accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users who support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

In non-FIPS mode:

accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

In FIPS mode:

accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

Default

The default accounting method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands

· accounting default

· local-user

· radius scheme

accounting login

Use accounting login to specify the accounting method for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting login

Default

The default accounting method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

· accounting default

· hwtacacs scheme

· local-user

· radius scheme

accounting portal

Use accounting portal to specify the accounting method for portal users.

Use undo accounting portal to restore the default.

Syntax

In non-FIPS mode:

accounting portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

In FIPS mode:

accounting portal { local | radius-scheme radius-scheme-name [ local ] }

undo accounting portal

Default

The default accounting method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

Related commands

· accounting default

· local-user

· radius scheme

authentication default

Use authentication default to specify the default authentication method for an ISP domain.

Use undo authentication default to restore the default.

Syntax

In non-FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

In FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users who support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication lan-access

Use authentication lan-access to configure the authentication method for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

In non-FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

In FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

Default

The default authentication method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

· authentication default

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication login

Use authentication login to specify the authentication method for login users.

Use undo authentication login to restore the default.

Syntax

In non-FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

In FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication login

Default

The default authentication method of the ISP is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

· authentication default

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication portal

Use authentication portal to specify the authentication method for portal users.

Use undo authentication portal to restore the default.

Syntax

In non-FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

In FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication portal

Default

The default authentication method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

· authentication default

· ldap scheme

· local-user

· radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication method of the ISP domain is used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the following rules apply:

· If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, to obtain a level-3 user role whose username is test, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

· If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n represents a user role level. For example, to obtain a level-3 user role, the device uses the username string $enab3$.

For more information about user role authentication, see Fundamentals Configuration Guide.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-domain-test] authentication super hwtacacs-scheme tac

Related commands

· authentication default

· hwtacacs scheme

· radius scheme

authorization command

Use authorization command to specify the command authorization method.

Use undo authorization command to restore the default.

Syntax

In non-FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

In FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }

undo authorization command

Default

The default authorization method of the ISP domain is used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup authorization method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

· authorization accounting (Fundamentals Command Reference)

· hwtacacs scheme

· local-user

authorization default

Use authorization default to specify the default authorization method for an ISP domain.

Use undo authorization default to restore the default.

Syntax

In non-FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

In FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Non-login users can access the network.

· Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.

· FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users who support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# Configure the default authorization method for ISP domain test to use RADIUS scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

authorization lan-access

Use authorization lan-access to configure the authorization method for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

In non-FIPS mode:

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

In FIPS mode:

authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

Default

The default authorization method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

· authorization default

· local-user

· radius scheme

authorization login

Use authorization login to configure the authorization method for login users.

Use undo authorization login to restore the default.

Syntax

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

Default

The default authorization method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.

· FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

· authorization default

· hwtacacs scheme

· local-user

· radius scheme

authorization portal

Use authorization portal to configure the authorization method for portal users.

Use undo authorization portal to restore the default.

Syntax

In non-FIPS mode:

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

In FIPS mode:

authorization portal { local | radius-scheme radius-scheme-name [ local ] }

undo authorization portal

Default

The default authorization method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

· authorization default

· local-user

· radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { idle-cut minute [ flow ] | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name }

undo authorization-attribute { idle-cut | ip-pool | ipv6-pool | user-profile }

Default

No authorization attribute is configured for users in the ISP domain and the idle cut feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 600. This option takes effect only on portal users.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240. This argument takes effect only on portal users.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for PPP users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. This option is not supported in the current software version.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users who do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If you execute the command multiple times for the idle cut feature, the most recent configuration takes effect.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

Use display domain to display the ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

Domain: system

State: Active

Default authentication scheme: Local

Default authorization scheme: Local

Default accounting scheme: Local

Session time: Exclude idle time

Authorization attributes :

