp
Default
No IPv6 address wait timer is set for PPPoE and L2TP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
timeout delay-time: Sets the IPv6 address wait timer, in the range of 30 to 1000 seconds.
Usage guidelines
This command takes effect only when the device acts as a PPPoE server or L2TP LNS.
The IPv6 address wait timer defines the maximum amount of time that a user can wait before the device determines that the user fails to obtain an IPv6 address or PD prefix.
The device starts an IPv6 address wait timer for a user after it finishes IPv6CP negotiation with the user. If the user's basic service relies on an IPv6 address or PD prefix but it fails to obtain any IPv6 address or PD prefix when the timer expires, the user cannot come online.
As a best practice, increase the IPv6 address wait timer in the following situations:
· The network connectivity is unstable.
· The device uses DHCPv6 to assign IPv6 addresses to users.
· The ISP domain serves a large number of PPPoE and L2TP users.
Examples
# In ISP domain test, set the IPv6 address wait timer to 90 seconds for PPPoE and L2TP users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90
Related commands
basic-service-ip-type
display domain
display aaa author-profile
Use display aaa author-profile to display authorization profile information.
Syntax
display aaa author-profile [ name profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name profile-name: Specifies an authorization profile by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, this command displays information about all authorization profiles.
Examples
# Display information about all authorization profiles.
<Sysname> display aaa author-profile
Total 2 aaa author-profiles
aaa author-profile: a
default microsegment 1 vsi 1
Total 3 match criteria.
if match vpn-instance 2 microsegment 2 vsi 2
if match vpn-instance 3 microsegment 3 vsi 3
if match vpn-instance 4 microsegment 3 vsi 4
aaa author-profile: b
default microsegment 1 vsi 1
Total 2 match criteria.
if match vpn-instance 2 microsegment 2 vsi 2
if match vpn-instance 3 microsegment 3 vsi 3
# Display information about authorization profile a.
<Sysname> display aaa author-profile a
aaa author-profile: a
default microsegment 1 vsi 1
Total 3 match criteria.
if match vpn-instance 2 microsegment 2 vsi 2
if match vpn-instance 3 microsegment 3 vsi 3
if match vpn-instance 4 microsegment 3 vsi 4
Table 1 Command output
|
Field |
Description |
|
aaa author-profile |
Authorization profile name. |
|
default microsegment xxx vsi xxx |
Default microsegment and the corresponding VSI. |
|
Total xx match criteria. |
Number of VPN and microsegment bindings in the profile. |
|
if match vpn-instance xxx microsegment xxx vsi xxx |
VPN instance, the corresponding microsegment, and the corresponding VSI. |
Related commands
aaa author-profile
display domain
Use display domain to display ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domains
Domain: system
Current state: Active
State configuration: Active
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out policy: Offline
Send accounting update:Yes
Service type: HSI
Session time: Exclude idle time
DHCPv6-follow-IPv6CP timeout: Not configured
Dual-stack accounting method: Merge
NAS-ID: N/A
Web server URL : Not configured
Web server URL parameters : Not configured
Web server IPv4 address : Not configured
Web server IPv6 address : Not configured
Authorization attributes:
Idle cut: Disabled
IGMP access limit: 4
MLD access limit: 4
Authen-fail action: Offline
Authen-radius-unavailable: Not configured
Authen-radius-recover: Not configured
Temporary redirect: Disabled
Domain: dm
Current state: Active
State configuration: Blocked during specific time ranges
Time ranges:
t1
t2
Online-user logoff: Disabled
Login authentication scheme: RADIUS=rad
Login authorization scheme: HWTACACS=hw
Super authentication scheme: RADIUS=rad
PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local
Command authorization scheme: HWTACACS=hw
LAN access authentication scheme: RADIUS=r4
Portal authentication scheme: LDAP=ldp
5G authentication scheme: RADIUS=rad, None
Default authentication scheme: RADIUS=rad, Local, None
Default authorization scheme: Local
Default accounting scheme: None
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out policy: Offline
Service type: HSI
Session time: Include idle time
Dual-stack accounting method: Merge
NAS-ID: test
Web server URL : Not configured
Web server URL parameters : Not configured
Web server IPv4 address : Not configured
Web server IPv6 address : Not configured
Authorization attributes:
Idle cut : Enabled
Idle timeout: 2 minutes
Flow: 10240 bytes
Traffic direction: Both
IP pool: appy
User profile: test
Session group profile: abc
Inbound CAR: CIR 64000 bps PIR 640000 bps
Outbound CAR: CIR 64000 bps PIR 640000 bps
ACL number: 3000
User group: ugg
IPv6 prefix: 1::1/34
IPv6 pool: ipv6pool
Primary DNS server: 6.6.6.6
Secondary DNS server: 3.6.2.3
URL: http://test
VPN instance: vpn1
IGMP access limit: 4
MLD access limit: 4
Authen-fail action: Online in domain dm1 without authentication
Authen-radius-unavailable: Online domain dm2
Authen-radius-recover: Offline
Temporary redirect: Disabled
Default domain name: system
Table 2 Command output
|
Field |
Description |
|
Domain |
ISP domain name. |
|
Current state |
Current state of the ISP domain: · Blocked. · Active. |
|
State configuration |
State settings of the ISP domain: · Active—The ISP domain is set to the active state. · Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges. · Blocked—The ISP domain is set to the blocked state. |
|
Time ranges |
Time ranges during which the ISP domain is in blocked state. |
|
Online-user logoff |
Status for the feature of logging off online users when the state of the ISP domain changes to blocked: · Enabled. · Disabled. |
|
Default authentication scheme |
Default authentication methods. |
|
Default authorization scheme |
Default authorization methods. |
|
Default accounting scheme |
Default accounting methods. |
|
ADVPN authentication scheme |
Authentication methods for ADVPN users. |
|
ADVPN authorization scheme |
Authorization methods for ADVPN users. |
|
ADVPN accounting scheme |
Accounting methods for ADVPN users. |
|
Login authentication scheme |
Authentication methods for login users. |
|
Login authorization scheme |
Authorization methods for login users. |
|
Login accounting scheme |
Accounting methods for login users. |
|
Super authentication scheme |
Authentication methods for obtaining another user role without reconnecting to the device. |
|
PPP authentication scheme |
Authentication methods for PPP users. |
|
PPP authorization scheme |
Authorization methods for PPP users. |
|
PPP accounting scheme |
Accounting methods for PPP users. |
|
Command authorization scheme |
Command line authorization methods. |
|
Command accounting scheme |
Command line accounting method. |
|
LAN access authentication scheme |
Authentication methods for LAN users. |
|
LAN access authorization scheme |
Authorization methods for LAN users. |
|
LAN access accounting scheme |
Accounting methods for LAN users. |
|
Portal authentication scheme |
Authentication methods for portal users. |
|
Portal authorization scheme |
Authorization methods for portal users. |
|
Portal accounting scheme |
Accounting methods for portal users. |
|
IKE authentication scheme |
IKE extended authentication methods. |
|
IKE authorization scheme |
Authorization methods for IKE extended authentication. |
|
5G authentication scheme |
Authentication methods for 5G users. |
|
5G authorization scheme |
Authorization methods for 5G users. |
|
5G accounting scheme |
Accounting methods for 5G users. |
|
RADIUS |
RADIUS scheme. |
|
HWTACACS |
HWTACACS scheme. |
|
LDAP |
LDAP scheme. |
|
Local |
Local scheme. |
|
None |
No authentication, no authorization, or no accounting. |
|
Accounting start failure action |
Access control for users that encounter accounting-start failures: · Online—Allows the users to stay online. · Offline—Logs off the users. |
|
Accounting update failure max-times |
Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain. |
|
Accounting update failure action |
Access control for users that have failed all their accounting-update attempts: · Online—Allows the users to stay online. · Offline—Logs off the users. |
|
Accounting quota out policy |
Access control for users that have used up their accounting quotas: · Online—Allows the users to stay online. · Offline—Logs off the users. · Redirect—Redirects the users to the specified URL. |
|
Redirect URL |
URL to which users are redirected when the users have used up their data quotas. |
|
Stop accounting |
Whether to send stop-accounting packets for users that have used up their data quotas. |
|
User profile |
Name of the user profile assigned to users that have used up their data quotas. |
|
Send accounting update |
Whether to send accounting-update packets to refresh users' data quotas: · Yes. · No. |
|
Service type |
Service type of the ISP domain, including HSI, STB, and VoIP. |
|
Session time |
Online duration sent to the server for users that went offline due to connection failure or malfunction: · Include idle time—The online duration includes the idle timeout period. · Exclude idle time—The online duration does not include the idle timeout period. |
|
User address type |
Type of IP addresses for users in the ISP domain. This field is not available if no user address type is specified in the ISP domain. |
|
User basic service IP type |
Types of IP addresses that PPPoE and L2TP users rely on to use the basic services: · IPv4. · IPv6. · IPv6-PD. |
|
DHCPv6-follow-IPv6CP timeout |
IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users. This field displays Not Configured if no IPv6 address wait timer is set for PPPoE or L2TP users. |
|
Dual-stack accounting method |
Accounting method for dual-stack users: · Merge—Merges IPv4 data with IPv6 data for accounting. · Separate—Separates IPv4 data from IPv6 data for accounting. |
|
NAS-ID |
NAS-ID of the device. This field displays N/A if no NAS-ID is set in the ISP domain. |
|
Web server URL |
URL of the Web server. |
|
Web server URL parameters |
Parameters added to the URL of the Web server. |
|
Web server IPv4 address |
IPv4 address of the Web server. |
|
Web server IPv6 address |
IPv6 address of the Web server. |
|
Authorization attributes |
Authorization attributes for users in the ISP domain. |
|
Idle cut |
Idle cut feature status: · Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state. |
|
Idle timeout |
Idle timeout period, in minutes. |
|
Flow |
Minimum traffic that a login user must generate in an idle timeout period, in bytes. |
|
Traffic direction |
Traffic direction for the idle cut feature: · Both. · Inbound. · Outbound. |
|
IP pool |
Name of the authorization IPv4 pool. |
|
User profile |
Name of the authorization user profile. |
|
Session group profile |
Name of the authorization session group profile. |
|
Inbound CAR |
Authorization inbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. If no inbound CAR is authorized, this field displays N/A. |
|
Outbound CAR |
Authorization outbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. If no outbound CAR is authorized, this field displays N/A. |
|
ACL number |
Authorization ACL for users. |
|
User group |
Authorization user group for users. |
|
IPv6 prefix |
Authorization IPv6 address prefix for users. |
|
IPv6 pool |
Name of the authorization IPv6 pool for users. |
|
Primary DNS server |
IPv4 address of the authorization primary DNS server for users. |
|
Secondary DNS server |
IPv4 address of the authorization secondary DNS server for users. |
|
Primary DNSV6 server |
IPv6 address of the authorization primary DNS server for users. |
|
Secondary DNSV6 server |
IPv6 address of the authorization secondary DNS server for users. |
|
URL |
Authorization redirect URL for users. |
|
VPN instance |
Name of the authorization VPN instance for users. |
|
IGMP access limit |
Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently. |
|
MLD access limit |
Maximum number of MLD groups that an IPv6 user is authorized to join concurrently. |
|
Inbound user priority |
Authorization user priority for users' upstream packets. |
|
Outbound user priority |
Authorization user priority for users' downstream packets. |
|
User session timeout |
Authorization session timeout time for users, in seconds. |
|
VSI name |
Authorization VSI name. |
|
VLAN ID |
Authorization VLAN ID. |
|
Microsegment ID |
Authorization microsegment ID. |
|
Author profile |
Authorization profile name. |
|
Authen-fail action |
Authentication failure policy for users that fail authentication in the ISP domain: · Offline—Logs out the users. · Online in domain isp-name without authentication—Allows the users to stay online and assigns the users to the auth-fail domain (represented by the isp-domain argument) without reauthentication. The system will only do reauthorization and accounting for them. |
|
Authen-radius-unavailable |
Critical domain to accommodate users when all RADIUS authentication servers are unavailable. |
|
Authen-radius-recover |
Action to take on users in the critical domain when a RADIUS authentication server becomes available. · Offline—Logs off the users. · Online in domain isp-name—Allows the users to stay online in the recovery domain. · Reauthen—Reauthenticate the users in the original authentication ISP domain. |
|
Temporary redirect |
Status of temporary redirection. · Enabled—Temporary redirection is enabled. The HTTP/HTTPS redirection packets sent to users carry status code 302. · Disabled—Temporary redirection is enabled. The HTTP/HTTPS redirection packets sent to users carry status code 200. |
|
Default domain name |
Default ISP domain name. |
display mubm record
Use display mubm record to display user MAC and UUID binding entries.
Syntax
display mubm record [ mac mac-address ] [ interface interface-type interface-number | slot slot-number ] [ access-type { dot1x | mac-auth | wlan } ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
mac mac-address: Specifies a user MAC address in the format of H-H-H. If you do not specify a user MAC address, this command displays MAC and UUID binding entries for all user MAC addresses.
interface interface-type interface-number: Specifies the user's access interface by its type and number. If you do not specify an interface, this command displays MAC and UUID binding entries on all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays MAC and UUID binding entries on the active MPU.
access-type: Specifies the user access type. If you do not specify a user access type, this command displays MAC and UUID binding entries for all user access types.
dot1x: Specifies 802.1X authentication access.
mac-auth: Specifies MAC authentication access.
wlan: Specifies wireless 802.1X and MAC authentication access.
Usage guidelines
If you do not specify any parameters, this command displays all user MAC and UUID binding entries.
To help administrators identify whether a universally unique identifier (UUID) has been assigned to a user and maintain the MAC and UUID binding entries for users, use this command.
In some scenarios, administrators configure and manage MAC address and UUID binding entries for users on the authentication server, depending on the user access control policies. The binding entries will be assigned to the users after they pass authentication. The device automatically generates the MAC and UUID binding entry of a user when the user comes online and automatically deletes the binding entry when the user goes offline.
When a user's client requests the DHCP server to assign or release an IP address, the DHCP snooping module first searches for the UUID bound to the client MAC address. Then, the device replaces the value of Option 61 (client ID) in the client's DHCP packets with the UUID and forwards the DHCP packets to the DHCP server. The DHCP server will assign or reclaim an IP address based on the UUID in the received DHCP packets. UUID-based IP address assignment flexibly meets the IP address requirements of different scenarios.
Examples
# Display UUID information bound to user MAC address 0C-DA-41-1D-1E-EF.
<Sysname> display mubm record mac 0C-DA-41-1D-1E-EF
Mac Address Access Type Interface UUID
0CDA-411D-1EEF Dot1x XGE0/0/6 ff ff ff ff
0CDA-411D-1EEF MAC-auth XGE0/0/7 41 41 41 41 42 42 42
0CDA-411D-1EEF WLAN N/A 41 41 41 41 42 42 43
Table 3 Command output
|
Field |
Description |
|
Mac Address |
User MAC address. |
|
Access Type |
User access type: · Dot1x—802.1X authentication. · MAC-auth—MAC authentication. · WLAN—Wireless authentication. |
|
Interface |
Interface through which the user accesses the device. If the user accesses the device through a wireless network, this field displays N/A. |
|
UUID |
UUID bound to the user MAC address. The UUID value and format subject to the actual situation. |
domain
Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.
Use undo domain to delete an ISP domain.
Syntax
Format 1:
domain name isp-name
undo domain name isp-name
Format 2:
domain isp-name
undo domain isp-name
Default
A system-defined ISP domain exists. The domain name is system.
Views
System view
Predefined user roles
network-admin
Parameters
Format 1:
name isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Format 2:
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
Usage guidelines
All ISP domains are in active state when they are created.
You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.
Examples
# Create an ISP domain named test and enter ISP domain view.
<Sysname> system-view
[Sysname] domain name test
Related commands
display domain
domain default enable
domain if-unknown
state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.
Usage guidelines
The system has only one default ISP domain.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create an ISP domain named test, and configure the domain as the default ISP domain.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
display domain
domain
domain if-unknown
Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains.
Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified to accommodate users that are assigned to nonexistent domains.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
The device chooses an authentication domain for each user in the following order:
1. The authentication domain specified for the access module.
2. The ISP domain in the username.
3. The default ISP domain of the device.
If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.
|
|
NOTE: Support for the authentication domain configuration depends on the access module. |
Examples
# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.
<Sysname> system-view
[Sysname] domain if-unknown test
Related commands
display domain
if-match vpn-instance critical-microsegment
Use if-match vpn-instance critical-microsegment to specify a critical microsegment for a VPN instance.
Use undo if-match vpn-instance critical-microsegment to restore the default.
Syntax
if-match vpn-instance vpn-instance-name critical-microsegment microsegment-id [ vsi vsi-name ] [ url-user-logoff ]
undo if-match vpn-instance vpn-instance-name critical-microsegment
Default
No critical microsegment is specified for a VPN instance.
Views
Critical profile view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters. This option is applicable only to VXLAN networks. You can specify this option as needed.
url-user-logoff: Forcibly logs off all MAC authentication users that have been assigned with a redirect URL before accommodating users in the critical microsegment. If you do not specify this keyword, the device allows the MAC authentication users to stay online until MAC authentication offline detection logs off the users. This option is applicable only to MAC authentication users.
Usage guidelines
During authentication, if all authentication servers in the ISP domain are unreachable, the device will accommodate users on a port to the critical microsegment for the critical profile applied to the port.
For users in a VPN instance, the device preferentially accommodates the users to the critical microsegment specified for the VPN instance. If no critical microsegment is specified for the VPN instance, the device accommodates the users to the default critical microsegment in the critical profile.
In a critical profile, you can configure a maximum of 128 bindings of critical microsegments to VPN instances.
If you specify multiple critical microsegments for the same VPN instance, the most recent configuration takes effect.
Examples
# Specify microsegment with ID 123 for VPN instance test in critical profile abc.
<Sysname> system-view
[Sysname] aaa critical-profile abc
[Sysname-critical-profile-abc] if-match vpn-instance test critical-microsegment 123
Related commands
default critical-microsegment
if-match vpn-instance microsegment
Use if-match vpn-instance microsegment to specify a VPN instance and microsegment binding for an authorization profile.
Use undo if-match vpn-instance microsegment to delete the specified VPN instance and microsegment binding for an authorization profile.
Syntax
if-match vpn-instance vpn-instance-name microsegment microsegment-id [ vsi vsi-name ]
undo if-match vpn-instance vpn-instance-name microsegment
Default
No VPN instance and microsegment binding exists for an authorization profile.
Views
Authorization profile view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters. This option is applicable only to VXLAN networks. You can specify this option as needed.
Usage guidelines
If an authentication domain is applied with an authorization profile, the system assigns the default microsegment to non-VPN users in the domain, and the microsegment of the matching VPN to VPN users. If no matching VPN exists for a VPN user, the default microsegment is authorized.
For an authorization profile, you can configure a maximum of 128 VPN instance and microsegment bindings.
You can bind a VPN instance only to one microsegment but a microsegment to multiple VPN instances.
If you specify multiple authorization microsegments for the same VPN instance, the most recent configuration takes effect.
Examples
# Specify microsegment with ID 123 for VPN instance test in authorization profile abc.
<Sysname> system-view
[Sysname] aaa author-profile abc
[Sysname-author-profile-abc] if-match vpn-instance test microsegment 123
Related commands
default critical-microsegment
display aaa author-profile
local-server log change-password-prompt
Use local-server log change-password-prompt to enable password change prompt logging.
Use undo local-server log change-password-prompt to disable password change prompt logging.
Syntax
local-server log change-password-prompt
undo local-server log change-password-prompt
Default
Password change prompt logging is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this feature to enhance the protection of passwords for Telnet, SSH, HTTP, HTTPS, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.
This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.
A password is a weak password if it does not meet the following requirements:
· Password composition restriction configured by using the password-control composition command.
· Minimum password length restriction set by using the password-control length command.
· Password complexity checking policy configured by using the password-control complexit command.
For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:
· The current password of the user is the default password or has expired.
· The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.
The device will no longer generate password change prompt logs for a user when one of the following conditions exists:
· The password change prompt logging feature is disabled.
· The user has changed the password and the new password meets the password control requirements.
· The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.
· The password composition policy or the minimum password length has changed.
You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."
Examples
# Enable password change prompt logging.
<Sysname> system-view
[Sysname] local-server log change-password-prompt
Related commands
display password-control
password-control composition
password-control length
nas-id
Use nas-id to set the NAS-ID in an ISP domain.
Use undo nas-id to delete the NAS-ID from an ISP domain.
Syntax
nas-id nas-identifier
undo nas-id
Default
No NAS-ID is set in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.
Usage guidelines
During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.
You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:
4. NAS-ID bound with VLANs in a NAS-ID profile.
5. NAS-ID on an interface.
6. NAS-ID in an ISP domain.
If no NAS-ID is selected, the device uses the device name as the NAS-ID.
The NAS-ID on an interface is applicable only to portal and PPP users that access the network through the interface.
Examples
# Set the NAS-ID to test for ISP domain test.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] nas-id test
Related commands
aaa nas-id
aaa nas-id profile
nas-id bind
Use nas-id bind to configure a NAS-ID and VLAN binding.
Use undo nas-id bind to remove a NAS-ID and VLAN binding.
Syntax
nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }
undo nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }
Default
No NAS-ID and VLAN bindings exist.
Views
NAS-ID profile view
Predefined user roles
network-admin
Parameters
nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.
c-vid vlan-id: Specifies an inner VLAN ID in the range of 1 to 4094.
s-vid vlan-id: Specifies an outer VLAN ID in the range of 1 to 4094.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
Usage guidelines
You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.
In a QinQ network, specify an inner VLAN ID, outer VLAN ID, or both in a binding as a best practice. In a non-QinQ network, you can specify only a VLAN ID in a binding by specifying the vlan vlan-id option.
If you specify an inner VLAN ID or outer VLAN ID in a binding of a NAS-ID profile, you can specify this profile only for an interface by using the aaa nas-id-profile command.
A NAS-ID can be bound with more than one VLAN. A VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.
The device selects a NAS-ID and VLAN binding for double-tagged packets in the following order:
1. NAS-ID with both matching outer VLAN ID and inner VLAN ID.
2. NAS-ID with a matching outer VLAN ID.
3. NAS-ID with a matching inner VLAN ID.
Examples
# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
Related commands
aaa nas-id profile
redirect move-temporarily enable
Use redirect move-temporarily enable to enable the temporary redirect feature.
Use undo redirect move-temporarily enable to disable the temporary redirect feature.
Syntax
redirect move-temporarily enable
undo redirect move-temporarily enable
Default
The temporary redirect feature is disabled.
Views
ISP domain view
Predefined user roles
network-admin
Usage guidelines
Typically, the device carries the redirect URL coded in JavaScript in HTTP or HTTPS responses sent to users, and the status code in the responses is 200. The users obtain the redirect URL by parsing the JavaScript codes. If the endpoint of a user (application, for example) does not support JavaScript, the user will fail to be redirected.
To resolve this issue, enable the temporary redirect feature. This feature enables the device to send HTTP or HTTPS responses with status code 302 to users so that the users can obtain the redirect URL.
This feature takes effect only on wired 802.1X and MAC authentication users authorized with a redirection URL.
If you change the temporary redirect setting, the change takes effect only on users that come online afterwards or users that are reauthorized.
Examples
# In ISP domain test, enable the temporary redirect feature.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] redirect move-temporarily enable
Related commands
display domain
service-type (ISP domain view)
Use service-type to specify the service type for users in an ISP domain.
Use undo service-type to restore the default.
Syntax
service-type { hsi | stb | voip }
undo service-type
Default
The service type is hsi for users in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through PPP or 802.1X.
stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.
voip: Specifies the Voice over IP (VoIP) service. This service is applicable to users that access the network through IP phones.
Usage guidelines
When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.
When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.
When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.
Forand PPP (excluding PPPoE), and 802.1X users, the system uses the HSI service forcibly even if the STB or VoIP service is specified.
You can configure only one service type for an ISP domain.
Examples
# Specify the STB service for users in ISP domain test.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] service-type stb
session-time include-idle-time
Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.
Use undo session-time include-idle-time to restore the default.
Syntax
session-time include-idle-time
undo session-time include-idle-time
Default
The device does not include the idle timeout period in the user online duration sent to the server.
Views
ISP domain view
Predefined user roles
network-admin
Usage guidelines
Whether to configure the device to include the idle timeout period in the user online duration sent to the server, depending on the accounting policy in your network. The idle timeout period is assigned to users by the authorization server after the users pass authentication. For portal users, the device includes the idle timeout period set for the online portal user detection feature in the user online duration. For more information about online detection for portal users, see portal authentication configuration in User Access and Authentication Configuration Guide.
If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.
· If the session-time include-idle-time command is used, the user's online duration sent to the server includes the idle timeout period. The online duration that is generated on the server is longer than the actual online duration of the user.
· If the undo session-time include-idle-time command is used, the user's online duration sent to the server excludes the idle timeout period. The online duration that is generated on the server is shorter than the actual online duration of the user.
Examples
# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] session-time include-idle-time
Related commands
display domain
snmp-agent trap enable local-server
Use snmp-agent trap enable local-server to enable SNMP notifications for password changes of local users.
Use undo snmp-agent trap enable local-server to disable SNMP notifications for password changes of local users.
Syntax
snmp-agent trap enable local-server [ manage-password-change | network-password-change ] *
undo snmp-agent trap enable local-server [ manage-password-change | network-password-change ] *
Default
All SNMP notifications are disabled for password changes of local users.
