H3C S5510 Series, S3610 Series Command Manual

Command Manual – AAA&RADIUS&HWTACACS H3C S3610&S5510 Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands .....................................1-1
1.1 AAA Configuration Commands.......................................................................................... 1-1
1.1.1 access-limit.............................................................................................................. 1-1
1.1.2 accounting default ................................................................................................... 1-2
1.1.3 accounting lan-access............................................................................................. 1-3
1.1.4 accounting login ...................................................................................................... 1-4
1.1.5 accounting optional ................................................................................................. 1-5
1.1.6 attribute ................................................................................................................... 1-6
1.1.7 authentication default .............................................................................................. 1-7
1.1.8 authentication lan-access........................................................................................ 1-8
1.1.9 authentication login ................................................................................................. 1-9
1.1.10 authorization command....................................................................................... 1-11
1.1.11 authorization default............................................................................................ 1-11
1.1.12 authorization lan-access ..................................................................................... 1-13
1.1.13 authorization login ............................................................................................... 1-14
1.1.14 cut connection ..................................................................................................... 1-15
1.1.15 display connection............................................................................................... 1-16
1.1.16 display domain .................................................................................................... 1-17
1.1.17 display local-user ................................................................................................ 1-19
1.1.18 domain................................................................................................................. 1-20
1.1.19 domain default..................................................................................................... 1-21
1.1.20 idle-cut................................................................................................................. 1-22
1.1.21 level ..................................................................................................................... 1-23
1.1.22 local-user............................................................................................................. 1-24
1.1.23 local-user password-display-mode...................................................................... 1-25
1.1.24 password............................................................................................................. 1-25
1.1.25 self-service-url..................................................................................................... 1-26
1.1.26 service-type......................................................................................................... 1-27
1.1.27 service-type ftp.................................................................................................... 1-28
1.1.28 state..................................................................................................................... 1-29
1.2 RADIUS Configuration Commands ................................................................................. 1-30
1.2.1 data-flow-format .................................................................................................... 1-30
1.2.2 display local-server statistics................................................................................. 1-31
1.2.3 display radius ........................................................................................................ 1-32
1.2.4 display radius statistics ......................................................................................... 1-34
1.2.5 display stop-accounting-buffer .............................................................................. 1-35
1.2.6 key......................................................................................................................... 1-37
1.2.7 local-server............................................................................................................ 1-38
1.2.8 local-server nas-ip................................................................................................. 1-39
1.2.9 nas-ip..................................................................................................................... 1-40
1.2.10 primary accounting.............................................................................................. 1-41
1.2.11 primary authentication......................................................................................... 1-42
1.2.12 radius client ......................................................................................................... 1-43
1.2.13 radius nas-ip........................................................................................................ 1-44
1.2.14 radius scheme..................................................................................................... 1-45
1.2.15 radius trap ........................................................................................................... 1-46
1.2.16 reset local-server statistics.................................................................................. 1-47
1.2.17 reset radius statistics........................................................................................... 1-47
1.2.18 reset stop-accounting-buffer ............................................................................... 1-48
1.2.19 retry ..................................................................................................................... 1-49
1.2.20 retry realtime-accounting..................................................................................... 1-50
1.2.21 retry stop-accounting........................................................................................... 1-51
1.2.22 secondary accounting ......................................................................................... 1-52
1.2.23 secondary authentication .................................................................................... 1-53
1.2.24 server-type .......................................................................................................... 1-54
1.2.25 state..................................................................................................................... 1-55
1.2.26 stop-accounting-buffer enable............................................................................. 1-56
1.2.27 timer quiet............................................................................................................ 1-57
1.2.28 timer realtime-accounting.................................................................................... 1-58
1.2.29 timer response-timeout ....................................................................................... 1-59
1.2.30 user-name-format................................................................................................ 1-60
1.3 HWTACACS Configuration Commands .......................................................................... 1-61
1.3.1 data-flow-format .................................................................................................... 1-61
1.3.2 display hwtacacs ................................................................................................... 1-62
1.3.3 display stop-accounting-buffer .............................................................................. 1-64
1.3.4 hwtacacs nas-ip..................................................................................................... 1-65
1.3.5 hwtacacs scheme.................................................................................................. 1-66
1.3.6 key......................................................................................................................... 1-67
1.3.7 nas-ip..................................................................................................................... 1-67
1.3.8 primary accounting................................................................................................ 1-68
1.3.9 primary authentication........................................................................................... 1-69
1.3.10 primary authorization........................................................................................... 1-70
1.3.11 reset hwtacacs statistics ..................................................................................... 1-71
1.3.12 reset stop-accounting-buffer ............................................................................... 1-72
1.3.13 retry stop-accounting........................................................................................... 1-73
1.3.14 secondary accounting ......................................................................................... 1-73
1.3.15 secondary authentication .................................................................................... 1-74
1.3.16 secondary authorization...................................................................................... 1-75
1.3.17 stop-accounting-buffer enable............................................................................. 1-76
1.3.18 timer quiet............................................................................................................ 1-77
1.3.19 timer realtime-accounting.................................................................................... 1-78
1.3.20 timer response-timeout ....................................................................................... 1-79
1.3.21 user-name-format................................................................................................ 1-79
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands

1.1 AAA Configuration Commands

1.1.1 access-limit

Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: Specifies not to limit the number of access users that can be contained in the current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in the current ISP domain. max-user-number ranges from 1 to 1024.
Description
Use the access-limit command to set the maximum number of access users that can be contained in the current ISP domain.
Use the undo access-limit command to restore the default maximum number.
By default, the number of access users that can be contained in the current ISP domain is unlimited.
Because resource contention may occur between access users, it is necessary to properly limit the number of access users in an ISP domain to provide reliable performance to the users in that domain.
Example
# Allow ISP domain aabbcc.net to contain at most 500 access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] access-limit enable 500

1.1.2 accounting default

Syntax
accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting default command to configure an accounting scheme for all users.
Use the undo accounting default command to restore the default accounting scheme for all users.
By default, the local scheme is configured.
It should be noted that:
• The accounting scheme configured by the accounting default command is applicable to all users. Its priority is lower than that of a scheme configured for a specific access mode.
• Local accounting is only used to support the management of local user connections; it has no real statistical function. The management of local connections takes effect for local accounting rather than for local authentication and authorization.
• In the login access mode, accounting is not supported for FTP services.
Related command: authentication default and authorization default.
Example
# In the default ISP domain named system, configure local as the default accounting scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default accounting scheme for all users and local as the backup accounting scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default radius-scheme rd local
# In the default ISP domain named system, restore the default accounting scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting default

1.1.3 accounting lan-access

Syntax
accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo accounting lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting lan-access command to configure accounting for lan-access users.
Use the undo accounting lan-access command to remove accounting for lan-access users.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for lan-access users and local as the backup accounting scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting lan-access

1.1.4 accounting login

Syntax
accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting login
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting login command to configure accounting for login users.
Use the undo accounting login command to remove accounting for login users.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for login users and local as the backup accounting scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting login

1.1.5 accounting optional

Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to enable the accounting-optional function.
Use the undo accounting optional command to disable the accounting-optional function.
By default, the accounting-optional function is disabled.
Note that:
• When the system charges an online user but cannot find an available RADIUS accounting server, or fails to communicate with any RADIUS accounting server, the user can continue to access network resources if the accounting optional command has been configured; otherwise, the user is disconnected from the system. The accounting optional command is often used where only authentication is needed and no accounting is needed.
• With the accounting optional command configured, the system does not send real-time accounting update packets or accounting-stop packets for any user in the RADIUS scheme.
Example
# Enable the accounting-optional function for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] accounting optional

1.1.6 attribute

Syntax
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } *
undo attribute { ip | mac | idle-cut | access-limit | vlan | location } *
View
Local user view
Parameter
ip ip-address: Sets the IP address of the user. The attribute ip command for a local user only applies to H3C 802.1x clients. If you configure this command for a non-H3C client, local authentication will fail.
mac mac-address: Sets the MAC address of the user. mac-address is in H-H-H format.
idle-cut minute: Enables the idle-cut function for the local user. minute is the idle time before the connection is cut, ranging from 1 to 120 minutes.
access-limit max-user-number: Sets the maximum number of users who can access the switch with the current user name. max-user-number ranges from 1 to 1024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, the VLAN the user belongs to). vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the remote access server whose port the user is bound to. ip-address is in dotted decimal notation and defaults to 127.0.0.1 (representing this device). If the user is bound to a remote port, you must specify the nas-ip parameter. If the user is bound to a local port, you need not specify it.
port portnum: Sets the port bound to the user.
Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel the attribute settings of the user.
Related command: display local-user.
Example
# Set the IP address of user1 to 10.110.50.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] attribute ip 10.110.50.1

1.1.7 authentication default

Syntax
authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication default command to configure the authentication scheme for all users.
Use the undo authentication default command to restore the default authentication scheme for all users.
By default, local authentication is used.
The authentication scheme configured by the authentication default command is applicable to all users, but its priority is lower than that of a scheme configured for a specific access mode.
Related command: authorization default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authentication scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default authentication scheme for all users and local as the backup authentication scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme rd local
# In the default ISP domain named system, restore the default authentication scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication default

1.1.8 authentication lan-access

Syntax
authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authentication lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication lan-access command to configure the authentication scheme for lan-access users.
Use the undo authentication lan-access command to remove the authentication scheme for lan-access users.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authentication scheme for lan-access users and local as the backup authentication scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication lan-access

1.1.9 authentication login

Syntax
authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication login
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication login command to configure the authentication scheme for login users.
Use the undo authentication login command to remove the authentication scheme for login users.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authentication scheme for login users and local as the backup authentication scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication login

1.1.10 authorization command

Syntax
authorization command hwtacacs-scheme hwtacacs-scheme-name
undo authorization command
View
ISP domain view
Parameter
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string of up to 32 characters.
Description
Use the authorization command command to configure the command authorization scheme for CLI users.
Use the undo authorization command command to remove the command authorization scheme for CLI users.
Related command: authorization default.
Example
# In the default ISP domain named system, configure the HWTACACS scheme named hw as the command authorization scheme for CLI users. Note that the hw scheme must already be configured. Related command: hwtacacs scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization command hwtacacs-scheme hw

1.1.11 authorization default

Syntax
authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. The user is admitted directly after passing authentication, but has only the default rights.
Description
Use the authorization default command to configure the default authorization scheme for all users.
Use the undo authorization default command to restore the default authorization scheme for all users.
By default, local authorization is used.
It should be noted that:
• The authorization scheme configured by the authorization default command is applicable to all users. Its priority is lower than that of a scheme configured for a specific access mode.
• RADIUS authorization is a special case: it takes effect only when the RADIUS schemes used for authentication and authorization are the same. If RADIUS authorization fails, the reason returned to the NAS is that the server did not respond.
Related command: authentication default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authorization scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default authorization scheme for all users and local as the backup authorization scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default radius-scheme rd local
# In the default ISP domain named system, restore the default authorization scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization default

1.1.12 authorization lan-access

Syntax
authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authorization lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. The user is admitted directly after passing authentication, but has only the default rights.
Description
Use the authorization lan-access command to configure the authorization scheme for lan-access users.
Use the undo authorization lan-access command to remove the authorization scheme for lan-access users.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authorization scheme for lan-access users and local as the backup authorization scheme. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization lan-access

1.1.13 authorization login

Syntax
authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization login
View
Chapter 1 AAA & RADIUS & HWTACACS
Configuration Commands
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but only owns the default rights.
Description
Use the authorization login command to configure authorization for a login user.
Use the undo authorization login command to remove authorization for a login user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for the login user.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authorization scheme for the login user, with local as the backup authorization method. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for the login user.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization login

1.1.14 cut connection

Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down user connections using the specified access method. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.
domain domain-name: Cuts down all user connections in the specified ISP domain. Where, domain-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under the specified port. Where, interface-type is the port type and interface-number is the port number.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address. Where, mac-address is in the H-H-H format.
vlan vlan-id: Cuts down all user connections of the specified VLAN. Where, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with the specified connection index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Cuts down the user connection of the specified user. Where, user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot contain more than 55 characters.
Description
Use the cut connection command to cut down one user connection or one type of user
connections forcibly.
This command cannot cut down the connections of Telnet, SSH and FTP users.
Related command: display connection.
Example
# Cut down all user connections in the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net

1.1.15 display connection

Syntax
display connection [ access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | mac-authentication }: Displays the user connections in the specified access mode. Where, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.
domain domain-name: Displays all user connections under the specified ISP domain. Where, domain-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address. Where, mac-address is in dotted hexadecimal notation (in the form of H.H.H).
vlan vlan-id: Displays all user connections of the specified VLAN. Where, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with the specified connection index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Displays the user connection with the specified user name. Where, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, and the whole string cannot be longer than 80 characters.
Description
Use the display connection command to display information about specified or all
user connections.
If you execute this command without specifying any parameter, all user connections will
be displayed.
This command cannot display information about the connections of the FTP users.
Related command: cut connection.
Example
# Display information about all user connections.
<Sysname> display connection
Total 0 connections matched ,0 listed.

1.1.16 display domain

Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one
specific or all ISP domains.
Related command: access-limit, domain and state.
Example
# Display the configuration information about all ISP domains.
<Sysname> display domain
0  Domain = system
   State = Active
   Access-limit = Disable
   Accounting method = Required
   Default authentication scheme      : local
   Default authorization scheme       : local
   Default accounting scheme          : local
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable

Default Domain Name: system
Total 1 domain(s).
Table 1-1 Description on the fields of the display domain command
Field                           Description
Domain                          Domain name
State                           State of the ISP domain
Access-limit                    Limit on the number of access users
Accounting method               Accounting method
Default authentication scheme   Default authentication scheme
Default authorization scheme    Default authorization scheme
Default accounting scheme       Default accounting scheme
Domain User Template            Domain user template
Idle-cut                        State of the idle-cut function
Self-service                    State of the self-service function
Default Domain Name             Default domain name
Total 1 domain(s)               There is one domain in total
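The field layout in Table 1-1 lends itself to an automated review of a switch's AAA defaults. The following Python is an added example, not part of the manual: it parses display domain output into one dictionary per ISP domain and flags domains that are not Active or whose default authentication, authorization or accounting scheme is none (the manual describes none as granting only default rights). The sample output is constructed from the example above, with a second, deliberately weak domain added; its exact column layout is an assumption.

```python
import re

# Constructed sample in the layout of the page's display domain example, extended with a
# second, deliberately weak domain (example data, not captured switch output).
SAMPLE_OUTPUT = """\
<Sysname> display domain
0  Domain = system
   State = Active
   Accounting method = Required
   Default authentication scheme      : local
   Default authorization scheme       : local
   Default accounting scheme          : local
   Idle-cut = Disable
1  Domain = aabbcc.net
   State = Block
   Accounting method = Required
   Default authentication scheme      : local
   Default authorization scheme       : none
   Default accounting scheme          : none
   Idle-cut = Disable
Default Domain Name: system
Total 2 domain(s).
"""

# A field line reads "Field = value" or "Field : value"; only the Domain line carries an index.
FIELD_RE = re.compile(r"^\s*(?:\d+\s+)?([A-Za-z][A-Za-z -]*?)\s*[=:]\s*(.*?)\s*$")

def parse_domains(text):
    """Return one {field: value} dict per ISP domain block found in display domain output."""
    domains = []
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        field, value = m.groups()
        if field == "Domain":                 # each 'Domain =' line opens a new block
            domains.append({})
        if domains and field != "Default Domain Name":
            domains[-1][field] = value
    return domains

def audit_domain(domain):
    """Return findings for one parsed domain; an empty list means nothing to report."""
    name = domain.get("Domain", "?")
    findings = []
    if domain.get("State") != "Active":
        findings.append(f"{name}: state is {domain.get('State')}, not Active")
    for key, value in domain.items():
        if key.endswith(" scheme") and value.lower() == "none":   # no authN/authZ/accounting
            findings.append(f"{name}: {key} is none")
    return findings
```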

1.1.17 display local-user

Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all local users belonging to the specified ISP domain.
Where, isp-name is the name of an ISP domain, a character string of up to 24
characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling
the idle-cut function, or the local users who are allowed to enable the idle-cut function.
Where, disable specifies the inhibited local users and enable specifies the allowed
local users.
vlan vlan-id: Displays the local users belonging to the specified VLAN. Where, vlan-id ranges from 1 to 4094.
service-type: Displays the local users of the specified type. You can specify one of the following user types: lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), telnet (for Telnet users), ssh (for SSH users), terminal (this type of users are terminal users who log into the switch through the Console port), and ftp (for FTP users).
state { active | block }: Displays the local users in the specified state. Where, active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.
user-name user-name: Displays the local user who has the specified user name. Where, user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters.
Description
Use the display local-user command to display information about specified or all local users.
Related command: local-user.
Example
# Display information about all local users.
<Sysname> display local-user
The contents of local user user1:
 State:                 Active
 ServiceType:           lan-access/telnet
 Idle-cut:              Disable
 Access-limit:          Disable
 Current AccessNum:     0
 Bind location:         Disable
 Vlan ID:               Disable
 IP address:            Disable
 MAC address:           Disable
 User Privilege:        3
Total 1 local user(s) Matched,1 listed.
Table 1-2 Description on the fields of the display local-user command
Field                 Description
State                 State of the local user: Active or Block
ServiceType           Service type (ftp, lan-access, ssh, telnet, or terminal)
Idle-cut              State of the idle-cut function
Access-limit          Limit on the number of access users
Current AccessNum     Number of current access users
Bind location         Whether or not the user is bound to a port
Vlan ID               VLAN of the user
IP address            IP address of the user
MAC address           MAC address of the user
User Privilege        User privilege level
Note:
When the local RADIUS authentication server (local-server) is enabled, the value of
“Current AccessNum” may be inconsistent with the actual number of accessed users
and the displayed value here is just for reference.

1.1.18 domain

Syntax
domain isp-name
undo domain isp-name
View
System view
Parameter
isp-name: Name of an ISP domain, a character string of 1 to 24 characters (case-insensitive). This string cannot contain the following characters: /:*?<>@.
default: Manually configures the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, or enter the view
of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
After you execute the domain command, the system creates an ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state.
Related command: state, display domain.
Example
# Create a new ISP domain "aabbcc.net" and enter its view.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net]
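The user-name rules given for cut connection, display connection and display local-user, together with the ISP domain name rule given for the domain command above, are easy to get wrong when generating account lists or parsing accounting records. As an added example (not from the manual), the following Python checks a login string against exactly those documented limits and splits it into pure user name and domain; lower-casing the domain part is an implementation choice that follows the manual's note that domain names are case-insensitive.

```python
# Added example, not from the manual: check a login name against the user-name rules
# documented for cut connection, display connection and display local-user, and the
# ISP domain name length documented for the domain command.
FORBIDDEN_USER_CHARS = set("/:*?<>")      # never allowed anywhere in a user-name
USER_NAME_MAX, PURE_NAME_MAX = 80, 55     # whole string / part before @
DOMAIN_MIN, DOMAIN_MAX = 1, 24            # ISP domain name length

def check_user_name(user_name):
    """Return the list of rule violations for user_name; an empty list means it is valid.

    Rules from the manual: at most 80 characters in all, none of /:*?<>, at most one @,
    a pure user name (before @) of at most 55 characters and, when a domain is given,
    an ISP domain name of 1 to 24 characters. Because /:*?<> are rejected for the whole
    string and only one @ is allowed, the domain part cannot contain /:*?<>@ either."""
    problems = []
    if not user_name:
        return ["empty user name"]
    if len(user_name) > USER_NAME_MAX:
        problems.append(f"whole string is {len(user_name)} characters, limit is {USER_NAME_MAX}")
    bad = sorted(set(user_name) & FORBIDDEN_USER_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    if user_name.count("@") > 1:
        problems.append("contains more than one @ character")
        return problems                   # the pure/domain split is undefined in this case
    pure, at, domain = user_name.partition("@")
    if len(pure) > PURE_NAME_MAX:
        problems.append(f"pure user name is {len(pure)} characters, limit is {PURE_NAME_MAX}")
    if at and not DOMAIN_MIN <= len(domain) <= DOMAIN_MAX:
        problems.append(f"domain part is {len(domain)} characters, must be {DOMAIN_MIN} to {DOMAIN_MAX}")
    return problems

def split_login(user_name):
    """Split a valid user-name into (pure user name, ISP domain or None).

    The domain part is normalised to lower case because the manual states that ISP
    domain names are case-insensitive; rejecting invalid names first keeps callers honest."""
    problems = check_user_name(user_name)
    if problems:
        raise ValueError(f"invalid user-name {user_name!r}: " + "; ".join(problems))
    pure, at, domain = user_name.partition("@")
    return pure, (domain.lower() if at else None)
```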

1.1.19 domain default

Syntax
domain default { disable | enable isp-name }
View
System view
Parameter
disable: Disables the specified ISP domain from being configured as the default.
enable: Configures the specified ISP domain as the default.
isp-name: ISP domain name.
Description
Use the domain default command to configure the default ISP domain manually.
The default ISP domain is "system".
Note that:
- There is one and only one default ISP domain.
- You can manually configure only an existing domain as the default ISP domain.
- To remove the default ISP domain defined, you need to use the domain default disable command first.
Related command: state, display domain.
Example
# Create a new ISP domain with the name "aabbcc.net" and configure it as the default
ISP domain.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] quit
[Sysname] domain default enable aabbcc.net

1.1.20 idle-cut

Syntax
idle-cut { disable | enable minute }
View
ISP domain view
Parameter
disable: Inhibits users from enabling the idle-cut function.
enable: Allows users to enable the idle-cut function.
minute: Maximum idle time, ranging from 1 minute to 120 minutes.
Description
Use the idle-cut command to set the user idle-cut function in current ISP domain.
By default, this function is disabled.
Related command: domain.