Idle-cut: Disabled

Domain: dm

State: Active

Super authentication scheme: RADIUS=rad

PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

Command authorization scheme: HWTACACS=hw

LAN access authentication scheme: RADIUS=r4

Portal authentication scheme: LDAP=ldp

Default authentication scheme: LDAP=rad, Local, None

Default authorization scheme: Local

Default accounting scheme: None

Session time: Exclude idle time

Authorization attributes :

Idle-cut : Enabled

Idle timeout: 2 minutes

Flow: 10240 bytes

IP pool: appy

Default domain name: system

Table 1 Command output

Field	Description
Domain	ISP domain name.
State	Status of the ISP domain.
Default authentication scheme	Default authentication method.
Default authorization scheme	Default authorization method.
Default accounting scheme	Default accounting method.
Session time	Online duration sent to the server for users who went offline due to connection failure or malfunction. The online duration does not include the idle cut period (or user online detection interval for portal users).
ADVPN authentication scheme	ADVPN is not supported in the current software version. The setting in this field is not effective.
ADVPN authorization scheme	ADVPN is not supported in the current software version. The setting in this field is not effective.
ADVPN accounting scheme	ADVPN is not supported in the current software version. The setting in this field is not effective.
Login authentication scheme	Authentication method for login users.
Login authorization scheme	Authorization method for login users.
Login accounting scheme	Accounting method for login users.
Authorization attributes	Authorization attributes for users in the ISP domain.
Idle-cut	Idle cut feature status: · Enabled—The feature is enabled. The device logs off users who do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state.
Idle timeout	Idle timeout period, in minutes.
Flow	Minimum traffic that a login user must generate in an idle cut period, in bytes.
IP pool	In the current software version, the device does not support authorizing an IP pool to authenticated users. The setting in this field is not effective.
RADIUS	RADIUS scheme.
HWTACACS	HWTACACS scheme.
LDAP	LDAP scheme.
Local	Local scheme.
None	No authentication, no authorization, or no accounting.
Super authentication scheme	Authentication method for obtaining another user role without reconnecting to the device.
PPP authentication scheme	PPP is not supported in the current software version. The setting in this field is not effective.
PPP authorization scheme	PPP is not supported in the current software version. The setting in this field is not effective.
PPP accounting scheme	PPP is not supported in the current software version. The setting in this field is not effective.
Command authorization scheme	Command line authorization method.
Command accounting scheme	Command line accounting method.
LAN access authentication scheme	Authentication method for LAN users.
LAN access authorization scheme	Authorization method for LAN users.
LAN access accounting scheme	Accounting method for LAN users.
Portal authentication scheme	Authentication method for portal users.
Portal authorization scheme	Authorization method for portal users.
Portal accounting scheme	Accounting method for portal users.

domain

Use domain to create an ISP domain and enter ISP domain view.

Use undo domain to remove an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

There is a system-defined ISP domain named system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name must meet the following requirements:

· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· The name cannot be d, de, def, defa, defau, defaul, or default.

Usage guidelines

All ISP domains are in active state when they are created.

The system has a predefined ISP domain named system. You can modify but not remove its configuration.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create ISP domain test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

· display domain

· domain default enable

· state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

There can be only one default ISP domain.

The specified ISP domain must already exist.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

· display domain

· domain

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN binding exists.

Views

NAS-ID profile view

Predefined user roles

network-admin

mdc-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

· aaa nas-id profile

· port-security nas-id-profile

· portal nas-id-profile

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.

Examples

# Place the ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users, who do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip-pool | ipv6-pool | user-profile | user-role role-name | vlan | work-directory } *

Default

FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user on the default MDC are assigned the network-operator user role. The local users created by an mdc-admin or level-15 user on a non-default MDC are assigned the mdc-operator user role.

Views

Local user view, user group view

Predefined user roles

network-admin

mdc-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. This option is not supported in the current software version.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. This option is not supported in the current software version.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

· For portal users, only the following authorization attributes are effective: acl, idle-cut, and vlan.