Views
System view
Predefined user roles
network-admin
Parameters
manage-password-change: Specifies password changes of device management users.
network-password-change: Specifies password changes of network access users.
Usage guidelines
With SNMP notifications enabled for password changes of local users, the system generates alarms when one of the following cases occurs:
· The password of a local user is configured or changed from the CLI.
· The password of a local user is changed through NETCONF or MIB, or from the Web interface.
· The password of a portal or SSL VPN user is changed online on the login page.
For RADIUS SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
If you do not specify any keywords, the command enables SNMP notifications for password changes of both device management users and network access users.
Examples
# Enable SNMP notifications for password changes of local users.
<Sysname> system-view
[Sysname] snmp-agent trap enable local-server manage-password-change
state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block [ time-range ] [ offline ] }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. This keyword takes effect on all types of users except the SSH users that perform publickey authentication.
time-range: Places the ISP domain in blocked state based on time ranges. If you specify the block keyword but do not specify the time-range keyword, the ISP domain is always placed in blocked state.
offline: Logs off online users (including 802.1X, MAC authentication, portal, and PPP users) in the ISP domain when the state of the ISP domain changes to blocked. If you specify the block keyword but do not specify the offline keyword, the users in the ISP domain stay online when the state of the ISP domain changes to blocked.
Usage guidelines
To block an ISP domain based on time ranges, specify the time-range keyword in this command, and specify time ranges by using the state block time-range name command.
Examples
# Place ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] state block
Related commands
display domain
state block time-range name
user-address-type
Use user-address-type to specify the user address type in the ISP domain.
Use undo user-address-type to restore the default.
Syntax
user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }
undo user-address-type
Default
No user address type is specified for the ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ds-lite: Specifies the DS-Lite address type.
ipv6: Specifies the IPv6 address type.
nat64: Specifies the NAT64 address type.
private-ds: Specifies the private-DS address type.
private-ipv4: Specifies the private IPv4 address type.
public-ds: Specifies the public-DS address type.
public-ipv4: Specifies the public IPv4 address type.
Usage guidelines
Specify the address type for users in an ISP domain according to the actual customer network environment and address assignment policies for the users.
On a CGN network, make sure the correct address type is specified on the device and users obtain private IP addresses of the specified type. Then, the device can cooperate with NAT to implement public IP address assignment, port block assignment, and user tracking after the users pass authentication. For more information about NAT, see NAT Configuration Guide.
Any change to the user address type does not affect online users.
Examples
# Specify the private IPv4 address type for users in ISP domain test.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] user-address-type private-ipv4
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Usage guidelines
The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.
As a best practice to ensure accuracy for this command on network access users, execute the accounting start-fail offline command in the view of the users' ISP domain.
Examples
# Set the maximum number of concurrent logins to 5 for users using the local user name abc.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-manage-abc] access-limit 5
Related commands
accounting start-fail offline
display local-user
access-user email authentication
Use access-user email authentication to specify the username and password used to log in to the SMTP server that sends email notifications to network access users.
Use undo access-user email authentication to restore the default.
Syntax
access-user email authentication username user-name password { cipher | simple } string
undo access-user email authentication
Default
No SMTP server username or password is specified.
Views
System view
Predefined user roles
network-admin
Parameters
username user-name: Specifies the username, a case-sensitive string of 1 to 63 characters.
password: Specifies the password.
cipher: Specifies the password in encrypted form.
simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
If the SMTP server requires a username and password for login, you must use this command to specify the username and password on the device.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the username to abc and the password to 123 for logging in to the SMTP server that sends email notifications to network access users.
<Sysname> system-view
[Sysname] access-user email authentication username abc password simple 123
Related commands
access-user email format
access-user email sender
access-user email smtp-server
access-user email format
Use access-user email format to configure the subject and body for the email notifications to send to network access users.
Use undo access-user email format to restore the default.
Syntax
access-user email format { body body-string | subject sub-string }
undo access-user email format { body | subject }
Default
The email subject is Password reset notification.
The email body is as follows:
A random password has been generated for your account.
Username: xxx
Password: yyy
Validity: YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss
The xxx string represents the username, the yyy string represents the password, and the YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss string represents the validity period.
Views
System view
Predefined user roles
network-admin
Parameters
body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.
subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.
Usage guidelines
You can configure the device to generate a random password for a network access user on the Web interface. The random password is sent to the user by email. Use this command to configure the email subject and body content.
The email body includes the string configured by using the body-string argument and the following information:
Username: xxx
Password: yyy
Validity: YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss
The xxx string represents the username, the yyy string represents the password, and the YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss string represents the validity period.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the subject and body for the email notifications to send to network access users.
<Sysname> system-view
[Sysname] access-user email format subject new password setting
[Sysname] access-user email format body The username, password, and validity period of the account are given below.
Related commands
access-user email authentication
access-user email sender
access-user email smtp-server
access-user email sender
Use access-user email sender to configure the email sender address in email notifications sent by the device to network access users.
Use undo access-user email sender to restore the default.
Syntax
access-user email sender email-address
undo access-user email sender
Default
No email sender address is configured for the email notifications sent by the device to network access users.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters. The string must contain an at sign (@), and it can contain only one at sign (@). In addition, the string cannot contain only the at sign (@).
Usage guidelines
If you do not specify the email sender address, the device cannot send email notifications to any network access users.
The device supports only one email sender address for network access users. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the email sender address as [email protected] for email notifications of network access users.
<Sysname> system-view
[Sysname] access-user email sender [email protected]
Related commands
access-user email authentication
access-user email format
access-user email smtp-server
access-user email smtp-server
Use access-user email smtp-server to specify an SMTP server to send email notifications of network access users.
Use undo access-user email smtp-server to restore the default.
Syntax
access-user email smtp-server url-string
undo access-user email smtp-server
Default
No SMTP server is specified to send email notifications of network access users.
Views
System view
Predefined user roles
network-admin
Parameters
url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.
Usage guidelines
You can specify only one SMTP server to send email notifications of network access users.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SMTP server at smtp://www.example.com/smtp to send email notifications of network access users.
<Sysname> system-view
[Sysname] access-user email smtp-server smtp://www.example.com/smtp
Related commands
access-user email authentication
access-user email format
access-user email sender
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minutes | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | subscriber-id | url | user-profile | user-role role-name | vlan | vpn-instance | work-directory } *
Default
The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view
User group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument varies by device model. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.
callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.
ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication. You can specify this option only in local user view. This option is not supported in user group view.
ip-pool ipv4-pool-name: Specifies an IPv4 pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.
ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication. You can specify this option only in local user view. This option is not supported in user group view.
ipv6-pool ipv6-pool-name: Specifies an IPv6 pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.
ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128.
primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.
primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.
secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.
secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.
session-timeout minutes: Specifies the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.
url url-string: Specifies a redirect URL for wireless MAC authentication users and wireless 802.1X users and specifies a PPPoE Active Discovery Message (PADM) URL for PPPoE users. The url-string argument is a case-sensitive string of 1 to 255 characters. For wireless MAC authentication and 802.1X users, you can configure the redirect URL to push advertisements or notifications to the users after they pass authentication or push bill overdue notifications to the users. In addition, the URL must start with http:// or https://. For PPPoE users, you must specify a URL that uses port number 80 or 8080.
user-group user-group-name: Specifies the name of a local user group, a case-insensitive string of 1 to 32 characters. This option is available only in local user view. Do not specify this option in user group view.
user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. The user profile restricts the behavior of authenticated users. For more information, see User Access and Authentication Configuration Guide.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the user belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. After passing authentication, the user has permission to access the network resources in the specified VPN.
wlan-vlan wlan-vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. This option takes effect only on wireless users.
wlan-vlan-group wlan-vlan-group-name: Specifies a VLAN group by its name, a case-sensitive string of 1 to 32 characters. The name must start with a letter. This option takes effect only on wireless users.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ipv6, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-group-profile, session-timeout, subscriber-id, user-profile, vpn-instance, user-group, and url.
For portal users, only the following authorization attributes take effect: acl, ip-pool, ipv6-pool, user-group, user-profile, and session-timeout. The user-group attribute takes effect only on wireless users.
For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, url, user-group, user-profile, wlan-vlan, wlan-vlan-group, and vlan. The idle-cut, wlan-vlan, wlan-vlan-group, user-group, and url authorization attributes take effect only on wireless users.
For SSH, Telnet, and terminal users, only the authorization attributes idle-cut and user-role take effect.
For HTTP and HTTPS users, only the authorization attribute user-role takes effect.
For FTP users, only the authorization attributes user-role and work-directory take effect.
For IKE users, only the authorization attributes ip-pool, ip, and ipv6 take effect.
For other types of local users, no authorization attribute takes effect.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
When you specify an authorization ACL, the following restrictions apply:
· The authorization ACL is invalid if it does not exist or does not contain rules. If strict checking on authorization ACLs is enabled for portal users in this situation, portal users will be forced offline.
· Support for the VPN instance parameter in the ACL rules for LAN users depends on the device model.
· Support for the VPN instance parameter in the ACL rules for portal users depends on the device model.
· For portal users to come online after passing authentication, make sure ACLs assigned to portal users do not have rules specified with a source IP or MAC address.
To make sure FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify chassis or slot information for the working directory.
To make sure the user have only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.
The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see configuring the information center in System Management Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.
You cannot delete a local user if the local user is the only user that has the security-audit user role.
The security-audit user role is mutually exclusive with other user roles.
· When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.
· When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.
Examples
# Configure the authorized VLAN of network access user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
# Assign the security-audit user role to device management user xyz as the authorized user role.
<Sysname> system-view
[Sysname] local-user xyz class manage
[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit
This operation will delete all other roles of the user. Are you sure? [Y/N]:y
Related commands
display local-user
display user-group
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
Default
No binding attributes are configured for a local user.
Views
Local user view
Predefined user roles
network-admin
Parameters
call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.
location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN, PPP, and portal users.
mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN, PPP, and portal users.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN, PPP, and portal users.
Usage guidelines
To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.
Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.
The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.
· If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.
· If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.
· If the user is a portal user, specify the portal-enabled interface. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.
Examples
# Bind MAC address 11-11-11 with network access user abc.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] bind-attribute mac 11-11-11
Related commands
display local-user
company
Use company to specify the company of a local guest.
Use undo company to restore the default.
Syntax
company company-name
undo company
Default
No company is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.
Examples
# Specify company yyy for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] company yyy
Related commands
display local-user
description
Use description to configure a description for a network access user.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a network access user.
Views
Network access user view
Predefined user roles
network-admin
Parameters
text: Configures a description, case-sensitive string of 1 to 255 characters.
Usage guidelines
To mark a network access user for special displaying or management purposes, configure description #user_from_server# for the user. The purposes depend on the implementation of the management side.
Examples
# Configure a description for network access user 123.
<Sysname> system-view
[Sysname] local-user 123 class network
[Sysname-luser-network-123] description Manager of MSC company
Related commands
display local-user
display local-guest waiting-approval
Use display local-guest waiting-approval to display pending registration requests for local guests.
Syntax
display local-guest waiting-approval [ user-name user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
user-name user-name: Specifies a local guest by the username, a string of 1 to 80 characters. If you do not specify a guest, this command displays pending registration requests for all local guests. The username of the specified guest can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a, al, or all.
· The domain name is a case-insensitive string and cannot contain an at sign (@).
Usage guidelines
On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approves the requests. The device then creates local guest accounts based on the approved requests.
Examples
# Display all pending registration requests for local guests.
<Sysname> display local-guest waiting-approval
Total 1 guest entries matched.
Guest user Smith:
Full name : Smith Li
Company : YYY
Email : [email protected]
Phone : 139189301033
Description: The employee of YYY company
Table 4 Command output
|
Field |
Description |
|
Total 1 guest entries matched. |
Number of local guests that have pending registration requests. |
|
Full name |
Full name of the local guest. |
|
Company |
Company name of the local guest. |
|
|
Email address of the local guest. |
|
Phone |
Phone number of the local guest. |
|
Description |
Description of the local guest. |
Related commands
reset local-guest waiting-approval
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class: Specifies the local user type.
manage: Device management user.
network: Network access user.
guest: Guest user account.
idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature.
service-type: Specifies the local users that use a specific type of service.
advpn: ADVPN tunnel users.
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ike: IKE users that access the network through IKE extended authentication.
lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.
portal: Portal users.
ppp: PPP users.
ssh: SSH users.
telnet: Telnet users.
terminal: Terminal users that log in through console ports.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a, al, or all.
· The domain name is a case-insensitive string and cannot contain an at sign (@).
vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.
Usage guidelines
If you do not specify any parameters, this command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
Total 3 local users matched.
Device management user root:
State: Active
Service type: SSH/Telnet/Terminal
Access limit: Enabled
Max access number: 3
Current access number: 1
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: network-admin
Password control configurations:
Password aging: 3 days
Password history was last reset: 0 days ago
Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds
Network access user jj:
State: Active
Service type: LAN-access
User group: system
Bind attributes:
IP address: 2.2.2.2
Location bound: Ten-GigabitEthernet0/0/6
MAC address: 0001-0001-0001
VLAN ID: 2
Authorization attributes:
Idle timeout: 33 minutes
Work directory: flash:
ACL number: 2000
User profile: pp
User role list: network-operator, level-0, level-3
Description: A network access user from company cc
Validity period:
Start date and time: 2020/01/01-00:01:01
Expiration date and time: 2020/01/01-01:01:01
Password control configurations:
Password length: 4 characters
Network access guest user1:
State: Active
Service type: LAN-access/Portal
User group: guest1
Full name: Jack
Company: cc
Email: [email protected]
Phone: 131129237
Sponsor full name: Sam
Sponsor department: security
Sponsor email: [email protected]
Description: A guest from company cc
Validity period:
Start date and time: 2020/02/01-08:00:00
Expiration date and time: 2020/02/03-18:00:00
Table 5 Command output
|
Field |
Description |
|
State |
Status of the local user: active or blocked. |
|
Service type |
Service types that the local user can use. |
|
Access limit |
Whether the concurrent login limit is enabled. |
|
Max access number |
Maximum number of concurrent logins using the local user name. |
|
Current access number |
Current number of concurrent logins using the local user name. |
|
User group |
Group to which the local user belongs. |
|
Bind attributes |
Binding attributes of the local user. |
|
IP address |
IP address of the local user. |
|
Location bound |
Binding port of the local user. |
|
MAC address |
MAC address of the local user. |
|
VLAN ID |
Binding VLAN of the local user. |
|
WLAN VLAN ID |
Authorization VLAN of the local wireless user. |
|
WLAN VLAN group name |
Authorization VLAN group of the local wireless user. |
|
Calling number |
Calling number of the ISDN user. |
|
Authorization attributes |
Authorization attributes of the local user. |
|
Idle timeout |
Idle timeout period of the user, in minutes. |
|
Session-timeout |
Session timeout timer for the user, in minutes. |
|
Callback number |
Authorized PPP callback number of the local user. |
|
Work directory |
Directory that the FTP, SFTP, or SCP user can access. |
|
ACL number |
Authorization ACL of the local user. |
|
VLAN ID |
Authorized VLAN of the local user. |
|
User profile |
Authorization user profile of the local user. |
|
User role list |
Authorized roles of the local user. |
|
IP pool |
IPv4 pool authorized to the local user. |
|
IP address |
IPv4 address authorized to the local user. |
|
IPv6 address |
IPv6 address authorized to the local user. |
|
IPv6 prefix |
IPv6 address prefix authorized to the local user. |
|
IPv6 pool |
IPv6 pool authorized to the local user. |
|
Primary DNS server |
IPv4 address of the primary DNS server for the local user. |
|
Secondary DNS server |
IPv4 address of the secondary DNS server for the local user. |
|
Primary DNSV6 server |
IPv6 address of the primary DNS server for the local user. |
|
Secondary DNSV6 server |
IPv6 address of the secondary DNS server for the local user. |
|
URL |
Authorization PADM URL for the local user. |
|
VPN instance |
Authorization VPN instance for the local user. |
|
Subscriber ID |
Subscriber ID of the local user. |
|
Session group profile |
Session group profile of the local user. |
|
User group |
User group of the local user. |
|
Password control configurations |
Password control attributes that are configured for the local user. |
|
Password aging |
This field displays the password aging time if local user password aging is enabled. If the feature is disabled, this field displays Disabled. |
|
Password length |
Minimum number of characters that a password must contain. |
|
Password composition |
Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password. |
|
Password complexity |
Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times. |
|
Maximum login attempts |
Maximum number of consecutive failed login attempts. |
|
Action for exceeding login attempts |
Action to take on the user that failed to log in after using up all login attempts. |
|
Password history was last reset |
The most recent time that the history password records were cleared. |
|
Password remaining lifetime |
Remaining aging time for the password. |
|
Full name |
Name of the local guest. |
|
Company |
Company name of the local guest. |
|
|
Email address of the local guest. |
|
Phone |
Phone number of the local guest. |
|
Sponsor full name |
Name of the guest sponsor. |
|
Sponsor department |
Department of the guest sponsor. |
|
Sponsor email |
Email address of the guest sponsor. |
|
Description |
Description of the network access user. |
|
Validity period |
Validity period of the network access user. |
|
Start date and time |
Date and time from which the network access user begins to take effect. |
|
Expiration date and time |
Date and time at which the network access user expires. |
display local-user access-count
Use display local-user access-count to display access statistics for a local user.
Syntax
display local-user user-name user-name class { manage | network } access-count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
user-name user-name: Specifies all local users using the specified username. The username is a string of 1 to 55 characters. The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), or right angle bracket (>). It also cannot be a, al, or all.
class: Specifies the local user type.
manage: Specifies the device management user.
network: Specifies the network access user.
Examples
# Display access statistics for device management user admin.
<Sysname> display local-user user-name admin class manage access-count
Device management user admin:
Configured access limit: 30
Current access count: 15
Access method Slot Access count
Telnet 1 10
SSH 1 5
Table 6 Command output
|
Field |
Description |
|
Configured access limit |
Maximum number of concurrent logins using the local user name. |
|
Current access count |
Current number of concurrent logins using the local user name. |
|
Access method |
Access type of the user: · ADVPN. · Telnet. · SSH. · HTTP. · HTTPS. · Terminal. · IPoE. · LAN access. · Portal. · PPP. · SSL VPN. |
|
Access count |
Current number of concurrent logins of the specified access type that use the specified local username. |
Related commands
access-limit
display user-group
Use display user-group to display user group configuration.
Syntax
display user-group { all | name group-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all user groups.
name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Display the configuration of all user groups.
<Sysname> display user-group all
Total 2 user groups matched.
User group: system
Group ID: 1
Authorization attributes:
Work directory: flash:
User-Isolation: Not configured
User group: jj
Group ID: 2
Authorization attributes:
Idle timeout: 2 minutes
Callback number: 2:2
Work directory: flash:/
ACL number: 2000
VLAN ID: 2
User profile: pp
User-Isolation: Intra-group
Password control configurations:
Password aging: 2 days
Table 7 Command output
|
Field |
Description |
|
User group |
User group name. |
|
Authorization attributes |
Authorization attributes of the user group. |
|
Idle timeout |
Idle timeout period, in minutes. |
|
Session-timeout |
Session timeout timer, in minutes. |
|
Callback number |
Authorized PPP callback number. |
|
Work directory |
Directory that FTP, SFTP, or SCP users in the group can access. |
|
ACL number |
Authorization ACL. |
|
VLAN ID |
Authorized VLAN. |
|
User profile |
Authorization user profile. |
|
IP pool |
IPv4 pool authorized to the user group. |
|
IPv6 prefix |
IPv6 address prefix authorized to the user group. |
|
IPv6 pool |
IPv6 pool authorized to the user group. |
|
Primary DNS server |
IPv4 address of the primary DNS server authorized to the user group. |
|
Secondary DNS server |
IPv4 address of the secondary DNS server authorized to the user group. |
|
Primary DNSV6 server |
IPv6 address of the primary DNS server authorized to the user group. |
|
Secondary DNSV6 server |
IPv6 address of the secondary DNS server authorized to the user group. |
|
URL |
Authorization PADM URL for the user group. |
|
VPN instance |
Authorization VPN instance for the user group. |
|
User isolation |
User group-based user isolation policy. Options include: · Intra-group—Intra-group isolation. · Inter-group—Inter-group isolation. |
|
Password control configurations |
Password control attributes that are configured for the user group. |
|
Password aging |
Password expiration time. |
|
Password length |
Minimum number of characters that a password must contain. |
|
Password composition |
Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password. |
|
Password complexity |
Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times. |
|
Maximum login attempts |
Maximum number of consecutive failed login attempts. |
|
Action for exceeding login attempts |
Action to take on the user that failed to log in after using up all login attempts. |
Use email to configure an email address for a local guest.
Use undo email to restore the default.
Syntax
email email-string
undo email
Default
No email address is configured for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, [email protected]. The address must comply with RFC 822.
Usage guidelines
The local guest uses the email address to receive notifications from the device.
Examples
# Configure the email address as [email protected] for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] email [email protected]
Related commands
display local-user
full-name
Use full-name to configure the name of a local guest.
Use undo full-name to restore the default.
Syntax
full-name name-string
undo full-name
Default
No name is configured for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.
Examples
# Configure the name as abc Snow for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] full-name abc Snow
Related commands
display local-user
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to user group system.
Views
Local user view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user
local-guest email format
Use local-guest email format to configure the subject and body for the email notifications of local guest information.
Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.
Syntax
local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }
undo local-guest email format to { guest | manager | sponsor } { body | subject }
Default
No subject or body is configured for the email notifications of local guest information.
Views
System view
Predefined user roles
network-admin
Parameters
to: Specifies the email recipient.
guest: Specifies the local guest.
manager: Specifies the guest manager.
sponsor: Specifies the guest sponsor.
body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.
subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.
Usage guidelines
Email notifications need to be sent to notify the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device.
You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.
You must configure both the subject and body for each recipient.
Examples
# Configure the subject and body for the email notifications to send to the local guest.
<Sysname> system-view
[Sysname] local-guest email format to guest subject Guest account information
[Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.
Related commands
local-guest email sender
local-guest email smtp-server
local-guest manager-email
local-guest send-email
local-guest email sender
Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.
Use undo local-guest email sender to restore the default.
Syntax
local-guest email sender email-address
undo local-guest email sender
Default
No email sender address is configured for the email notifications of local guests sent by the device.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters.
Usage guidelines
If you do not specify the email sender address, the device cannot send email notifications.
The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the email sender address as [email protected] for email notifications of local guests.
<Sysname> system-view
[Sysname] local-guest email sender [email protected]
Related commands
local-guest email format
local-guest email smtp-server
local-guest manager-email
local-guest send-email
local-guest email smtp-server
Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.
Use undo local-guest email smtp-server to restore the default.
Syntax
local-guest email smtp-server url-string
undo local-guest email smtp-server
Default
No SMTP server is specified to send email notifications of local guests.
Views
System view
Predefined user roles
network-admin
Parameters
url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SMTP server at smtp://www.test.com/smtp to send local guest email notifications.
<Sysname> system-view
[Sysname] local-guest email smtp-server smtp://www.test.com/smtp
Related commands
local-guest email format
local-guest email sender
local-guest manager-email
local-guest send-email
local-guest generate
Use local-guest generate to create local guests in batch.
Syntax
local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time
Views
System view
Predefined user roles
network-admin
Parameters
username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 70 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.
suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.
group group-name: Specifies a user group by the name. The group-name argument is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group system.
count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.
validity-datetime: Specifies the validity period of the local guests.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the end date and time of the validity period.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
Usage guidelines
Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix. The system increases the start suffix number by 1 for each new local guest created in the batch.
The device generates plaintext passwords by using the password prefix and suffix number in the same way it batch creates the local guest names.
Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.
If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.
Examples
# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2020/01/01 00:00:00 to 2020/02/02 12:00:00.
<Sysname> system-view
[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2020/01/01 00:00:00 to 2020/02/02 12:00:00
Related commands
local-user
display local-user
local-guest manager-email
Use local-guest manager-email to configure the email address of the guest manager.
Use undo local-guest manager-email to restore the default.
Syntax
local-guest manager-email email-address
undo local-guest manager-email
Default
No email address is configured for the guest manager.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, [email protected]. The address must comply with RFC 822.
Usage guidelines
Use this command to specify the email address to which the device sends the local guest registration requests for approval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the email address of the guest manager as [email protected].
<Sysname> system-view
[Sysname] local-guest manager-email [email protected]
Related commands
local-guest email format
local-guest email sender
local-guest email smtp-server
local-guest send-email
local-guest send-email
Use local-guest send-email to send emails to a local guest or guest sponsor.
Syntax
local-guest send-email user-name user-name to { guest | sponsor }
Views
User view
Predefined user roles
network-admin
Parameters
user-name user-name: Specifies a local guest by the username, a string of 1 to 80 characters. The username of the specified guest can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a, al, or all.
· The domain name is a case-insensitive string and cannot contain an at sign (@).
to: Specifies the email recipient.
guest: Specifies the local guest.
sponsor: Specifies the guest sponsor.
Usage guidelines
Device managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.
Examples
# Send an email to notify local guest abc of the guest password and validity period information.
<Sysname> local-guest send-email user-name abc to guest
sponsor-email
local-guest timer
Use local-guest timer to set the waiting-approval timeout timer for local guests.
