HP A5500 EI, A5500 SI Command Reference Manual

HP A5500 EI & A5500 SI Switch Series
Security Command Reference
Abstract
This document describes the commands and command syntax options available for the HP A Series products.
This document is intended for network planners, field technical support and servicing engineers, and network administrators who work with HP A Series products.
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
AAA configuration commands ····· 1
  General AAA configuration commands ····· 1
    aaa nas-id profile (available only on the A5500 EI) ····· 1
    access-limit enable ····· 1
    accounting command ····· 2
    accounting default ····· 3
    accounting lan-access ····· 3
    accounting login ····· 4
    accounting optional ····· 5
    accounting portal ····· 6
    authentication default ····· 7
    authentication lan-access ····· 7
    authentication login ····· 8
    authentication portal ····· 9
    authentication super ····· 10
    authorization command ····· 11
    authorization default ····· 11
    authorization lan-access ····· 12
    authorization login ····· 13
    authorization portal ····· 14
    authorization-attribute user-profile ····· 15
    cut connection ····· 16
    display connection ····· 17
    display domain ····· 19
    domain ····· 21
    domain default enable ····· 21
    idle-cut enable ····· 22
    nas-id bind vlan (available only on the A5500 EI) ····· 23
    self-service-url enable ····· 24
    state (ISP domain view) ····· 24
  Local user configuration commands ····· 25
    access-limit ····· 25
    authorization-attribute (local user view/user group view) ····· 26
    bind-attribute ····· 27
    display local-user ····· 28
    display user-group ····· 30
    expiration-date (local user view) ····· 31
    group ····· 32
    local-user ····· 33
    local-user password-display-mode ····· 33
    password ····· 34
    service-type ····· 35
    state (local user view) ····· 36
    user-group ····· 36
  RADIUS configuration commands ····· 37
    accounting-on enable ····· 37
    attribute 25 car ····· 38
    data-flow-format (RADIUS scheme view) ····· 39
    display radius scheme ····· 39
    display radius statistics ····· 42
    display stop-accounting-buffer ····· 45
    key (RADIUS scheme view) ····· 46
    nas device-id (available only on the A5500 EI) ····· 47
    nas-backup-ip (available only on the A5500 EI) ····· 48
    nas-ip (RADIUS scheme view) ····· 49
    primary accounting (RADIUS scheme view) ····· 50
    primary authentication (RADIUS scheme view) ····· 51
    radius client ····· 52
    radius nas-backup-ip (available only on the A5500 EI) ····· 53
    radius nas-ip ····· 54
    radius scheme ····· 55
    radius trap ····· 56
    reset radius statistics ····· 57
    reset stop-accounting-buffer ····· 57
    retry ····· 58
    retry realtime-accounting ····· 59
    retry stop-accounting (RADIUS scheme view) ····· 60
    secondary accounting (RADIUS scheme view) ····· 60
    secondary authentication (RADIUS scheme view) ····· 62
    security-policy-server ····· 64
    server-type ····· 64
    state primary ····· 65
    state secondary ····· 66
    stop-accounting-buffer enable (RADIUS scheme view) ····· 67
    timer quiet (RADIUS scheme view) ····· 67
    timer realtime-accounting (RADIUS scheme view) ····· 68
    timer response-timeout (RADIUS scheme view) ····· 69
    user-name-format (RADIUS scheme view) ····· 70
    vpn-instance (RADIUS scheme view) (available only on the A5500 EI) ····· 71
  HWTACACS configuration commands ····· 71
    data-flow-format (HWTACACS scheme view) ····· 71
    display hwtacacs ····· 72
    display stop-accounting-buffer ····· 75
    hwtacacs nas-ip ····· 75
    hwtacacs scheme ····· 76
    key (HWTACACS scheme view) ····· 77
    nas-ip (HWTACACS scheme view) ····· 78
    primary accounting (HWTACACS scheme view) ····· 78
    primary authentication (HWTACACS scheme view) ····· 79
    primary authorization ····· 80
    reset hwtacacs statistics ····· 81
    reset stop-accounting-buffer ····· 82
    retry stop-accounting (HWTACACS scheme view) ····· 82
    secondary accounting (HWTACACS scheme view) ····· 83
    secondary authentication (HWTACACS scheme view) ····· 84
    secondary authorization ····· 85
    stop-accounting-buffer enable (HWTACACS scheme view) ····· 86
    timer quiet (HWTACACS scheme view) ····· 87
    timer realtime-accounting (HWTACACS scheme view) ····· 87
    timer response-timeout (HWTACACS scheme view) ····· 88
    user-name-format (HWTACACS scheme view) ····· 89
    vpn-instance (HWTACACS scheme view) (available only on the A5500 EI) ····· 89
  RADIUS server configuration commands ····· 90
    authorization-attribute (RADIUS-server user view) ····· 90
    description (RADIUS-server user view) ····· 91
    expiration-date (RADIUS-server user view) ····· 91
    password (RADIUS-server user view) ····· 92
    radius-server client-ip ····· 93
    radius-server user ····· 94
802.1X configuration commands ····· 96
    display dot1x ····· 96
    dot1x ····· 99
    dot1x authentication-method ····· 100
    dot1x auth-fail vlan ····· 101
    dot1x guest-vlan ····· 102
    dot1x handshake ····· 103
    dot1x handshake secure ····· 104
    dot1x mandatory-domain ····· 105
    dot1x max-user ····· 106
    dot1x multicast-trigger ····· 107
    dot1x port-control ····· 107
    dot1x port-method ····· 109
    dot1x quiet-period ····· 110
    dot1x re-authenticate ····· 110
    dot1x retry ····· 111
    dot1x timer ····· 112
    dot1x unicast-trigger ····· 113
    reset dot1x statistics ····· 114
EAD fast deployment configuration commands ····· 115
    dot1x free-ip ····· 115
    dot1x timer ead-timeout ····· 115
    dot1x url ····· 116
MAC authentication configuration commands ····· 118
    display mac-authentication ····· 118
    mac-authentication ····· 120
    mac-authentication domain ····· 121
    mac-authentication guest-vlan ····· 122
    mac-authentication max-user ····· 123
    mac-authentication timer ····· 123
    mac-authentication user-name-format ····· 124
    reset mac-authentication statistics ····· 126
Portal configuration commands ····· 127
    display portal acl (available only on the A5500 EI) ····· 127
    display portal connection statistics (available only on the A5500 EI) ····· 129
    display portal free-rule ····· 132
    display portal interface ····· 133
    display portal local-server ····· 135
    display portal server (available only on the A5500 EI) ····· 136
    display portal server statistics (available only on the A5500 EI) ····· 137
    display portal tcp-cheat statistics ····· 139
    display portal user ····· 141
    portal auth-fail vlan ····· 142
    portal auth-network (available only on the A5500 EI) ····· 143
    portal backup-group (available only on the A5500 EI) ····· 144
    portal delete-user ····· 144
    portal domain ····· 145
    portal free-rule ····· 146
portal local-server ················································································································································ 147 portal local-server enable ··································································································································· 148 portal local-server ip ··········································································································································· 149 portal max-user ···················································································································································· 149 portal move-mode auto ······································································································································· 150 portal nas-id-profile (available only on the A5500 EI) ···················································································· 151 portal nas-ip (available only on the A5500 EI) ······························································································· 152 portal nas-port-type (available only on the A5500 EI) ···················································································· 152 portal offline-detect interval ································································································································ 153 portal redirect-url ················································································································································· 154 portal server (available only on the A5500 EI) ······························································································· 154 portal server banner ············································································································································ 156 portal server method (available only on the A5500 EI) 
················································································· 156 portal server server-detect (available only on the A5500 EI) ········································································· 157 portal server user-sync (available only on the A5500 EI) ··············································································· 159 portal web-proxy port ········································································································································· 160 reset portal connection statistics (available only on the A5500 EI) ······························································· 161 reset portal server statistics (available only on the A5500 EI) ······································································· 161 reset portal tcp-cheat statistics ···························································································································· 162
Port security configuration commands ······················································································································ 163
display port-security ············································································································································ 163 display port-security mac-address block ··········································································································· 166 display port-security mac-address security ········································································································ 167 port-security authorization ignore ······················································································································ 169 port-security enable ············································································································································· 170 port-security intrusion-mode ································································································································ 170 port-security mac-address security ····················································································································· 171 port-security max-mac-count ······························································································································· 173 port-security ntk-mode ········································································································································· 174 port-security oui ··················································································································································· 174 port-security port-mode ······································································································································· 175 port-security timer autolearn aging ···················································································································· 177 port-security timer disableport 
···························································································································· 178 port-security trap ·················································································································································· 179
User profile configuration commands ······················································································································· 181
display user-profile ·········· 181
user-profile enable ·········· 182
user-profile ·········· 182
Password control configuration commands ············································································································· 184
display password-control ·········· 184
display password-control blacklist ·········· 185
password ·········· 186
password-control aging ·········· 187
password-control alert-before-expire ·········· 188
password-control authentication-timeout ·········· 189
password-control complexity ·········· 189
password-control composition ·········· 190
password-control { aging | composition | history | length } enable ·········· 191
password-control enable ·········· 192
password-control expired-user-login ·········· 192
password-control history ·········· 193
password-control length ·········· 194
password-control login idle-time ·········· 194
password-control login-attempt ·········· 195
password-control password update interval ·········· 196
password-control super aging ·········· 197
password-control super composition ·········· 198
password-control super length ·········· 198
reset password-control blacklist ·········· 199
reset password-control history-record ·········· 199
HABP configuration commands ································································································································· 201
display habp ·········· 201
display habp table ·········· 202
display habp traffic ·········· 202
habp client vlan ·········· 203
habp enable ·········· 204
habp server vlan ·········· 204
habp timer ·········· 205
Public key configuration commands ························································································································· 207
display public-key local public ·········· 207
display public-key peer ·········· 208
peer-public-key end ·········· 210
public-key-code begin ·········· 210
public-key-code end ·········· 211
public-key local create ·········· 212
public-key local destroy ·········· 213
public-key local export dsa ·········· 213
public-key local export rsa ·········· 214
public-key peer ·········· 215
public-key peer import sshkey ·········· 216
PKI configuration commands ····································································································································· 218
attribute ·········· 218
ca identifier ·········· 219
certificate request entity ·········· 219
certificate request from ·········· 220
certificate request mode ·········· 220
certificate request polling ·········· 221
certificate request url ·········· 222
common-name ·········· 223
country ·········· 223
crl check ·········· 224
crl update-period ·········· 224
crl url ·········· 225
display pki certificate ·········· 225
display pki certificate access-control-policy ·········· 227
display pki certificate attribute-group ·········· 228
display pki crl domain ·········· 229
fqdn ·········· 231
ip (PKI entity view) ·········· 231
ldap-server ·········· 232
locality ·········· 232
organization ·········· 233
organization-unit ·········· 233
pki certificate access-control-policy ·········· 234
pki certificate attribute-group ·········· 235
pki delete-certificate ·········· 235
pki domain ·········· 236
pki entity ·········· 236
pki import-certificate ·········· 237
pki request-certificate domain ·········· 238
pki retrieval-certificate ·········· 238
pki retrieval-crl domain ·········· 239
pki validate-certificate ·········· 239
root-certificate fingerprint ·········· 240
rule (PKI CERT ACP view) ·········· 241
state ·········· 241
IPsec configuration commands ·································································································································· 243
ah authentication-algorithm ·········· 243
display ipsec policy ·········· 244
display ipsec proposal ·········· 246
display ipsec sa ·········· 247
display ipsec statistics ·········· 249
display ipsec tunnel ·········· 251
encapsulation-mode ·········· 253
esp authentication-algorithm ·········· 253
esp encryption-algorithm ·········· 254
ipsec policy ·········· 255
ipsec proposal ·········· 256
proposal ·········· 256
reset ipsec sa ·········· 257
reset ipsec statistics ·········· 258
sa authentication-hex ·········· 258
sa encryption-hex ·········· 259
sa spi ·········· 260
sa string-key ·········· 261
transform ·········· 262
SSH2.0 configuration commands ····························································································································· 264
SSH2.0 server configuration commands ··················································································································· 264
display ssh server ·········· 264
display ssh user-information ·········· 265
ssh server authentication-retries ·········· 266
ssh server authentication-timeout ·········· 267
ssh server compatible-ssh1x enable ·········· 268
ssh server enable ·········· 268
ssh server rekey-interval ·········· 269
ssh user ·········· 269
SSH2.0 client configuration commands ···················································································································· 271
display ssh client source ·········· 271
display ssh server-info ·········· 271
ssh client authentication server ·········· 272
ssh client first-time enable ·········· 273
ssh client ipv6 source ·········· 274
ssh client source ·········· 275
ssh2 ·········· 275
ssh2 ipv6 ·········· 276
SFTP configuration commands ·································································································································· 279
SFTP server configuration commands ························································································································ 279
sftp server enable ·········· 279
sftp server idle-timeout ·········· 279
SFTP client configuration commands ·········· 280
bye ·········· 280
cd ·········· 280
cdup ·········· 281
delete ·········· 281
dir ·········· 282
display sftp client source ·········· 283
exit ·········· 283
get ·········· 284
help ·········· 284
ls ·········· 285
mkdir ·········· 286
put ·········· 286
pwd ·········· 287
quit ·········· 287
remove ·········· 288
rename ·········· 288
rmdir ·········· 289
sftp ·········· 289
sftp client ipv6 source ·········· 290
sftp client source ·········· 291
sftp ipv6 ·········· 292
SSL configuration commands ·········· 294
ciphersuite ·········· 294
client-verify enable ·········· 295
close-mode wait ·········· 295
display ssl client-policy ·········· 296
display ssl server-policy ·········· 297
handshake timeout ·········· 298
pki-domain ·········· 299
prefer-cipher ·········· 299
server-verify enable ·········· 300
session ·········· 301
ssl client-policy ·········· 302
ssl server-policy ·········· 302
version ·········· 303
TCP attack protection configuration commands ······································································································ 304
display tcp status ·········· 304
tcp syn-cookie enable ·········· 305
IP source guard configuration commands ················································································································ 306
display ip check source ·········· 306
display user-bind ·········· 307
ip check source ·········· 309
user-bind (Layer 2 Ethernet port view) ·········· 310
user-bind (system view) ·········· 311
user-bind uplink ·········· 312
ARP attack protection configuration commands ······································································································ 313
ARP defense against IP packet attacks configuration commands ··········································································· 313
arp resolving-route enable ·········· 313
arp source-suppression enable ·········· 313
arp source-suppression limit ·········· 314
display arp source-suppression ·········· 315
ARP packet rate limit configuration commands ········································································································ 316
arp rate-limit ·········· 316
arp rate-limit information ·········· 316
Source MAC address based ARP attack detection configuration commands ······················································· 317
arp anti-attack source-mac ·········· 317
arp anti-attack source-mac aging-time ·········· 318
arp anti-attack source-mac exclude-mac ·········· 318
arp anti-attack source-mac threshold ·········· 319
display arp anti-attack source-mac ·········· 320
ARP packet source MAC address consistency check configuration commands ··················································· 321
arp anti-attack valid-check enable ····················································································································· 321
ARP active acknowledgement configuration commands ························································································· 321
arp anti-attack active-ack enable ······················································································································· 321
ARP detection configuration commands ···················································································································· 322
arp detection enable ·········· 322
arp detection trust ·········· 323
arp detection validate ·········· 323
arp restricted-forwarding enable ·········· 324
display arp detection ·········· 324
display arp detection statistics ·········· 325
reset arp detection statistics ·········· 326
ARP automatic scanning and fixed ARP configuration commands ········································································· 327
arp fixup ······················································· 327
arp scan ························································ 327
ARP gateway protection configuration commands ·································································································· 328
arp filter source···················································································································································· 328
ARP filtering configuration commands ······················································································································· 329
arp filter binding·················································································································································· 329
ND attack defense configuration commands··········································································································· 331
Source MAC consistency check commands ·············································································································· 331
ipv6 nd mac-check enable ································································································································· 331
ND detection configuration commands ····················································································································· 332
display ipv6 nd detection ······································· 332
display ipv6 nd detection statistics ···························· 333
ipv6 nd detection enable ········································ 333
ipv6 nd detection trust ········································· 334
reset ipv6 nd detection statistics ······························ 335
URPF configuration commands (available only on the A5500 EI) ········································································ 336
ip urpf ··································································································································································· 336
Support and other resources ····································································································································· 337
Contacting HP ······························································································································································ 337
Subscription service ············································································································································ 337
Related information ······················································································································································ 337
Documents ······················································· 337
Websites ························································ 337
Conventions ·································································································································································· 338
Index ············································································································································································· 340

AAA configuration commands

NOTE:
The vpn-instance keyword and the vpn-instance vpn-instance-name command (in RADIUS or HWTACACS scheme view) are available only on the A5500 EI Switch Series.

General AAA configuration commands

aaa nas-id profile (available only on the A5500 EI)

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
View
System view
Default level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Description
Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
Use the undo aaa nas-id profile command to remove a NAS ID profile.
Related commands: nas-id bind vlan.
Examples
# Create a NAS ID profile named aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]

access-limit enable

Syntax
access-limit enable max-user-number
undo access-limit enable
View
ISP domain view
Default level
2: System level
Parameters
max-user-number: Maximum number of users, in the range 1 to 2147483646.
Description
Use the access-limit enable command to enable the limit on the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the maximum number allowed, no more users will be accepted.
Use the undo access-limit enable command to restore the default.
By default, there is no limit to the number of users in an ISP domain.
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of users helps provide reliable system performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500

accounting command

Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting command command to specify the command line accounting method.
Use the undo accounting command command to restore the default.
By default, the default accounting method for the ISP domain is used for command line accounting.
The specified HWTACACS scheme must have been configured.
Command line accounting can use only an HWTACACS scheme.
Related commands: accounting default and hwtacacs scheme.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

accounting default

Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting default command to configure the default accounting method for an ISP domain.
Use the undo accounting default command to restore the default.
By default, the default accounting method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method will be used for all users for whom no specific accounting methods are configured.
Local accounting is only for monitoring and controlling the number of local user connections; it does not provide the statistics function that the accounting feature generally provides.
Related commands: hwtacacs scheme and radius scheme.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

accounting lan-access

Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting lan-access command to configure the accounting method for LAN users.
Use the undo accounting lan-access command to restore the default.
By default, the default accounting method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local

accounting login

Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting login command to configure the accounting method for login users.
Use the undo accounting login command to restore the default.
By default, the default accounting method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users that use FTP.
Related commands: local-user, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local

accounting optional

Syntax
accounting optional
undo accounting optional
View
ISP domain view
Default level
2: System level
Parameters
None
Description
Use the accounting optional command to enable the accounting optional feature.
Use the undo accounting optional command to disable the feature.
By default, the feature is disabled.
After you configure the accounting optional command for a domain, a user that will be disconnected otherwise can continue to use the network resources when no accounting server is available or the communication with the current accounting server fails. However, the device will not send real-time accounting updates for the user anymore. The accounting optional feature applies to scenarios where accounting is not important.
NOTE:
After you configure the accounting optional command, the setting by the access-limit command in local user view is not effective.
Examples
# Enable the accounting optional feature for users in domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional

accounting portal

Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting portal command to configure the accounting method for portal users.
Use the undo accounting portal command to restore the default.
By default, the default accounting method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local

authentication default

Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication default command to configure the default authentication method for an ISP domain.
Use the undo authentication default command to restore the default.
By default, the default authentication method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method will be used for all users for whom no specific authentication methods are configured.
Related commands: local-user, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local

authentication lan-access

Syntax
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication lan-access command to configure the authentication method for LAN users.
Use the undo authentication lan-access command to restore the default.
By default, the default authentication method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, authentication default, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

authentication login

Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication login command to configure the authentication method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP).
Use the undo authentication login command to restore the default.
By default, the default authentication method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local

authentication portal

Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication portal command to configure the authentication method for portal users.
Use the undo authentication portal command to restore the default.
By default, the default authentication method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: authentication default and radius scheme.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local

authentication super

Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use the authentication super command to configure the authentication method for user privilege level switching.
Use the undo authentication super command to restore the default.
By default, the default authentication method for the ISP domain is used for user privilege level switching authentication.
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Related commands: hwtacacs scheme and radius scheme; super authentication-mode (Fundamentals Command Reference).
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-isp-test] authentication super hwtacacs-scheme tac

authorization command

Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
Description
Use the authorization command command to configure the command line authorization method.
Use the undo authorization command command to restore the default.
By default, the default authorization method for the ISP domain is used for command line authorization.
The specified HWTACACS scheme must have been configured.
With command line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user.
Related commands: local-user, authorization default, and hwtacacs scheme.
Examples
# Configure ISP domain test to use local command line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

authorization default

Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization default command to configure the default authorization method for an ISP domain.
Use the undo authorization default command to restore the default.
By default, the default authorization method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authorization method will be used for all users for whom no specific authorization methods are configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authentication default, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local

authorization lan-access

Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization lan-access command to configure the authorization method for LAN users.
Use the undo authorization lan-access command to restore the default.
By default, the default authorization method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local

authorization login

Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization login command to configure the authorization method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP).
Use the undo authorization login command to restore the default.
By default, the default authorization method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
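Putting the domain-level commands above together: the following is an added configuration example, not taken from the manual, for an administrator domain that authenticates, authorizes and accounts login users against RADIUS scheme rd (the same scheme for authentication and authorization, which the authorization commands require for RADIUS authorization to take effect), falls back to local AAA when the RADIUS servers do not respond, and sends command-line authorization and accounting to HWTACACS scheme hwtac. The radius scheme, hwtacacs scheme and local-user view commands are assumed from later sections of this reference; the domain name admin, the scheme names, the server addresses and the shared keys are placeholders.

```text
# Added example (not from the manual). Server addresses and keys are placeholders.
# 1. RADIUS scheme used for login authentication, authorization and accounting.
<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] primary authentication 192.0.2.10 1812
[Sysname-radius-rd] primary accounting 192.0.2.10 1813
[Sysname-radius-rd] key authentication RADIUS-KEY-PLACEHOLDER
[Sysname-radius-rd] key accounting RADIUS-KEY-PLACEHOLDER
[Sysname-radius-rd] quit
# 2. HWTACACS scheme: the only scheme type command-line authorization and accounting accept.
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authorization 192.0.2.20 49
[Sysname-hwtacacs-hwtac] primary accounting 192.0.2.20 49
[Sysname-hwtacacs-hwtac] key authorization TACACS-KEY-PLACEHOLDER
[Sysname-hwtacacs-hwtac] key accounting TACACS-KEY-PLACEHOLDER
[Sysname-hwtacacs-hwtac] quit
# 3. Local account that the "local" backup methods below fall back to when no server answers.
[Sysname] local-user admin
[Sysname-luser-admin] password simple LOCAL-PASSWORD-PLACEHOLDER
[Sysname-luser-admin] service-type ssh terminal
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] quit
# 4. The ISP domain: per-access-type methods for login users override the domain defaults
#    (which stay at their default of local), and RADIUS authentication and authorization
#    share scheme rd so that RADIUS-supplied authorization attributes are honoured.
[Sysname] domain admin
[Sysname-isp-admin] authentication login radius-scheme rd local
[Sysname-isp-admin] authorization login radius-scheme rd local
[Sysname-isp-admin] accounting login radius-scheme rd local
[Sysname-isp-admin] authorization command hwtacacs-scheme hwtac local
[Sysname-isp-admin] accounting command hwtacacs-scheme hwtac
# Cap concurrent sessions in this domain; note that accounting optional would disable
# the per-user access-limit set in local user view, so it is deliberately left off here.
[Sysname-isp-admin] access-limit enable 10
[Sysname-isp-admin] quit
```

With this configuration, a login user of domain admin is checked against RADIUS first and against the local-user database only when scheme rd is unreachable, while every command the user enters is authorized and accounted through HWTACACS scheme hwtac.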

authorization portal

Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization portal command to configure the authorization method for portal users.
Use the undo authorization portal command to restore the default.
By default, the default authorization method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local

authorization-attribute user-profile

Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile
View
ISP domain view
Default level
3: Manage level
Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see the Security Configuration Guide.
Description
Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain.
Use the undo authorization-attribute user-profile command to restore the default.
By default, an ISP domain has no default authorization user profile.
After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
If you configure the authorization-attribute user-profile command repeatedly, only the last one takes effect.
Examples
# Specify the default authorization user profile for domain test as profile1.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-profile profile1

cut connection

Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]
View
System view
Default level
2: System level
Parameters
access-type: Specifies the user connections of the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the cut connection command to tear down the specified connections forcibly.
This command applies to only LAN and portal user connections.
For 802.1X users whose usernames carry the version number or contain spaces, you cannot cut the connections by username.
For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name delimiter, you cannot cut their connections by username. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.
An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface will use the domain’s AAA methods for all its 802.1X users. To cut connections of such users, use the cut connection domain isp-name command and specify the mandatory authentication domain.
Related commands: display connection and service-type.
Examples
# Tear down all connections of ISP domain test.
<Sysname> system-view
[Sysname] cut connection domain test

display connection

Syntax
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface
interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display connection command to display information about AAA user connections.
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index combination, this command displays detailed information; otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), users accessing the interface through the specified access type are treated as users in the mandatory authentication domain. To display connections of such users, specify the mandatory authentication domain for the display connection domain isp-name command.
For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name delimiter, you cannot query the connections by username. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb.
Related commands: cut connection.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Slot: 1
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.
# Display information about AAA user connections using the index of 0.
<Sysname> display connection ucibindex 0
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-05-16 10:53:03 ,Current=2011-05-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Slot: 1
Total 0 connection matched.
Slot: 2
Total 0 connection matched.
Table 1 Output description
Field | Description
Username | Username of the connection, in the format username@domain
IP | IPv4 address of the user
IPv6 | IPv6 address of the user
Access | User access type
ACL Group | Authorization ACL group. Disable means no authorization ACL group is assigned.
User Profile | Authorization user profile
CAR(kbps) | Authorized CAR parameters
UpPeakRate | Uplink peak rate
DnPeakRate | Downlink peak rate
UpAverageRate | Uplink average rate
DnAverageRate | Downlink average rate
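The following Python script is an added example and is not part of this reference or of HP's software. It parses the brief and detailed output formats of display connection shown above into one record per connection and lists the connections that have been online longer than a chosen number of hours, a check an administrator can run over saved output when reviewing AAA sessions. The second connection in the sample output (alice@test, index 7) and its field values are constructed for the example.

```python
"""Parse `display connection` output from an HP A5500 into per-connection records and flag
long-lived sessions for review. Added example, not HP code; the sample output is constructed."""
import re

# Constructed sample modelled on the output shown in this entry: the admin session from the
# reference plus a made-up 802.1X user (index 7) that has been online for more than two days.
SAMPLE_OUTPUT = """\
Slot: 1
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-05-16 10:53:03 ,Current=2011-05-16 10:57:06 ,Online=00h04m03s
Index=7 , Username=alice@test
IP=10.0.0.25
IPv6=N/A
Access=Dot1x ,AuthMethod=CHAP
Start=2011-05-14 08:00:00 ,Current=2011-05-16 10:57:06 ,Online=50h57m06s
Total 2 connection(s) matched on slot 1.
Slot: 2
Total 0 connection(s) matched on slot 2.
Total 2 connection(s) matched.
"""

# One "Key=Value" pair; a value runs up to the next comma or the end of the line, and a key
# may contain spaces (for example "Authorized VLAN").
_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*([^,]*?)\s*(?:,|$)")
# The Online field is printed as HHhMMmSSs.
_ONLINE_RE = re.compile(r"(\d+)h(\d+)m(\d+)s")


def parse_connections(text):
    """Return one dict per connection; each dict holds the IRF slot plus every Key=Value field
    printed for that connection (works for both brief and detailed output)."""
    records, current, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Slot:"):
            slot = int(line.split(":", 1)[1])
            current = None          # fields after a slot header belong to the next Index line
            continue
        if not line or line.startswith("Total"):
            continue
        fields = dict(_PAIR_RE.findall(line))
        if "Index" in fields:       # an Index= line starts a new connection record
            current = {"slot": slot}
            records.append(current)
        if current is not None:
            current.update(fields)
    return records


def online_seconds(value):
    """Convert an Online value such as 00h04m03s to seconds."""
    match = _ONLINE_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"unexpected Online value: {value!r}")
    hours, minutes, seconds = (int(g) for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def long_lived(records, max_hours=24):
    """Usernames of connections online longer than max_hours: a review list for the operator."""
    return [r["Username"] for r in records
            if "Online" in r and online_seconds(r["Online"]) > max_hours * 3600]


if __name__ == "__main__":
    for record in parse_connections(SAMPLE_OUTPUT):
        print(record["slot"], record["Index"], record["Username"], record.get("Online", "n/a"))
    print("online longer than 24h:", long_lived(parse_connections(SAMPLE_OUTPUT)))
```

Brief output (no ucibindex) only carries the Index, Username, IP and IPv6 fields, so long_lived will return nothing for it; run the detailed form per index, or feed the script output collected from display connection ucibindex, when the Online time matters.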

display domain

Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display domain command to display the configuration information of ISP domains.
Related commands: access-limit enable, domain, and state.
Examples
# Display the configuration information of all ISP domains.
<Sysname> display domain
0 Domain : system
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
1 Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius:test, local
Lan-access authorization scheme : hwtacacs:hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Output description
Field | Description
Domain | Domain name
State | Status of the domain (active or block)
Access-limit | Limit on the number of user connections
Accounting method | Accounting method (either required or optional)
Default authentication scheme | Default authentication method
Default authorization scheme | Default authorization method
Default accounting scheme | Default accounting method
Lan-access authentication scheme | Authentication method for LAN users
Lan-access authorization scheme | Authorization method for LAN users
Lan-access accounting scheme | Accounting method for LAN users
Domain User Template | Template for users in the domain
Idle-cut | Whether idle cut is enabled
Self-service | Whether self service is enabled
User-profile | Default authorization user profile

domain

Syntax
domain isp-name
undo domain isp-name
View
System view
Default level
3: Manage level
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that contains no forward slash (/), backward slash (\), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or the @ sign.
Description
Use the domain isp-name command to create an ISP domain and enter ISP domain view.
Use the undo domain command to remove an ISP domain.
By default, there is a system predefined ISP domain named system in the system.
All ISP domains are in the active state when they are created.
The system predefined ISP domain system cannot be deleted; you can only modify its configuration.
Related commands: state and display domain.
Examples
# Create ISP domain test, and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]

domain default enable

Syntax
domain default enable isp-name
undo domain default enable
View
System view
Default level
3: Manage level
Parameters
isp-name: Name of the ISP domain, a string of 1 to 24 characters.
Description
Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
Use the undo domain default enable command to restore the default.
By default, the default ISP domain is the system predefined ISP domain system.
There can be only one default ISP domain.
The specified domain must already exist; otherwise, users without any domain name carried in the username cannot pass authentication.
To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
Related commands: domain, state, and display domain.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test

idle-cut enable

Syntax
idle-cut enable minute [ flow ]
undo idle-cut enable
View
ISP domain view
Default level
2: System level
Parameters
minute: Maximum idle duration allowed, in the range 1 to 120 minutes.
flow: User idle threshold, which is in the range 1 to 10240000 bytes and defaults to 10240.
Description
Use the idle-cut enable command to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period.
Use the undo idle-cut enable command to restore the default.
By default, the function is disabled.
You can also set the idle timeout period on the server to make the server log out users whose traffic during the idle timeout period is less than 10240 bytes, but your setting on the server takes effect only when you disable the idle cut function on the device.
Related commands: domain.
Examples
# Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024

nas-id bind vlan (available only on the A5500 EI)

Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
View
NAS ID profile view
Default level
2: System level
Parameters
nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.
Description
Use the nas-id bind vlan command to bind a NAS ID with a VLAN.
Use the undo nas-id bind vlan command to remove a NAS ID-VLAN binding.
By default, no NAS ID-VLAN binding exists.
In a NAS ID profile view, you can configure multiple NAS ID–VLAN bindings.
A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect.
Related commands: aaa nas-id profile.
Examples
# Bind NAS ID 222 with VLAN 2.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

self-service-url enable

Syntax
self-service-url enable url-string
undo self-service-url enable
View
ISP domain view
Default level
2: System level
Parameters
url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark.
Description
Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server for changing user password.
Use the undo self-service-url enable command to restore the default.
By default, the function is disabled.
A self-service RADIUS server, for example, iMC, is required for the self-service server location function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.
After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1X client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.
Only authenticated users can select [Service/Change Password] from the 802.1X client. The option is gray and unavailable for unauthenticated users.
Examples
# For ISP domain test, enable the self-service server location function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

state (ISP domain view)

Syntax
state { active | block }
undo state
View
ISP domain view, local user view
Default level
2: System level
Parameters
active: Places the ISP domain in the active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in the blocked state to prevent users in the ISP domain from requesting network services.
Description
Use the state command to set the status of an ISP domain.
Use the undo state command to restore the default.
By default, an ISP domain is in the active state.
By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. The online users are not affected.
Related commands: domain.
Examples
# Place ISP domain test in the blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block

Local user configuration commands

access-limit

Syntax
access-limit max-user-number
undo access-limit
View
Local user view
Default level
3: Manage level
Parameters
max-user-number: Maximum number of concurrent users of the current local user account, in the range 1 to 1024.
Description
Use the access-limit command to limit the number of concurrent users of a local user account.
Use the undo access-limit command to remove the limitation.
By default, there is no limit to the number of users who concurrently use the same local user account.
This command takes effect only when local accounting is used for the user account.
This limit is not effective for FTP users because accounting is not available for FTP users.
Related commands: display local-user.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5

authorization-attribute (local user view/user group view)

Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | user-role | vlan | work-directory } *
View
Local user view, user group view
Default level
3: Manage level
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range 2000 to 5999.
After passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorization PPP callback number. callback-number is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the switch uses this number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period will be logged out. minute indicates the idle timeout period, in the range 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. If the authentication mode of the user interface is scheme, this argument determines which commands users can use after login. By default, the user level is 0, and users can use only commands of level 0 after login.
user-profile profile-name: Specifies the authorization user profile. profile-name is a case-sensitive string of 1 to 32 characters. It can consist of English letters, digits, and underlines, and must start with an English letter. After a user passes authentication and gets online, the switch uses the settings in the user profile to restrict the access behavior of the user.
user-role security-audit: Specifies the role of the local user as security-audit. Users with different roles can access different levels of commands. security-audit is used to specify the user as a security log administrator. After passing authentication, a security log administrator is allowed to perform operations to the security log files, such as saving operation. This attribute is supported in local user view only. For more information about the commands that a security log administrator can use, see the Network Management and Monitoring Configuration Guide.
vlan vlan-id: Specifies the authorized VLAN. vlan-id is in the range 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. directory-name is a case-insensitive string of 1 to 135 characters. The directory must already exist.
Description
Use the authorization-attribute command to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device will assign these attributes to the user.
Use the undo authorization-attribute command to remove authorization attributes.
By default, no authorization attribute is configured for a local user or user group.
Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
If only one user is playing the role of security log administrator in the system, you cannot delete the user account, or remove or change the user's role, unless you configure another user as a security log administrator first.
Examples
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3

bind-attribute

Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
View
Local user view
Default level
3: Manage level
Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user. This keyword and argument combination is applicable to 802.1X users only.
location: Specifies the port binding attribute of the user. This keyword and argument combination is applicable to LAN users only.
port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range 0 to 255, the subslot-number argument is in the range 0 to 15, and the port-number argument is in the range 0 to 255. Only the numbers make sense here; port types are not taken into account. This keyword and argument combination is applicable to only LAN users.
mac mac-address: Specifies the MAC address of the user in the format H-H-H. This keyword and argument combination is applicable to LAN users only.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094. This keyword and argument combination is applicable to LAN users only.
Description
Use the bind-attribute command to configure binding attributes for a local user.
Use the undo bind-attribute command to remove binding attributes of a local user.
By default, no binding attribute is configured for a local user.
Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user will fail the checking and the authentication.
Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. For example, an IP address binding is applicable to only 802.1X authentication that supports IP address upload. If you configure an IP address binding for an authentication method that does not support IP address upload, for example, MAC authentication, the local authentication will fail.
Examples
# Configure the bound IP of local user abc as 3.3.3.3.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3

display local-user

Syntax
display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users that use a specified type of service.
ftp: FTP users.
lan-access: Users accessing the network through Ethernet, such as 802.1X users.
portal: Portal users.
ssh: SSH users.
telnet: Telnet users.
terminal: Users logging in through the console port or AUX port.
state { active | block }: Specifies local users in the state of active or blocked. A local user in the active state can access network services, but a local user in the blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with
the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display local-user command to display information about local users.
Related commands: local-user.
Examples
# Display the information of local user bbb on slot 1.
<Sysname> display local-user user-name bbb slot 1
Slot: 1
The contents of local user bbb:
State: Active
ServiceType: ftp
Access-limit: Enable Current AccessNum: 0
Max AccessNum: 300
User-group: system
Bind attributes:
IP address: 1.2.3.4
Bind location: 1/4/1 (SLOT/SUBSLOT/PORT)
MAC address: 0001-0002-0003
Vlan ID: 100
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: flash:/
User Privilege: 3
Acl ID: 2000
Vlan ID: 100
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password-Aging: Enabled(30 day(s))
Password-Length: Enabled(4 characters)
Password-Composition: Enabled(4 type(s), 2 character(s) per type)
Total 1 local user(s) matched.
Table 3 Output description
Field | Description
Slot | IRF member ID
State | Status of the local user, Active or Block
ServiceType | Service types that the local user can use, including FTP, LAN, Portal, SSH, Telnet, and terminal
Access-limit | Limit on the number of user connections using the current username
Current AccessNum | Current number of user connections using the current username
Max AccessNum | Maximum number of user connections using the current username
VLAN ID | VLAN to which the user is bound
User Profile | User profile for local user authorization
Calling Number | Calling number of the ISDN user
Authorization attributes | Authorization attributes of the local user
Idle TimeOut | Idle threshold of the user, in minutes
Callback-number | Authorized PPP callback number of the local user
Work Directory | Directory accessible to the FTP user
VLAN ID | Authorized VLAN of the local user
Expiration date | Expiration time of the local user
Password-Aging | Aging time of the local user password
Password-Length | Minimum length of the local user password
Password-Composition | Password composition policy of the local user

display user-group

Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display user-group command to display configuration information about one or all user groups.
Related commands: user-group.
Examples
# Display configuration information about user group abc.
<Sysname> display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: FLASH:
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Password-Aging: Enabled(1 day(s))
Password-Length: Enabled(4 characters)
Password-Composition: Enabled(1 type(s), 1 character(s) per type)
Total 1 user group(s) matched.

expiration-date (local user view)

Syntax
expiration-date time
undo expiration-date
View
Local user view
Default level
3: Manage level
Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2011/2/2 is equivalent to 02:02:00-2011/02/02.
Description
Use the expiration-date command to configure the expiration time of a local user.
Use the undo expiration-date command to remove the configuration.
By default, a local user has no expiration time and no time validity checking is performed.
When some users need to access the network temporarily, create a guest account and specify an expiration time for the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is within the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.
If you change the system time manually or the system time is changed in any other way, the access device uses the new system time for time validity checking.
Examples
# Configure the expiration time of user abc to be 12:10:20 on May 31, 2011.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] expiration-date 12:10:20-2011/05/31

group

Syntax
group group-name
undo group
View
Local user view
Default level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use the group command to assign a local user to a user group.
Use the undo group command to restore the default.
By default, a local user belongs to the system default user group system.
Examples
# Assign local user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc

local-user

Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ssh | telnet | terminal } ] }
View
System view
Default level
3: Manage level
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or the @ sign, and cannot be "a", "al", or "all".
all: Specifies all users.
service-type: Specifies the users of a type.
ftp: FTP users.
lan-access: Users accessing the network through an Ethernet, such as 802.1X users.
portal: Portal users.
ssh: SSH users.
telnet: Telnet users.
terminal: Users logging in through the console port or AUX port.
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to remove the specified local users.
By default, no local user is configured.
Related commands: display local-user and service-type.
Examples
# Add a local user named user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]
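The following Python functions are an added example, not HP code, of the naming and domain rules in this entry and in the domain and domain default enable entries: a login string is split into username and ISP domain, a login without a domain name is placed in the default ISP domain, and the username and domain name are checked against the character and length restrictions and against the domain's state. The DOMAINS table and the names in it are constructed for the example; the case-insensitive domain lookup and the exact-match check for the reserved names a, al and all are assumptions about how the switch matches them.

```python
"""Model of how a login string is mapped to an ISP domain and checked against the naming rules
in this reference. Added example, not HP code; the domain table is constructed."""

# Characters this reference forbids in an ISP domain name and in a local username.
DOMAIN_FORBIDDEN = set("/\\:*?<>@")
USERNAME_FORBIDDEN = set("\\/|:*?<>@")
# Names the local-user command refuses (they collide with keywords of undo local-user).
RESERVED_USERNAMES = {"a", "al", "all"}      # exact-match check is an assumption

# Constructed domain table: name -> state, as created with domain and set with state.
DOMAINS = {"system": "active", "test": "active", "guests": "block"}


def valid_domain_name(name):
    """1 to 24 characters and none of the forbidden characters (domain names are
    case-insensitive, so case is not part of the check)."""
    return 1 <= len(name) <= 24 and not DOMAIN_FORBIDDEN & set(name)


def valid_local_username(name):
    """1 to 55 characters without the domain part, no forbidden characters, not reserved."""
    return (1 <= len(name) <= 55
            and not USERNAME_FORBIDDEN & set(name)
            and name not in RESERVED_USERNAMES)


def split_login(login, default_domain="system"):
    """Split 'user@domain'; a login carrying no domain name belongs to the default ISP domain."""
    if "@" in login:
        user, domain = login.split("@", 1)
    else:
        user, domain = login, default_domain
    return user, domain


def admit(login, domains=DOMAINS, default_domain="system"):
    """Decide whether a login can proceed to authentication.
    Returns (True, domain) or (False, reason)."""
    user, domain = split_login(login, default_domain)
    if not valid_local_username(user):
        return False, "invalid username"
    if not valid_domain_name(domain):
        return False, "invalid domain name"
    state = domains.get(domain.lower())     # case-insensitive lookup is an assumption
    if state is None:
        # Also what happens when the configured default domain does not exist:
        # users without a domain name cannot pass authentication.
        return False, "unknown domain"
    if state == "block":
        return False, "domain blocked"      # offline users of a blocked domain are refused
    return True, domain.lower()


if __name__ == "__main__":
    for login in ("telnet", "alice@test", "bob@guests", "carol@nosuch", "all@test"):
        print(login, "->", admit(login))
```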

local-user password-display-mode

Syntax
local-user password-display-mode { auto | cipher-force }
undo local-user password-display-mode
View
System view
Default level
2: System level
Parameters
auto: Displays the password of a local user in the mode that is specified for the user by using the password command.
cipher-force: Displays the passwords of all local users in cipher text.
Description
Use the local-user password-display-mode command to set the password display mode for all local users.
Use the undo local-user password-display-mode command to restore the default.
The default mode is auto.
If you configure the local-user password-display-mode cipher-force command, all existing local user passwords will be displayed in cipher text, regardless of the configuration of the password command. If you also save the configuration and restart the device, all existing local user passwords will always be displayed in cipher text, no matter how you configure the local-user password-display-mode command or the password command. The passwords configured after you restore the display mode to auto by using the local-user password-display-mode auto command, however, are displayed as defined by the password command.
Related commands: display local-user and password.
Examples
# Specify to display the passwords of all users in cipher text.
<Sysname> system-view
[Sysname] local-user password-display-mode cipher-force

password

Syntax
password { cipher | simple } password
undo password
View
Local user view
Default level
2: System level
Parameters
cipher: Displays the password in cipher text.
simple: Displays the password in plain text.
password: Password for the local user, case sensitive. It must be in plain text if you specify the simple keyword and can be in plain or cipher text if you specify the cipher keyword. A password in plain text must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc. A password in cipher text must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text.
Use the undo password command to delete the password of a local user.
If you configure the local-user password-display-mode cipher-force command, all existing local user passwords will be displayed in cipher text, regardless of the configuration of the password command. If you also save the configuration and restart the device, all existing local user passwords will always be displayed in cipher text, no matter how you configure the local-user password-display-mode command or the password command. The passwords configured after you restore the display mode to auto by using the local-user password-display-mode auto command, however, are displayed as defined by the password command.
With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.
Related commands: display local-user.
Examples
# Set the password of user1 to 123456 and specify to display the password in plain text.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456

service-type

Syntax
service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }
undo service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }
View
Local user view
Default level
3: Manage level
Parameters
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.
lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console port or AUX port.
portal: Authorizes the user to use the Portal service.
Description
Use the service-type command to specify the service types that a user can use.
Use the undo service-type command to delete one or all service types configured for a user.
By default, a user is authorized with no service.
Examples
# Authorize user user1 to use the Telnet service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet

state (local user view)

Syntax
state { active | block }
undo state
View
ISP domain view, local user view
Default level
2: System level
Parameters
active: Places the local user in the active state to allow the local user to request network services.
block: Places the local user in the blocked state to prevent the local user from requesting network services.
Description
Use the state command to set the status of a local user.
Use the undo state command to restore the default.
By default, a local user is in the active state.
By blocking a user, you disable the user from requesting network services. No other users are affected.
Related commands: local-user.
Examples
# Place the current user user1 in the blocked state.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block

user-group

Syntax
user-group group-name
undo user-group group-name
View
System view
Default level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use the user-group command to create a user group and enter its view.
Use the undo user-group command to remove a user group.
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
A user group with one or more local users cannot be removed.
The default system user group system cannot be removed, but you can change its configurations.
Related commands: display user-group.
Examples
# Create a user group named abc and enter its view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]

RADIUS configuration commands

accounting-on enable

Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
View
RADIUS scheme view
Default level
2: System level
Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds.
send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default is 5.
Description
NOTE:
When you execute the accounting-on enable command, if the accounting-on feature is already enabled for another authentication scheme, the command takes effect immediately. Otherwise, you must save the configuration by using the save command, so that the command takes effect after the device reboots. For more information about the save command, see the Fundamentals Command Reference.
Use the accounting-on enable command to enable the accounting-on feature and specify the retransmission interval and the maximum number of transmission attempts. After doing so, when the device reboots, an accounting-on message will be sent to the RADIUS server to log out the online users of the device.
Use the undo accounting-on enable command to disable the accounting-on feature.
By default, the accounting-on feature is disabled.
Parameters set with the accounting-on enable command take effect immediately.
Related commands: radius scheme.
Examples
# Enable the accounting-on feature for RADIUS authentication scheme rd, set the retransmission interval to 5 seconds, and set the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] accounting-on enable interval 5 send 15

attribute 25 car

Syntax
attribute 25 car
undo attribute 25 car
View
RADIUS scheme view
Default level
2: System level
Parameters
None
Description
Use the attribute 25 car command to specify to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use the undo attribute 25 car command to restore the default.
By default, RADIUS attribute 25 is not interpreted as CAR parameters.
Related commands: display radius scheme and display connection.
Examples
# Specify to interpret RADIUS attribute 25 as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car

data-flow-format (RADIUS scheme view)

Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
RADIUS scheme view
Default level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use the data-flow-format command to set the traffic statistics unit for data flows or packets.
Use the undo data-flow-format command to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly.
Related commands: display radius scheme.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets respectively in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display radius scheme

Syntax
display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
radius-scheme-name: RADIUS scheme name.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display radius scheme command to display the configuration information of RADIUS schemes.
If no RADIUS scheme is specified, the command displays the configuration information of all RADIUS schemes.
If no IRF member ID is specified, the command displays the configuration information of the RADIUS schemes on all members of an IRF fabric.
Related commands: radius scheme.
Examples
# Display the configuration information of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : 345
VPN instance : 1
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Encryption Key : 345
VPN instance : 1
Second Auth Server:
IP: 1.1.2.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
IP: 1.1.3.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
Second Acct Server:
IP: 1.1.2.1 Port: 1813 State: block
Encryption Key : N/A
VPN instance : N/A
Auth Server Encryption Key : 123
Acct Server Encryption Key : N/A
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
------------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 4 Output description
Field
Description
SchemeName
Name of the RADIUS scheme
Index
Index number of the RADIUS scheme
Type
Type of the RADIUS server
Primary Auth Server
Primary authentication server
Primary Acct Server
Primary accounting server
Second Auth Server
Secondary authentication server
Second Acct Server
Secondary accounting server
Encryption Key
Shared key for authentication or accounting packets
IP
IP address of the server. N/A means not configured.
Port
Service port of the server. If no port configuration is performed, the default port number is displayed.
State
Status of the server, active or block
VPN instance
VPN of the server
Auth Server Encryption Key
Shared key of the authentication server
Acct Server Encryption Key
Shared key of the accounting server
Accounting-On packet disable
The accounting-on feature is disabled
send times
Retransmission times of accounting-on packets
interval
Interval to retransmit accounting-on packets
Interval for timeout(second)
Timeout time in seconds
Retransmission times for timeout
Times of retransmission in case of timeout
Interval for realtime accounting(minute)
Interval for realtime accounting in minutes
Retransmission times of realtime-accounting packet
Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet
Retransmission times of stop-accounting packet
Quiet-interval(min)
Quiet interval for the primary server
Username format
Format of the usernames to be sent to the RADIUS server
Data flow unit
Unit of data flows
Packet unit
Unit of packets
NAS-IP address
Source IP address for outgoing RADIUS packets
Backup-NAS-IP address
Backup source IP address for outgoing RADIUS packets
Attribute 25
Interprets RADIUS attribute 25 as the CAR parameters
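The following Python script is an added example; it is not part of this manual or of the switch software. It parses text in the format of the display radius scheme output above (the sample it carries is constructed from that output, with the scheme-level lines trimmed to the ones it uses) and reports two conditions an administrator checks after a RADIUS change: servers shown in block state, and servers for which no shared key is in effect. The key decision applies the precedence rule stated for the key command: a key given with the server takes priority, and the scheme-level key of the same type applies only when the server has none.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the display radius scheme output in this manual.
SAMPLE_OUTPUT = """\
SchemeName : radius1
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : 345
VPN instance : 1
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Encryption Key : 345
VPN instance : 1
Second Auth Server:
IP: 1.1.2.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
Second Acct Server:
IP: 1.1.2.1 Port: 1813 State: block
Encryption Key : N/A
VPN instance : N/A
Auth Server Encryption Key : 123
Acct Server Encryption Key : N/A
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Total 1 RADIUS scheme(s).
"""

@dataclass
class RadiusServer:
    role: str                   # "auth" or "acct"
    rank: str                   # "primary" or "secondary"
    ip: str
    port: int
    state: str                  # "active" or "block"
    key: Optional[str] = None   # per-server shared key; None when displayed as N/A

@dataclass
class RadiusScheme:
    name: str
    servers: List[RadiusServer] = field(default_factory=list)
    scheme_keys: Dict[str, Optional[str]] = field(default_factory=dict)  # from the key command
    settings: Dict[str, str] = field(default_factory=dict)               # other scheme-level lines

HEADER_RE = re.compile(r"^(Primary|Second) (Auth|Acct) Server:$")
SERVER_RE = re.compile(r"^IP:\s*(\S+)\s+Port:\s*(\d+)\s+State:\s*(\S+)$")
SERVER_KEY_RE = re.compile(r"^Encryption Key\s*:\s*(.*)$")
SCHEME_KEY_RE = re.compile(r"^(Auth|Acct) Server Encryption Key\s*:\s*(.*)$")

def _na(value: str) -> Optional[str]:
    value = value.strip()
    return None if value == "N/A" else value

def parse_radius_schemes(text: str) -> List[RadiusScheme]:
    """Parse display radius scheme output into RadiusScheme objects."""
    schemes: List[RadiusScheme] = []
    scheme = last_server = role = rank = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SchemeName"):
            scheme = RadiusScheme(name=line.split(":", 1)[1].strip())
            schemes.append(scheme)
            last_server = role = rank = None
            continue
        if scheme is None:
            continue
        if m := HEADER_RE.match(line):
            rank = "primary" if m.group(1) == "Primary" else "secondary"
            role = m.group(2).lower()
        elif (m := SERVER_RE.match(line)) and role is not None:
            last_server = RadiusServer(role, rank, m.group(1), int(m.group(2)), m.group(3))
            scheme.servers.append(last_server)
        elif m := SCHEME_KEY_RE.match(line):
            scheme.scheme_keys[m.group(1).lower()] = _na(m.group(2))
            last_server = role = rank = None      # per-server blocks are finished
        elif (m := SERVER_KEY_RE.match(line)) and last_server is not None:
            last_server.key = _na(m.group(1))
        elif role is None and ":" in line:
            name, value = line.split(":", 1)
            scheme.settings[name.strip()] = value.strip()
    return schemes

def audit_schemes(schemes: List[RadiusScheme]) -> List[str]:
    """Flag servers that are in block state or have no shared key in effect."""
    findings: List[str] = []
    for s in schemes:
        for srv in s.servers:
            where = f"{s.name}: {srv.rank} {srv.role} server {srv.ip}:{srv.port}"
            if srv.state != "active":
                findings.append(f"{where} is in {srv.state} state")
            # A key given with the server command wins; the scheme-level key of the
            # same type applies only when the server has none (see the key command).
            if (srv.key if srv.key is not None else s.scheme_keys.get(srv.role)) is None:
                findings.append(f"{where} has no shared key (server key and scheme-level "
                                f"{srv.role} key are both N/A)")
    return findings

if __name__ == "__main__":
    for finding in audit_schemes(parse_radius_schemes(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample, the secondary accounting server is reported twice: once for its block state and once because neither it nor the scheme-level accounting key carries a value, which is the case in which accounting packets to that server would be sent without a usable shared key.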

display radius statistics

Syntax
display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display radius statistics command to display statistics about RADIUS packets.
Related commands: radius scheme.
Examples
# Display statistics about RADIUS packets on slot 1.
<Sysname> display radius statistics slot 1
Slot 1:state statistic(total=4096):
DEAD = 18000 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
StateErr = 0
Received and Sent packets statistic:
Sent PKT total = 1547
Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request Num = 24 Err = 0 Succ = 24
EAP auth request Num = 0 Err = 0 Succ = 0
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
EAP auth replying Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 5 Output description
Field
Description
slot
IRF member ID
state statistic
State statistics
DEAD
Number of idle users
AuthProc
Number of users waiting for authentication
AuthSucc
Number of users who have passed authentication
AcctStart
Number of users for whom accounting has been started
RLTSend
Number of users for whom the system sends real-time accounting packets
RLTWait
Number of users waiting for real-time accounting
AcctStop
Number of users in the state of accounting waiting stopped
OnLine
Number of online users
Stop
Number of users in the state of stop
StateErr
Number of users with unknown errors
Received and Sent packets statistic
Statistics of packets received and sent
Sent PKT total
Number of packets sent
Received PKT total
Number of packets received
Resend Times
Number of transmission attempts
Resend total
Number of packets retransmitted
RADIUS received packets statistic
Statistics of packets received by RADIUS
Code
Packet type
Num
Total number of packets
Err
Number of error packets
Running statistic
RADIUS operation message statistics
RADIUS received messages statistic
Number of messages received by RADIUS
Normal auth request
Number of normal authentication requests
EAP auth request
Number of EAP authentication requests
Account request
Number of accounting requests
Account off request
Number of stop-accounting requests
PKT auth timeout
Number of authentication timeout messages
PKT acct_timeout
Number of accounting timeout messages
Realtime Account timer
Number of realtime accounting requests
PKT response
Number of responses
Session ctrl pkt
Number of session control messages
Normal author request
Number of normal authorization requests
Succ
Number of acknowledgement messages
Set policy result
Number of responses to the Set policy packets
RADIUS sent messages statistic
Number of messages that have been sent by RADIUS
Auth accept
Number of accepted authentication packets
Auth reject
Number of rejected authentication packets
EAP auth replying
Number of replying packets of EAP authentication
Account success
Number of accounting succeeded packets
Account failure
Number of accounting failed packets
Server ctrl req
Number of server control requests
RecError_MSG_sum
Number of received packets in error
SndMSG_Fail_sum
Number of packets that failed to be sent out
Timer_Err
Number of timer errors
Alloc_Mem_Err
Number of memory errors
State Mismatch
Number of errors for mismatching status
Other_Error
Number of errors of other types
No-response-acct-stop packet
Number of times that no response was received for stop-accounting packets
Discarded No-response-acct-stop packet for buffer overflow
Number of stop-accounting packets that were buffered but then discarded due to full memory
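The following Python script is an added example, not part of this manual or of the switch software. It turns text in the format of the display radius statistics output above into a dictionary of counters (rows that carry Num, Err and Succ columns are keyed as row.column) and derives a few health signals from them: a high share of authentication timeouts, a high share of rejects, and buffered or discarded stop-accounting requests. The sample output is constructed from the figures shown above, and the alert thresholds are assumptions chosen for the example, not values from the manual.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the display radius statistics output in this manual.
SAMPLE_STATS = """\
Slot 1:state statistic(total=4096):
DEAD = 18000 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
StateErr = 0
Received and Sent packets statistic:
Sent PKT total = 1547
Received PKT total = 23
RADIUS received messages statistic:
Normal auth request Num = 24 Err = 0 Succ = 24
Account request Num = 4 Err = 0 Succ = 4
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
Account success Num = 4
Account failure Num = 3
State Mismatch = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

# One "name = value" pair; a line may carry several of them.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9_ -]*?)\s*=\s*(\d+)")

def parse_radius_statistics(text: str) -> Dict[str, int]:
    """Flatten the counters; multi-column rows become 'row.Num', 'row.Err', 'row.Succ'."""
    counters: Dict[str, int] = {}
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") or "=" not in line:   # section headings carry no counters
            continue
        for name, value in PAIR_RE.findall(line):
            name = name.strip()
            if name in ("Num", "Err", "Succ") and label is not None:
                key = f"{label}.{name}"
            elif name.endswith(" Num"):
                label = name[:-4]
                key = f"{label}.Num"
            else:
                label = None
                key = name
            counters[key] = int(value)
    return counters

def radius_health(counters: Dict[str, int],
                  max_timeout_ratio: float = 0.2,
                  max_reject_ratio: float = 0.5) -> List[Tuple[str, str]]:
    """Return (code, message) alerts. The ratio thresholds are assumptions for this example."""
    alerts: List[Tuple[str, str]] = []
    auth_req = counters.get("Normal auth request.Num", 0) + counters.get("EAP auth request.Num", 0)
    timeouts = counters.get("PKT auth timeout.Num", 0)
    if auth_req and timeouts / auth_req > max_timeout_ratio:
        # A server that does not recognise the shared key silently drops the request,
        # so a mismatched key shows up here as timeouts rather than as rejects.
        alerts.append(("AUTH_TIMEOUT", f"{timeouts} of {auth_req} authentication requests "
                       "timed out: server unreachable or shared key mismatch"))
    accept = counters.get("Auth accept.Num", 0)
    reject = counters.get("Auth reject.Num", 0)
    if accept + reject and reject / (accept + reject) > max_reject_ratio:
        alerts.append(("AUTH_REJECT", f"{reject} of {accept + reject} authentication "
                       "results were rejects: review failed logins"))
    buffered = counters.get("No-response-acct-stop packet", 0)
    if buffered:
        alerts.append(("ACCT_STOP_BUFFERED", f"{buffered} stop-accounting request(s) got no "
                       "response and were buffered: accounting server not answering"))
    dropped = counters.get("Discarded No-response-acct-stop packet for buffer overflow", 0)
    if dropped:
        alerts.append(("ACCT_STOP_LOST", f"{dropped} buffered stop-accounting request(s) "
                       "discarded for buffer overflow: accounting records lost"))
    return alerts

if __name__ == "__main__":
    for code, message in radius_health(parse_radius_statistics(SAMPLE_STATS)):
        print(code, message)
```

The same parser can be run against the output collected from several IRF members (one display radius statistics slot command per member) and the counters compared between collections, since the device reports cumulative totals.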

display stop-accounting-buffer

Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies a user by the username, a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting by the user-name-format command for the RADIUS scheme.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, username, or slot.
NOTE:
If the device sends a stop-accounting request to a RADIUS server but receives no response, it retransmits it up to a certain number of times (defined by the retry command). If the device still receives no response, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. The maximum number of the stop-accounting attempts is defined by the retry stop-accounting command. If all attempts fail, the device discards the request.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format,
retry, and retry stop-accounting.
Examples
# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on March 31, 2011.
<Sysname> display stop-accounting-buffer time-range 0:0:0-03/31/2011 23:59:59-03/31/2011
Slot 1:
Total 0 record(s) Matched

key (RADIUS scheme view)

Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the shared key for RADIUS accounting packets.
authentication: Sets the shared key for RADIUS authentication/authorization packets.
string: Shared key, a case-sensitive string of 1 to 64 characters.
Description
Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.
Use the undo key command to restore the default.
By default, no shared key is configured.
The shared key that is specified during the configuration of the RADIUS server, if any, takes precedence. A shared key configured in this task takes effect only if no shared key of the same type is specified during RADIUS server configuration.
You must ensure that the same shared key is set on the device and the RADIUS server.
Related commands: display radius scheme.
Examples
# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication hello
# Set the shared key for accounting packets to ok for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok

nas device-id (available only on the A5500 EI)

Syntax
nas device-id device-id
undo nas device-id
View
System view
Default level
2: System level
Parameters
device-id: Device ID for the device, which can be 1 or 2.
Description
Use the nas device-id command to specify the device ID to be used in stateful failover mode. The two devices working in stateful failover mode use the device IDs of 1 and 2 respectively.
Use the undo nas device-id command to restore the default.
By default, a device works in standalone mode and has no device ID.
Configuring or changing the device ID of a device will log out all online users of the device.
The two devices working in stateful failover mode must use the device IDs of 1 and 2 respectively.
The device ID is the symbol for stateful failover mode. Do not configure any device ID for a device working in standalone mode.
Examples
# Configure the device, which is intended to work in stateful failover mode, to use the device ID of 1.
<Sysname> system-view
[Sysname] nas device-id 1
Warning: This command will cut all user connections on this device. Continue? [Y/N]
The other device for stateful failover must be configured to use the device ID of 2.

nas-backup-ip (available only on the A5500 EI)

Syntax
nas-backup-ip ip-address
undo nas-backup-ip
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: Backup source IP address for RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the other device for stateful failover and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Description
Use the nas-backup-ip command to specify the backup source IP address for outgoing RADIUS packets.
Use the undo nas-backup-ip command to restore the default.
By default, a RADIUS scheme is configured with no backup source IP address for outgoing RADIUS packets.
After you configure the backup source IP address for RADIUS packets, the local device, if active, will send it to the RADIUS server so that the RADIUS server also sends unsolicited RADIUS packets to the standby device. This ensures that when the active device fails, the standby device can receive and process the RADIUS packets from the RADIUS server.
A RADIUS scheme can have only one backup source IP address. If you specify a new backup source IP address for the same RADIUS scheme, the new one overwrites the old one.
NOTE:
The setting by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Related commands: nas-ip and radius nas-ip.
Examples
# For the device working in stateful failover mode, specify the source IP address and backup source IP address for RADIUS packets as 2.2.2.2 and 3.3.3.3, respectively.
<Sysname> system-view
[Sysname] radius scheme aaa
[Sysname-radius-aaa] nas-ip 2.2.2.2
[Sysname-radius-aaa] nas-backup-ip 3.3.3.3
On the backup device, you need to specify the source IP address and backup source IP address for RADIUS packets as 3.3.3.3 and 2.2.2.2 respectively.

nas-ip (RADIUS scheme view)

Syntax
nas-ip { ip-address | ipv6 ipv6-address }
undo nas-ip
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the device and must be a unicast address that is neither a loopback address nor a link-local address.
Description
Use the nas-ip command to specify a source IP address for outgoing RADIUS packets.
Use the undo nas-ip command to restore the default.
By default, the source IP address of an outgoing RADIUS packet is that configured with the radius nas-ip command in system view.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect.
NOTE:
The setting by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Related commands: radius nas-ip.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] nas-ip 10.1.1.1

primary accounting (RADIUS scheme view)

Syntax
primary accounting { ip-address [ port-number | key string | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number | key string ] * }
undo primary accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: IPv4 address of the primary accounting server.
ipv6 ipv6-address: IPv6 address of the primary accounting server.
port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813.
key string: Specifies the shared key for exchanging accounting packets with the primary RADIUS accounting server. A shared key is a case-sensitive string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary RADIUS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the primary accounting command to specify the primary RADIUS accounting server.
Use the undo primary accounting command to remove the configuration.
By default, no primary RADIUS accounting server is specified.
The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
The shared key configured on the device for accounting packets and that configured on the RADIUS server must be consistent.
The IP addresses of the primary and secondary accounting servers must be of the same IP version.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.
If you change the primary accounting server when the device is already sending a start-accounting request to the server, the communication with the original primary server will time out, and then the device will look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured.
If you remove an accounting server being used by online users, the device cannot send real-time accounting requests and stop-accounting requests anymore for the users, and does not buffer the stop-accounting requests.
NOTE:
The shared key configured with this command takes precedence over that configured with the key accounting string command.
Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view).
Examples
# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2 and the UDP port of the server as 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication (RADIUS scheme view)

Syntax
primary authentication { ip-address [ port-number | key string | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number | key string ] * }
undo primary authentication
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: IPv4 address of the primary authentication/authorization server.
ipv6 ipv6-address: IPv6 address of the primary authentication/authorization server.
port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
key string: Specifies the shared key for exchanging authentication and authorization packets with the primary RADIUS authentication/authorization server. A shared key is a case-sensitive string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary RADIUS authentication/authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the primary authentication command to specify the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to remove the configuration.
By default, no primary RADIUS authentication/authorization server is specified.
NOTE:
The shared key configured by this command takes precedence over that configured by using the key authentication string command.
After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.
The shared key configured on the device for authentication/authorization packets and that configured on the RADIUS server must be consistent.
The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.
The IP addresses of the primary and secondary authentication/authorization servers must be of the same IP version.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.
In an authentication process, if you remove the primary authentication server, the communication with the original primary server will time out, and the device will look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured.
Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view).
Examples
# Specify the primary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax
radius client enable
undo radius client
View
System view
Default level
2: System level
Parameters
None
Description
Use the radius client enable command to enable the listening port of the RADIUS client.
Use the undo radius client command to disable the listening port of the RADIUS client.
By default, the listening port is enabled.
When the listening port of the RADIUS client is disabled:
• The RADIUS client can still accept authentication, authorization, or accounting requests or process timer messages. However, it cannot transmit packets to or receive packets from the RADIUS server.
• The stop-accounting packets of online users cannot be sent out or buffered. As a result, the RADIUS server may still hold the user record for a period of time after the user goes offline.
• Authentication, authorization, and accounting turn to the local scheme after the RADIUS request fails, if both the RADIUS scheme and the local authentication, authorization, and accounting scheme are configured.
• The buffered accounting packets cannot be sent out and will be deleted from the buffer when the configured maximum number of attempts is reached.
Examples
# Enable the listening port of the RADIUS client.
<Sysname> system-view
[Sysname] radius client enable

radius nas-backup-ip (available only on the A5500 EI)

Syntax
radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ]
undo radius nas-backup-ip
View
System view
Default level
2: System level
Parameters
ip-address: Backup source IP address for RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the backup device for stateful failover and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the backup source IP address belongs to. vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network backup source IP address. With no VPN specified, the command specifies a public-network backup source IP address.
Description
Use the radius nas-backup-ip command to specify a backup source IP address for outgoing RADIUS packets.
Use the undo radius nas-backup-ip command to restore the default.
By default, a device is configured with no backup source IP address for outgoing RADIUS packets.
With a backup source IP address configured for outgoing RADIUS packets, a device for stateful failover sends this address to the RADIUS server if it is the active device. When the active device fails, the RADIUS server can send unsolicited RADIUS packets to the backup device.
NOTE:
The setting by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
You can specify up to 16 backup source IP addresses, which can include one public-network IP address at most. A newly specified public-network backup source IP address overwrites the previous one. Each VPN can have only one private-network backup source IP address specified at most. A private-network backup source IP address newly specified for a VPN overwrites the previous one.
Related commands: nas-backup-ip.
Examples
# For the device working in stateful failover mode, specify the source IP address and backup source IP address for RADIUS packets as 2.2.2.2 and 3.3.3.3, respectively.
<Sysname> system-view
[Sysname] radius nas-ip 2.2.2.2
[Sysname] radius nas-backup-ip 3.3.3.3
On the backup device, you need to specify the source IP address and backup source IP address for RADIUS packets as 3.3.3.3 and 2.2.2.2 respectively.

radius nas-ip

Syntax
radius nas-ip { ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }
undo radius nas-ip { ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }
View
System view
Default level
2: System level
Parameters
ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the source IPv4 address belongs to. vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the device and must be a unicast address that is neither a loopback address nor a link-local address.
Description
Use the radius nas-ip command to specify a source address for outgoing RADIUS packets.
Use the undo radius nas-ip command to remove the configuration.
By default, the source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
NOTE:
The setting by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Specifying a source address for outgoing RADIUS packets can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure.
You can specify up to 16 source IP addresses, including one public-network IP address at most. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address. A private-network source IP address newly specified for a VPN overwrites the previous one.
The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS schemes that use the specified source IP address. Otherwise, the source IP address configuration will not take effect.
Related commands: nas-ip.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1

radius scheme

Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Default level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.
Use the undo radius scheme command to delete a RADIUS scheme.
By default, no RADIUS scheme is defined.
The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.
A RADIUS scheme can be referenced by more than one ISP domain at the same time.
You cannot remove the RADIUS scheme being used by online users with the undo radius scheme command.
Related commands: display radius scheme.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]

radius trap

Syntax
radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
View
System view
Default level
2: System level
Parameters
accounting-server-down: Sends traps when the reachability of the accounting server changes.
authentication-error-threshold: Sends traps when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the number of failed request transmission attempts to the total number of transmission attempts. It ranges from 1% to 100% and defaults to 30%. This threshold can only be configured through the MIB.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Description
Use the radius trap command to enable the RADIUS trap function.
Use the undo radius trap command to disable the specified function.
By default, the RADIUS trap function is disabled.
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
• The status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.
• The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold ranges from 1% to 100%, and is 30% by default. You can configure this threshold only through MIB. This failure ratio is generally small. If a trap message is triggered due to a failure ratio larger than the threshold, check the configurations and communications between the NAS and the RADIUS server.
Examples
# Enable the RADIUS trap function for accounting servers.
<Sysname> system-view
[Sysname] radius trap accounting-server-down

reset radius statistics

Syntax
reset radius statistics [ slot slot-number ]
View
User view
Default level
2: System level
Parameters
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the reset radius statistics command to clear RADIUS statistics.
Related commands: display radius scheme.
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
View
User view
Default level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.
session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies a username based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests for which no responses have been received.
Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, and display stop-accounting-buffer.
Examples
# Clear the buffered stop-accounting requests for user user0001@test.
<Sysname> reset stop-accounting-buffer user-name user0001@test
# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on March 31, 2011.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-03/31/2011 23:59:59-03/31/2011

retry

Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of transmission attempts, in the range 1 to 20.
Description
Use the retry command to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use the undo retry command to restore the default.
By default, the maximum number of RADIUS packet transmission attempts is 3.
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: radius scheme and timer response-timeout.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5

retry realtime-accounting

NOTE:
The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within three seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, in the range 1 to 255.
Description
Use the retry realtime-accounting command to set the maximum number of accounting attempts.
Use the undo retry realtime-accounting command to restore the default.
By default, the maximum number of accounting attempts is 5.
A RADIUS server usually checks whether a user is online by a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user. This may happen when some unexpected failure occurs. To cooperate with this feature of the RADIUS server, the NAS needs to disconnect the user in accordance. The maximum number of accounting attempts, together with some other parameters, enables the NAS to disconnect the user in time.
Related commands: radius scheme and timer realtime-accounting.
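The retransmission rule given for the retry command (one response-timeout period per unanswered transmission, failure once the limit is reached, and the 75-second product constraint) and the layered accounting-attempt scenario in the NOTE for this command, as an added Python model. This is not code from the HP manual or from the switch software; the function names are invented for the illustration, and the assumption that a real-time accounting request is issued at every accounting interval regardless of the previous outcome is ours. The figures used in the checks (3-second timeout, 3 transmissions, 12-minute interval, 5 accounting attempts) are the ones the NOTE uses.

```python
"""Model of the layered RADIUS retry behaviour described for the retry and
retry realtime-accounting commands.

Added illustration for this page, not code from the HP manual or the switch
software. Function names (check_retry_settings, send_request,
realtime_accounting) are invented; the assumption that one accounting attempt
is made every real-time accounting interval regardless of the previous result
is ours, not the manual's.
"""
from typing import List, Optional, Tuple


def check_retry_settings(retry_times: int, response_timeout: int) -> bool:
    """Validate the limits stated for the retry command: retry-times lies in
    1..20, and retry-times multiplied by the response timeout must not exceed 75."""
    if not 1 <= retry_times <= 20:
        return False
    return retry_times * response_timeout <= 75


def send_request(responds_on_attempt: Optional[int], retry_times: int,
                 response_timeout: int) -> Tuple[bool, int, int]:
    """Model one RADIUS request toward a single server.

    responds_on_attempt: 1-based transmission on which the server answers, or
    None if it never answers. Every unanswered transmission costs one
    response-timeout period. Returns (success, transmissions_used, seconds).
    """
    for attempt in range(1, retry_times + 1):
        if responds_on_attempt is not None and attempt == responds_on_attempt:
            # Answer arrives within the timeout: no further retransmission.
            return True, attempt, (attempt - 1) * response_timeout
    # Limit reached with no answer: the device treats the request as failed.
    return False, retry_times, retry_times * response_timeout


def realtime_accounting(interval_minutes: int, retry_times: int,
                        response_timeout: int, accounting_retries: int,
                        server_answers: List[Optional[int]]) -> Tuple[bool, int]:
    """Walk through successive real-time accounting attempts.

    server_answers holds, per accounting attempt, the transmission number the
    server answers on (None = no answer). Returns (user_cut_off, seconds):
    the time at which the connection was cut, or at which the last simulated
    attempt completed if the user stayed online. Only consecutive failures
    count toward the retry realtime-accounting limit.
    """
    interval = interval_minutes * 60
    consecutive_failures = 0
    elapsed = 0
    for n, answer in enumerate(server_answers, start=1):
        ok, _, spent = send_request(answer, retry_times, response_timeout)
        # Assumption: the n-th request is generated at the n-th interval boundary.
        elapsed = n * interval + spent
        if ok:
            consecutive_failures = 0
            continue
        consecutive_failures += 1
        if consecutive_failures >= accounting_retries:
            return True, elapsed  # device cuts the user connection
    return False, elapsed
```

With the NOTE's figures, five unanswered accounting attempts cut the user 3609 seconds after login: five 12-minute intervals plus the nine seconds the three unanswered transmissions of the last attempt take. A single answered attempt in between resets the consecutive-failure count, so the user stays online.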
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting (RADIUS scheme view)

NOTE:
The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting attempts, in the range 10 to 65535.
Description
Use the retry stop-accounting command to set the maximum number of stop-accounting attempts.
Use the undo retry stop-accounting command to restore the default.
By default, the maximum number of stop-accounting attempts is 500.
Related commands: reset stop-accounting-buffer, radius scheme, and display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting attempts to 1000 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000

secondary accounting (RADIUS scheme view)

Syntax
secondary accounting { ipv4-address [ port-number | key string | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number | key string ] * }
undo secondary accounting [ ipv4-address | ipv6 ipv6-address ]
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.
ipv6 ipv6-address: IPv6 address of the secondary accounting server.
port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.
key string: Specifies the shared key for exchanging accounting packets with the secondary RADIUS accounting server. A shared key is a case-sensitive string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary RADIUS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the secondary accounting command to specify secondary RADIUS accounting servers for a RADIUS scheme.
Use the undo secondary accounting command to remove the configuration.
By default, no secondary RADIUS accounting server is specified.
To configure multiple secondary RADIUS accounting servers, execute this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it.
A RADIUS scheme supports up to 16 secondary RADIUS accounting servers.
All accounting servers, primary or secondary, must use IP addresses of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
The shared keys configured on the device for accounting packets and that configured on the RADIUS server must be consistent.
If the specified server resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.
If you remove a secondary accounting server when the device is already sending a start-accounting request to the server, the communication with the secondary server will time out, and then the device will look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured.
If you remove an accounting server being used by online users, the device cannot send real-time accounting requests and stop-accounting requests anymore for the users, and does not buffer the stop-accounting requests.
NOTE:
The shared key configured by this command takes precedence over that configured by the key accounting string command.
Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view).
Examples
# Specify the secondary accounting server and UDP port number for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# Specify two secondary accounting servers for RADIUS scheme radius2, with the server IP addresses of
10.110.1.1 and 10.110.1.2, and the UDP port number of 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813
[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

secondary authentication (RADIUS scheme view)

Syntax
secondary authentication { ipv4-address [ port-number | key string | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number | key string ] * }
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.
ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server.
port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
key string: Specifies the shared key for exchanging authentication/authorization packets with the secondary RADIUS authentication/authorization server. A shared key is a case-sensitive string of 1 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary RADIUS authentication/authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the secondary authentication command to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme.
Use the undo secondary authentication command to remove the configuration.
NOTE:
The shared key configured by this command takes precedence over that configured by the key authentication string command.
By default, no secondary RADIUS authentication/authorization server is specified.
To configure multiple secondary RADIUS authentication/authorization servers, execute this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
A RADIUS scheme supports up to 16 secondary RADIUS authentication/authorization servers.
All authentication/authorization servers, primary or secondary, must use IP addresses of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
The shared keys configured on the device for authentication/authorization packets and that configured on the RADIUS server must be consistent.
If the specified server resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.
If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server will time out, and the device will look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured.
Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view).
Examples
# Specify the secondary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

security-policy-server

Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Description
Use the security-policy-server command to specify a security policy server for a RADIUS scheme.
Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme.
By default, no security policy server is specified for a RADIUS scheme.
You can specify up to eight security policy servers for a RADIUS scheme.
You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Related commands: radius nas-ip.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2

server-type

Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Default level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally iMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC 2865/2866 or newer).
Description
Use the server-type command to configure the RADIUS server type.
Use the undo server-type command to restore the default.
By default, the supported RADIUS server type is standard.
Related commands: radius scheme.
Examples
# Configure the RADIUS server type of RADIUS scheme radius1 as standard.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard

state primary

Syntax
state primary { accounting | authentication } { active | block }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Description
Use the state primary command to set the status of a primary RADIUS server.
By default, the primary RADIUS server specified for a RADIUS scheme is in the active state.
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in the active state. If the primary server is unavailable, the device changes the status of the primary server to blocked, starts a quiet timer for the server, and then tries to communicate with a secondary server in the active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of the primary server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually.
When the primary server and secondary servers are both in the blocked state, the device communicates with the primary server.
Related commands: display radius scheme and state secondary.
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block

state secondary

Syntax
state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Description
Use the state secondary command to set the status of a secondary RADIUS server.
By default, every secondary RADIUS server specified in a RADIUS scheme is in the active state.
If no IP address is specified, this command changes the status of all configured secondary servers for authentication/authorization or accounting.
If the device finds that a secondary server in the active state is unreachable, the device changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in the active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of a server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
Related commands: display radius and state primary.
Examples
# Set the status of all the secondary servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
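The failover and quiet-timer behaviour described under state primary and state secondary, modelled as an added example (not HP code; the server addresses, the scenario steps and the minute-based clock are constructed):

```python
# Added example, not HP code: a model of the RADIUS server selection and
# quiet-timer behaviour described for state primary / state secondary.
# Times are in minutes; server addresses and scenarios are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set

ACTIVE = "active"
BLOCKED = "blocked"


@dataclass
class Server:
    address: str
    state: str = ACTIVE
    quiet_until: float = 0.0  # when a quiet-timer block expires
    manual: bool = False      # blocked by an operator, not by the quiet timer


@dataclass
class RadiusScheme:
    primary: Server
    secondaries: List[Server] = field(default_factory=list)  # configured order = priority
    quiet_minutes: int = 5    # timer quiet; 0 means an unreachable server is never blocked
    now: float = 0.0

    def servers(self) -> List[Server]:
        return [self.primary] + self.secondaries

    def set_state(self, server: Server, state: str) -> None:
        """Operator action: state primary|secondary ... { active | block }."""
        server.state = state
        server.manual = state == BLOCKED

    def _expire_quiet_timers(self) -> None:
        # A server blocked by the quiet timer becomes active again on expiry;
        # a manually blocked server stays blocked until set active manually.
        for s in self.servers():
            if s.state == BLOCKED and not s.manual and self.now >= s.quiet_until:
                s.state = ACTIVE

    def _mark_unreachable(self, server: Server) -> None:
        if self.quiet_minutes == 0 or server.manual:
            return  # quiet period 0: the device keeps using the server
        server.state = BLOCKED
        server.quiet_until = self.now + self.quiet_minutes

    def candidates(self) -> List[Server]:
        active = [s for s in self.servers() if s.state == ACTIVE]
        # With every server blocked, the device still contacts the primary.
        return active if active else [self.primary]

    def authenticate(self, reachable: Set[str]) -> Optional[str]:
        """Address of the server that answered, or None if the attempt fails.
        `reachable` is the constructed set of servers responding right now."""
        self._expire_quiet_timers()
        for s in self.candidates():
            if s.address in reachable:
                return s.address
            self._mark_unreachable(s)
        return None


def walkthrough() -> List[Optional[str]]:
    """Constructed scenario; returns the server used at each step."""
    p, s1, s2 = Server("10.0.0.1"), Server("10.0.0.2"), Server("10.0.0.3")
    scheme = RadiusScheme(primary=p, secondaries=[s1, s2], quiet_minutes=5)
    everyone = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
    trace = []
    scheme.now = 0   # primary down: blocked for 5 min, first secondary answers
    trace.append(scheme.authenticate({"10.0.0.2", "10.0.0.3"}))
    scheme.now = 2   # primary is back but still quiet, so the secondary stays in use
    trace.append(scheme.authenticate(everyone))
    scheme.now = 5   # quiet timer expired: primary is active and preferred again
    trace.append(scheme.authenticate(everyone))
    scheme.set_state(p, BLOCKED)   # manual block: no automatic recovery
    scheme.now = 60
    trace.append(scheme.authenticate(everyone))
    scheme.set_state(s1, BLOCKED)  # every server blocked: primary is contacted anyway
    scheme.set_state(s2, BLOCKED)
    trace.append(scheme.authenticate({"10.0.0.1"}))
    for s in (p, s1, s2):          # all active but nothing answers: attempt fails
        scheme.set_state(s, ACTIVE)
    scheme.now = 61
    trace.append(scheme.authenticate(set()))
    return trace


def quiet_zero() -> List[Optional[str]]:
    """timer quiet 0: an unreachable primary is not blocked and is retried first."""
    scheme = RadiusScheme(Server("10.0.0.1"), [Server("10.0.0.2")], quiet_minutes=0)
    first = scheme.authenticate({"10.0.0.2"})
    scheme.now = 1
    second = scheme.authenticate({"10.0.0.1", "10.0.0.2"})
    return [first, second]


if __name__ == "__main__":
    print(walkthrough())  # ['10.0.0.2', '10.0.0.2', '10.0.0.1', '10.0.0.2', '10.0.0.1', None]
    print(quiet_zero())   # ['10.0.0.2', '10.0.0.1']
```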

stop-accounting-buffer enable (RADIUS scheme view)

Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Default level
2: System level
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.
Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.
By default, the device is enabled to buffer stop-accounting requests getting no responses.
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet. However, if you have removed the accounting server, stop-accounting messages are not buffered.
Related commands: reset stop-accounting-buffer, radius scheme, and display stop-accounting-buffer.
Examples
# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] stop-accounting-buffer enable

timer quiet (RADIUS scheme view)

Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Default level
2: System level
Parameters
minutes: Server quiet period in minutes, in the range 0 to 255.
Description
Use the timer quiet command to set the quiet timer for the servers, that is, the duration for which a server stays blocked before resuming the active state.
Use the undo timer quiet command to restore the default.
By default, the server quiet period is 5 minutes.
You can use the command to adjust the duration during which a server must stay quiet, and control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port connected to the server is temporarily out of service or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible.
Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device has to repeatedly try to communicate with an unreachable server that is in the active state.
Related commands: display radius scheme.
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] timer quiet 10

timer realtime-accounting (RADIUS scheme view)

Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default.
By default, the real-time accounting interval is 12 minutes.
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
When the real-time accounting interval on the device is zero, the device will send online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or will not send online user accounting information.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Table 6 Recommended real-time accounting intervals
Number of users    Real-time accounting interval (minute)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       15 or more
Related commands: retry realtime-accounting and radius scheme.
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout (RADIUS scheme view)

Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Default level
2: System level
Parameters
seconds: RADIUS server response timeout period in seconds, in the range 1 to 10.
Description
Use the timer response-timeout command to set the RADIUS server response timeout timer.
Use the undo timer response-timeout command to restore the default.
By default, the RADIUS server response timeout period is 3 seconds.
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it has to resend the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
A proper value for the RADIUS server response timeout timer can help improve the system performance. Set the timer based on the network conditions.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: radius scheme and retry.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5

user-name-format (RADIUS scheme view)

Syntax
user-name-format { keep-original | with-domain | without-domain }
View
RADIUS scheme view
Default level
2: System level
Parameters
keep-original: Sends the username to the RADIUS server as it is input.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Description
Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.
By default, the ISP domain name is included in the username.
A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username that includes an ISP domain name. Before sending a username that includes a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to a RADIUS server.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server may regard two users in different ISP domains but with the same userid as one user.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients before forwarding them to the RADIUS server.
If the RADIUS scheme is for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Related commands: radius scheme.
Examples
# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
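The rewrite that user-name-format applies to a username, with the 802.1X EAP exception and a check for the multi-domain misuse described above, as an added example (not HP code; the default_domain handling for a bare userid and the domain-to-scheme mapping are assumptions):

```python
# Added example, not HP code: the username rewrite a NAS performs for each
# user-name-format setting, plus a check for schemes configured with
# without-domain but applied to more than one ISP domain.
from typing import Dict, List, Optional, Tuple

KEEP_ORIGINAL = "keep-original"
WITH_DOMAIN = "with-domain"
WITHOUT_DOMAIN = "without-domain"


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """userid@isp-name -> (userid, isp-name); a bare userid has no domain part."""
    if "@" in username:
        userid, _, isp = username.rpartition("@")
        return userid, isp
    return username, None


def format_username(username: str, mode: str, eap: bool = False,
                    default_domain: str = "system") -> str:
    """Username the NAS sends to the RADIUS server under the given scheme setting."""
    if eap:
        # 802.1X EAP: user-name-format does not take effect; forward unchanged.
        return username
    if mode == KEEP_ORIGINAL:
        return username
    userid, isp = split_username(username)
    if mode == WITHOUT_DOMAIN:
        return userid
    if mode == WITH_DOMAIN:
        # Assumption: a bare userid is treated as a member of default_domain.
        return f"{userid}@{isp or default_domain}"
    raise ValueError(f"unknown user-name-format: {mode}")


def without_domain_collisions(domain_scheme: Dict[str, str],
                              scheme_format: Dict[str, str]) -> Dict[str, List[str]]:
    """Schemes using without-domain that are applied to more than one ISP domain.
    After the rewrite such a server cannot tell alice@isp1 from alice@isp2."""
    bound: Dict[str, List[str]] = {}
    for domain, scheme in domain_scheme.items():
        bound.setdefault(scheme, []).append(domain)
    return {s: sorted(d) for s, d in bound.items()
            if scheme_format.get(s) == WITHOUT_DOMAIN and len(d) > 1}


if __name__ == "__main__":
    # Constructed configuration: two ISP domains share scheme radius1.
    domains = {"isp1": "radius1", "isp2": "radius1", "isp3": "radius2"}
    formats = {"radius1": WITHOUT_DOMAIN, "radius2": WITH_DOMAIN}
    print(format_username("alice@isp1", WITHOUT_DOMAIN))  # alice
    print(without_domain_collisions(domains, formats))    # {'radius1': ['isp1', 'isp2']}
```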

vpn-instance (RADIUS scheme view) (available only on the A5500 EI)

Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
RADIUS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters.
Description
Use the vpn-instance command to specify a VPN instance for the RADIUS scheme.
Use the undo vpn-instance command to remove the configuration.
The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified. The VPN instance specified here is not effective for IPv6 RADIUS servers.
Related commands: radius scheme and display radius scheme.
Examples
# Specify VPN instance test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test

HWTACACS configuration commands

data-flow-format (HWTACACS scheme view)

Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
HWTACACS scheme view
Default level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use the data-flow-format command to set the traffic statistics unit for data flows or packets.
Use the undo data-flow-format command to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
Related commands: display hwtacacs.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets respectively in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

display hwtacacs

Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays detailed statistics about the HWTACACS server.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display hwtacacs command to display the configuration information or statistics of HWTACACS schemes.
If no HWTACACS scheme is specified, the command displays the configuration information of all HWTACACS schemes.
If no slot number is specified, the command displays the configuration information of the HWTACACS scheme on the main processing unit.
If no IRF member ID is specified, the command displays the configuration information of the HWTACACS schemes on all members of an IRF fabric.
Related commands: hwtacacs scheme.
Examples
# Display configuration information about HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
VPN instance : vpn1
Primary-authorization-server : 172.31.1.11:49
VPN instance : vpn1
Primary-accounting-server : 172.31.1.11:49
VPN instance : vpn1
Secondary-authentication-server : 0.0.0.0:0
VPN instance : -
Secondary-authorization-server : 0.0.0.0:0
VPN instance : -
Secondary-accounting-server : 0.0.0.0:0
VPN instance : -
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
NAS-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
VPN instance : -
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Username format : with-domain
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 7 Output description
HWTACACS-server template name: Name of the HWTACACS scheme.
Primary-authentication-server: IP address and port number of the primary authentication server. If no primary authentication server is specified, the value of this field is 0.0.0.0:0. This rule is also applicable to the following eight fields.
Primary-authorization-server: IP address and port number of the primary authorization server.
Primary-accounting-server: IP address and port number of the primary accounting server.
Secondary-authentication-server: IP address and port number of the secondary authentication server.
Secondary-authorization-server: IP address and port number of the secondary authorization server.
Secondary-accounting-server: IP address and port number of the secondary accounting server.
Current-authentication-server: IP address and port number of the currently used authentication server.
Current-authorization-server: IP address and port number of the currently used authorization server.
Current-accounting-server: IP address and port number of the currently used accounting server.
VPN instance: VPN instance of the server.
NAS-IP-address: IP address of the NAS. If no NAS IP address is specified, the value of this field is 0.0.0.0.
key authentication: Key for authentication.
key authorization: Key for authorization.
key accounting: Key for accounting.
Quiet-interval: Quiet interval for the primary server.
Realtime-accounting-interval: Real-time accounting interval.
Response-timeout-interval: Server response timeout period.
Acct-stop-PKT retransmit times: Number of stop-accounting packet transmission attempts.
Username format: Format of the usernames to be sent to the HWTACACS server.
Data traffic-unit: Unit for data flows.
Packet traffic-unit: Unit for data packets.

display stop-accounting-buffer

Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.
Examples
# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1
Slot 1:
Total 0 record(s) Matched

hwtacacs nas-ip

NOTE:
The setting by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas the setting by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.
Syntax
hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
View
System view
Default level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the source IP address belongs to. vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IP address. With no VPN specified, the command specifies a public-network source IP address.
Description
Use the hwtacacs nas-ip command to specify a source IP address for outgoing HWTACACS packets.
Use the undo hwtacacs nas-ip command to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
You can specify up to 16 source IP addresses, which can include one public-network IP address at most. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address specified. A private-network source IP address newly specified for a VPN overwrites the previous one.
Related commands: nas-ip.
Examples
# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme

Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Default level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
By default, no HWTACACS scheme exists.
You cannot delete an HWTACACS scheme with online users.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]

key (HWTACACS scheme view)

Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS scheme view
Default level
2: System level
Parameters
accounting: Sets the shared key for HWTACACS accounting packets.
authentication: Sets the shared key for HWTACACS authentication packets.
authorization: Sets the shared key for HWTACACS authorization packets.
string: Shared key, a case-sensitive string of 1 to 64 characters.
Description
Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets.
Use the undo key command to remove the configuration.
By default, no shared key is configured.
Related commands: display hwtacacs.
Examples
# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello

nas-ip (HWTACACS scheme view)

NOTE:
The setting by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas the setting by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Description
Use the nas-ip command to specify a source address for outgoing HWTACACS packets.
Use the undo nas-ip command to remove the configuration.
By default, the source IP address of an outgoing HWTACACS packet is the IP address of the outbound interface.
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
If you configure the command repeatedly, only the last configuration takes effect.
Related commands: hwtacacs nas-ip.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

primary accounting (HWTACACS scheme view)

Syntax
primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS accounting server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary HWTACACS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the primary accounting command to specify the primary HWTACACS accounting server.
Use the undo primary accounting command to remove the configuration.
By default, no primary HWTACACS accounting server is specified.
The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme.
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication (HWTACACS scheme view)

Syntax
primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary authentication
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authentication server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary HWTACACS authentication server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the primary authentication command to specify the primary HWTACACS authentication server.
Use the undo primary authentication command to remove the configuration.
By default, no primary HWTACACS authentication server is specified.
The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme.
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

primary authorization

Syntax
primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authorization server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary HWTACACS authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the primary authorization command to specify the primary HWTACACS authorization server.
Use the undo primary authorization command to remove the configuration.
By default, no primary HWTACACS authorization server is specified.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme.
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

reset hwtacacs statistics

Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
View
User view
Default level
1: Monitor level
Parameters
accounting: Clears HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears HWTACACS authentication statistics.
authorization: Clears HWTACACS authorization statistics.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the reset hwtacacs statistics command to clear HWTACACS statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer

Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
View
User view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.
Related commands: stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.
Examples
# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

retry stop-accounting (HWTACACS scheme view)

Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, in the range 1 to 300.
Description
Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.
Use the undo retry stop-accounting command to restore the default.
By default, the maximum number of stop-accounting request transmission attempts is 100.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting (HWTACACS scheme view)

Syntax
secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS accounting server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the secondary accounting command to specify the secondary HWTACACS accounting server.
Use the undo secondary accounting command to remove the configuration.
By default, no secondary HWTACACS accounting server is specified.
The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If you configure the command repeatedly, only the last configuration takes effect.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

secondary authentication (HWTACACS scheme view)

Syntax
secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authentication server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the secondary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS authentication server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the secondary authentication command to specify the secondary HWTACACS authentication server.
Use the undo secondary authentication command to remove the configuration.
By default, no secondary HWTACACS authentication server is specified.
The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

secondary authorization

Syntax
secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authorization server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
Description
Use the secondary authorization command to specify the secondary HWTACACS authorization server.
Use the undo secondary authorization command to remove the configuration.
By default, no secondary HWTACACS authorization server is specified.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.
If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets.
Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view).
Examples
# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

stop-accounting-buffer enable (HWTACACS scheme view)

Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Default level
2: System level
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests to which no responses are received.
Use the undo stop-accounting-buffer enable command to disable the buffering function.
By default, the device buffers stop-accounting requests to which no responses are received.
Stop-accounting requests affect how users are charged. A NAS must make its best effort to deliver every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request that gets no response within the response timeout period, the NAS buffers the packet and resends it until it receives a response or the number of transmission attempts reaches the limit set with the retry stop-accounting command. In the latter case, the NAS discards the packet.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
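The following Python model is an added example, not code from the HP manual or from the switch firmware. It shows the interplay of the three commands described above: stop-accounting-buffer enable (buffer unanswered requests), retry stop-accounting (maximum transmission attempts, default 100) and timer response-timeout (default 5 seconds), plus reset stop-accounting-buffer (drop what is buffered). The accounting server, the session identifier and the assumption that every unanswered transmission costs one full response timeout are constructed for illustration; the switch's real timer behaviour is not reproduced.

```python
"""Model of the HWTACACS stop-accounting buffer: buffer, resend, discard at the limit."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_RETRY_STOP_ACCOUNTING = 100   # 'retry stop-accounting' default, range 1-300
DEFAULT_RESPONSE_TIMEOUT_S = 5        # 'timer response-timeout' default, range 1-300 s


@dataclass
class StopAccountingRequest:
    session_id: str      # constructed identifier for the user session being stopped
    attempts: int = 0    # transmissions so far, the first send included


class FlakyAccountingServer:
    """Constructed accounting server that answers only from the Nth transmission on.

    answer_on_attempt=1 answers every request; None never answers.
    """

    def __init__(self, answer_on_attempt: Optional[int]):
        self.answer_on_attempt = answer_on_attempt
        self.received = []   # (session_id, attempt) for every packet that arrived

    def send(self, req: StopAccountingRequest) -> bool:
        self.received.append((req.session_id, req.attempts))
        return self.answer_on_attempt is not None and req.attempts >= self.answer_on_attempt


@dataclass
class StopAccountingBuffer:
    retry_times: int = DEFAULT_RETRY_STOP_ACCOUNTING
    response_timeout: int = DEFAULT_RESPONSE_TIMEOUT_S
    enabled: bool = True                 # 'stop-accounting-buffer enable' (the default)
    buffered: list = field(default_factory=list)
    discarded: list = field(default_factory=list)
    elapsed: int = 0                     # seconds spent waiting for responses (simplified)

    def send_stop(self, server, req) -> bool:
        """Transmit once. Unanswered requests are buffered while attempts remain."""
        req.attempts += 1
        if server.send(req):
            return True
        self.elapsed += self.response_timeout   # assume a full timeout per unanswered send
        if self.enabled and req.attempts < self.retry_times:
            self.buffered.append(req)
        else:
            self.discarded.append(req)          # limit reached, or buffering disabled
        return False

    def retransmit(self, server) -> None:
        """One retry pass: resend everything currently buffered."""
        pending, self.buffered = self.buffered, []
        for req in pending:
            self.send_stop(server, req)

    def drain(self, server) -> int:
        """Retry until the buffer is empty; return the number of retry passes."""
        passes = 0
        while self.buffered:
            self.retransmit(server)
            passes += 1
        return passes

    def reset(self) -> int:
        """Model 'reset stop-accounting-buffer': drop buffered requests, return how many."""
        count = len(self.buffered)
        self.buffered.clear()
        return count


def simulate(retry_times, answer_on_attempt, enabled=True):
    """Run one stop-accounting request to completion.

    Returns (acknowledged, transmissions, discarded_count, seconds_waited).
    """
    server = FlakyAccountingServer(answer_on_attempt)
    buf = StopAccountingBuffer(retry_times=retry_times, enabled=enabled)
    req = StopAccountingRequest("sess-1")
    acked = buf.send_stop(server, req)
    if not acked:
        buf.drain(server)
        acked = req not in buf.discarded
    return acked, req.attempts, len(buf.discarded), buf.elapsed


if __name__ == "__main__":
    print(simulate(50, 3))                  # answered on the 3rd transmission
    print(simulate(5, None))                # never answered: discarded after 5 sends
    print(simulate(100, 2, enabled=False))  # buffering off: one send, then discarded
```

The third run is the case to watch operationally: with buffering disabled, a single lost response loses the stop record, so the user's session keeps being charged on the accounting server side.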

timer quiet (HWTACACS scheme view)

Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Default level
2: System level
Parameters
minutes: Primary server quiet period, in minutes. It ranges from 1 to 255.
Description
Use the timer quiet command to set the quiet timer for the primary server, that is, how long the primary server stays in the blocked state before it returns to the active state.
Use the undo timer quiet command to restore the default.
By default, the primary server quiet period is 5 minutes.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10

timer realtime-accounting (HWTACACS scheme view)

Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. A value of zero means that the device does not send online user accounting information to the HWTACACS server.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default.
By default, the real-time accounting interval is 12 minutes.
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval.
The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (1000 or more), as shown in Table 8.
Table 8 Recommended real-time accounting intervals
Number of users      Real-time accounting interval (minutes)
1 to 99              3
100 to 499           6
500 to 999           12
1000 or more         15 or more
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

timer response-timeout (HWTACACS scheme view)

Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Default level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds, in the range 1 to 300.
Description
Use the timer response-timeout command to set the HWTACACS server response timeout timer.
Use the undo timer response-timeout command to restore the default.
By default, the HWTACACS server response timeout time is 5 seconds.
HWTACACS is based on TCP. If the server response timeout timer or the TCP timeout timer times out, the device will be disconnected from the HWTACACS server.
Related commands: display hwtacacs.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30

user-name-format (HWTACACS scheme view)

Syntax
user-name-format { keep-original | with-domain | without-domain }
View
HWTACACS scheme view
Default level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is input.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Description
Use the user-name-format command to specify the format of the username to be sent to an HWTACACS server.
By default, the ISP domain name is included in the username.
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. Otherwise, the HWTACACS server may regard two users in different ISP domains but with the same userid as the same user.
If the HWTACACS scheme is for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Related commands: hwtacacs scheme.
Examples
# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
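The following Python functions are an added example, not code from the HP manual or from the switch firmware. format_username applies the three user-name-format keywords to a username as the user entered it, and without_domain_collisions performs the check a practitioner wants before applying a without-domain scheme to more than one ISP domain: it lists the userids that the HWTACACS server would no longer be able to tell apart. The '@' delimiter split at the first occurrence, the sample users and the domain names are constructed assumptions; the ISP domain the device places a user in is passed in rather than derived.

```python
"""user-name-format keywords and the cross-domain userid collision check."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

FORMATS = ("keep-original", "with-domain", "without-domain")


def split_username(entered: str) -> Tuple[str, Optional[str]]:
    """Split 'userid@isp-name' at the first '@' (assumed delimiter); isp-name is None if absent."""
    userid, sep, domain = entered.partition("@")
    return userid, (domain if sep else None)


def format_username(entered: str, isp_domain: str, fmt: str) -> str:
    """Username the device sends to the HWTACACS server.

    entered: the username as the user typed it.
    isp_domain: the ISP domain the device placed the user in (given, not derived here).
    """
    if fmt not in FORMATS:
        raise ValueError(f"unknown user-name-format keyword: {fmt}")
    if fmt == "keep-original":
        return entered
    userid, _ = split_username(entered)
    return f"{userid}@{isp_domain}" if fmt == "with-domain" else userid


def without_domain_collisions(scheme_domains: Set[str],
                              users: Iterable[Tuple[str, str]],
                              fmt: str) -> Dict[str, List[str]]:
    """userids the server could no longer tell apart, mapped to their ISP domains.

    scheme_domains: ISP domains the HWTACACS scheme is applied to.
    users: (userid, isp_domain) pairs known to the device (constructed input).
    A non-empty result means a without-domain scheme spans several domains
    and the listed userids would merge on the server side.
    """
    if fmt != "without-domain" or len(scheme_domains) < 2:
        return {}
    seen: Dict[str, Set[str]] = {}
    for userid, domain in users:
        if domain in scheme_domains:
            seen.setdefault(userid, set()).add(domain)
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    # Constructed sample: hwt1 applied to domains corp and guest with without-domain.
    sample_users = [("alice", "corp"), ("alice", "guest"), ("bob", "corp")]
    print(format_username("alice@corp", "corp", "without-domain"))
    print(without_domain_collisions({"corp", "guest"}, sample_users, "without-domain"))
```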

vpn-instance (HWTACACS scheme view) (available only on the A5500 EI)

Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
HWTACACS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters.
Description
Use the vpn-instance command to specify a VPN instance for the HWTACACS scheme.
Use the undo vpn-instance command to remove the configuration.
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
Related commands: hwtacacs scheme and display hwtacacs.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test
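The following Python lint is an added example, not code from the HP manual or from the switch firmware. It encodes the server-side constraints stated in the secondary authentication, secondary authorization and secondary accounting sections above (valid unicast IPv4 address, port 1 to 65535 with TCP 49 as the default, vpn-instance name of 1 to 31 characters, primary and secondary of one role must not share an IP address, a repeated server command replaces the earlier one) and resolves the effective VPN for each server the way this section describes: a VPN given on the server line wins over the scheme-level vpn-instance, and a server with neither is reached over the public network. The data model, the error strings, the 10.163.155.11 address and the mgmt VPN name are constructed for illustration.

```python
"""Lint for the server lines and VPN resolution of an HWTACACS scheme."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_HWTACACS_PORT = 49      # default port-number on every server line (TCP)
ROLES = ("authentication", "authorization", "accounting")


@dataclass(frozen=True)
class Server:
    """One 'primary|secondary <role> ip-address [port] [vpn-instance name]' line."""
    ip: str
    port: int = DEFAULT_HWTACACS_PORT
    vpn_instance: Optional[str] = None


@dataclass
class HwtacacsScheme:
    name: str
    vpn_instance: Optional[str] = None            # scheme-level 'vpn-instance'
    servers: dict = field(default_factory=dict)   # role -> {"primary"|"secondary": Server}

    def set_server(self, role: str, slot: str, srv: Server) -> None:
        """Repeating a server command replaces the earlier line, as the reference states."""
        if role not in ROLES or slot not in ("primary", "secondary"):
            raise ValueError(f"unknown server role/slot: {role} {slot}")
        self.servers.setdefault(role, {})[slot] = srv


def _check_vpn_name(name: Optional[str], where: str) -> list:
    if name is not None and not 1 <= len(name) <= 31:
        return [f"{where}: vpn-instance name must be 1 to 31 characters"]
    return []


def validate_server(role: str, slot: str, srv: Server) -> list:
    """Constraint violations for one server line (empty list means it is acceptable)."""
    where = f"{slot} {role}"
    errors = []
    try:
        addr = ipaddress.IPv4Address(srv.ip)
        if addr.is_multicast or addr.is_unspecified:
            errors.append(f"{where}: {srv.ip} is not a unicast address")
    except ipaddress.AddressValueError:
        errors.append(f"{where}: {srv.ip!r} is not a dotted-decimal IPv4 address")
    if not 1 <= srv.port <= 65535:
        errors.append(f"{where}: port {srv.port} is outside 1 to 65535")
    errors.extend(_check_vpn_name(srv.vpn_instance, where))
    return errors


def validate_scheme(scheme: HwtacacsScheme) -> list:
    """Lint the whole scheme: per-line checks plus the primary/secondary IP rule."""
    errors = _check_vpn_name(scheme.vpn_instance, f"scheme {scheme.name}")
    for role in ROLES:
        slots = scheme.servers.get(role, {})
        for slot, srv in slots.items():
            errors.extend(validate_server(role, slot, srv))
        primary, secondary = slots.get("primary"), slots.get("secondary")
        if primary and secondary and primary.ip == secondary.ip:
            errors.append(f"{role}: primary and secondary servers share IP {primary.ip}; "
                          "the configuration fails")
    return errors


def effective_vpn(scheme: HwtacacsScheme, srv: Server) -> Optional[str]:
    """VPN used to reach srv: the server line's VPN wins over the scheme's; None means public."""
    return srv.vpn_instance if srv.vpn_instance is not None else scheme.vpn_instance


def build_example() -> HwtacacsScheme:
    """Constructed scheme in the spirit of the hwt1 examples in this chapter."""
    s = HwtacacsScheme("hwt1", vpn_instance="test")
    s.set_server("authentication", "primary", Server("10.163.155.11"))    # constructed address
    s.set_server("authentication", "secondary", Server("10.163.155.13"))
    s.set_server("accounting", "primary", Server("10.163.155.12", vpn_instance="mgmt"))  # constructed VPN
    s.set_server("accounting", "secondary", Server("10.163.155.12", 49))  # same IP as primary: rejected
    return s


if __name__ == "__main__":
    scheme = build_example()
    for problem in validate_scheme(scheme):
        print("ERROR", problem)
    for role, slots in scheme.servers.items():
        for slot, srv in slots.items():
            print(f"{slot} {role} {srv.ip}:{srv.port} via", effective_vpn(scheme, srv) or "public")
```

Run the lint against a proposed scheme before pasting it into the device: the duplicate-IP case is the one the CLI rejects outright, while a server that silently lands in the wrong VPN because the scheme-level vpn-instance was taken for granted is the one that only shows up as authentication timeouts later.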

RADIUS server configuration commands

authorization-attribute (RADIUS-server user view)

Syntax
authorization-attribute { acl acl-number | vlan vlan-id } *
undo authorization-attribute { acl | vlan } *
View
RADIUS-server user view
Default level
2: System level
Parameters
acl acl-number: Specifies the number of an ACL in the range 2000 to 5999.
vlan vlan-id: Specifies the ID of a VLAN in the range 1 to 4094.
Description
Use the authorization-attribute command to specify the authorization attributes (ACL and VLAN) that the RADIUS server will assign to the RADIUS client in a response message after the RADIUS user passes RADIUS authentication. The RADIUS client uses the assigned authorization attributes to control the access of the RADIUS user.
Use the undo authorization-attribute command to remove the configuration.
By default, no authorization attribute is configured.