· For LAN users, only the following authorization attributes are effective: acl and vlan.

· For HTTP, HTTPS, Telnet, and terminal users, only the authorization attribute user-role is effective.

· For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.

· For other types of local users, no authorization attribute is effective.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an active/standby or master/subordinate switchover, do not specify slot information for the working directory.

To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

When you configure the security-audit user role, follow these restrictions and guidelines:

· If the device has local users authorized as the security-audit user role, you cannot delete the last local user who has this user role.

· The user role security-audit is mutually exclusive with other user roles.

¡ When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

¡ When you assign other user roles to a local user who has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of the network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

· display local-user

· display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attribute is configured for a local user.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option is not supported in the current software version.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters. This argument is not supported in the current software version.

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN and portal users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN and portal users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN and portal users.

Usage guidelines

Binding attributes are checked upon authentication of a local user. If the local user has a non-matching attribute or lacks a required attribute, user authentication fails.

When you configure binding attributes for a local user, verify the following items:

· The device can obtain from the user's packet all attributes for checking. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

· The binding interface type must meet the requirements of the local user. For example, you can bind an 802.1X user to a physical port. If you bind the 802.1X user to a logical interface (for example, a VLAN interface), the user will fail the local authentication.

Examples

# Bind IP address 3.3.3.3 with the network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3

Related commands

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | lan-access | pad | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

class: Specifies the local user type.

· manage: Device management user.

· network: Network access user.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users who use a specific type of service.

· advpn: ADVPN tunnel users. This keyword is not supported in the current software version.

· ftp: FTP users.

· http: HTTP users.

· https: HTTPS users.

· ike: IKE users. This keyword is not supported in the current software version.

· lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.

· pad: X.25 PAD users. This keyword is not supported in the current software version.

· portal: Portal users.

· ppp: PPP users. This keyword is not supported in the current software version.

· ssh: SSH users.

· telnet: Telnet users.

· terminal: Terminal users who log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 2 local users matched.

Device management user root:

State: Active

Service type: SSH/Telnet/Terminal

Access limit: Enabled Max access number: 3

Current access number: 1

User group: system

Bind attributes:

Authorization attributes:

Work directory: flash:

User role list: network-admin

Password control configurations:

Password aging: Enabled (3 days)

Network access user jj:

State: Active

Service type: Lan-access

User group: system

Bind attributes:

IP address: 2.2.2.2

Location bound: GigabitEthernet1/0/1

MAC address: 0001-0001-0001

VLAN ID: 2

Calling number: 2:2

Authorization attributes:

Idle timeOut: 33 (min)

Work directory: flash:

ACL number: 2000

User role list: network-operator, level-0, level-3

Table 2 Command output

Field	Description
State	Status of the local user: active or blocked.
Service type	Service types that the local user can use, including FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
Access limit	Whether the concurrent login limit is enabled.
Max access number	Maximum number of concurrent logins using the local user name.
Current access number	Current number of concurrent logins using the local user name.
User group	Group to which the local user belongs.
Bind attributes	Binding attributes of the local user.
IP address	IP address of the local user.
Location bound	Binding port of the local user.
MAC address	MAC address of the local user.
VLAN ID	Binding VLAN of the local user.
Calling number	PPP calling numbers are not supported in the current software version. The setting in this field is not effective.
Authorization attributes	Authorization attributes of the local user.
Idle timeOut	Idle timeout period of the user, in minutes.
Callback number	PPP callback numbers are not supported in the current software version. The setting in this field is not effective.
Work directory	Directory that the FTP, SFTP, or SCP user can access.
ACL number	Authorization ACL of the local user.
VLAN ID	Authorized VLAN of the local user.
User role list	Authorized roles of the local user.
Password control configurations	Password control attributes that are configured for the user.
Password aging	This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length	This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition	This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password.
Password complexity	This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user who failed to log in after using up all login attempts.

display user-group

Use display user-group to display the user group configuration.