Syntax
local-guest timer waiting-approval time-value
undo local-guest timer waiting-approval
Default
The setting is 24 hours.
Views
System view
Predefined user roles
network-admin
Parameters
time-value: Specifies the waiting-approval timeout timer in the range of 1 to 720, in hours.
Usage guidelines
The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request.
Examples
# Set the waiting-approval timeout timer to 12 hours.
<Sysname> system-view
[Sysname] local-guest timer waiting-approval 12
local-user
Use local-user to add a local user and enter its view, or enter the view of an existing local user.
Use undo local-user to delete local users.
Syntax
local-user user-name [ class { manage | network [ guest ] } ]
undo local-user { user-name class { manage | network [ guest ] } | all [ class { manage | network [ guest ] } |service-type { advpn | ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } ] }
Default
No local users exist.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Specifies the username of the local user, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a substring of all or auto-delete that starts with character a (for example, a, al, all, au, aut, auto, or auto-).
· The domain name is a case-insensitive string and cannot contain an at sign (@).
class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.
manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.
network: Network access user that accesses network resources through the device. Network access users can use ADVPN, IKE, LAN access, portal, and PPP services.
guest: Guest that can access network resources through the device during a specific validity period. Guests can use LAN access and portal services.
all: Specifies all users.
service-type: Specifies the local users that use a specific type of service.
advpn: ADVPN tunnel users.
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ike: IKE users that access the network through IKE extended authentication.
lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.
portal: Portal users.
ppp: PPP users.
ssh: SSH users.
telnet: Telnet users.
terminal: Terminal users that log in through console ports.
Usage guidelines
In local authentication, a username and user type uniquely identifies a local user. The username is used to match the pure username parsed from the username entered by the user. The user type restricts the service types that can be used by the user.
The device supports multiple local users. The maximum number of device management users varies by device model. The maximum number of network access users varies by device model.
If the local username contains Chinese characters, make sure the endpoint software used at device login adopts the same character set encoding format as the device. If they use different encoding formats, the username cannot be correctly decoded on the device, which might cause local authentication failure. To view the encoding format used by the device, execute the display character-encoding command.
Some device models do not suppor creating a local management user with the same name as the default user.
Examples
# Add a device management user named user1 and enter local user view.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1]
# Add a network access user named user2 and enter local user view.
<Sysname> system-view
[Sysname] local-user user2 class network
[Sysname-luser-network-user2]
# Add a local guest named user3 and enter local guest view.
Sysname> system-view
[Sysname] local-user user3 class network guest
[Sysname-luser-network(guest)-user3]
Related commands
display local-user
display character-encoding (Fundamentals Command Reference)
service-type (local user view)
local-user-export class network
Use local-user-export class network to export network access user account information to a .csv file.
Syntax
local-user-export class network url url-string [ from { group group-name | user user-name } ]
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.
from: Specifies the range of users to be exported. If you do not specify this keyword, the command exports all network access users on the device.
group group-name: Specifies a user group by the name, a case-insensitive string of 1 to 32 characters.
user user-name: Specifies a user by the name, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a, al, or all.
· The domain name is a case-insensitive string and cannot contain an at sign (@).
Usage guidelines
You can import the user account information back to the device or to other devices that support the local-user-import class network command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network."
The device supports TFTP and FTP file transfer modes. Table 8 describes the valid URL formats of the .csv file.
|
Protocol |
URL format |
Description |
|
TFTP |
tftp://server/path/filename |
Specify a TFTP server by IP address or hostname. The path parameter represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
|
FTP |
· With FTP user name and password: · Without FTP user name and password: |
Specify an FTP server by IP address or hostname. The path parameter represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Export network access user account information to the identityuser.csv file in the ftp://1.1.1.1/user/ path.
<Sysname> system-view
[Sysname] local-user-export class network url ftp://1.1.1.1/user/identityuser.csv
Related commands
display local-user
local-user-import class network
local-user-export class network guest
Use local-user-export class network guest to export local guest account information to a .csv file.
Syntax
local-user-export class network guest url url-string
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.
Usage guidelines
You can import the user account information back to the device or to other devices that support the local-user-import class network guest command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network guest."
The device supports TFTP and FTP file transfer modes. Table 9 describes the valid URL formats of the .csv file.
|
Protocol |
URL format |
Description |
|
TFTP |
tftp://server/path/filename |
Specify a TFTP server by IP address or hostname. The path parameter represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
|
FTP |
· With FTP user name and password: · Without FTP user name and password: |
Specify an FTP server by IP address or hostname. The path parameter represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Export local guest account information to the guest.csv file in the ftp://1.1.1.1/user/ path.
<Sysname> system-view
[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv
Related commands
display local-user
local-user-import class network guest
local-user-import class network
Use local-user-import class network to import user information from a .csv file and create network access users based on the imported information.
Syntax
local-user-import class network url url-string [ auto-create-group | override | start-line line-number ] *
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the URL of the source file, a case-insensitive string of 1 to 255 characters.
auto-create-group: Enables the device to automatically create user groups for the imported network access users if the groups do not exist on the device. If you do not specify this keyword, the device ignores the nonexistent user groups of the network access users and assigns the users to the predefined user group system.
override: Specifies the device to override the existing account with the same name as a user account to be imported. If you do not specify this keyword, the device retains the existing account information.
start-line line-number: Specifies the number of the line at which the account import begins. The value range for the line-number argument is 1 to 1048576. If you do not specify this option, the command imports information about all user accounts in the file.
Usage guidelines
The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:
· Username—The username cannot be empty and is a string of 1 to 80 characters. The username can be a pure username or contain a domain name (in the format of pure-username@domain-name).
¡ The pure username is a case-sensitive string and must meet the following requirements:
- Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
- Cannot be a, al, or all.
¡ The domain name is a case-insensitive string and cannot contain an at sign (@).
|
|
IMPORTANT: Any invalid character results in account import failure and interruption. |
· Password form—Plaintext or encrypted form. If the parameter is empty, the password is in encrypted form.
· Password—The encrypted form is a case-sensitive string of 1 to 117 characters. The plaintext form is a case-sensitive string of 1 to 64 characters. If the device fails to parse the password or the password is empty, the device imports the account without a password.
· Authorization user group—User group to which the user belongs after the user passes local authentication. The group name is a case-insensitive string of 1 to 32 characters. If the parameter is empty, the device assigns the user to the default user group system.
· Identity groups—Groups for identity-based access control. A user can belong to multiple identity groups. An identity group name is a case-insensitive string of 1 to 32 characters. Separate identity group names by the string 0x0A. If the parameter is empty, the user does not belong to any identity group.
· Service types—Services to assign to the user. Available services include portal, PPP, LAN access, ADVPN, and IKE. A service name is case insensitive. Separate service types by the string 0x0A. If the parameter is empty, the user cannot use any service.
· Max concurrent logins—The maximum number of online users with the same user name. The value range is 1 to 1024. If the parameter is empty, the device does not restrict the number of online users with the same user name.
Separate different accounts by a carriage return and separate each parameter value of the same account by a comma (,). For example,
Jack,$c$3$uM6DH5empTfbsx341Qk/ORGozkbxNE0=,author-group1,parent-group1(0x0A)parent-group2,portal(0x0A)lan-access,1024
When you edit the .csv file, follow these restrictions and guidelines:
· Start lines with pound signs (#) to contain explanation information for usage guidelines. The device does not import the lines as user account information.
· Separate parameter values by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value into single quotation marks (') to avoid ambiguity. For example, if the authorization user group of a user is named as author,group, you must specify the authorization user group name as 'author,group' in the .csv file.
The device supports TFTP and FTP file transfer modes. Table 11 describes the valid URL formats of the .csv file.
Table 10 URL formats
|
Protocol |
URL format |
Description |
|
TFTP |
tftp://server/path/filename |
Specify a TFTP server by IP address or hostname. The path parameter represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
|
FTP |
· With FTP user name and password: · Without FTP user name and password: |
Specify an FTP server by IP address or hostname. The path parameter represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Import user account information from the localuser.csv file in the ftp://1.1.1.1/user/ path, and create network access users based on the imported information. Specify the device to ignore the accounts that have the same name as the existing accounts on the device. Enable the device to automatically create the user group of an imported network access user if the user group does not exist on the device.
<Sysname> system-view
[Sysname] local-user-import class network url ftp://1.1.1.1/user/localuser.csv auto-create-group
Related commands
local-user-export class network
local-user-import class network guest
Use local-user-import class network guest to import local guest account information from a .csv file to create local guests based on the imported information.
Syntax
local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.
validity-datetime: Specifies the guest validity period of the local guests.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the end date and time of the validity period.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group named system.
override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.
start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.
Usage guidelines
The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:
· Username—User name of the guest account. The user name cannot be empty.
· Password—Password of the guest account in plaintext form. If the password is empty, the device generates a random password in encrypted form for the guest.
· User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group named system.
· Guest full name—Name of the guest.
· Guest company—Company of the guest.
· Guest email—Email address of the guest.
· Guest phone—Phone number of the guest.
· Guest description—Description of the guest.
· Sponsor full name—Name of the guest sponsor.
· Sponsor department—Department of the guest sponsor.
· Sponsor email—Email address of the guest sponsor.
The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation results in account import failure and interruption. The system displays the number of the line where the account import is interrupted.
Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,
Jack,abc,visit,Jack Chen,ETP,[email protected],1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,[email protected]
The device supports TFTP and FTP file transfer modes. Table 11 describes the valid URL formats of the .csv file.
|
Protocol |
URL format |
Description |
|
TFTP |
tftp://server/path/filename |
Specify a TFTP server by IP address or hostname. The path parameter represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
|
FTP |
· With FTP user name and password: · Without FTP user name and password: |
Specify an FTP server by IP address or hostname. The path parameter represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.
<Sysname> system-view
[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2020/02/01 00:00:00 to 2020/02/02 12:00:00
Related commands
display local-user
local-user-export class network guest
password (device management user view)
Use password to configure a password for a device management user.
Use undo password to restore the default.
Syntax
password [ { hash | simple } string ]
undo password
Default
A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.
Views
Device management user view
Predefined user roles
network-admin
Parameters
hash: Specifies a password encrypted by the hash algorithm.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in hashed form.
string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters. Available characters include all visible characters except the question mark (?). Visible characters correspond to the ASCII codes in the range of 32 to 126. To contain a quotation mark (") or back slash (\) in the password, you must add an escape character (\) before the quotation mark or back slash. That is, enter \" to represent a quotation mark and enter \\ to represent a back slash. To contain spaces in the password, you must enclose the entire password string into a pair of quotation marks ("").
Usage guidelines
If you do not specify any parameters, you enter the interactive mode to set a plaintext password.
A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.
When global password control is enabled, the device handles passwords of device management users as follows:
· All passwords in the history records are saved in hashed form.
· If a user changes its own password in plaintext form, the system requests the user to enter the current plaintext password. The new password must be different from all passwords in the history records and the current password. In addition, the new password must have a minimum of four characters different from the current password.
· If a user changes the password for another user in plaintext form, the new password must be different from the latter user's all passwords in the history records and current password.
· If a user deletes its own password, the system requests the user to enter the current plaintext password.
· Except the above listed situations, the system does not request a user to enter the current plaintext password or compare the new password with passwords in the history records and the current password.
Examples
# Set the password to 123456TESTplat&! in plaintext form for device management user user1.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
# Configure the password in interactive mode for device management user test.
<Sysname> system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
Confirm:
Related commands
display local-user
password (network access user view)
Use password to configure a password for a network access user.
Use undo password to restore the default.
Syntax
password { cipher | simple } string
undo password
Default
A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.
Views
Network access user view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
As a best practice to enhance security, configure a password for each network access user.
When password control is enabled globally for network access users, the device neither displays the passwords of the users nor retains the passwords in the running configuration. To enable password control globally for network access users, use the password-control enable network-class command.
Examples
# Set the password to 123456TESTuser&! in plaintext form for network access user user1.
<Sysname> system-view
[Sysname] local-user user1 class network
[Sysname-luser-network-user1] password simple 123456TESTuser&!
Related commands
display local-user
password-control enable
phone
Use phone to specify the phone number of a local guest.
Use undo phone to restore the default.
Syntax
phone phone-number
undo phone
Default
No phone number is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
phone-number: Specifies the phone number, a string of 1 to 32 characters.
Examples
# Specify the phone number as 13813723920 for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] phone 13813723920
display local-user
reset local-guest waiting-approval
Use reset local-guest waiting-approval to clear pending registration requests for local guests.
Syntax
reset local-guest waiting-approval [ user-name user-name ]
Views
User view
Predefined user roles
network-admin
Parameters
user-name user-name: Specifies a local guest by the username, a string of 1 to 80 characters. If you do not specify a local guest, this command clears information about all registration requests for all local guests. The username of the specified local guest can be a pure username or contain a domain name (in the format of pure-username@domain-name).
· The pure username is a case-sensitive string and must meet the following requirements:
¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
¡ Cannot be a, al, or all.
· The domain name is a case-insensitive string and cannot contain an at sign (@).
Examples
# Clear information about all registration requests for local guests.
<Sysname> reset local-guest waiting-approval
Related commands
display local-guest waiting-approval
service-type (local user view)
Use service-type to specify the service types that a local user can use.
Use undo service-type to remove service types configured for a local user.
Syntax
service-type { advpn | ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }
undo service-type { advpn | ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }
Default
A local user is not authorized to use any service.
Views
Local user view
Predefined user roles
network-admin
Parameters
advpn: Authorizes the user to use the ADVPN service.
ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.
http: Authorizes the user to use the HTTP service.
https: Authorizes the user to use the HTTPS service.
ike: Authorizes the user to use the IKE extended authentication service.
lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a console port.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize device management user user1 to use the Telnet and FTP services.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] service-type telnet
[Sysname-luser-manage-user1] service-type ftp
Related commands
display local-user
sponsor-department
Use sponsor-department to specify the department of the guest sponsor for a local guest.
Use undo sponsor-department to restore the default.
Syntax
sponsor-department department-string
undo sponsor-department
Default
No department is specified for the guest sponsor of a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.
Examples
# Specify the department as test for the guest sponsor of local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-department test
display local-user
sponsor-email
Use sponsor-email to specify the email address of the guest sponsor for a local guest.
Use undo sponsor-email to restore the default.
Syntax
sponsor-email email-string
undo sponsor-email
Default
No email address is specified for the guest sponsor.
Views
Local guest view
Predefined user roles
network-admin
Parameters
email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.
Examples
# Specify the email address as [email protected] for the guest sponsor of local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-email [email protected]
display local-user
sponsor-full-name
Use sponsor-full-name to specify the guest sponsor name for a local guest.
Use undo sponsor-full-name to restore the default.
Syntax
sponsor-full-name name-string
undo sponsor-full-name
Default
No guest sponsor name is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
name-string: Specifies the guest sponsor name, a case-sensitive string of 1 to 255 characters.
Examples
# Specify the guest sponsor name as Sam Li for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li
Related commands
display local-user
state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Examples
# Place device management user user1 in blocked state.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter its view, or enter the view of an existing user group.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
A system-defined user group exists. The group name is system.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
A user group that has local users cannot be deleted.
You can modify settings for the system-defined user group named system, but you cannot delete the user group.
Examples
# Create a user group named abc and enter user group view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
user-isolation
Use user-isolation to configure the user group-based isolation policy.
Use undo user-isolation to remove the configured user group-based isolation policy.
Syntax
user-isolation { intra-group | inter-group } *
undo user-isolation { intra-group | inter-group } *
Default
No user group-based isolation policy is configured.
Views
User group view
Predefined user roles
network-admin
Parameters
intra-group: Specifies intra-group isolation. With this policy configured, users in this group cannot reach each other at Layer 2 or Layer 3.
inter-group: Specifies inter-group isolation. With this policy configured, users in this group cannot communicate with users in other groups.
Usage guidelines
To isolate wireless services by user group, you can authorize user groups to wireless users and configure user group-based isolation in user group view.
When you configure user group-based isolation, follow these restrictions and guidelines:
· User group-based user isolation takes effect only on unicast packets in a WLAN enabled with centralized forwarding.
· If wireless users are in different service VLANs, you must deploy the gateway on the AC to use the user group-based isolation feature.
· If a user in a user group has obtained the user group-based isolation policy, do not delete or edit the group as a best practice. If you delete or edit such a user group, isolation policy chaos might occur.
Examples
# Configure inter-group isolation for user group test.
<Sysname> system-view
[Sysname] user-group test
[Sysname-ugroup-test] user-isolation inter-group
Related commands
display user-group
validity-datetime
Use validity-datetime to specify the validity period for a network access user.
Use undo validity-datetime to restore the default.
Syntax
In network access user view:
validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }
undo validity-datetime
In local guest view:
validity-datetime from start-date start-time to expiration-date expiration-time
undo validity-datetime
Default
The validity period for a local user does not expire.
Views
Network access user view
Local guest view
Predefined user roles
network-admin
Parameters
from: Specifies the validity start date and time for the user. If you do not specify this option, the command defines only the expiration date and time of the user.
start-date: Specifies the date on which the user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the time on the day when the user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
Usage guidelines
Expired network access user accounts cannot be used for authentication.
When both from and to options are specified, the expiration date and time must be later than the validity start date and time.
When only the from option is specified, the user is valid since the specified date and time. When only the to option is specified, the user is valid until the specified date and time.
When the RADIUS server feature is enabled on the device, the RADIUS user data for authentication is automatically generated from the network access user configuration. The device ignores the validity start date and time of the RADIUS users.
Examples
# Specify the validity period for network access user 123.
<Sysname> system-view
[Sysname] local-user 123 class network
[Sysname-luser-network-123] validity-datetime from 2020/01/01 00:00:00 to 2020/02/02 12:00:00
Related commands
display local-user
RADIUS commands
aaa device-id
Use aaa device-id to configure the device ID.
Use undo aaa device-id to restore the default.
Syntax
aaa device-id device-id
undo aaa device-id
Default
The device ID is 0.
Views
System view
Predefined user roles
network-admin
Parameters
device-id: Specifies a device ID in the range of 1 to 255.
Usage guidelines
RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value that includes the device ID for each online user.
If you modify the device ID, the new device ID does not take effect on users that have been online during the change.
Examples
# Configure the device ID as 1.
<Sysname> system-view
[Sysname] aaa device-id 1
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to disable the accounting-on feature.
Syntax
accounting-on enable [ interval interval | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
After you enable the accounting-on feature in RADIUS scheme view, the device automatically monitors the link reachability status of all RADIUS accounting servers used by the scheme after restarting. Upon the corresponding link becoming reachable, the device sends an accounting-on message to the server and logs out all online users so they can log in again through the device.
Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.
Parameters set by using the accounting-on enable command take effect immediately.
Examples
# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme
accounting-on extended
Use accounting-on extended to enable the extended accounting-on feature.
Use undo accounting-on extended to disable the extended accounting-on feature.
Syntax
accounting-on extended
undo accounting-on extended
Default
The extended accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
network-operator
Usage guidelines
The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.
The extended accounting-on feature is applicable to LAN and PPP (L2TP LAC-side) users. The user data is saved to the cards through which the users access the device.
When this feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after a card reboots (device not reboot). The packet contains the card identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the device through the card. If no users have come online through the card, the device does not send an accounting-on packet to the RADIUS server after the card reboots.
The device uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.
Execute the save command to ensure that the accounting-on extended command takes effect at the next card reboot. For information about the save command, see Fundamentals Command Reference.
Examples
# Enable the extended accounting-on feature for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on extended
Related commands
accounting-on enable
display radius scheme
attribute 5 format
Use attribute 5 format to configure the format of the RADIUS NAS-Port attribute.
Use undo attribute 5 format to restore the default.
Syntax
attribute 5 format port
undo attribute 5 format
Default
The NAS-Port attribute contains the following portions:
· 8-bit slot number.
· 4-bit subslot number.
· 8-bit interface index.
· 12-bit VLAN ID.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
port: Specifies the port format.
Usage guidelines
RADIUS servers of different types might have different requirements for the format of the NAS-Port attribute. To ensure correct RADIUS packet exchange, make sure the format of the NAS-Port attribute meets the requirements of the RADIUS servers.
If you specify the port format, the NAS-Port attribute contains the last segment for the interface number of the interface through which a user accesses the device. For example, if a user accesses the device through Ten-GigabitEthernet 0/0/7, 2 is used as the value for the RADIUS NAS-Port attribute.
This command does not distinguish user access types and takes effect on RADIUS packets for all users.
Examples
# Configure the format of the RADIUS NAS-Port attribute as the port format in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 5 format port
Related commands
display radius scheme
attribute 15 check-mode
Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.
Use undo attribute 15 check-mode to restore the default.
Syntax
attribute 15 check-mode { loose | strict }
undo attribute 15 check-mode
Default
The strict check method applies for SSH, FTP, and terminal users.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, HTTP, HTTPS, and terminal services.
strict: Matches the extended Login-Service attribute values for the following types of users:
· 50—SSH.
· 51—FTP.
· 52—Terminal.
· 53—HTTP.
· 54—HTTPS.
Usage guidelines
Use the loose check method only when the server does not issue Login-Service attribute values for SSH, FTP, HTTP, HTTPS, and terminal users.
Examples
# Configure the Login-Service attribute check method as loose for users in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 15 check-mode loose
Related commands
display radius scheme
attribute 25 car
Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
The RADIUS class attribute is not interpreted as CAR parameters.
Views
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.
The device can interpret the RADIUS class attribute only in the format of string1string2string3string4 as CAR parameters. Each string contains eight characters and each character must be a digit from 0 to 9.
After the device interprets the RADIUS class attribute sent by a RADIUS server as CAR parameters, it carries the interpreted CAR parameters in the subsequent accounting packets sent to that server instead of carrying the original class attribute.
Examples
# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
display radius scheme
attribute 30 mac-format
Use attribute 30 mac-format to configure the format of the MAC address in the RADIUS Called-Station-Id attribute.
Use undo attribute 30 mac-format to restore the default.
Syntax
attribute 30 mac-format section { one | { six | three } separator separator-character } { lowercase | uppercase }
undo attribute 30 mac-format
Default
The MAC address in the RADIUS Called-Station-Id attribute is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
section: Specifies the number of sections that a MAC address contains.
one: Specifies the one-section format HHHHHHHHHHHH.
six: Specifies the six-section format HH-HH-HH-HH-HH-HH.
three: Specifies the three-section format HHHH-HHHH-HHHH.
separator separator-character: Specifies a case-sensitive character that separates the sections.
lowercase: Specifies the letters in a MAC address to be in lower case.
uppercase: Specifies the letters in a MAC address to be in upper case.
Usage guidelines
Configure the format of the MAC address in the RADIUS Called-Station-Id attribute to meet the requirements of the RADIUS servers.
Examples
# In RADIUS scheme radius1, specify hhhhhhhhhhhh as the format of the MAC address in the RADIUS Called-Station-Id attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 30 mac-format section one lowercase
Related commands
display radius scheme
attribute 87 format
Use attribute 87 format to configure the format of the RADIUS NAS-Port-Id attribute (attribute 87).
Use undo attribute 87 format to restore the default.
Syntax
attribute 87 format interface-name
undo attribute 87 format
Default
The default format varies by user access type.
· For portal users, the NAS-Port-Id attribute contains the following portions:
¡ 2-bit slot number.
¡ 2-bit 0s.
¡ 3-bit interface index.
¡ 9-bit VLAN ID.
· For IPoE and PPP users, the NAS-Port-Id attribute is in the format of slot=xx;subslot=xx;port=xx;vlanid=xx;vlanid2=xx.
¡ slot—Slot number.
¡ subslot—Subslot number.
¡ port—Interface index.
¡ vlanid—Outer VLAN ID.
¡ vlanid2—Inner VLAN ID.
· For 802.1X and MAC authentication users, the NAS-Port-Id attribute is in the format of slot=xx;subslot=xx;port=xx;vlanid=xx.
¡ slot—Slot number.
¡ subslot—Subslot number.
¡ port—Interface index.
¡ vlanid—VLAN ID.
· For login users, the NAS-Port-Id attribute is not included in RADIUS packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interface-name: Specifies the interface name format.
Usage guidelines
RADIUS servers of different types might have different requirements for the format of the NAS-Port-Id attribute. To ensure correct RADIUS packet exchange, configure the format of the NAS-Port-Id attribute to meet the requirements of the RADIUS servers.
If you specify the interface name format, the NAS-Port-Id attribute contains the name of the interface through which a user accesses the device. For example, if a user accesses the device through Ten-GigabitEthernet 0/0/6, Ten-GigabitEthernet 0/0/6 is used as the value for the RADIUS NAS-Port-Id attribute.
This command does not distinguish user access types and takes effect on RADIUS packets for all users.
Examples
# Configure the format of the RADIUS NAS-Port-Id attribute as the interface name format in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 87 format interface-name
Related commands
display radius scheme
attribute 182 vendor-id 25506 vlan
Use attribute 182 vendor-id 25506 vlan to enable the device to interpret the Microsegment-Id attribute to an authorization VLAN.
Use undo attribute 182 vendor-id 25506 vlan to disable the device from interpreting the Microsegment-Id attribute to an authorization VLAN.
Syntax
attribute 182 vendor-id 25506 vlan
undo attribute 182 vendor-id 25506 vlan
Default
The device is disabled from interpreting the Microsegment-Id attribute to an authorization VLAN.