Syntax

display user-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, this command displays the configuration of all user groups.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group

Total 2 user groups matched.

The contents of user group system:

Authorization attributes:

Work directory: flash:

The contents of user group jj:

Authorization attributes:

Idle timeOut: 2 (min)

Callback number: 2:2

Work directory: flash:/

ACL number: 2000

VLAN ID: 2

Password control configurations:

Password aging: Enabled (2 days)

Table 3 Command output

Field	Description
Idle timeOut	Idle timeout period, in minutes.
Callback number	PPP callback numbers are not supported in the current software version. The setting in this field is not effective.
Work directory	Directory that FTP, SFTP, or SCP users in the group can access.
ACL number	Authorization ACL.
VLAN ID	Authorized VLAN.
Password control configurations	Password control attributes that are configured for the user group.
Password aging	This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length	This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition	This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password.
Password complexity	This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user who failed to log in after using up all login attempts.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to the system-defined user group system.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter local user view.

Use undo local-user to remove local users.

Syntax

local-user user-name [ class { manage | network } ]

undo local-user { user-name class { manage | network } | all [ service-type { advpn | ftp | http | https | ike | lan-access | pad | portal | ppp | ssh | telnet | terminal } | class { manage | network } ] }

Default

No local user exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters that does not contain the domain name. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name also cannot be a, al, or all.

class: Specifies the local user type.

· manage: Device management user who can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

· network: Network access user who accesses network resources through the device. Network access users can use LAN access and portal services.

all: Specifies all users.

service-type: Specifies the local users who use a specific type of service.

· advpn: ADVPN tunnel users. This keyword is not supported in the current software version.

· ftp: FTP users.

· http: HTTP users.

· https: HTTPS users.

· ike: IKE users. This keyword is not supported in the current software version.

· lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.

· pad: X.25 PAD users. This keyword is not supported in the current software version.

· portal: Portal users.

· ppp: PPP users. This keyword is not supported in the current software version.

· ssh: SSH users.

· telnet: Telnet users.

· terminal: Terminal users who log in through console ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

Related commands

· display local-user

· service-type

password

Use password to configure a password for a local user.

Use undo password to delete the password of a local user.

Syntax

In non-FIPS mode:

password [ { cipher | hash | simple } password ]

undo password

In FIPS mode:

password

Default

· In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

· In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Sets a ciphertext password.

hash: Sets a hashed password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

· In non-FIPS mode:

¡ A cipher password is a string of 1 to 117 characters.

¡ A hashed password is a string of 1 to 110 characters.

¡ A plaintext password is a string of 1 to 63 characters.

· In FIPS mode, the password is a plaintext string of 15 to 63 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").

Usage guidelines

If you do not specify any parameters or if the device operates in FIPS mode, you enter the interactive mode to set a plaintext password. Only device management users support passwords configured in interactive mode.

In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.

Device management users support plaintext and hashed passwords. Network access users support plaintext and ciphertext passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext, hashed or encrypted.

Examples

# Set the password of the device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of the device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

# Set the password of the network access user user2 to 123456TESTuser&! in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple 123456TESTuser&!

Related commands

· display local-user

· local-user password-display-mode

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

In non-FIPS mode:

service-type { advpn | ftp | ike | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp }

undo service-type { advpn | ftp | ike | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp }

In FIPS mode:

service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp }

undo service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

advpn: Authorizes the user to use the ADVPN service. This keyword is not supported in the current software version.

ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ike: Authorizes the user to use the IKE service. This keyword is not supported in the current software version.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

pad: Authorizes the user to use the PAD service. This keyword is not supported in the current software version.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

portal: Authorizes the user to use the Portal service.

ppp: Authorizes the user to use the PPP service. This keyword is not supported in the current software version.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize the device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines

This command applies only to the local user.

Examples

# Place the device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter user group view.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

There is a user group named system in the system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.

A user group with one or more local users cannot be deleted.