Views
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
Use this command only when the RADIUS server uses authorization microsegment IDs for granular user access control and the access device uses authorization VLANs to implement microsegment-based access control.
This feature enables the device to interpret the RADIUS Microsegment-Id attribute (attribute 182 with vendor ID 25506) assigned by the RADIUS server to an authorization VLAN.
· If the attribute value is an integer, the device interprets this attribute to a VLAN ID.
· If the attribute value is not an integer, the device interprets this attribute to a VLAN name.
If the RADIUS server uses a RADIUS attribute other than the Microsegment-Id attribute to assign microsegment IDs, you must first convert the attribute to the Microsegment-Id attribute. To enable RADIUS attribute translation feature, use the attribute translate command.
Examples
# In RADIUS scheme radius1, enable the device to interpret the Microsegment-Id attribute to an authorization VLAN.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 182 vendor-id 25506 vlan
Related commands
attribute translate
display radius scheme
attribute convert (RADIUS DAS view)
Use attribute convert to configure a RADIUS attribute conversion rule.
Use undo attribute convert to delete RADIUS attribute conversion rules.
Syntax
attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }
undo attribute convert [ src-attr-name ]
Default
No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
coa-ack: Specifies the CoA acknowledgment packets.
coa-request: Specifies the CoA request packets.
received: Specifies the received DAE packets.
sent: Specifies the sent DAE packets.
Usage guidelines
The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.
The conversion rules take effect only when the RADIUS attribute translation feature is enabled.
When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
· The source and destination RADIUS attributes in a rule must use the same data type.
· The source and destination RADIUS attributes in a rule cannot use the same name.
· A source RADIUS attribute can be converted only by one criterion, packet type or direction.
· One source RADIUS attribute cannot be converted to multiple destination attributes.
If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
Examples
# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the Connect-Info attribute.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] attribute convert Hw-Server-String to Connect-Info received
Related commands
attribute translate
attribute convert (RADIUS scheme view)
Use attribute convert to configure a RADIUS attribute conversion rule.
Use undo attribute convert to delete RADIUS attribute conversion rules.
Syntax
attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
undo attribute convert [ src-attr-name ]
Default
No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
access-accept: Specifies the RADIUS Access-Accept packets.
access-request: Specifies the RADIUS Access-Request packets.
accounting: Specifies the RADIUS accounting packets.
received: Specifies the received RADIUS packets.
sent: Specifies the sent RADIUS packets.
Usage guidelines
The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.
The conversion rules take effect only when the RADIUS attribute translation feature is enabled.
When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
· The source and destination RADIUS attributes in a rule must use the same data type.
· The source and destination RADIUS attributes in a rule cannot use the same name.
· A source RADIUS attribute can be converted only by one criterion, packet type or direction.
· One source RADIUS attribute cannot be converted to multiple destination attributes.
If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
Examples
# In RADIUS scheme radius1, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute of received RADIUS packets with the Connect-Info attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute convert Hw-Server-String to Connect-Info received
Related commands
attribute translate
attribute reject (RADIUS DAS view)
Use attribute reject to configure a RADIUS attribute rejection rule.
Use undo attribute reject to delete RADIUS attribute rejection rules.
Syntax
attribute reject attr-name { { coa-ack | coa-request } * | { received | sent } * }
undo attribute reject [ attr-name ]
Default
No RADIUS attribute rejection rules exist.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
coa-ack: Specifies the CoA acknowledgment packets.
coa-request: Specifies the CoA request packets.
received: Specifies the received DAE packets.
sent: Specifies the sent DAE packets.
Usage guidelines
Configure RADIUS attribute rejection rules for the following purposes:
· Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.
· Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.
The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
A RADIUS attribute can be rejected only by one criterion, packet type or direction.
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] attribute reject Connect-Info sent
Related commands
attribute translate
attribute reject (RADIUS scheme view)
Use attribute reject to configure a RADIUS attribute rejection rule.
Use undo attribute reject to delete RADIUS attribute rejection rules.
Syntax
attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
undo attribute reject [ attr-name ]
Default
No RADIUS attribute rejection rules exist.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
access-accept: Specifies the RADIUS Access-Accept packets.
access-request: Specifies the RADIUS Access-Request packets.
accounting: Specifies the RADIUS accounting packets.
received: Specifies the received RADIUS packets.
sent: Specifies the sent RADIUS packets.
Usage guidelines
Configure RADIUS attribute rejection rules for the following purposes:
· Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.
· Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.
The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
A RADIUS attribute can be rejected only by one criterion, packet type or direction.
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute reject Connect-Info sent
Related commands
attribute translate
attribute remanent-volume
Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.
Use undo attribute remanent-volume to restore the default.
Syntax
attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }
undo attribute remanent-volume unit
Default
The data measurement unit is kilobyte for the Remanent_Volume attribute.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
byte: Specifies the unit as byte.
giga-byte: Specifies the unit as gigabyte.
kilo-byte: Specifies the unit as kilobyte.
mega-byte: Specifies the unit as megabyte.
Usage guidelines
Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.
Examples
# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte
Related commands
display radius scheme
attribute translate
Use attribute translate to enable the RADIUS attribute translation feature.
Use undo attribute translate to disable the RADIUS attribute translation feature.
Syntax
attribute translate
undo attribute translate
Default
The RADIUS attribute translation feature is disabled.
Views
RADIUS DAS view
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
To cooperate with RADIUS servers of different vendors, enable the RADIUS attribute translation feature. Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides.
Examples
# Enable the RADIUS attribute translation feature for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute translate
Related commands
attribute convert (RADIUS DAS view)
attribute convert (RADIUS scheme view)
attribute reject (RADIUS DAS view)
attribute reject (RADIUS scheme view)
attribute vendor-id 2011 version
Use attribute vendor-id 2011 version to specify the version of the RADIUS servers with a vendor ID of 2011.
Use undo attribute vendor-id 2011 version to restore the default.
Syntax
attribute vendor-id 2011 version { 1.0 | 1.1 }
undo attribute vendor-id 2011 version
Default
The version is 1.0.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
1.0: Specifies version 1.0.
1.1: Specifies version 1.1.
Usage guidelines
For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version the same as the actual version of the RADIUS servers.
The following table shows the differences in the way that the device interprets the vendor-specific RADIUS attributes assigned by different versions of RADIUS servers with vendor ID 2011.
|
RADIUS attribute |
RADIUS server with version 1.0 |
RADIUS server with version 1.1 |
|
HW_ARRT_26_1 |
Upstream peak rate |
Upstream burst size |
|
HW_ARRT_26_2 |
Upstream average rate |
Upstream average rate |
|
HW_ARRT_26_3 |
N/A |
Upstream peak rate |
|
HW_ARRT_26_4 |
Downstream peak rate |
Downstream burst size |
|
HW_ARRT_26_5 |
Downstream average rate |
Downstream average rate |
|
HW_ARRT_26_6 |
N/A |
Downstream peak rate |
Examples
# In RADIUS scheme radius1, specify the version of the RADIUS servers with a vendor ID of 2011 as version 1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute vendor-id 2011 version 1.1
Related commands
client
client
Use client to specify a RADIUS DAC.
Use undo client to remove a RADIUS DAC.
Syntax
client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vendor-id 2011 version { 1.0 | 1.1 } | vpn-instance vpn-instance-name ] *
undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No RADIUS DACs are specified.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a DAC by its IPv4 address.
ipv6 ipv6-address: Specifies a DAC by its IPv6 address.
key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
vendor-id 2011: Specifies the vendor-ID of the DAC as 2011.
version: Specifies the version of the DAC.
1.0: Specifies the DAC version as version 1.0.
1.1: Specifies the DAC version as version 1.1.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
With the RADIUS DAS feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.
The device discards any DAE packets sent from DACs that are not specified for the DAS.
You can execute the client command multiple times to specify multiple DACs for the DAS.
To work with a DAC with vendor-ID 2011 and version 1.0, you do not need to specify the vendor-ID or version attribute. To work with a DAC with vendor-ID 2011 and version 1.1, you must specify the vendor-id 2011 version 1.1 keywords.
Examples
# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456
Related commands
attribute vendor-id 2011 version
radius dynamic-author server
port
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
data: Specifies the unit for data flows.
byte: Specifies the unit as byte.
giga-byte: Specifies the unit as gigabyte.
kilo-byte: Specifies the unit as kilobyte.
mega-byte: Specifies the unit as megabyte.
packet: Specifies the unit for data packets.
giga-packet: Specifies the unit as giga-packet.
kilo-packet: Specifies the unit as kilo-packet.
mega-packet: Specifies the unit as mega-packet.
one-packet: Specifies the unit as one-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
display radius scheme
display radius scheme
Use display radius scheme to display RADIUS scheme configuration.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS scheme name: radius1
Index : 0
Primary authentication server:
Host name: Not configured
IP : 2.2.2.2 Port: 1812
VPN : vpn1
State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)
Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03
Test profile: 132
Probe username: test
Probe interval: 60 minutes
Probe count : 5
Probe eap-profile: eap1
Weight: 40
Primary accounting server:
Host name: Not configured
IP : 1.1.1.1 Port: 1813
VPN : Not configured
State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)
Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03
Weight: 40
Second authentication server:
Host name: Not configured
IP : 3.3.3.3 Port: 1812
VPN : Not configured
State: Blocked
Most recent blocked period: 2021/12/23 20:33:45 - now
Test profile: Not configured
Weight: 40
Second accounting server:
Host name: Not configured
IP : 3.3.3.3 Port: 1813
VPN : Not configured
State: Blocked (mandatory)
Most recent blocked period: 2021/12/23 20:33:45 - now
Weight: 0
Private authentication server:
IP : 3.3.3.3 Port: 1812
VPN : Not configured
State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)
Most recent blocked period: 2022/03/10 01:48:55 - 2022/03/10 01:49:03
Private accounting server:
IP : 3.3.3.3 Port: 1813
VPN : Not configured
State: Blocked (mandatory)
Most recent blocked period: 2022/03/10 20:33:45 - now
Accounting-On function : Enabled
extended function : Disabled
retransmission times : 5
retransmission interval(seconds) : 2
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(seconds) : 22
Stop-accounting packets buffering : Enabled
Retransmission times : 500
NAS IP Address : 1.1.1.1
Local NAS IP Address : Not configured
Peer NAS IP Address : Not configured
Source IP Address : 1.1.1.1
VPN : Not configured
Username format : with-domain
Data flow unit : Megabyte
Packet unit : One
Attribute 5 format : Port
Attribute 15 check-mode : Strict
Attribute 17 carry old password : Disabled
Attribute 25 : CAR
Attribute 30 format : hh:hh:hh:hh:hh:hh:SSID
Attribute 30 MAC format : hh:hh:hh:hh:hh:hh
Attribute 31 MAC format : hh:hh:hh:hh:hh:hh
Attribute 87 format : Interface name
Remanent-Volume threshold : 0
Attribute Remanent-Volume unit : Mega
RADIUS server version (vendor ID 2011) : 1.0
server-load-sharing : Enabled
Stop-accounting-packet send-force : Disabled
Authentication response pending limit : Not configured
Accounting response pending limit : Not configured
Username authorization : Applied
All-server-block action : Attempt the top-priority server
Attribute 182 vendor-ID 25506 VLAN : Disabled
Attribute 218 of vendor ID 25506 : DHCP-Option 61
Format 1 (1-byte Type field)
Reauthentication server selection : Reselect
------------------------------------------------------------------
Table 12 Command output
|
Field |
Description |
|
Index |
Index number of the RADIUS scheme. |
|
Primary authentication server |
Information about the primary authentication server. |
|
Primary accounting server |
Information about the primary accounting server. |
|
Second authentication server |
Information about the secondary authentication server. |
|
Second accounting server |
Information about the secondary accounting server. |
|
Private authentication server |
Information about the private authentication server. |
|
Private accounting server |
Information about the private accounting server. |
|
Host name |
Host name of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
|
IP |
IP address of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
|
Port |
Service port number of the server. If no port number is specified, this field displays the default port number. |
|
VPN |
MPLS L3VPN instance to which the server or the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured. |
|
State |
Status of the server: · Active—The server is in active state. · Blocked—The server is changed to blocked state automatically. · Blocked (mandatory)—The server is set to blocked state manually. |
|
duration |
The duration of the current active state for the server. This field is displayed only when the server is in active state. |
|
Most recent blocked period |
Most recent blocking start time and end time when the server stayed in blocked state. If the server still remains in blocked state, now is displayed for the end time. |
|
Most recent state changes |
Most recent five state changes of the server. |
|
Test profile |
Test profile used for RADIUS server status detection. |
|
Probe username |
Username used for RADIUS server status detection. |
|
Probe interval |
Server status probe interval, in minutes. |
|
Probe count |
Number of consecutive probe intervals that the device takes to determine the reachability of a RADIUS server. |
|
Probe eap-profile |
EAP profile specified for RADIUS server status detection. This field is not available if no EAP profile is specified in the test profile for RADIUS server status detection. |
|
Weight |
Weight value of the RADIUS server. |
|
Accounting-On function |
Whether the accounting-on feature is enabled. |
|
extended function |
Whether the extended accounting-on feature is enabled. |
|
retransmission times |
Number of accounting-on packet transmission attempts. |
|
retransmission interval(seconds) |
Interval at which the device retransmits accounting-on packets, in seconds. |
|
Timeout Interval(seconds) |
RADIUS server response timeout period, in seconds. |
|
Retransmission times |
Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
|
Retransmission Times for Accounting Update |
Maximum number of accounting attempts. |
|
Server Quiet Period(minutes) |
Quiet period for the servers, in minutes. |
|
Realtime Accounting Interval(seconds) |
Interval for sending real-time accounting updates, in seconds. |
|
Stop-accounting packets buffering |
Whether buffering of nonresponded RADIUS stop-accounting requests is enabled. |
|
Retransmission times |
Maximum number of transmission attempts for individual RADIUS stop-accounting requests. |
|
NAS IP Address |
NAS IP address of RADIUS packets. This field displays Not configured if no NAS IP addresses are specified for RADIUS packets. |
|
Local NAS IP Address |
This field is not supported in the current software version. NAS IP address of RADIUS packets sent for users that access the network through M-LAG interfaces on the local M-LAG member device. If a source interface is specified to provide the NAS IP address, this field displays Provided by local interface xxx. This field displays Not configured if no local NAS IP address is configured. |
|
Peer NAS IP Address |
This field is not supported in the current software version. NAS IP address of RADIUS packets sent for users that access the network through M-LAG interfaces on the peer M-LAG member device. If a source interface is specified to provide the NAS IP address, this field displays Provided by peer interface xxx. This field displays Not configured if no peer NAS IP address is configured. |
|
Source IP address |
Source IP address for outgoing RADIUS packets. This field displays Not configured if no source IP addresses are specified. |
|
Username format |
Format for the usernames sent to the RADIUS server: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
|
Data flow unit |
Measurement unit for data flow. |
|
Packet unit |
Measurement unit for packets. |
|
Attribute 5 format |
Format of RADIUS Attribute 5. Options: · Port—Use the port number encapsulation format. · Default—Use the default encapsulation format. |
|
Attribute 15 check-mode |
RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. |
|
Attribute 17 carry old password |
Status of online user password change by using RADIUS attribute 17: · Enabled—Online user password change by using RADIUS attribute 17 is enabled. The device uses RADIUS attribute 17 to carry a user's old password. · Disabled—Online user password change by using RADIUS attribute 17 is disabled. |
|
Attribute 25 |
RADIUS attribute 25 interpretation status: · Standard—The attribute is not interpreted as CAR parameters. · CAR—The attribute is interpreted as CAR parameters. |
|
Attribute 30 format |
Format of the RADIUS Called-Station-Id attribute. |
|
Attribute 30 MAC format |
Format of the MAC address in the RADIUS Called-Station-Id attribute. |
|
Attribute 31 MAC format |
Format of the MAC address in the RADIUS Calling-Station-Id attribute. |
|
Attribute 87 format |
Format of RADIUS Attribute 87. Options: · Interface name—Use the interface name encapsulation format. · Default—Use the default encapsulation format. |
|
Remanent-Volume threshold |
Available data threshold. The unit for the threshold is the same as the data measurement unit for the RADIUS Remanent_Volume attribute. |
|
Attribute Remanent-Volume unit |
Data measurement unit for the RADIUS Remanent_Volume attribute. |
|
RADIUS server version (vendor ID 2011) |
Version of the RADIUS servers with a vendor ID of 2011: · 1.0. · 1.1. |
|
server-load-sharing |
Status of the RADIUS server load sharing feature: · Disabled—The feature is disabled. The device forwards traffic to the server selected based on primary and secondary server roles. · Enabled—The feature is enabled. The device distributes traffic among multiple servers for load sharing. |
|
Stop-accounting-packet send-force |
Whether the device is enabled to forcibly send stop-accounting packets when users for which no start-accounting packets are sent go offline. |
|
Authentication response pending limit |
Maximum number of pending authentication requests (requests for which no responses are received from the authentication server). If the maximum number of pending authentication requests is not set, this field displays Not configured. |
|
Accounting response pending limit |
Maximum number of pending accounting requests (requests for which no responses are received from the accounting server). If the maximum number of pending accounting requests is not set, this field displays Not configured. |
|
Username authorization |
Whether to allow the device to use the server-assigned usernames for AAA processes subsequent to authentication: · Applied—The device uses the server-assigned usernames for AAA processes subsequent to authentication. · Not applied—The device uses the usernames used in authentication for AAA processes subsequent to authentication. |
|
All-server-block action |
Action to take for AAA requests when all servers in the scheme are blocked: · Attempt the top-priority server. · Skip all servers in the scheme. |
|
Attribute 182 vendor-ID 25506 VLAN |
The vendor-specific attribute number 182 from Vendor ID 25506 is interpreted as indicating the status of the enabling status of the authorization VLAN feature. |
|
Attribute 218 vendor ID 25506 |
DHCP options encapsulated in subattribute 218 of vendor 25506 in RADIUS packets and the encapsulation format. · Format 1 (1-byte Type field)—The Type field of the encapsulated TLV is 1 byte long. Use this format when the device cooperates with most RADIUS servers. · Format 2 (2-byte Type field)—The Type field of the encapsulated TLV is 2 bytes long. Use this format when the device cooperates with HUAWEI RADIUS servers. This field is not displayed if the device is not configured to add subattribute 218 of vendor 25506 in RADIUS packets. |
|
Reauthentication server selection |
RADIUS server selection mode in reauthentication: · Inherit—The device uses the RADIUS server that performed authentication for a user to reauthenticate that user. · Reselect—The device searches for a reachable RADIUS server to reauthenticate a user. |
display radius server-load statistics
Use display radius server-load statistics to display authentication and accounting load statistics for all RADIUS servers.
Syntax
display radius server-load statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
This command displays the following statistics:
· Last-5-second statistics—Total number of authentication or accounting requests sent to each RADIUS server in the last 5 seconds.
· History statistics—Total number of authentication or accounting requests sent to each RADIUS server since the device starts up.
The device collects the statistics as follows:
· Last-5-second statistics—From the device sends the first authentication or accounting request to a RADIUS server, the device counts the number of authentication or accounting requests sent to the server every 5 seconds. Then, the device updates the last-5-second authentication and accounting statistics for the server.
· History statistics—The device increases the history statistics for a RADIUS server by 1 each time it sends an authentication or accounting request to the server. The device does not decrease the history statistics even though users go offline or the server fails to response to a request within the timeout time.
Based on the statistics, you can adjust the load on RADIUS servers by changing the sequence in which the servers are configured or the weight values of the servers.
This command displays statistics only for RADIUS servers whose IP addresses are available or can be resolved from their hostnames.
The device deletes all statistics for a RADIUS server if the server is removed from a RADIUS scheme or the server's IP address, VPN instance, or service port number changes.
If an active/standby switchover occurs, the last-5-second statistics are deleted. However, the history statistics are not deleted. The history statistics might be inaccurate.
If the device reboots, both the last-5-seconds statistics and the history statistics are deleted.
Examples
# Display authentication and accounting load statistics for all RADIUS servers.
<Sysname> display radius server-load statistics
Authentication servers: 2
IP VPN Port Last 5 sec History
1.1.1.1 N/A 1812 20 100
2.2.2.2 ABC 1812 0 20
Accounting servers: 2
IP VPN Port Last 5 sec History
1.1.1.1 N/A 1813 20 100
2.2.2.2 ABC 1813 0 20
Table 13 Command output
|
Field |
Description |
|
Authentication servers |
Total number of RADIUS authentication servers. |
|
Accounting servers |
Total number of RADIUS accounting servers. |
|
IP |
IP address of a RADIUS server. |
|
VPN |
MPLS L3VPN instance to which the RADIUS server belongs. This field displays N/A if no VPN instance is specified for the server. |
|
Port |
Service port number of the RADIUS server. |
|
Last 5 sec |
Total number of RADIUS authentication or accounting requests sent to the RADIUS server within the last 5 seconds. |
|
History |
Total number of RADIUS authentication or accounting requests sent to the RADIUS server since the device starts up. |
Related commands
reset radius server-load statistics
display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS packet statistics.
<Sysname> display radius statistics
Auth. Acct. SessCtrl.
Request Packet: 0 0 0
Retry Packet: 0 0 -
Timeout Packet: 0 0 -
Access Challenge: 0 - -
Account Start: - 0 -
Account Update: - 0 -
Account Stop: - 0 -
Terminate Request: - - 0
Set Policy: - - 0
Packet With Response: 0 0 0
Packet Without Response: 0 0 -
Access Rejects: 0 - -
Dropped Packet: 0 0 0
Check Failures: 0 0 0
Table 14 Command output
|
Field |
Description |
|
Auth. |
Authentication packets. |
|
Acct. |
Accounting packets. |
|
SessCtrl. |
Session-control packets. |
|
Request Packet |
Number of request packets. |
|
Retry Packet |
Number of retransmitted request packets. |
|
Timeout Packet |
Number of request packets timed out. |
|
Access Challenge |
Number of access challenge packets. |
|
Account Start |
Number of start-accounting packets. |
|
Account Update |
Number of accounting update packets. |
|
Account Stop |
Number of stop-accounting packets. |
|
Terminate Request |
Number of packets for logging off users forcibly. |
|
Set Policy |
Number of packets for updating user authorization information. |
|
Packet With Response |
Number of packets for which responses were received. |
|
Packet Without Response |
Number of packets for which no responses were received. |
|
Access Rejects |
Number of Access-Reject packets. |
|
Dropped Packet |
Number of discarded packets. |
|
Check Failures |
Number of packets with checksum errors. |
Related commands
reset radius statistics
display stop-accounting-buffer (for RADIUS)
Use display stop-accounting-buffer to display information about buffered RADIUS stop-accounting requests to which no responses have been received.
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.
Examples
# Display information about nonresponded RADIUS stop-accounting requests buffered for user abc.
<Sysname> display stop-accounting-buffer user-name abc
Total entries: 2
Scheme Session ID Username First sending time Attempts
rad1 1000326232325010 abc 23:27:16-08/02/2020 19
aaa 1000326232326010 abc 23:33:01-08/02/2020 20
Table 15 Command output
|
Field |
Description |
|
Session ID |
Session ID, which is the value of attribute Acct-Session-Id. |
|
First sending time |
Time when the stop-accounting request was first sent. |
|
Attempts |
Number of attempts that were made to send the stop-accounting request. |
Related commands
reset stop-accounting-buffer (for RADIUS)
retry
retry stop-accounting (RADIUS scheme view)
stop-accounting-buffer enable (RADIUS scheme view)
user-name-format (RADIUS scheme view)
exclude
Use exclude to exclude an attribute from RADIUS requests.
Use undo exclude to cancel the configuration of excluding an attribute from RADIUS requests.
Syntax
exclude { accounting | authentication } name attribute-name
undo exclude { accounting | authentication } name attribute-name
Default
No attributes are configured to be excluded from RADIUS requests.
Views
RADIUS attribute test group view
Predefined user roles
network-admin
Parameters
accounting: Specifies RADIUS accounting requests.
authentication: Specifies RADIUS authentication requests.
name attribute-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The specified attribute must be an attribute that RADIUS requests carry by default. Attributes that you can exclude from RADIUS authentication requests include Service-Type, Framed-Protocol, NAS-Identifier, Acct-Session-Id, and NAS-Port-Type. Attributes that you can exclude from RADIUS accounting requests include NAS-Identifier, Acct-Delay-Time, Acct-Session-Id, and Acct-Terminate-Cause.
Usage guidelines
Use this command to exclude an attribute from RADIUS requests sent during an AAA test to help troubleshoot authentication or accounting failures.
Before you exclude an attribute that is already configured to be included in RADIUS requests, you must cancel the inclusion configuration by using the undo include command.
Examples
# In RADIUS attribute test group t1, exclude Service-Type attribute from RADIUS authentication requests.
<Sysname> system-view
[Sysname] radius attribute-test-group t1
[Sysname-radius-attr-test-grp-t1] exclude authentication name Service-Type
Related commands
include
test-aaa
include
Use include to include an attribute in RADIUS requests.
Use undo include to cancel the configuration of including an attribute in RADIUS requests.
Syntax
include { accounting | authentication } { name attribute-name | [ vendor vendor-id ] code attribute-code } type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string } value attribute-value
undo include { accounting | authentication} { name attribute-name | [ vendor vendor-id ] code attribute-code }
Default
No attributes are configured to be included in RADIUS authentication or accounting requests.
Views
RADIUS attribute test group view
Predefined user roles
network-admin
Parameters
accounting: Specifies RADIUS accounting requests.
authentication: Specifies RADIUS authentication requests.
name attribute-name: Specifies a standard RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters.
vendor vendor-id: Specifies a vendor by its ID in the range of 1 to 65535. If the attribute is a standard RADIUS attribute, do not specify this option.
code attribute-code: Specifies a RADIUS attribute by its code in the range of 1 to 255.
type: Specifies a data type for the attribute content.
binary: Binary type.
date: Date type.
integer: Integer type.
interface-id: Interface ID type.
ip: IPv4 address type.
ipv6: IPv6 address type.
ipv6-prefix: IPv6 address prefix type.
octets: Octet type.
string: String type.
value attribute-value: Specifies the value for the attribute of the data type. The value range of the attribute-value argument varies by data type.
· For the binary type, the value is a string of 1 to 256 hexadecimal characters, which represents a binary number with a maximum of 128 bytes.
· For the date type, the value range is 0 to 4294967295.
· For the integer type, the value range is 0 to 4294967295.
· For the interface ID type, the value range is 1 to ffffffffffffffff.
· For the IPv6 address prefix type, the value is in the format of prefix/prefix-length.
· For the octet type, the value is a string of 1 to 256 hexadecimal characters, which represents an octet number with a maximum of 128 bytes.
· For the string type, the value of this argument is a string of 1 to 253 characters.
Usage guidelines
Use this command to add an attribute that RADIUS requests do not carry by default to the RADIUS requests. The undo form of this command removes the attribute from the RADIUS requests.
For an attribute that RADIUS requests carry by default, you can use this command to change its value. The undo form of this command restores the attribute value to the default.
Table 16 shows the attributes that RADIUS requests carry by default.
Table 16 Attributes that RADIUS requests carry by default
|
Packet type |
Attributes that the type of packets carry by default |
|
RADIUS authentication request |
User-Name, CHAP-Password (or User-Password), CHAP-Challenge, NAS-IP-Address (or NAS-IPv6-Address), Service-Type, Framed-Protocol, NAS-Identifier, NAS-Port-Type, and Acct-Session-Id. |
|
RADIUS accounting request |
User-Name, Acct-Status-Type, NAS-IP-Address (or NAS-IPv6-Address), NAS-Identifier, Acct-Session-Id, Acct-Delay-Time, and Acct-Terminate-Cause. |
For the accuracy of AAA tests, the value of an attribute must be of the data type specified for that attribute.
The attribute names of standard attributes saved in the configuration file will be converted to attribute codes.
Before you include an attribute that is already configured to be excluded from RADIUS requests, you must cancel the exclusion configuration by using the undo exclude command.
Plan the RADIUS attributes to be included in RADIUS requests. Besides the attributes carried by default, the device adds the specified attributes to RADIUS packets in the order that they are specified by using the include command. Additional attributes cannot be added to a RADIUS request if the length of the RADIUS request reaches 4096 bytes.
Examples
# In RADIUS attribute test group t1, include Calling-Station-Id attribute with value 08-00-27-00-34-D8 in RADIUS authentication requests.
<Sysname> system-view
[Sysname] radius attribute-test-group t1
[Sysname-radius-attr-test-grp-t1] include authentication name Calling-Station-Id type string value 08-00-27-00-34-d8
Related commands
exclude
test-aaa
include-attribute 218 vendor-id 25506
Use include-attribute 218 vendor-id 25506 to include subattribute 218 of vendor 25506 in RADIUS packets.
Use undo include-attribute 218 vendor-id 25506 to not include subattribute 218 of vendor 25506 in RADIUS packets.
Use undo include-attribute 218 vendor-id 25506 dhcp-option to restore the default.
Syntax
include-attribute 218 vendor-id 25506 dhcp-option { 55 | 61 } * { format1 | format2 }
undo include-attribute 218 vendor-id 25506 [ dhcp-option ]
Default
The device uses format 1 to encapsulate DHCP Option 61 in subattribute 218 of vendor 25506 in RADIUS packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
dhcp-option: Specifies a DHCP option to be encapsulated in subattribute 218.
· 55: Specifies DHCP Option 55.
· 61: Specifies DHCP Option 61.
format1: Specifies encapsulation format 1 for the subattribute, in which the Type field is 1 byte long. Use this format when the device cooperates with most RADIUS servers.
format2: Specifies encapsulation format 2 for the subattribute, in which the Type field is 2 bytes long. Use this format when the device cooperates with HUAWEI RADIUS servers.
Usage guidelines
The RADIUS Vendor-Specific attribute (attribute 26) allows vendors to define extended attributes to implement functions that the standard RADIUS protocol does not provide. Vendor 25506 defines subattribute 218 to carry user DHCP option information.
To send user DHCP option information to RADIUS servers, perform this task to include subattribute 218 of vendor 25506 in outgoing RADIUS start-accounting and update-accounting requests.
In the current software version, only DHCP Option 55 and DHCP Option 61 can be carried in the subattribute.
You can repeat this command to encapsulate both DHCP Option 55 and DHCP Option 61 in the subattribute. The length of each option is limited to 246 bytes.
If you repeat this command multiple times with the same DHCP option specified, the most recent configuration takes effect.
Examples
# In RADIUS scheme rad, configure the device to use format 2 to encapsulate DHCP Option 55 in subattribute 218 of vendor 25506 in RADIUS packets.
<Sysname> system-view
[Sysname] radius scheme rad
[Sysname-radius-rad] include-attribute 218 vendor-id 25506 dhcp-option 55 format2
Related commands
display radius scheme
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication or accounting communication.
Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured for secure RADIUS authentication or accounting communication.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Specifies the shared key for secure RADIUS accounting communication.
authentication: Specifies the shared key for secure RADIUS authentication communication.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.
The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
Examples
# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme
microsegment associate
Use microsegment associate to associate a microsegment with a VSI.
Use undo microsegment to remove the association between a microsegment and a VSI.
Syntax
microsegment microsegment-id associate vsi vsi-name
undo microsegment { microsegment-id | all }
Default
No VSI is associated with a microsegment.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters.
all: Specifies all microsegments associated with VSIs.
Usage guidelines
Use this command when microsegment-based access control is deployed on a VXLAN network.
When the RADIUS server assigns the microsegment and VSI attributes to a user, the device directly assigns the microsegment and VSI to the user so the user can access the related VXLAN resources.
When the RADIUS server assigns only the microsegment attribute but no VSI attribute to a user, the device will search for a VSI associated with the microsegment.
· If the device finds an associated VSI, it assigns the microsegment and the VSI to the user.
· If the device does not find an associated VSI, it assigns only the microsegment to the user.
You can repeat this command to create multiple microsegment-VSI associations. The maximum of microsegment-VSI associations supported by the system varies by device model.
In a RADIUS scheme, a microsegment can be associated with only one VSI. Multiple microsegments can be associated with the same VSI. If you repeat this command to associate a microsegment with different VSIs, the most recent configuration takes effect.
This command takes effect only on new users that come online after this command is executed.
Make sure the device can interpret microsegment IDs assigned by the RADIUS server. If the device cannot directly interpret microsegment IDs, use the attribute translation feature so the device can translate the server-assigned microsegment ID attribute to the H3C-Microsegment-Id attribute.
Examples
# In RADIUS scheme radius1, associate microsegment 123 with VSI test.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] microsegment 123 associate vsi test
Related commands
attribute convert
nas-ip (RADIUS scheme view)
Use nas-ip to specify a NAS IP address for RADIUS packets.
Use undo nas-ip to remove the NAS IP address of the specified type for RADIUS packets.
Syntax
nas-ip { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address }
undo nas-ip [ interface | ipv6 ]
Default
The NAS IP address of a RADIUS packet is that specified by using the radius nas-ip command in system view.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
interface interface-type interface-number: Specifies an interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the NAS IP address of an outgoing RADIUS packet.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address and cannot be a loopback address or a link-local address.
Usage guidelines
Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.
The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.
As a best practice, specify a loopback interface address as the NAS IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.
You can specify the NAS IP address in both RADIUS scheme view and system view.
· The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.
· The NAS IP address specified in RADIUS scheme view takes precedence over the NAS IP address specified in system view.
For a RADIUS scheme, the following restrictions apply:
· You can specify only one NAS IPv4 address and one NAS IPv6 address for RADIUS packets.
· You can specify only one interface to provide the NAS IP address for RADIUS packets. Make sure the route between the interface and the RADIUS server is reachable.
· The interface configuration and the IP address configuration overwrite each other.
If you do not specify the ipv6 keyword for the undo nas-ip command, the command removes the configured NAS IPv4 address for RADIUS packets.
Examples
# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the NAS IPv4 address of RADIUS packets.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
display radius scheme
radius nas-ip
port
Use port to specify the RADIUS DAS port.
Use undo port to restore the default.
Syntax
port port-number
undo port
Default
The RADIUS DAS port number is 3799.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.
Usage guidelines
The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.
Examples
# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] port 3790
Related commands
client
radius dynamic-author server
primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to restore the default.
Syntax
primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
The primary RADIUS accounting server is not specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.
port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.
key: Specifies the shared key for secure communication with the primary RADIUS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
If you modify or remove the accounting server to which the device is sending a start-accounting request, the accounting server might become unreachable. Once communication with the unreachable server times out, the device performs the following operations:
· The device tries to communicate with an active server that has the highest priority for accounting.
If you remove the accounting server to which the device has sent start-accounting requests successfully for an online user, the following events occur:
· If the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for subsequent accounting requests.
· If the RADIUS server load sharing feature is enabled, real-time accounting fails for that online user and the accounting result is not accurate for that online user. The reason is that the device can communicate only with the accounting server to which it has sent start-accounting requests successfully. As a result, the device cannot send real-time accounting requests or send and buffer stop-accounting requests for that online user.
Examples
# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!
Related commands
display radius scheme
key (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication server.
Use undo primary authentication to restore the default.
Syntax
primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
The primary RADIUS authentication server is not specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.
key: Specifies the shared key for secure communication with the primary RADIUS authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command.
The server status detection is triggered for the server if the specified test profile exists on the device.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
If modify or remove the server in use, the server might become unreachable during an authentication process. Once communication with the server times out, the device tries to communicate with an active server that has the highest priority for authentication.
Examples
# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!
Related commands
display radius scheme
key (RADIUS scheme view)
radius-server test-profile
secondary authentication (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
private accounting
Use private accounting to specify a private RADIUS accounting server.
Use undo private accounting to restore the default.
Syntax
private accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo private accounting
Default
No private RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the private RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the private RADIUS accounting server.
port-number: Specifies the UDP service port number of the private RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.
key: Specifies the shared key for secure communication with the private RADIUS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This string is case sensitive. The encrypted form of the key is a string of 1 to 117 characters, and the plaintext form of the key is a string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the private RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
This command is applicable to the scenario in which the accounting requests for users contain an accounting server address.
Operating mechanism
When the device receives an accounting request that contains an accounting server address, the device searches the applicable RADIUS scheme for that private server.
· If a match is found, the device communicates with the server for accounting. If the server does not exist or is unreachable, the accounting operation fails. The device will not try other servers in the scheme.
· If no match is found, the accounting operation fails.
An accounting request might contain an IPv4 server address, an IPv6 server address, or both.
· If the request contains an IPv4 server address and an IPv6 server address, the device preferentially exchanges information with the IPv6 server.
¡ If the IPv6 server has failed to respond before the timeout timer expires, the device tries the IPv4 server.
¡ If the IPv6 server is in blocked state, the device examines if the IPv4 server is active.
- If yes, the device communicates with the IPv4 server.
- If no, the device continues to communicate with the IPv6 server.
· If the request contains only an IPv4 or IPv6 server address, the device exchanges client information with the server at that IP address without checking its active state.
Restrictions and guidelines
When you specify a private RADIUS server, follow these restrictions and guidelines:
· Make sure the specified UDP port number and shared key are consistent with the configuration on the server.
· In a RADIUS scheme, you can specify a maximum of 16 private accounting servers.
· You can specify a shared key when specifying a private server. If no shared key is specified, the device uses the key configured for the RADIUS scheme by using the key accounting command to communicate with the server.
· If the private server resides in a MPLS VPN instance, you must specify the VPN instance for RADIUS packets to be forwarded to the private server successfully. The VPN instance specified for a private server takes precedence over the VPN instance specified for the scheme.
Examples
# In RADIUS scheme radius1, specify the private accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] private accounting 10.110.1.2 1812 key simple 123456TESTauth&!
Related commands
display radius scheme
key (RADIUS scheme view)
radius scheme
vpn-instance (RADIUS scheme view)
private authentication
Use private authentication to specify a private RADIUS authentication server.
Use undo private authentication to restore the default.
Syntax
private authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo private authentication
Default
No private RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the private RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the private RADIUS authentication server.
port-number: Specifies the UDP service port number of the private RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.
key: Specifies the shared key for secure communication with the private RADIUS authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This string is case sensitive. The encrypted form of the key is a string of 1 to 117 characters, and the plaintext form of the key is a string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the private RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
This command is applicable to the scenario in which the authentication requests for users contain a private authentication server address.
Operating mechanism
When the device receives an authentication request that contains an authentication server address, the device searches the applicable RADIUS scheme for that private server.
· If a match is found, the device communicates with the server for client authentication. If the server does not exist or is unreachable, the authentication operation fails. The device will not try other servers in the scheme.
· If no match is found, the client authentication operation fails.
A client authentication request might contain an IPv4 server address, an IPv6 server address, or both.
· If the request contains an IPv4 server address and an IPv6 server address, the device preferentially exchanges information with the IPv6 server.
¡ If the IPv6 server has failed to respond before the timeout timer expires, the device tries the IPv4 server.
¡ If the IPv6 server is in blocked state, the device examines if the IPv4 server is active.
- If yes, the device communicates with the IPv4 server.
- If no, the device continues to communicate with the IPv6 server.
· If the request contains only an IPv4 or IPv6 server address, the device exchanges client information with the server at that IP address without checking its active state.
Restrictions and guidelines
When you specify a private RADIUS server, follow these restrictions and guidelines:
· Make sure the specified UDP port number and shared key are consistent with the configuration on the server.
· In a RADIUS scheme, you can specify a maximum of 16 private authentication servers.
· You can specify a shared key when specifying a private server. If no shared key is specified, the device uses the key configured for the RADIUS scheme by using the key authentication command to communicate with the server.
· If the private server resides in a MPLS VPN instance, you must specify the VPN instance for RADIUS packets to be forwarded to the private server successfully. The VPN instance specified for a private server takes precedence over the VPN instance specified for the scheme.
Examples
# In RADIUS scheme radius1, specify the private authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] private authentication 10.110.1.1 1812 key simple 123456TESTauth&!
Related commands
display radius scheme
key (RADIUS scheme view)
radius scheme
vpn-instance (RADIUS scheme view)
radius attribute extended
Use radius attribute extended to define an extended RADIUS attribute.
Use undo radius attribute extended to delete user-defined extended RADIUS attributes.
Syntax
radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }
undo radius attribute extended [ attribute-name ]
Default
No user-defined extended RADIUS attributes exist.
Views
System view
Predefined user roles
network-admin
Parameters
attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.
vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute. Table 17 shows the vendor IDs of supported vendors.
Table 17 Supported vendors and vendor IDs
|
Vendor |
Vendor ID |
Vendor |
Vendor ID |
Vendor |
Vendor ID |
|
HUAWEI |
2011 |
H3C |
25506 |
Microsoft |
311 |
|
3COM |
43 |
DSL Forum |
3561 |
China Telecom |
20942 |
|
Wi-Fi Alliance |
40808 |
Juniper |
2636 |
CMCC |
28357 |
|
Cisco |
9 |
|
|
|
|
code attribute-code: Specifies the ID of the RADIUS attribute in the attribute set. The value range for the attribute-code argument is 1 to 255.
type: Specifies a data type for the attribute content.
binary: Binary type.
date: Date type.
integer: Integer type.
interface-id: Interface ID type.
ip: IPv4 address type.
ipv6: IPv6 address type.
ipv6-prefix: IPv6 address prefix type.
octets: Octet type.
string: String type.
Usage guidelines
To support the proprietary RADIUS attributes of other vendors, perform the following tasks:
4. Use this command to define the attributes as extended RADIUS attributes.
5. Use the attribute convert command to map the extended RADIUS attributes to attributes supported by the system.
6. Use the attribute translate command to enable the RADIUS attribute translation feature for the mappings to take effect.
To cooperate with RADIUS servers of a third-party vendor, map attributes that cannot be identified by the server to server-supported attributes.
Two RADIUS attributes cannot have the same combination of attribute name, vendor ID, and attribute ID.
If you do not specify a RADIUS attribute name, the undo radius attribute extended command deletes all user-defined extended RADIUS attributes.
Examples
# Define a string-type extended RADIUS attribute with attribute name Owner-Password, vendor ID 122, and attribute ID 80.
<Sysname> system-view
[Sysname] radius attribute extended Owner-Password vendor 122 code 80 type string
Related commands
attribute convert (RADIUS DAS view)
attribute convert (RADIUS scheme view)
attribute reject (RADIUS DAS view)
attribute reject (RADIUS scheme view)
attribute translate
radius attribute-test-group
Use radius attribute-test-group to create a RADIUS attribute test group and enter its view, or enter the view of an existing RADIUS attribute test group.
Use undo radius attribute-test-group to remove a RADIUS attribute test group.
Syntax
radius attribute-test-group attr-test-group-name
undo radius attribute-test-group attr-test-group-name
Default
No RADIUS attribute test groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
attr-test-group-name: Specifies the name of a RADIUS attribute test group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A RADIUS attribute test group is a collection of RADIUS attributes that will be included in or excluded from RADIUS requests.
The system can have multiple RADIUS attribute test groups.
Examples
# Create a RADIUS attribute test group named t1 and enter its view.
<Sysname> system-view
[Sysname] radius attribute-test-group t1
[Sysname-radius-attr-test-grp-t1]
Related commands
exclude
include
test-aaa
radius dscp
Use radius dscp to change the DSCP priority of RADIUS packets.
Use undo radius dscp to restore the default.
Syntax
radius [ ipv6 ] dscp dscp-value
undo radius [ ipv6 ] dscp
Default
The DSCP priority of RADIUS packets is 0.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for the IPv4 RADIUS packets.
dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.
Usage guidelines
Use this command to set the DSCP priority in the ToS field of IPv4 RADIUS packets or in the Traffic Class field of IPv6 RADIUS packets for changing their transmission priority.
Examples
# Set the DSCP priority of IPv4 RADIUS packets to 10.
<Sysname> system-view
[Sysname] radius dscp 10
radius dynamic-author server
Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.
Use undo radius dynamic-author server to disable the RADIUS DAS feature.
Syntax
radius dynamic-author server
undo radius dynamic-author server
Default
The RADIUS DAS feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs. Based on the DAE packet type and contents, the device performs one of the following operations:
· Log off online users.
· Change online user authorization information.
· Shut down or reboot online users' access ports.
· Reauthenticate online users.
Examples
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server]
Related commands
client
port
radius enable
Use radius enable to enable the RADIUS service.
Use undo radius enable to disable the RADIUS service.
Syntax
radius enable
undo radius enable
Default
The RADIUS service is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
By default, the RADIUS service is enabled. The device can send and receive RADIUS packets. Attackers might use RADIUS session-control and DAE ports to attack the device. To protect the device when such an attack occurs, disable the RADIUS service temporarily on the device. After the network is secure, re-enable the RADIUS service.
If settings on the RADIUS servers require modification or the RADIUS servers cannot provide services temporarily, you can temporarily disable the RADIUS service on the device.
When the RADIUS service is disabled, the device stops sending and receiving RADIUS packets. If a new user comes online, the device uses the backup authentication, authorization, or accounting method to process that user. If the device has not finished requesting authentication or accounting for a user before the RADIUS service is disabled, it uses the following rules to process that user:
· If the device has sent RADIUS authentication requests for that user to a RADIUS server, the device processes that user depending on whether it receives a response from the RADIUS server.
¡ If the device receives a response from the RADIUS server, it uses the response to determine whether that user has passed authentication. If that user has passed authentication, the device assigns authorization information to that user according to the response.
¡ If the device does not receive any response from the RADIUS server, it attempts to use the backup authentication method to authenticate that user.
· If the device has sent RADIUS start-accounting requests for that user to a RADIUS server, the device processes that user depending on whether it receives a response from the RADIUS server.
¡ If the device receives a response from the RADIUS server, it allows that user to come online. However, the device cannot send out accounting-update or stop-accounting requests to the RADIUS server. It cannot buffer the accounting requests, either. When that user goes offline, the RADIUS server cannot log off that user in time. The accounting result might be inaccurate.
¡ If the device does not receive any response from the RADIUS server, it attempts to use the backup accounting method.
Disabling the RADIUS service does not affect the RADIUS server feature of the device.
The authentication, authorization, and accounting processes undertaken by other methods are not switched to RADIUS when you re-enable the RADIUS service.
Examples
# Enable the RADIUS service.
<Sysname> system-view
[Sysname] radius enable
radius nas-ip
Use radius nas-ip to specify a NAS IP address for RADIUS packets.
Use undo radius nas-ip to remove the NAS IP address of the specified type for RADIUS packets.
Syntax
radius nas-ip { interface interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
undo radius nas-ip { interface | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
Default
The NAS IP address of RADIUS packets is the primary IPv4 address or the IPv6 address of the outbound interface.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the NAS IP address of an outgoing RADIUS packet.
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the NAS IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network NAS IP address, do not specify this option.
Usage guidelines
Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.
The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.
As a best practice, specify a loopback interface address as the NAS IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.
You can specify the NAS IP address in both RADIUS scheme view and system view.
· The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.
· The NAS IP address specified in RADIUS scheme view takes precedence over the NAS IP address specified in system view.
You can specify a maximum of 16 NAS IP addresses in system view, including:
· Zero or one public-network NAS IPv4 address.
· Zero or one public-network NAS IPv6 address.
· Private-network NAS IP addresses.
Each VPN instance can have only one private-network NAS IPv4 address and one private-network NAS IPv6 address in system view.
You can specify only one interface to provide the NAS IP address for outgoing RADIUS packets. Make sure the route between the interface and the RADIUS server is reachable.
The interface configuration and the IP address configuration overwrite each other.
Examples
# Specify IP address 129.10.10.1 as the NAS IP address of RADIUS packets.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip (RADIUS scheme view)
radius scheme
Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS schemes exist.
Views
System view
Predefined user roles
network-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be used by more than one ISP domain at the same time.
The device supports a maximum of 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
radius session-control client
Use radius session-control client to specify a RADIUS session-control client.
Use undo radius session-control client to remove the specified RADIUS session-control clients.
Syntax
radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
Default
No RADIUS session-control clients are specified.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a session-control client by its IPv4 address.
ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.
key: Specifies the shared key for secure communication with the session-control client.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the client is on the public network, do not specify this option.
all: Specifies all session-control clients.
Usage guidelines
To verify the session-control packets sent from a RADIUS server running on IMC, specify the RADIUS server as a session-control client to the device. The device matches a session-control packet to a session-control client based on the IP address and VPN instance, and then uses the shared key of the matched client to validate the packet.
The device searches the session-control client settings prior to searching all RADIUS scheme settings for a server with matching settings. This process narrows the search scope for finding the matched RADIUS server.
The session-control client settings take effect only when the RADIUS session-control feature is enabled.
The session-control client settings must be the same as the corresponding settings of the RADIUS server.
You can specify multiple session-control clients on the device.
Examples
# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.
<Sysname> system-view
[Sysname] radius session-control client ip 10.110.1.2 key simple 12345
Related commands
radius session-control enable
radius session-control enable
Use radius session-control enable to enable the RADIUS session-control feature.
Use undo radius session-control enable to disable the RADIUS session-control feature.
Syntax
radius session-control enable
undo radius session-control enable
Default
The RADIUS session-control feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
An H3C IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812.
This feature must work with H3C IMC servers.
For RADIUS session control to operate normally, make sure the device's function as a RADIUS server is disabled.
Examples
# Enable the RADIUS session-control feature.
<Sysname> system-view
[Sysname] radius session-control enable
radius-server authen-state-check interval
Use radius-server authen-state-check interval to set the interval at which the device detects the status of RADIUS authentication servers.
Use undo radius-server authen-state-check interval to restore the default.
Syntax
radius-server authen-state-check interval interval
undo radius-server authen-state-check interval
Default
The device detects the status of RADIUS authentication servers at intervals of 10 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Sets the detection interval, in minutes. The value range is 1 to 120.
Usage guidelines
This command takes effect only on 802.1X authentication, Web authentication, and MAC authentication users.
The device detects the status of RADIUS authentication servers in each RADIUS scheme at intervals as configured. It notifies access modules to remove users that use a RADIUS scheme from the critical domain when that RADIUS scheme has reachable RADIUS servers.
If the device cannot detect the status changes of RADIUS authentication servers in time, it cannot timely change server status or handle users. The following situations exist:
· When RADIUS server status detection is enabled, a too long detection interval might cause the device to falsely record a RADIUS server active after the server becomes unavailable. However, users are assigned to the critical domain.
· When RADIUS server status detection is disabled, the device assigns a user to the critical domain if it has not received any responses from a RADIUS server for the user before the server response timeout time expires. However, if the device has received authentication responses from that server for other users during the server response timeout period, the device does not set the state of that server to blocked. If the server is always available for subsequent users, the device always records that server active.
In the above situations, the device cannot remove users in the critical domain from the critical domain after the RADIUS server becomes available. To resolve the issue, use this command to set an appropriate interval for the device to detect the status of RADIUS authentication servers.
A too short detection interval consumes too many system resources for access services. A too long detection interval cannot detect server status changes in time.
As a best practice, consider the processing efficiency for access services and the accuracy for fail-permit and recovery when a large number of users come online in a short time.
Examples
# Configure the device to detect the status of RADIUS authentication servers at intervals of 2 minutes.
<Sysname> system-view
[Sysname] radius-server authen-state-check interval 2
Related commands
authen-radius-unavailable online domain
radius-server test-profile
Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.
Use undo radius-server test-profile to delete a RADIUS test profile.
Syntax
radius-server test-profile profile-name username name [ password { cipher | simple } string ] [ interval interval ] [ probe-count count ] [ eap-profile eap-profile-name ]
undo radius-server test-profile profile-name
Default
No RADIUS test profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.
username name: Specifies the username in the probe packets. The name argument is a case-sensitive string of 1 to 253 characters.
password: Specifies the user password in the probe packets. If you do not specify a user password, the device randomly generates a user password for each probe packet. As a best practice, specify a user password. RADIUS server might mistake probe packets that contain randomly generated passwords as attack packets.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
interval interval: Specifies the interval for sending a probe packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.
probe-count count: Specifies the number of consecutive probe intervals that the device takes to determine the reachability of a RADIUS server. The value range for the count argument is 1 to 10, and the default value is 1.
eap-profile eap-profile-name: Specifies an EAP profile by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
The device starts detecting the status of a RADIUS server only if the test profile specified for the server exists. If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.
To perform EAP-based status detection for a RADIUS server, you must specify a test profile that contains an EAP profile for the RADIUS server.
EAP-based detection provides more reliable detection results than simple detection. As a best practice, configure EAP-based detection on a network environment where EAP authentication is configured.
If you specify a nonexistent EAP profile in a test profile, the device performs simple detection for the RADIUS servers that use the test profile. After the EAP profile is configured, the device will start EAP-based detection at the next detection interval.
When the network is unstable, increase the value for the probe-count count option to improve accuracy of RADIUS server state information.
When the network is stable, reduce the value for the probe-count count option. This operation ensures that the device can obtain the real status of a RADIUS server in time.
When you delete a test profile, the device stops detecting the status of RADIUS servers that use the test profile.
You can execute this command multiple times to configure multiple test profiles.
Examples
# Configure a test profile named abc for RADIUS server status detection. A probe packet that uses username admin and plaintext password abc123 is sent every 10 minutes. The device takes two consecutive probe intervals to determine the reachability of a RADIUS server.
<Sysname> system-view
[Sysname] radius-server test-profile abc username admin password simple abc123 interval 10 probe-count 2
Related commands
eap-profile
primary authentication (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
reauthentication server-select
Use reauthentication server-select to specify a RADIUS server selection mode for reauthentication.
Use undo reauthentication server-select to restore the default.
Syntax
reauthentication server-select { inherit | reselect }
undo reauthentication server-select
Default
The inherit mode is used.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
inherit: Uses the RADIUS server that performed authentication for reauthentication.
reselect: Reselects a RADIUS server for reauthentication.
Usage guidelines
Use this command to configure the RADIUS server selection mechanism in reauthentication. Use one of the following modes depending on the network condition:
· Inherit—The device uses the RADIUS server that performed authentication for a user to reauthenticate that user. This mode reduces the amount of time used in reauthentication. However, if the RADIUS server is unreachable, the reauthentication will fail.
· Reselect—The device searches for a reachable RADIUS server to reauthenticate a user. This mode requires more time than the inherit mode. However, this mode ensures that the device uses the optimal reachable RADIUS server for reauthentication. The following factors affect the RADIUS server selection:
¡ Server configuration in the RADIUS scheme, including the configuration order.
¡ Enabling status of the RADIUS server load sharing feature.
¡ Status of the RADIUS servers in the RADIUS scheme.
Examples
# In RADIUS scheme radius1, set the RADIUS server selection mode to reselect for reauthentication.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] reauthentication server-select reselect
Related commands
display radius scheme
reset radius server-load statistics
Use reset radius server-load statistics to clear history authentication and accounting load statistics for all RADIUS servers.
Syntax
reset radius server-load statistics
Views
User view
Predefined user roles
network-admin
Usage guidelines
This command does not clear authentication and accounting load statistics in the last 5 seconds.
Examples
# Clear history authentication and accounting load statistics for all RADIUS servers.
<Sysname> reset radius server-load statistics
Related commands
display radius server-load statistics
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
Related commands
display radius statistics
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retries
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
If the device does not receive a response to its request from the RADIUS server within the response timeout period, the device retransmits the RADIUS request. To set the response timeout period, use the timer response-timeout command.
If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module:
· The maximum number of RADIUS packet transmission attempts.
· The RADIUS server response timeout period.
· The number of RADIUS authentication servers in the RADIUS scheme.
When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.
Examples
# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
Related commands
radius scheme
timer response-timeout (RADIUS scheme view)
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retries
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server considers the accounting attempt a failure and then decides whether to cut the user connection based on the accounting update failure policy (configured by using accounting update-fail).
To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.
For example, for a LAN user, the following conditions exist:
· The RADIUS server response timeout period is 3 seconds (set by using the timer response-timeout command).
· The maximum number of RADIUS packet transmission attempts is 3 (set by using the retry command).
· The real-time accounting interval is 12 minutes (set by using the timer realtime-accounting command).
· The maximum number of accounting attempts is 5 (set by using the retry realtime-accounting command).
In the above case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device considers that the accounting attempt failed.
Examples
# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
Related commands
accounting update-fail
retry
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Use undo secondary accounting to remove a secondary RADIUS accounting server.
Syntax
secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *
undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS accounting servers are specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.
key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.
Usage guidelines
Make sure the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.
A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
The shared key configured by this command takes precedence over the shared key configured with the key accounting command.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
If you modify or remove the accounting server to which the device is sending a start-accounting request, the accounting server might become unreachable. When communication with the unreachable server times out, the device performs the following operations:
· The device tries to communicate with an active server that has the highest priority for accounting.
If you remove the accounting server to which the device has sent start-accounting requests successfully for an online user, the following events occur:
· If the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for subsequent accounting requests.
· If the RADIUS server load sharing feature is enabled, real-time accounting fails for that online user and the accounting result is not accurate for that online user. The reason is that the device can communicate only with the accounting server to which it has sent start-accounting requests successfully. As a result, the device cannot send real-time accounting requests or send and buffer stop-accounting requests for that online user.
Examples
# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# In RADIUS scheme radius2, specify two secondary accounting servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813
[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813
Related commands
display radius scheme
key (RADIUS scheme view)
primary accounting (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication server.
Use undo secondary authentication to remove a secondary RADIUS authentication server.
Syntax
secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS authentication servers are specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of a secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS authentication server.
port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.
key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.
A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
The server status detection is triggered for a server if the specified test profile exists on the device.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
If the server in use becomes unreachable after you modify or remove it during an authentication process, the device tries to communicate with an active server that has the highest priority for authentication.
Examples
# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
Related commands
display radius scheme
key (RADIUS scheme view)
primary authentication (RADIUS scheme view)
radius-server test-profile
vpn-instance (RADIUS scheme view)
snmp-agent trap enable radius
Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
Syntax
snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All RADIUS SNMP notifications are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
accounting-server-down: Specifies notifications to be sent when the RADIUS accounting server becomes unreachable.
accounting-server-up: Specifies notifications to be sent when the RADIUS accounting server becomes reachable.
authentication-error-threshold: Specifies notifications to be sent when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.
authentication-server-down: Specifies notifications to be sent when the RADIUS authentication server becomes unreachable.
authentication-server-up: Specifies notifications to be sent when the RADIUS authentication server becomes reachable.
Usage guidelines
If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.
When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS:
· RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
· RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
· Excessive authentication failures notification—RADIUS generates this notification when the number of authentication failures to the total number of authentication attempts exceeds the specified threshold.
Examples
# Enable the device to send RADIUS accounting server unreachable notifications.
<Sysname> system-view
[Sysname] snmp-agent trap enable radius accounting-server-down
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
A primary RADIUS server is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Specifies the primary RADIUS accounting server.
authentication: Specifies the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:
· Changes the status of the primary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with a secondary server in active state.
When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.
When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.
When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.
This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.
· If you set the status of the server to blocked, the device stops detecting the status of the server.
· If you set the status of the server to active, the device starts to detect the status of the server.
Examples
# In RADIUS scheme radius1, set the status of the primary authentication server to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
display radius scheme
radius-server test-profile
server-load-sharing enable
state secondary
state private
Use state private to set the state of a private RADIUS server.
Syntax
state private { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } ] { active | block }
Default
A private RADIUS server is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Specifies a private RADIUS accounting server.
authentication: Specifies a private RADIUS authentication server.
ipv4-address: Specifies the IPv4 address of a private RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of a private RADIUS server.
port-number: Specifies the UDP service port number of a private RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.
active: Specifies the active state. The device sends requests to a private server when it is in active state.
block: Specifies the blocked state. The device does not send requests to a private server when it is in blocked state.
Usage guidelines
The device automatically detects reachability of a private server and changes its state from active to blocked if the server is unreachable. The blocked state persists only for the period set by using the timer quiet command. When the quiet timer expires, the state of the server automatically changes to active.
To prevent the server state automatically changes from blocked to active, use this command to manually place the server in blocked state before the quiet timer expires. To restore the active state of a manually blocked server, you must also use this command.
If you do not specify a server IP address, this command changes the state of all private RADIUS accounting or authentication servers specified in the scheme.
Examples
# Block all private authentication servers in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state private authentication block
Related commands
display radius scheme
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
A secondary RADIUS server is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Specifies a secondary RADIUS accounting server.
authentication: Specifies a secondary RADIUS authentication server.
host-name: Specifies the host name of the secondary RADIUS server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.
port-number: Specifies the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.
If the device finds that a secondary server in active state is unreachable, the device performs the following operations:
· Changes the status of the secondary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with another secondary server in active state.
When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.
This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.
· If you set the status of the server to blocked, the device stops detecting the status of the server.
· If you set the status of the server to active, the device starts to detect the status of the server.
Examples
# In RADIUS scheme radius1, set the status of all the secondary authentication servers to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
display radius scheme
radius-server test-profile
server-load-sharing enable
state primary
test-aaa
Use test-aaa to perform an AAA test.
Syntax
test-aaa user user-name password password radius-scheme radius-scheme-name [ radius-server { ipv4-address | ipv6 ipv6-address } port-number [ vpn-instance vpn-instance-name ] ] [ chap | pap ] [ attribute-test-group attr-test-group-name ] [ trace ]
Views
User view
Predefined user roles
network-admin
Parameters
user user-name: Specifies the test username, a string of 1 to 80 characters. The username can be a pure username or contain a domain name. The format for a username containing a domain name is pure-username@domain-name. The pure username is case sensitive and the domain name is case insensitive.
password password: Specifies the password of the test user, a case-sensitive string of 1 to 63 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-server: Specifies a RADIUS server.
ipv4-address: Specifies the IPv4 address of the RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the RADIUS server.
port-number: Specifies the UDP port number of the RADIUS server, in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
chap: Specifies the CHAP authentication method (the default).
pap: Specifies the PAP authentication method.
attribute-test-group attr-test-group-name: Specifies a RADIUS attribute test group by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a RADIUS attribute test group or the specified RADIUS attribute test group does not exist, the device does not change the attributes carried in authentication or accounting requests.
trace: Displays detailed information about RADIUS packets exchanged during the AAA test. If you do not specify this keyword, the command displays brief information about the AAA test, including the sent and received packets and the test result.
Usage guidelines
Use this command to identify the reasons for the failure of interaction between the device and the AAA servers.
The device might communicate with the AAA servers incorrectly during an AAA test. Make sure no users come online or go offline during an AAA text.
If the configuration of the specified RADIUS scheme changes, the new configuration does not affect the current AAA test. The modification will take effect in the next test.
The system can have only one AAA test at a time. Another AAA test can be performed only after the current test finishes.
Examples
# Perform an AAA test and display detailed information about the test. The test uses username user1, password 123456, the CHAP authentication method, and RADIUS scheme test.
<Sysname> test-aaa user user1 password 123456 radius-scheme test chap trace
Sent a RADIUS authentication request.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1812
Packet type : Authentication request
Packet length: 118 bytes
Packet ID : 0
Attribute list:
[User-Name(1)] [6] [user1]
[CHAP-Password(3)] [19] [******]
[NAS-IP-Address(4)] [6] [192.168.1.166]
[Service-Type(6)] [6] [2] [Framed]
[Framed-Protocol(7)] [6] [1] [PPP]
[NAS-Identifier(32)] [5] [Sysname]
[Acct-Session-Id(44)] [40] [00000008201707241008280000000c16100171]
[CHAP-Challenge(60)] [18] [******]
[NAS-Port-Type(61)] [6] [15] [Ethernet]
Received a RADIUS authentication response.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1812
Packet type : Access-Reject
Packet length: 20 bytes
Packet ID : 0
Reply-Message: "E63032: Incorrect password. You can retry 9 times."
Sent a RADIUS start-accounting request.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1813
Packet type : Start-accounting request
Packet length: 63 bytes
Packet ID : 1
Attribute list:
[User-Name(1)] [6] [user1]
[Acct-Status-Type(40)] [6] [1] [Start]
[NAS-IP-Address(4)] [6] [192.168.1.166]
[NAS-Identifier(32)] [5] [Sysname]
[Acct-Session-Id(44)] [40] [00000008201707241008280000000c16100171]
Received a RADIUS start-accounting response.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1813
Packet type : Start-accounting response
Packet length: 20 bytes
Packet ID : 1
Sent a RADIUS stop-accounting request.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1813
Packet type : Stop-accounting request
Packet length: 91 bytes
Packet ID : 1
Attribute list:
[User-Name(1)] [6] [user1]
[Acct-Status-Type(40)] [6] [2] [Stop]
[NAS-IP-Address(4)] [6] [192.168.1.166]
[NAS-Identifier(32)] [5] [Sysname]
[Acct-Delay-Time(41)] [6] [0]
[Acct-Session-Id(44)] [40] [00000008201707241008280000000c16100171]
[Acct-Terminate-Cause(49)] [6] [1] [User Request]
Received a RADIUS stop-accounting response.
Server IP : 192.168.1.110
Source IP : 192.168.1.166
VPN instance : N/A
Server port : 1813
Packet type : Stop-accounting response
Packet length: 20 bytes
Packet ID : 1
Test result: Failed
# Perform an AAA test and display brief information about the test. The test uses username user1, password 123456 and the CHAP authentication method to test RADIUS server at 192.168.1.110 in RADIUS scheme test.
<Sysname> test-aaa user user1 password 123456 radius-scheme test radius-server 192.168.1.110 1812
Sent a RADIUS authentication request.
Received a RADIUS authentication response.
Test result: Successful
Table 18 Command output
|
Field |
Description |
|
Server IP |
IP address of the server. |
|
Source IP |
Source IP address of the RADIUS packet. |
|
VPN instance |
MPLS L3VPN instance to which the server belongs. This field displays N/A if the server belongs to the public network. |
|
Server port |
UDP port number of the server. |
|
Packet type |
Type of the RADIUS packet: · Authentication request. · Access-Accept. · Access-Reject. · Start-accounting request. · Start-accounting response. · Stop-accounting request. · Stop-accounting response. |
|
Packet length |
Total length of the RADIUS packet, in bytes. |
|
Packet ID |
ID of the RADIUS packet. This field is used to identity a pair of request and response packets. |
|
[attribute-name (code)] [length] [value] [description] |
Information about a RADIUS attribute: · attribute-name—Name of the attribute. · code—Code of the attribute. · length—Length of the attribute, in bytes. · value—Value of the attribute. · description—Description of the attribute. |
|
Reply-Message: |
The RADIUS server rejected the authentication request and replied a message. |
|
Test result |
Result of the AAA test: · Successful—The test has succeeded. · Failed—The test has failed. If any request is rejected, the test fails. |
Related commands
radius attribute-test-group
radius scheme
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in a RADIUS scheme.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.
A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
Examples
# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme
timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting interval [ second ]
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval: Specifies the real-time accounting interval in the range of 0 to 71582.
second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.
Usage guidelines
When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.
If a user uses RADIUS accounting but not RADIUS authentication and authorization, the device performs real-time accounting for that user only based on the real-time accounting interval set in the user's RADIUS accounting scheme. The real-time accounting interval assigned by the RADIUS accounting server does not take effect.
A short interval helps improve accounting precision but requires many system resources.
Table 19 Recommended real-time accounting intervals
|
Number of users |
Real-time accounting interval |
|
1 to 99 |
3 minutes |
|
100 to 499 |
6 minutes |
|
500 to 999 |
12 minutes |
|
1000 or more |
15 minutes or longer |
The device sends a start-accounting packet for a dual-stack user after the user obtains an IP address of one stack. No matter how long the real-time accounting interval is, the device sends an update-accounting packet for the user immediately after the user obtains an IP address of another stack.
Examples
# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module:
· The maximum number of RADIUS packet transmission attempts.
· The RADIUS server response timeout period.
· The number of RADIUS servers in the RADIUS scheme.
When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.
Examples
# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
display radius scheme
retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to a RADIUS server.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
keep-original: Sends the username to the RADIUS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.
If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users might fail.
Examples
# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The RADIUS scheme belongs to the public network.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN instance is also configured for an individual RADIUS server, the VPN instance specified for the RADIUS scheme does not take effect on that server.
Examples
# Specify VPN instance test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test
Related commands
display radius scheme
EAP profile commands
ca-file
Use ca-file to specify a CA certificate file for EAP authentication.
Use undo ca-file to restore the default.
Syntax
ca-file file-name
undo ca-file
Default
No CA certificate is specified for EAP authentication.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
file-name: Specifies a CA certificate file by its name, a case-sensitive string of 1 to 91 characters. Only CA certificate files in PEM format are supported.
Usage guidelines
You must specify a CA certificate file for the RADIUS server to authenticate certificates of RADIUS clients if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, or TTLS-MSCHAPv2 EAP authentication method is used.
Before you specify a CA certificate file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.
You can specify only one CA certificate file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In EAP profile eap1, specify CA certificate file ca.pem for EAP authentication.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1] ca-file ca.pem
Related commands
certificate-file
certificate-file
Use certificate-file to specify a local certificate file for EAP authentication.
Use undo certificate-file to restore the default.
Syntax
certificate-file file-name
undo certificate-file
Default
No local certificate file is specified for EAP authentication.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
file-name: Specifies a certificate file by its name, a case-sensitive string of 1 to 91 characters. Only certificate files in PEM format are supported.
Usage guidelines
You must specify a local certificate file if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, TTLS-MSCHAPv2, or TLS EAP authentication method is used and RADIUS clients request to authenticate the certificate of the RADIUS server.
Before you specify a local certificate file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.
You can specify only one local certificate file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.
For the RADIUS server to start up, you must specify a local certificate file.
Examples
# In EAP profile eap1, specify certificate file server.pem as the local certificate file for EAP authentication.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1] certificate-file server.pem
Related commands
private-key-file
eap-profile
Use eap-profile to create an EAP profile and enter its view, or enter the view of an existing EAP profile.
Use undo eap-profile to delete an EAP profile.
Syntax
eap-profile eap-profile-name
undo eap-profile eap-profile-name
Default
No EAP profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
eap-profile-name: Specifies the EAP profile name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
An EAP profile is a collection of EAP authentication settings, including the EAP authentication method and authentication parameters used by the RADIUS server to perform authentication.
You can configure a maximum of 16 EAP profiles.
If an EAP profile is applied to the local RADIUS server, all settings in the EAP profile take effect only after the RADIUS server configuration is activated by using the radius-server activate command.
Examples
# Create an EAP profile named eap1 and enter its view.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1]
Related commands
display radius-server active-eap-profile
radius-server activate
radius-server test-profile
method
Use method to specify the default EAP authentication method.
Use undo method to restore the default.
Syntax
method { md5 | peap-gtc | peap-mschapv2 | tls | ttls-gtc | ttls-mschapv2 }
undo method
Default
The default EAP authentication method is the MD5-challenge method.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
md5: Specifies the MD5-challenge method.
peap-gtc: Specifies the PEAP-GTC method.
peap-mschapv2: Specifies the PEAP-MSCHAPv2 method.
tls: Specifies the TLS method.
ttls-gtc: Specifies the TTLS-GTC method.
ttls-mschapv2: Specifies the TTLS-MSCHAPv2 method.
Usage guidelines
You can specify only one default EAP authentication method in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.
The device supports multiple EAP authentication methods. When the device initiates an authentication request to the peer, it preferentially uses the default EAP authentication method in the EAP profile. If the peer uses a different EAP authentication method, it will notify the device of its supported EAP authentication methods. The device will select a method that is supported both locally and by the peer to re-initiate the authentication request. However, if the access device uses the EAP termination mode in authentication for wireless clients, you can specify only the PEAP-GTC as the default EAP authentication method.
Examples
# In EAP profile eap1, specify PEAP-GTC as the default EAP authentication method.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1] method peap-gtc
Related commands
display radius-server active-eap-profile
private-key-file
Use private-key-file to specify a private key file for the local certificate.
Use undo private-key-file to restore the default.
Syntax
private-key-file file-name
undo private-key-file
Default
No private key file is specified for the local certificate.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
file-name: Specifies a private key file by its name, a case-sensitive string of 1 to 91 characters. Only private key files in PEM format are supported.
Usage guidelines
You must specify a private key file for the RADIUS server to decrypt information encrypted by RADIUS clients if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, TTLS-MSCHAPv2, or TLS EAP authentication method is used.
If the local certificate file for EAP authentication includes a private key, specify the local certificate file as the private key file.
Before you specify a private key file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.
You can specify only one private key file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.
For the RADIUS server to start up, you must specify a private key file.
Examples
# In EAP profile eap1, specify private key file server.pem for the local certificate.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1] private-key-file server.pem
Related commands
certificate-file
display radius-server active-eap-profile
private-key-password
Use private-key-password to specify a private key password for the local certificate.
Use undo private-key-password to restore the default.
Syntax
private-key-password { cipher | simple } string
undo private-key-password
Default
No private key password is specified for the local certificate.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-sensitive string of 1 to 63 characters.
Usage guidelines
The private key password must be provided when the device imports or uses the private key of the local certificate. Make sure the private key password specified by using this command is the same as the private key password provided when the private key is imported to the device.
You can specify only one private key password in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.
For the RADIUS server to start up, you must specify a private key password.
Examples
# In EAP profile eap1, specify plaintext password 123 as the private key password for the local certificate.
<Sysname> system-view
[Sysname] eap-profile eap1
[Sysname-eap-profile-eap1] private-key-password simple 123
Related commands
private-key-file
ssl-server-policy
Use ssl-server-policy to specify an SSL server policy for EAP authentication.
Use undo ssl-server-policy to restore the default.
Syntax
ssl-server-policy policy-name
undo ssl-server-policy
Default
No SSL server policy is specified for EAP authentication.
Views
EAP profile view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an SSL server policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Before you execute this command, you must complete the configuration of the specified SSL server policy and the PKI domain to be specified for this policy. For more information about SSL server policies and PKI domains, see SSL configuration and PKI configuration in Security Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In EAP profile eap1, specify SSL server policy tls-server for EAP authentication.
<Sysname> system-view
[Sysname] eap-profile aprf1
[System-eap-prof-aprf1] ssl-server-policy tls-server
Related commands
pki-domain (Security Command Reference)
ssl server-policy (Security Command Reference)
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
data: Specifies the unit for data flows.
byte: Specifies the unit as byte.
giga-byte: Specifies the unit as gigabyte.
kilo-byte: Specifies the unit as kilobyte.
mega-byte: Specifies the unit as megabyte.
packet: Specifies the unit for data packets.
giga-packet: Specifies the unit as giga-packet.
kilo-packet: Specifies the unit as kilo-packet.
mega-packet: Specifies the unit as mega-packet.
one-packet: Specifies the unit as one-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
display hwtacacs scheme
display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.
statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.
Examples
# Displays the configuration of all HWTACACS schemes.
<Sysname> display hwtacacs scheme
Total 1 HWTACACS schemes
------------------------------------------------------------------
HWTACACS Scheme Name : hwtac
Index : 0
Primary Auth Server:
Host name: Not configured
IP : 2.2.2.2 Port: 49 State: Active
VPN Instance: 2
Single-connection: Enabled
Track ID: 1
Primary Author Server:
Host name: Not configured
IP : 2.2.2.2 Port: 49 State: Active
VPN Instance: 2
Single-connection: Disabled
Track ID: 1
Primary Acct Server:
Host name: Not configured
IP : Not Configured Port: 49 State: Block
VPN Instance: Not configured
Single-connection: Disabled
VPN Instance : 2
NAS IP Address : 2.2.2.3
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
Stop-accounting packets buffering : Enabled
Retransmission times : 100
Response Timeout Interval(seconds) : 5
Username Format : with-domain
Data flow unit : Byte
Packet unit : one
------------------------------------------------------------------
Table 20 Command output
|
Field |
Description |
|
Index |
Index number of the HWTACACS scheme. |
|
Primary Auth Server |
Primary HWTACACS authentication server. |
|
Primary Author Server |
Primary HWTACACS authorization server. |
|
Primary Acct Server |
Primary HWTACACS accounting server. |
|
Secondary Auth Server |
Secondary HWTACACS authentication server. |
|
Secondary Author Server |
Secondary HWTACACS authorization server. |
|
Secondary Acct Server |
Secondary HWTACACS accounting server. |
|
Host name |
Host name of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
|
IP |
IP address of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
|
Port |
Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number. |
|
State |
Status of the HWTACACS server: active or blocked. |
|
VPN Instance |
MPLS L3VPN instance to which the HWTACACS server or scheme belongs. If no VPN instance is specified for the server or scheme, this field displays Not configured. |
|
Single-connection |
Single connection status: · Enabled—Establish only one TCP connection for all users to communicate with the server. · Disabled—Establish a TCP connection for each user to communicate with the server. |
|
Track ID |
ID of the track entry associated with the server. This field is not available if the server is not associated with a track entry. |
|
NAS IP Address |
Source IP addresses or source interface for outgoing HWTACACS packets. This field displays Not configured if no source interface or source IP addresses are specified for outgoing HWTACACS packets. |
|
Server Quiet Period(minutes) |
Quiet period for the primary servers, in minutes. |
|
Realtime Accounting Interval(minutes) |
Real-time accounting interval, in minutes. |
|
Stop-accounting packets buffering |
Whether buffering of nonresponded HWTACACS stop-accounting requests is enabled. |
|
Retransmission times |
Maximum number of transmission attempts for individual HWTACACS stop-accounting requests. |
|
Response Timeout Interval(seconds) |
HWTACACS server response timeout period, in seconds. |
|
Username Format |
Format for the usernames sent to the HWTACACS server: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
|
Data flow unit |
Measurement unit for data flows. |
|
Packet unit |
Measurement unit for packets. |
# Display statistics for HWTACACS scheme tac.
<Sysname> display hwtacacs scheme tac statistics
HWTACACS scheme name: tac
Primary authentication server: 111.8.0.244 (Port: 49, VPN instance: -)
Round trip time: 20 seconds
Request packets: 1
Login request packets: 1
Change-password request packets: 0
Request packets including plaintext passwords: 0
Request packets including ciphertext passwords: 0
Response packets: 2
Pass response packets: 1
Failure response packets: 0
Get-data response packets: 0
Get-username response packets: 0
Get-password response packets: 1
Restart response packets: 0
Error response packets: 0
Follow response packets: 0
Malformed response packets: 0
Continue packets: 1
Continue-abort packets: 0
Pending request packets: 0
Timeout packets: 0
Unknown type response packets: 0
Dropped response packets: 0
Primary authorization server :111.8.0.244 (Port: 49, VPN instance: -)
Round trip time: 1 seconds
Request packets: 1
Response packets: 1
PassAdd response packets: 1
PassReply response packets: 0
Failure response packets: 0
Error response packets: 0
Follow response packets: 0
Malformed response packets: 0
Pending request packets: 0
Timeout packets: 0
Unknown type response packets: 0
Dropped response packets: 0
Primary accounting server :111.8.0.244 (Port: 49, VPN instance: -)
Round trip time: 0 seconds
Request packets: 2
Accounting start request packets: 1
Accounting stop request packets: 1
Accounting update request packets: 0
Pending request packets: 0
Response packets: 2
Success response packets: 2
Error response packets: 0
Follow response packets: 0
Malformed response packets: 0
Timeout response packets: 0
Unknown type response packets: 0
Dropped response packets: 0
Table 21 Command output
|
Field |
Description |
|
Primary authentication server |
Primary HWTACACS authentication server. |
|
Primary authorization server |
Primary HWTACACS authorization server. |
|
Primary accounting server |
Primary HWTACACS accounting server. |
|
Secondary authentication server |
Secondary HWTACACS authentication server. |
|
Secondary authorization server |
Secondary HWTACACS authorization server. |
|
Secondary accounting server |
Secondary HWTACACS accounting server. |
|
Port |
Port number of the HWTACACS server. |
|
VPN instance |
VPN instance to which the HWTACACS server or scheme belongs. If the HWTACACS server or scheme belongs to the public network, this field displays a hyphen (-). |
|
Round trip time |
The time interval during which the device processed a pair of request and response. The unit is second. |
|
Request packets |
Total number of sent request packets. |
|
Login request packets |
Number of sent login request packets. |
|
Change-password request packets |
Number of sent request packets for changing passwords. |
|
Request packets including plaintext passwords |
Number of request packets that include plaintext passwords. |
|
Request packets including ciphertext passwords |
Number of request packets that include ciphertext passwords. |
|
Response packets |
Total number of received response packets. |
|
Pass response packets |
Number of response packets indicating successful authentication. |
|
Failure response packets |
Number of response packets indicating authentication or authorization failure. |
|
Get-data response packets |
Number of response packets for obtaining user data. |
|
Get-username response packets |
Number of response packets for obtaining usernames. |
|
Get-password response packets |
Number of response packets for obtaining passwords. |
|
Restart response packets |
Number of response packets for reauthentication. |
|
Error response packets |
Number of error-type response packets. |
|
Follow response packets |
Number of follow-type response packets. |
|
Malformed response packets |
Number of malformed response packets. |
|
Continue packets |
Number of sent Continue packets. |
|
Continue-abort packets |
Number of sent Continue-abort packets. |
|
Pending request packets |
Number of request packets waiting for a response. |
|
Timeout packets/Timeout response packets |
Number of timeout response packets. |
|
Unknown type response packets |
Number of unknown-type response packets. |
|
Dropped response packets |
Number of dropped response packets. |
|
PassAdd response packets |
Number of received PassAdd response packets. The packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added. |
|
PassReply response packets |
Number of received PassReply response packets. The device uses the specified authorization attributes in the packets to replace the requested authorization attributes. |
|
Accounting start request packets |
Number of accounting start request packets. |
|
Accounting stop request packets |
Number of accounting stop request packets. |
|
Accounting update request packets |
Number of accounting update request packets. |
|
Success response packets |
Number of accounting success response packets. |
Related commands
reset hwtacacs statistics
hwtacacs dscp
Use hwtacacs dscp to change the DSCP priority of HWTACACS packets.
Use undo hwtacacs dscp to restore the default.
Syntax
hwtacacs [ ipv6 ] dscp dscp-value
undo hwtacacs [ ipv6 ] dscp
Default
The DSCP priority of HWTACACS packets is 0.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 HWTACACS packets. If you do not specify this keyword, the command sets the DSCP priority for IPv4 HWTACACS packets.
dscp-value: Specifies the DSCP priority of HWTACACS packets, in the range of 0 to 63. A larger value represents a higher priority.
Usage guidelines
To change the transmission priority of HWTACACS packets, change the DSCP priority for them.
DSCP priority is contained in the ToS field of the IPv4 header and in the Traffic Class field of the IPv6 header.
Examples
# Set the DSCP priority of IPv4 HWTACACS packets to 10.
<Sysname> system-view
[Sysname] hwtacacs dscp 10
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to delete the specified source IP address for outgoing HWTACACS packets.
Syntax
hwtacacs nas-ip { interface interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
undo hwtacacs nas-ip { interface | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
Default
The source IP address of an HWTACACS packet sent to the server is the primary IPv4 address or the IPv6 address of the outbound interface.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the source IP address of an outgoing HWTACACS packet.
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.
If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
You can specify a maximum of 16 source IP addresses in system view, including:
· Zero or one public-network source IPv4 address.
· Zero or one public-network source IPv6 address.
· Private-network source IP addresses.
Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address in system view.
You can specify only one source interface to provide the source IP address for outgoing HWTACACS packets. Make sure the route between the source interface and the HWTACACS server is reachable.
The source interface configuration and the source IP address configuration overwrite each other.
Examples
# Specify IP address 129.10.10.1 as the source IP address for HWTACACS packets.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip (HWTACACS scheme view)
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS schemes exist.
Views
System view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be used by more than one ISP domain at the same time.
You can configure a maximum of 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
hwtacacs server-probe track
Use hwtacacs server-probe track to associate an HWTACACS server with a track entry.
Use undo hwtacacs server-probe track to remove the association between an HWTACACS server and a track entry.
Syntax
hwtacacs server-probe { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] track track-entry-number
undo hwtacacs server-probe { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] track
Default
An HWTACACS server is not associated with any track entry.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies an HWTACACS server by its IPv4 address.
ipv6 ipv6-address: Specifies an HWTACACS server by its IPv6 address.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the HWTACACS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
port port-number: Specifies the service port number of the HWTACACS server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
track-entry-number: Specifies a track entry by its ID, in the range of 1 to 1024.
Usage guidelines
Use this command on a network that has high real-time requirements for HWTACACS authentication, authorization, and accounting.
By default, the device does not actively detect the status of an HWTACACS server. It changes the state of an HWTACACS server to active or blocked based on the server response timeout timer and the server quiet timer. This timer-based state transition mechanism needs time to determine the server state, and it cannot ensure that the device obtains the actual server state in time. To resolve this issue, associate the server with a track entry and associate the track entry with a TCP-type NQA operation. This HWTACACS server-Track-NQA collaboration can actively detect the reachability of the server in real time.
By using HWTACACS server-Track-NQA collaboration, the device determines the status of an HWTACACS server only based on the detection result.
1. The NQA operation starts to detect the reachability of the server and obtains the result. NQA sends the detection result to the Track module for the Track module to set the state of the track entry.
¡ If the server is reachable, the Track module sets the state of the track entry to Positive.
¡ If the server is unreachable, the Track module sets the state of the track entry to Negative.
¡ If the Track-NQA collaboration does not take effect, the Track module keeps the track entry in NotReady state or changes its state to NotReady.
2. AAA sets the status of the server based on the track entry state.
¡ If the track entry is in Positive state, AAA sets the state of the server to active.
¡ If the track entry is in Negative state, AAA sets the state of the server to blocked and disables the quiet timer for the server.
¡ If the track entry stays in NotReady state or its state changes to NotReady, AAA sets the state of the server to active.
To start the NQA operation to detect the reachability of the server, use the nqa schedule command with appropriate settings for the scheduling parameters. For more information about associating Track with NQA, see Track configuration in High Availability Configuration Guide. For more information about configuring a TCP-type NQA operation and scheduling the NQA operation, see NQA configuration in Network Management and Monitoring Configuration Guide.
Examples
# Associate HWTACACS server that uses IP address 10.163.155.13 and TCP port number 49 with track entry 1.
<Sysname> system-view
[Sysname] hwtacacs server-probe ip 10.163.155.13 port 49 track 1
Related commands
display hwtacacs scheme
nqa schedule (Network Monitoring and Management Command Reference)
track nqa (High Availability Command Reference)
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Syntax
key { accounting | authentication | authorization } { cipher | simple } string
undo key { accounting | authentication | authorization }
Default
No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
accounting: Specifies the shared key for secure HWTACACS accounting communication.
authentication: Specifies the shared key for secure HWTACACS authentication communication.
authorization: Specifies the shared key for secure HWTACACS authorization communication.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
Examples
# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
Related commands
display hwtacacs scheme
nas-ip (HWTACACS scheme view)
Use nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo nas-ip to delete the specified source IP address for outgoing HWTACACS packets.
Syntax
nas-ip { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address }
undo nas-ip [ interface | ipv6 ]
Default
The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.
If the hwtacacs nas-ip command is not used, the source IP address is the primary IP address of the outbound interface.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the source IP address of an outgoing HWTACACS packet.
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.
If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
For an HWTACACS scheme, the following restrictions apply:
· You can specify only one source IPv4 address and one source IPv6 address for outgoing HWTACACS packets.
· You can specify only one source interface to provide the source IP address for outgoing HWTACACS packets. Make sure the route between the source interface and the HWTACACS server is reachable.
· The source interface configuration and the source IP address configuration overwrite each other.
If you do not specify any parameter for the undo nas-ip command, the command deletes the configured source IPv4 address for outgoing HWTACACS packets.
Examples
# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address for outgoing HWTACACS packets.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
display hwtacacs scheme
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to restore the default.
Syntax
primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
The primary HWTACACS accounting server is not specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.
ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.
port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to restore the default.
Syntax
primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
The primary HWTACACS authentication server is not specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection at each authentication.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to restore the default.
Syntax
primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
The primary HWTACACS authorization server is not specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.
port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
secondary authorization (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Predefined user roles
network-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears the HWTACACS authentication statistics.
authorization: Clears the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs scheme
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove a secondary HWTACACS accounting server.
Syntax
secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS accounting servers are specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server.
port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.
An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
primary accounting (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
Syntax
secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authentication servers are specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of a secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authentication server.
port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.
An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
Syntax
secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authorization servers are specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.
An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
primary authorization (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
server-block-action (HWTACACS view)
Use server-block-action to specify the action to take for AAA requests if all servers in an HWTACACS scheme are blocked.
Use undo server-block-action to restore the default.
Syntax
server-block-action { attempt | skip }
undo server-block-action
Default
The device attempts to connect to the server with the highest priority in an HWTACACS scheme upon receiving AAA requests if all servers in the scheme are blocked.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
attempt: Attempts to connect to the server that has the highest priority in the scheme. Typically, the highest-priority server is the primary server. If no primary server is specified, it is the firstly configured secondary server (except for the servers manually set in block state). If the device fails to connect to the server, it turns to the backup method.
skip: Skips all servers in the scheme and turns to the backup method.
Usage guidelines
The attempt action gives the device a chance to use the scheme in case the server with the highest priority in the scheme might be available. However, the attempt to communicate with an unavailable server increases the response time for AAA requests. As a best practice, specify the skip action in scenarios that require quick responses to AAA requests.
When processing an AAA request, the device does not turn back to a skipped scheme even though the state of the servers in the scheme changes from blocked to active.
Examples
# In HWTACACS scheme hwt1, configure the device to skip all servers in the scheme upon receiving AAA requests if all servers in the scheme are blocked.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] server-block-action skip
Related commands
display hwtacacs scheme
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Examples
# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.
A short interval helps improve accounting precision but requires many system resources.
Table 22 Recommended real-time accounting intervals
|
Number of users |
Real-time accounting interval |
|
1 to 99 |
3 minutes |
|
100 to 499 |
6 minutes |
|
500 to 999 |
12 minutes |
|
1000 or more |
15 minutes or longer |
The device sends a start-accounting packet for a dual-stack user after the user obtains an IP address of one stack. No matter how long the real-time accounting interval is, the device sends an update-accounting packet for the user immediately after the user obtains an IP address of another stack.
Examples
# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme. Any violation will result in user logoffs before the authentication, authorization, or accounting process is complete.
Examples
# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
Related commands
display hwtacacs scheme
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to an HWTACACS server.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
keep-original: Sends the username to the HWTACACS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Usage guidelines
A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
If the HWTACACS scheme is used for wireless users, specify the format of the username to be sent from the access device to the HWTACACS server as keep-original. Otherwise, authentication of the wireless users might fail.
Examples
# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
Related commands
display hwtacacs scheme
vpn-instance (HWTACACS scheme view)
Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The HWTACACS scheme belongs to the public network.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test
Related commands
display hwtacacs scheme
LDAP commands
attribute-map
Use attribute-map to specify the LDAP attribute map in an LDAP scheme.
Use undo attribute-map to restore the default.
Syntax
attribute-map map-name
undo attribute-map
Default
An LDAP scheme does not use an LDAP attribute map.
Views
LDAP scheme view
Predefined user roles
network-admin
Parameters
map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
When the LDAP scheme used for authorization contains an LDAP attribute map, the device converts server-assigned LDAP attributes to device-recognizable AAA attributes based on the mapping entries.
You can specify only one LDAP attribute map in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
If you specify another attribute map or change the mapping entries, the new settings take effect only on the LDAP authorization that occurs after your operation.
Examples
# Specify LDAP attribute map map1 in LDAP scheme ldap1.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] attribute-map map1
Related commands
display ldap scheme
ldap attribute-map
authentication-server
Use authentication-server to specify the LDAP authentication server for an LDAP scheme.
Use undo authentication-server to restore the default.
Syntax
authentication-server server-name
undo authentication-server
Default
No LDAP authentication server is specified for an LDAP scheme.
Views
LDAP scheme view
Predefined user roles
network-admin
Parameters
server-name: Specifies the name of an LDAP server, a case-insensitive string of 1 to 64 characters.
Usage guidelines
You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In LDAP scheme ldap1, specify the LDAP authentication server as ccc.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] authentication-server ccc
Related commands
display ldap scheme
ldap server
authorization-server
Use authorization-server to specify the LDAP authorization server for an LDAP scheme.
Use undo authorization-server to restore the default.
Syntax
authorization-server server-name
undo authorization-server
Default
No LDAP authorization server is specified for an LDAP scheme.
Views
LDAP scheme view
Predefined user roles
network-admin
Parameters
server-name: Specifies the name of an LDAP server, a case-insensitive string of 1 to 64 characters.
Usage guidelines
You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In LDAP scheme ldap1, specify the LDAP authorization server as ccc.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] authorization-server ccc
Related commands
display ldap scheme
ldap server
display ldap scheme
Use display ldap scheme to display LDAP scheme configuration.
Syntax
display ldap scheme [ ldap-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.
Examples
# Display the configuration of all LDAP schemes.
<Sysname> display ldap scheme
Total 1 LDAP schemes
------------------------------------------------------------------
LDAP scheme name : aaa
Authentication server : aaa
IP : 1.1.1.1
Port : 111
VPN instance : Not configured
LDAP protocol version : LDAPv3
Server timeout interval : 10 seconds
Login account DN : Not configured
Base DN : Not configured
Search scope : all-level
User searching parameters:
User object class : Not configured
Username attribute : cn
Username format : with-domain
Group filter : (objectclass=group)
Authorization server : aaa
IP : 1.1.1.1
Port : 111
VPN instance : Not configured
LDAP protocol version : LDAPv3
Server timeout interval : 10 seconds
Login account DN : Not configured
Base DN : Not configured
Search scope : all-level
User searching parameters:
User object class : Not configured
Username attribute : cn
Username format : with-domain
Group filter : (objectclass=group)
Attribute map : map1
------------------------------------------------------------------
Table 23 Command output
|
Field |
Description |
|
Authentication server |
Name of the LDAP authentication server. If no server is configured, this field displays Not configured. |
|
Authorization server |
Name of the LDAP authorization server. If no server is configured, this field displays Not configured. |
|
IP |
IP address of the LDAP server. If no server is specified, this field displays Not configured. |
|
Port |
Port number of the server. If no port number is specified, this field displays the default port number. |
|
VPN instance |
MPLS L3VPN instance to which the LDAP server belongs. If no VPN instance is specified, this field displays Not configured. |
|
LDAP protocol version |
LDAP version, LDAPv2 or LDAPv3. |
|
Server timeout interval |
LDAP server timeout period, in seconds. |
|
Login account DN |
DN of the administrator. |
|
Base DN |
Base DN for user search. |
|
Search scope |
User DN search scope, including: · all-level—All subdirectories. · single-level—Next lower level of subdirectories under the base DN. |
|
User searching parameters |
User search parameters. |
|
User object class |
User object class for user DN search. If no user object class is configured, this field displays Not configured. |
|
Username attribute |
User account attribute for login. |
|
Username format |
Format for the username sent to the server. |
|
Group filter |
User group filter. |
|
Attribute map |
LDAP attribute map used by the scheme. If no LDAP attribute map is used, this field displays Not configured. |
group-filter
Use group-filter to configure the user group filter.
Use undo group-filter to restore the default.
Syntax
group-filter group-filter
undo group-filter
Default
The user group filter is (objectclass=group).
Views
LDAP server view
Predefined user roles
network-admin
Parameters
group-filter: Specifies the user group filter, a case-sensitive string of 1 to 127 characters. The syntax of the filter must meet the filter syntax requirements defined by LDAP servers.
Usage guidelines
When the device requests to import user group information from an LDAP server, the LDAP server sends only user groups that match the user group filter to the device.
Examples
# Configure the user group filter as (&(objectclass=group)(name=group1)) for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] group-filter (&(objectclass=group)(name=group1))
Related commands
display ldap scheme
ip
Use ip to configure the IP address of the LDAP server.
Use undo ip to restore the default.
Syntax
ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ip
Default
An LDAP server does not have an IP address.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IP address of the LDAP server.
port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
The LDAP service port configured on the device must be consistent with the service port of the LDAP server.
If you change the IP address and port number of the LDAP server, the change takes effect only on the LDAP authentication that occurs after the change.
Examples
# Specify the IP address and port number as 192.168.0.10 and 4300 for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300
Related commands
ldap server
ipv6
Use ipv6 to configure the IPv6 address of the LDAP server.
Use undo ipv6 to restore the default.
Syntax
ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ipv6
Default
An LDAP server does not have an IPv6 address.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the IPv6 address of the LDAP server.
port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
The LDAP service port configured on the device must be consistent with the service port of the LDAP server.
If you change the IP address and port number of the LDAP server, the change takes effect only on the LDAP authentication that occurs after the change.
Examples
# Specify the IPv6 address and port number as 1:2::3:4 and 4300 for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300
Related commands
ldap server
ldap attribute-map
Use ldap attribute-map to create an LDAP attribute map and enter its view, or enter the view of an existing LDAP attribute map.
Use undo ldap attribute-map to delete an LDAP attribute map.
Syntax
ldap attribute-map map-name
undo ldap attribute-map map-name
Default
No LDAP attribute maps exist.
Views
System view
Predefined user roles
network-admin
Parameters
map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.
Examples
# Create an LDAP attribute map named map1 and enter LDAP attribute map view.
<Sysname> system-view
[Sysname] ldap attribute-map map1
[Sysname-ldap-map-map1]
Related commands
attribute-map
ldap scheme
map
ldap scheme
Use ldap scheme to create an LDAP scheme and enter its view, or enter the view of an existing LDAP scheme.
Use undo ldap scheme to delete an LDAP scheme.
Syntax
ldap scheme ldap-scheme-name
undo ldap scheme ldap-scheme-name
Default
No LDAP schemes exist.
Views
System view
Predefined user roles
network-admin
Parameters
ldap-scheme-name: Specifies the LDAP scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An LDAP scheme can be used by more than one ISP domain at the same time.
You can configure a maximum of 16 LDAP schemes.
Examples
# Create an LDAP scheme named ldap1 and enter LDAP scheme view.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1]
Related commands
display ldap scheme
ldap server
Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.
Use undo ldap server to delete an LDAP server.
Syntax
ldap server server-name
undo ldap server server-name
Default
No LDAP servers exist.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies the LDAP server name, a case-insensitive string of 1 to 64 characters.
Examples
# Create an LDAP server named ccc and enter LDAP server view.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc]
Related commands
display ldap scheme
login-dn
Use login-dn to specify the administrator DN.
Use undo login-dn to restore the default.
Syntax
login-dn dn-string
undo login-dn
Default
No administrator DN is specified.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
If you change the administrator DN, the change takes effect only on the LDAP authentication that occurs after the change.
Examples
# Specify the administrator DN as uid=test, ou=people, o=example, c=city for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] login-dn uid=test,ou=people,o=example,c=city
Related commands
display ldap scheme
login-password
Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.
Use undo login-password to restore the default.
Syntax
login-password { cipher | simple } string
undo login-password
Default
No administrator password is configured.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 128 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.
Usage guidelines
This command takes effect only after the login-dn command is used.
Examples
# Specify the administrator password as abcdefg in plaintext form for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] login-password simple abcdefg
Related commands
display ldap scheme
login-dn
map
Use map to configure a mapping entry in an LDAP attribute map.
Use undo map to delete the specified mapping entries from the LDAP attribute map.
Syntax
map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }
undo map [ ldap-attribute ldap-attribute-name ]
Default
An LDAP attribute map does not contain mapping entries.
Views
LDAP attribute map view
Predefined user roles
network-admin
Parameters
ldap-attribute ldap-attribute-name: Specifies an LDAP attribute by its name. The ldap-attribute-name argument is a case-insensitive string of 1 to 63 characters.
prefix prefix-value delimiter delimiter-value: Specifies a partial value string of the LDAP attribute for attribute mapping. The prefix-value argument represents the position where the partial string starts. The prefix is a case-insensitive string of 1 to 7 characters, such as cn=. The delimiter-value argument represents the position where the partial string ends, such as a comma (,). If you do not specify the prefix prefix-value delimiter delimiter-value option, the mapping entry uses the entire value string of the LDAP attribute.
aaa-attribute: Specifies an AAA attribute.
user-group: Specifies the user group attribute.
user-profile: Specifies the user profile attribute.
Usage guidelines
Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.
An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.
If you do not specify an LDAP attribute for the undo map command, the command deletes all mapping entries from the LDAP attribute map.
Examples
# In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.
<Sysname> system-view
[Sysname] ldap attribute-map map1
[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
Related commands
ldap attribute-map
user-group
user-profile
protocol-version
Use protocol-version to specify the LDAP version.
Use undo protocol-version to restore the default.
Syntax
protocol-version { v2 | v3 }
undo protocol-version
Default
The LDAP version is LDAPv3.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
v2: Specifies the LDAP version LDAPv2.
v3: Specifies the LDAP version LDAPv3.
Usage guidelines
For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.
If you change the LDAP version, the change takes effect only on the LDAP authentication that occurs after the change.
A Microsoft LDAP server supports only LDAPv3.
Examples
# Specify the LDAP version as LDAPv2 for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] protocol-version v2
Related commands
display ldap scheme
search-base-dn
Use search-base-dn to specify the base DN for user search.
Use undo search-base-dn to restore the default.
Syntax
search-base-dn base-dn
undo search-base-dn
Default
No base DN is specified for user search.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.
Examples
# Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com
Related commands
display ldap scheme
ldap server
search-scope
Use search-scope to specify the user search scope.
Use undo search-scope to restore the default.
Syntax
search-scope { all-level | single-level }
undo search-scope
Default
The user search scope is all-level.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
all-level: Specifies that the search goes through all subdirectories of the base DN.
single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.
Examples
# Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] search-scope all-level
Related commands
display ldap scheme
ldap server
server-timeout
Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.
Use undo server-timeout to restore the default.
Syntax
server-timeout time-interval
undo server-timeout
Default
The LDAP server timeout period is 10 seconds.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.
Usage guidelines
If you change the LDAP server timeout period, the change takes effect only on the LDAP authentication that occurs after the change.
Examples
# Set the LDAP server timeout period to 15 seconds for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] server-timeout 15
Related commands
display ldap scheme
user-parameters
Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.
Use undo user-parameters to restore the default of an LDAP user attribute.
Syntax
user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }
undo user-parameters { user-name-attribute | user-name-format | user-object-class }
Default
The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.
user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.
user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.
Usage guidelines
If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.
Examples
# Set the user object class to person for LDAP server ccc.
<Sysname> system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] user-parameters user-object-class person
Related commands
display ldap scheme
login-dn
RADIUS proxy commands
client
Use client to specify a RADIUS client.
Use undo client to remove a RADIUS client.
Syntax
client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] radius-scheme radius-scheme-name [ key { cipher | simple } string ] [ authentication-port authentication-port-num ] [ accounting-port accounting-port-num ] [ dae-server-port dae-server-port-num ] [ description text ]
undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No RADIUS clients are specified.
Views
RADIUS proxy view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies the RADIUS client by its IPv4 address.
ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.
key: Specifies the shared key for secure communication with the RADIUS client. The specified shared key must be the same as the authentication and accounting shared key configured on the RADIUS client. If the RADIUS client does not have a shared key, do not specify this keyword.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. The encrypted form of the key is a string of 1 to 117 characters and the plaintext form of the key is a string of 1 to 64 characters.
authentication-port authentication-port-num: Specifies the UDP port that listens for authentication request packets from the RADIUS client. The value range for the authentication-port-num argument is 1 to 65535 and the default value is 1812.
accounting-port accounting-port-num: Specifies the UDP port that listens for accounting request packets from the RADIUS client. The value range for the accounting-port-num argument is 1 to 65535 and the default value is 1813.
dae-server-port dae-server-port-num: Specifies the destination UDP port that the RADIUS proxy uses to forward DAE packets to the RADIUS client (acts as a DAS). The value range for the dae-server-port-num argument is 1 to 65535 and the default value is 3799.
description text: Specifies a description for the RADIUS client, a case-sensitive string of 1 to 80 characters.
Usage guidelines
Operating mechanism
With the RADIUS proxy feature, the device listens for and processes authentication and accounting request packets from the specified RADIUS clients.
· When the device receives an authentication request packet from a RADIUS client, it first matches the source IP address and VPN instance of the packet with local RADIUS client settings.
¡ If no matching RADIUS client is found or no RADIUS client has been specified on the device , the device discards the packet.
¡ If a matching RADIUS client is found, the device uses the shared key of the matching RADIUS client to validate the packet. If the packet fails the validation, the device discards the packet. If the packet passes the validation, the device forwards the packet to the RADIUS server in the RADIUS scheme specified by using the radius-scheme radius-scheme-name option. Then, the device listens for the response to the request packet and forwards the response to the RADIUS client.
· When the device receives an accounting request packet from a RADIUS client, it first validates the packet in the same way the authentication request packet was validated. After the packet passes validation, the device searches for the local proxy user entry based on the packet source MAC address and the local RADIUS client configuration.
¡ If the local proxy user entry does not exist, the device cannot obtain the Acct-Session-Id attribute of the interaction packets between the RADIUS proxy and the RADIUS server. The device generates a new Acct-Session-Id attribute value and sends an accounting request to the RADIUS server. After receiving the accounting request, the RADIUS server might not respond or might carry a Session-Timeout attribute with a value of 0 in the response, notifying the device to force the user to go offline, because it cannot find a user corresponding to the new Acct-Session-Id attribute value.
¡ If the local proxy user entry exists, the validated packet will be forwarded to the specified RADIUS server according to the radius-scheme specified in the RADIUS client configuration. The server's response will be forwarded to the RADIUS client.
Restrictions and guidelines
· Make sure a RADIUS client uses the same RADIUS scheme for wireless client authentication, authorization, and accounting. This configuration ensures that the RADIUS proxy can listen for the stop-accounting request packets of wireless online users from the RADIUS client. As a result, the RADIUS proxy can clear local proxy user entries in time to release memory space. In addition, execute the stop-accounting-packet send-force command on the RADIUS client. This command forces the RADIUS client to send a RADIUS stop-accounting request packet to the RADIUS proxy when a wireless client goes offline. The residual user information of the wireless client will be cleared in time from the RADIUS proxy.
· For a RADIUS client, make sure the authentication and accounting ports configured on the RADIUS proxy are the same as the destination UDP ports of authentication and accounting packets sent by the RADIUS client, respectively. In addition, the authentication and accounting ports must be different.
· Execute this command multiple times to specify multiple RADIUS clients. The device supports a maximum of 10000 RADIUS clients.
· If you specify a RADIUS client that has the same IP address and VPN instance as an existing RADIUS client, the most recent configuration overwrites the previous configuration.
· Make sure the RADIUS proxy and a RADIUS client use the same port to forward DAE packets. On the RADIUS proxy, the port is the destination UDP port that the RADIUS proxy uses to forward DAE packets to the RADIUS client (acts as a DAS). On the RADIUS client, the port is the RADIUS DAS port configured by using the port command in RADIUS DAS view.
Examples
# Specify the RADIUS client at 3.3.3.3 for the RADIUS proxy and set the shared key to 123456 in plaintext form for secure RADIUS communication with the RADIUS client. The RADIUS proxy uses the RADIUS servers in RADIUS scheme rs1 for the users from the RADIUS client.
<Sysname> system-view
[Sysname] radius-proxy
[Sysname-radius-proxy] client ip 3.3.3.3 radius-scheme rs1 key simple 123456
Related commands
port
stop-accounting-packet send-force
display radius-proxy statistics
Use display radius-proxy statistics to display RADIUS proxy packet statistics and local proxy user statistics.
Syntax
display radius-proxy statistics [ all | client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all the RADIUS clients.
client: Specifies a RADIUS client.
ip ipv4-address: Specifies the RADIUS client by its IPv4 address.
ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.
Usage guidelines
If you specify no keyword, the command displays RADIUS proxy packet statistics and local proxy user statistics for all RADIUS clients in sequence.
Examples
# Display RADIUS proxy packet statistics and local proxy user statistics for the RADIUS client with IP address 169.168.92.1 in VPN instance v1.
<Sysname> display radius-proxy statistics client ip 169.168.92.1 vpn-instance v1
Authentication packets:
Requests : 10 Accept responses : 2
Challenge packets : 8 Reject responses : 0
Bad authenticators : 0 Dropped requests : 0
Failed to send responses : 0 Request retransmissions: 0
Pending requests : 0 Packet timeouts : 0
Malformed requests : 0 No MAC found requests : 0
Invalid port requests : 0
Accounting packets:
Requests : 2 Responses : 2
Bad authenticators : 0 Dropped requests : 0
Start requests : 0 Realtime requests : 0
Stop requests : 0 Accounting-on requests : 0
Accounting-off requests : 0 Malformed requests : 0
No MAC found requests : 0 Invalid port requests : 0
DAE packets:
Requests : 1 ACKs : 1
NAKs : 0
Residual session context removed : 1
Invalid EAP packets (ignored) : 0
Unsupported attribute : 0 Missing attribute : 0
NAS identification mismatch: 0 Invalid request : 0
Unsupported service : 0 Unsupported extension : 0
Invalid attribute value : 0
Administratively prohibited : 0
Request not routable (proxy) : 0
Session context not found : 0
Session context not removable : 0
Other proxy processing error : 0
Resources unavailable : 0 Request initiated : 0
Multiple session selection unsupported : 0
Deleted local proxy user entries:
Accounting stop : 1 Aging : 1
Accounting-on : 0 Reset : 0
Accounting-off : 0 Roaming : 0
# Display RADIUS proxy packet statistics and local proxy user statistics for all RADIUS clients.
<Sysname> display radius-proxy statistics all
Authentication packets:
Requests : 10 Accept responses : 2
Challenge packets : 8 Reject responses : 0
Bad authenticators : 0 Dropped requests : 0
Failed to send responses : 0 Request retransmissions: 0
Pending requests : 0 Packet timeouts : 0
Malformed requests : 0 No MAC found requests : 0
Invalid port requests : 0 Invalid client requests: 0
Accounting packets:
Requests : 2 Responses : 2
Bad authenticators : 0 Dropped requests : 0
Start requests : 0 Realtime requests : 0
Stop requests : 0 Accounting-on requests : 0
Accounting-off requests : 0 Malformed requests : 0
No MAC found requests : 0 Invalid port requests : 0
Invalid client requests : 0
DAE packets:
Requests : 1 ACKs : 1
NAKs : 0
Residual session context removed : 1
Invalid EAP packets (ignored) : 0
Unsupported attribute : 0 Missing attribute : 0
NAS identification mismatch: 0 Invalid request : 0
Unsupported service : 0 Unsupported extension : 0
Invalid attribute value : 0
Administratively prohibited : 0
Request not routable (proxy) : 0
Session context not found : 0
Session context not removable : 0
Other proxy processing error : 0
Resources unavailable : 0 Request initiated : 0
Multiple session selection unsupported : 0
Deleted local proxy user entries:
Accounting stop : 1 Aging : 1
Accounting-on : 0 Reset : 0
Accounting-off : 0 Roaming : 0
Table 24 Command output
|
Field |
Description |
|
Client IP |
Client IP address. |
|
Client VPN |
VPN in which the client resides. This field displays - if the client belongs to the public network. |
|
Authentication packets |
Number of authentication packets. |
|
Accounting packets |
Number of accounting packets. |
|
DAE packets |
Number of DAE packets. |
|
Deleted local proxy user entries |
Information about the deleted local proxy user entries. |
|
Requests |
Number of request packets. |
|
Accept responses |
Number of Access-Accept packets. |
|
Challenge packets |
Number of Access-Challenge packets. |
|
Reject responses |
Number of Access-Reject packets. |
|
Responses |
Number of accounting response packets. |
|
Bad authenticators |
Number of packets with incorrect authenticators. |
|
Dropped requests |
Number of dropped request packets. |
|
ACKs |
Number of DAE request ACK packets. |
|
NAKs |
Number of DAE request NAK packets. |
|
Failed to send responses |
Number of authentication responses failed to be sent. |
|
Request retransmissions |
Number of retransmitted authentication requests. |
|
Pending requests |
Number of pending timed-out authentication requests. |
|
Packet timeouts |
Number of authentication request timeouts. |
|
Malformed requests |
Number of authentication/accounting requests with invalid a length. |
|
No MAC found requests |
Number of abnormal authentication/accounting requests that do not carry user MAC addresses. |
|
Invalid port requests |
Number of authentication/accounting requests with invalid port numbers. |
|
Start requests |
Number of accounting-start requests. |
|
Realtime requests |
Number of real-time accounting requests. |
|
Stop requests |
Number of accounting-stop requests. |
|
Accounting-on requests |
Number of accounting-on requests. |
|
Accounting-off requests |
Number of accounting-off requests. |
|
Invalid client requests |
Number of authentication/accounting requests that carry invalid RADIUS client information or mismatching client information from existing RADIUS client configuration. |
|
Residual session context removed |
Number of DAE responses with an Error-Cause attribute of 201, which indicates successful deletion of inactive sessions. |
|
Invalid EAP packets (ignored) |
Number of DAE responses with an Error-Cause attribute of 202, which indicates invalid EAP packets. |
|
Unsupported attribute |
Number of DAE responses with an Error-Cause attribute of 401, which indicates that the request carries unsupported attributes. |
|
Missing attribute |
Number of DAE responses with an Error-Cause attribute of 402, which indicates that the request lacks critical attributes. |
|
NAS identification mismatch |
Number of DAE responses with an Error-Cause attribute of 403, which indicates NAS ID mismatching. |
|
Invalid request |
Number of DAE responses with an Error-Cause attribute of 404, which indicates invalid request. |
|
Unsupported service |
Number of DAE responses with an Error-Cause attribute of 405, which indicates that the requested service type is not supported. |
|
Unsupported extension |
Number of DAE responses with an Error-Cause attribute of 406, which indicates that the requested extension application, such as CoA and DM, is not supported. |
|
Invalid attribute value |
Number of DAE responses with an Error-Cause attribute of 407, which indicates that an attribute value in the request is not supported. |
|
Administratively prohibited |
Number of DAE responses with an Error-Cause attribute of 501, which indicates that DAE packets from specific user sessions are not allowed. |
|
Request not routable (proxy) |
Number of DAE responses with an Error-Cause attribute of 502, which indicates that the route used to forward the request is unavailable. |
|
Session context not found |
Number of DAE responses with an Error-Cause attribute of 503, which indicates that the user session is not found. |
|
Session context not removable |
Number of DAE responses with an Error-Cause attribute of 504, which indicates that the session cannot be deleted. |
|
Other proxy processing error |
Number of DAE responses with an Error-Cause attribute of 505, which indicates proxy processing errors of other types. |
|
Resources unavailable |
Number of DAE responses with an Error-Cause attribute of 506, which indicates that the system resources are unavailable. |
|
Request initiated |
Number of DAE responses with an Error-Cause attribute of 507, which indicates that the CoA request is not accepted by the RADIUS client and the RADIUS client is sending authentication requests that carry Authorize Only to the server. |
|
Multiple session selection unsupported |
Number of DAE responses with an Error-Cause attribute of 508, which indicates that DAE requests applied to multiple sessions are not supported. |
|
Accounting stop |
Number of local proxy user entries deleted by accounting-stop packets. |
|
Aging |
Number of local proxy user entries deleted by the aging timer. |
|
Accounting-on |
Number of local proxy user entries deleted by accounting-on packets. |
|
Reset |
Number of local proxy user entries deleted by execution of the reset radius-proxy user command. These entries remain on the RADIUS proxy but do not exist on the RADIUS client. |
|
Accounting-off |
Number of local proxy user entries deleted by accounting-off packets. |
|
Roaming |
Number of deleted local proxy user entries for the corresponding inter-AC roaming users. |
Related commands
reset radius-proxy statistics
display radius-proxy user
Use display radius-proxy user to display RADIUS proxy user information for RADIUS clients.
Syntax
display radius-proxy user [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
client: Specifies a RADIUS client. If you do not specify a RADIUS client, this command displays RADIUS proxy user information for all RADIUS clients.
ip ipv4-address: Specifies the RADIUS client by its IPv4 address.
ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.
count: Displays only the number of RADIUS proxy users. If you do not specify this keyword, the command displays detailed information about RADIUS proxy users.
Examples
# Display RADIUS proxy user information for the RADIUS client with IP address 3.3.3.3.
<Sysname> display radius-proxy user client ip 3.3.3.3
Username MAC address IP address Client IP Client VPN
Yyy1 1-1-1 2.2.2.2 3.3.3.3 abc
Yyy2 1-1-2 - 3.3.3.3 -
# Display the number of RADIUS proxy users on the RADIUS client with IP address 3.3.3.3.
<Sysname> display radius-proxy user client ip 3.3.3.3 count
Total RADIUS users: 2
# Display the number of RADIUS proxy users on all RADIUS clients.
<Sysname> display radius-proxy user count
Total RADIUS users: 102
Client IP Client VPN User count
1.1.1.1 abc 2
1.1.1.3 - 100
Table 25 Command output
|
Field |
Description |
|
MAC address |
MAC address of the user. |
|
IP address |
IP address of the user. If no IP address of the user is obtained, this field displays a hyphen (-). If both the IPv4 and IPv6 addresses of the user are obtained, this field displays only the IPv4 address. |
|
Client IP |
IP address of the RADIUS client that the user accesses. |
|
Client VPN |
Name of the VPN instance to which the RADIUS client belongs. If the RADIUS client belongs to the public network, this field displays a hyphen (-). |
|
Total RADIUS users |
Number of proxy users on the RADIUS client. |
Related commands
reset radius-proxy user
radius-proxy
Use radius-proxy to enable the RADIUS proxy feature and enter RADIUS proxy view.
Use undo radius-proxy to disable the RADIUS proxy feature.
Syntax
radius-proxy
undo radius-proxy
Default
The RADIUS proxy feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In a wireless network, if the authentication location for clients is on APs, the APs act as the authentication device and process the authentication procedure. When a large number of APs exist or the number of APs frequently changes, device management can be complex because each AP requires direct interaction with the RADIUS server for authentication, authorization, and accounting. By deploying a RADIUS proxy on the AC, the above issues can be effectively avoided.
Operating mechanism
With the RADIUS proxy feature enabled on the AC:
1. The RADIUS proxy listens for authentication requests sent by the specified RADIUS client and forwards them to the RADIUS server. Then, the proxy forwards the authentication responses sent by the RADIUS server to the RADIUS client. During this process, the AC also generates a local proxy user entry for the user, which records the following information:
¡ User's username, IP address, and MAC address.
¡ RADIUS client IP address and VPN.
¡ Acct-Session-Id attribute value of the interaction packets between the RADIUS client and the RADIUS proxy.
¡ Acct-Session-Id attribute value of the interaction packets between the RADIUS proxy and the RADIUS server.
2. The RADIUS proxy listens for accounting requests sent by the specified RADIUS client and forwards them to the RADIUS server. Then, the proxy forwards the accounting responses sent by the RADIUS server back to the RADIUS client. Upon receiving an accounting start request or an accounting update request from the RADIUS server, the RADIUS proxy updates the aging time of the local proxy user entry to the currently configured aging time based on the user's MAC address, RADIUS client IP address, and VPN. When the RADIUS proxy receives an accounting stop request from the RADIUS server, it deletes the local proxy user entry based on the user's MAC address, RADIUS client IP address, and VPN.
Restrictions and guidelines
Currently, the RADIUS proxy function only supports access users who meet certain conditions. The RADIUS proxy function can take effect only when the RADIUS client sends authentication/accounting requests that carry the private RADIUS attribute h3c-ip-host-addr or the standard RADIUS attribute calling-station-id, and these attributes contain the user's MAC address.
By default, the RADIUS proxy feature and the RADIUS session-control feature use UDP port 1812 to listen for authentication request packets and session-control packets, respectively. If you use both the RADIUS proxy and RADIUS session-control features, make sure the two features use different ports to listen for packets.
Disabling the RADIUS proxy feature deletes all settings from RADIUS proxy view.
Examples
# Enable the RADIUS proxy feature and enter RADIUS proxy view.
<Sysname> system-view
[Sysname] radius-proxy
[Sysname-radius-proxy]
Related commands
client
reset radius-proxy statistics
Use reset radius-proxy statistics to clear RADIUS proxy packet statistics for RADIUS clients.
Syntax
reset radius-proxy statistics [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]
Views
User view
Predefined user roles
network-admin
Parameters
client: Specifies a RADIUS client.
ip ipv4-address: Specifies the RADIUS client by its IPv4 address.
ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameters, this command clears RADIUS proxy packet statistics for all RADIUS clients.
Examples
# Clear RADIUS proxy packet statistics for the RADIUS client with IP address 3.3.3.3.
<Sysname> reset radius-proxy statistics client ip 3.3.3.3
Related commands
display radius-proxy statistics
reset radius-proxy user
Use reset radius-proxy user to clear RADIUS proxy user information.
Syntax
reset radius-proxy user { mac mac-address [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
Views
User view
Predefined user roles
network-admin
Parameters
mac mac-address: Specifies a proxy user by its MAC address, in the format of H-H-H.
client: Specifies a RADIUS client.
ip ipv4-address: Specifies the RADIUS client by its IPv4 address.
ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.
Usage guidelines
Application scenarios
If residual user information exists on the RADIUS proxy, meaning the number of proxy users saved on the RADIUS proxy is greater than the number of online users on the RADIUS client, you can use this command to clear the proxy user information for the specified client on the RADIUS proxy.
Operating mechanism
After you execute this command, the RADIUS proxy sends a packet to the RADIUS client to forcibly log off the user. If the RADIUS client replies to the RADIUS proxy that the user no longer exists, the RADIUS proxy deletes the corresponding proxy user information.
Restrictions and guidelines
To avoid user authentication failures caused by improper information clearing, make sure the information to clear are about offline users before executing this command.
For this command to take effect, you must also enable the DAS function on the RADIUS client.
Examples
# Clear RADIUS proxy user information for the RADIUS client with IP address 3.3.3.3.
<Sysname> reset radius-proxy user client ip 3.3.3.3
Related commands
display radius-proxy user
timer aging
timer aging
Use timer aging to set the aging time of local proxy user entries
Use undo timer aging to restore the default.
Syntax
timer aging aging-time
undo timer aging
Default
The aging time of local proxy user entries varies by device model.
Views
RADIUS proxy view
Predefined user roles
network-admin
Parameters
aging-time: Specifies the aging time in the range of 0 to 65535 minutes. Setting the value to 0 indicates that the local proxy user entries will not age out.
Usage guidelines
Application scenarios
The aging mechanism for local proxy user entries is used to address the issue of residual local proxy user entries caused by users not sending accounting stop requests in exceptional circumstances.
Operating mechanism
After creating a local proxy user entry for a successfully authenticated user, the RADIUS proxy immediately starts an aging timer for that entry. Subsequently, each time the RADIUS proxy receives an accounting start response or accounting update response from the RADIUS server, it restarts the aging timer for that entry based on the current configuration of this command. The local proxy user entry will be deleted either after the aging time has elapsed or after the RADIUS proxy receives an accounting stop response from the RADIUS server.
Restrictions and guidelines
If you change the aging time, the change does not affect running aging timers. It affects only newly created local proxy entries and restarted aging timers.
As a best practice, do not set the aging time to 0. Value 0 is applicable only to scenarios with fixed clients. After you change the aging time from 0 to a non-zero value, examine if residual entries of offline users exist on the device as a best practice and clear the residual entries. To clear the residual entries, use the reset radius-proxy user command.
If the RADIUS proxy process restarts or master/backup switchover occurs, the system restarts all aging timers for local proxy user entries based on the command setting.
The new aging time takes effect immediately in the following cases:
· An accounting start response or accounting update response is received from the server.
· An 802.11X user passes reauthentication.
Examples
# Set the aging time of local proxy user entries to 60 minutes.
<Sysname> system-view
[Sysname] radius-proxy
[Sysname-radius-proxy] timer aging 60
Related commands
display radius-proxy user
reset radius-proxy user
Connection recording policy commands
aaa connection-recording policy
Use aaa connection-recording policy to create a connection recording policy and enter its view, or enter the view of an existing connection recording policy.
Use aaa connection-recording policy to delete the connection recording policy.
Syntax
aaa connection-recording policy
undo aaa connection-recording policy
Default
The connection recording policy does not exist.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this feature on scenarios where the device acts as an FTP, SSH, SFTP, or Telnet login client to establish a connection with a login server. This feature enables the device to provide an accounting server with the connection start and termination information. When the login client establishes a connection with the login server, the system sends a start-accounting request to the accounting server. When the connection is terminated, the system sends a stop-accounting request to the accounting server.
Examples
# Create a connection recording policy and enter its view.
<Sysname> system-view
[Sysname] aaa connection-recording policy
[sysname-connection-recording-policy]
Related commands
accounting hwtacacs-scheme
display aaa connection-recording policy
accounting hwtacacs-scheme
Use accounting hwtacacs-scheme to specify the accounting method for the connection recording policy.
Use undo accounting to restore the default.
Syntax
accounting hwtacacs-scheme hwtacacs-scheme-name
undo accounting
Default
No accounting method is specified for the connection recording policy. No accounting is performed on the connections initiated by the device as a login client.
Views
Connection recording policy view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If the accounting method is changed, the new method takes effect only on subsequent connections initiated by the device as a login client.
For a connection, once the device sends the start-accounting request to an HWTACACS server, it sends the connection's stop-accounting packet to the same server.
If you execute this command multiple times, the most recent configuration takes effect.
The device includes the username entered by a user in the accounting packets to be sent to the AAA server for connection recording. The username format configured by using the user-name-format command in the accounting scheme does not take effect.
Examples
# Create a connection recording policy, and specify HWTACACS scheme tac as the accounting method.
<Sysname> system-view
[Sysname] aaa connection-recording policy
[sysname-connection-recording-policy] accounting hwtacacs-scheme tac
Related commands
aaa connection-recording policy
display aaa connection-recording policy
display aaa connection-recording policy
Use display aaa connection-recording policy to display the connection recording policy configuration.
Syntax
display aaa connection-recording policy
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the connection recording policy configuration.
<Sysname> display aaa connection-recording policy
Connection-recording policy:
Accounting scheme: HWTACACS=tac1
Related commands
aaa connection-recording policy
accounting hwtacacs-scheme