The system has a predefined user group named system. You can modify but not remove its configuration.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set with the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

algorithm loading-share enable

Use algorithm loading-share enable to enable the RADIUS server load sharing feature.

Use undo algorithm loading-share enable to disable the RADIUS server load sharing feature.

Syntax

algorithm loading-share enable

undo algorithm loading-share enable

Default

The RADIUS server load sharing feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server roles. The device forwards an AAA request to the most appropriate server of all active servers in the scheme after it compares the weight values and numbers of currently served users. Specify a weight value for each RADIUS server based on the AAA capacity of the server. A larger weight value indicates a higher AAA capacity.

In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server. If the accounting server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server.

Examples

# Enable the RADIUS server load sharing feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] algorithm loading-share enable

Related commands

· primary authentication (RADIUS scheme view)

· primary accounting (RADIUS scheme view)

· secondary authentication (RADIUS scheme view)

· secondary accounting (RADIUS scheme view)

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

client

Use client to specify a RADIUS DAE client.

Use undo client to remove a RADIUS DAE client.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS DAE clients are specified.

Views

RADIUS DAE server view

Predefined user roles

network-admin

mdc-admin

Parameters

ip ipv4-address: Specifies a DAE client by its IPv4 address.

ipv6 ipv6-address: Specifies a DAE client by its IPv6 address.

key { cipher | simple } string: Specifies the shared key for secure communication between the RADIUS DAE client and server. Make sure the shared key is the same as the key configured on the RADIUS DAE client. If the RADIUS DAE client does not have any shared key, do not specify this option.

· cipher string: Specifies a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

· simple string: Specifies a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the RADIUS DAE client belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

With the RADIUS DAE server feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DAE clients. The device processes the requests and sends DAE responses to the DAE clients.

The device discards any DAE packets sent from DAE clients that are not specified for the DAE server.

You can execute the client command multiple times to specify multiple DAE clients for the DAE server.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Specify the DAE client as 10.110.1.2 in the MPLS L3VPN abc. Set the shared key to 123456 in plaintext form for secure communication between the DAE server and client.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456 vpn-instance abc

Related commands

· radius dynamic-author server

· port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

Use display radius scheme to display the configuration of RADIUS schemes.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

------------------------------------------------------------------

RADIUS Scheme Name : radius1

Index : 0

Primary Auth Server:

Host name: Not configured

IP : Not configured Port: 1812

State: Active

VPN : vpn1

Test profile: 132

Probe username: test

Probe interval: 60 minutes

Weight: 40

Primary Acct Server:

Host name: server1

IP : 1.1.1.1 Port: 1813

State: Active

VPN : Not configured

Weight: 40

Second Auth Server:

Host name: Not configured

IP : Not configured Port: 1812

State: Block

VPN : Not configured

Test profile: Not configured

Weight: 40

Second Acct Server:

Host name: Not configured

IP : Not configured Port: 1813

State: Block (Mandatory)

VPN : Not configured

Weight: 0

Security Policy Server:

Server: 0 IP: 2.2.2.2 VPN: Not configured

Server: 1 IP: 3.3.3.3 VPN: 2

Accounting-On function : Enabled

retransmission times : 5

retransmission interval(seconds) : 2

Timeout Interval(seconds) : 3

Retransmission Times : 3

Retransmission Times for Accounting Update : 5

Server Quiet Period(minutes) : 5

Realtime Accounting Interval(minutes) : 22

NAS IP Address : 1.1.1.1

VPN : Not configured

User Name Format : with-domain

Data flow unit : Million Byte

Packet unit : one

Attribute 15 check-mode : Strict

Algorithm : loading-share

------------------------------------------------------------------

Table 4 Command output

Field	Description
Index	Index number of the RADIUS scheme.
Primary Auth Server	Information about the primary authentication server.
Primary Acct Server	Information about the primary accounting server.
Second Auth Server	Information about the secondary authentication server.
Second Acct Server	Information about the secondary accounting server.
Host name	Hostname of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address.
IP	IP address of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved.
Port	Service port number of the server. If no port number is specified, this field displays the default port number.
State	Status of the server: · Active—The server is in active state. · Block—The server is changed to blocked state automatically. · Block (Mandatory)—The server is set to blocked state manually.
VPN	VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
Test profile	Test profile used for RADIUS server status detection.
Probe username	Username used for RADIUS server status detection.
Probe interval	Server status detection interval, in minutes.
Weight	Weight value of the RADIUS server.
Server: n	Member ID of the security policy server.
IP	IP address of the security policy server.
VPN	VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.
Accounting-On function	Whether the accounting-on feature is enabled.
retransmission times	Number of accounting-on packet transmission attempts.
retransmission interval(seconds)	Interval at which the device retransmits accounting-on packets, in seconds.
Timeout Interval(seconds)	RADIUS server response timeout period, in seconds.
Retransmission times	Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Retransmission Times for Accounting Update	Maximum number of accounting attempts.
Server Quiet Period(minutes)	Quiet period for the servers, in minutes.
Realtime Accounting Interval(minutes)	Interval for sending realtime accounting updates, in minutes.
NAS IP Address	Source IP address for outgoing RADIUS packets.
VPN	VPN to which the RADIUS scheme belongs. If no VPN is specified for the server, this field displays Not configured.
User Name Format	Format for the usernames sent to the RADIUS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered.
Data flow unit	Measurement unit for data flow.
Packet unit	Measurement unit for packets.
Attribute 15 check-mode	RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
Algorithm	Load sharing principle of RADIUS servers: · primary-secondary—The device forwards traffic to the server selected based on primary and secondary server roles. · loading-share—The device distributes traffic among multiple servers for load sharing.

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

Auth. Acct. SessCtrl.

Request Packet: 0 0 0

Retry Packet: 0 0 -

Timeout Packet: 0 0 -

Access Challenge: 0 - -

Account Start: - 0 -

Account Update: - 0 -

Account Stop: - 0 -

Terminate Request: - - 0

Set Policy: - - 0

Packet With Response: 0 0 0

Packet Without Response: 0 0 -

Access Rejects: 0 - -

Dropped Packet: 0 0 0

Check Failures: 0 0 0

Table 5 Command output

Field	Description
Auth.	Authentication packets.
Acct.	Accounting packets.
SessCtrl.	Session-control packets.
Request Packet	Number of request packets.
Retry Packet	Number of retransmitted request packets.
Timeout Packet	Number of request packets timed out.
Access Challenge	Number of access challenge packets.
Account Start	Number of start-accounting packets.
Account Update	Number of accounting update packets.
Account Stop	Number of stop-accounting packets.
Terminate Request	Number of packets for logging off users forcibly.
Set Policy	Number of packets for updating user authorization information.
Packet With Response	Number of packets for which responses were received.
Packet Without Response	Number of packets for which no responses were received.
Access Rejects	Number of Access-Reject packets.
Dropped Packet	Number of discarded packets.
Check Failures	Number of packets with checksum errors.

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS communication.

Use undo key to restore the default.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure RADIUS accounting communication.

authentication: Sets the shared key for secure RADIUS authentication communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

· In non-FIPS mode:

¡ A ciphertext shared key is a string of 1 to 117 characters.

¡ A plaintext shared key is a string of 1 to 64 characters.

· In FIPS mode:

¡ A ciphertext shared key is a string of 15 to 117 characters.

¡ A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

· The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

· The setting in RADIUS scheme view takes precedence over the setting in system view.

If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device due to a physical port error. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.

A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.

Examples

# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

· display radius scheme

· radius nas-ip

port

Use port to specify the RADIUS DAE server port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAE server port number is 3799.

Views

RADIUS DAE server view

Predefined user roles

network-admin

mdc-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAE client must be the same as the RADIUS DAE server port on the DAE server.

Examples

# Enable the RADIUS DAE server to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

· client

· radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.

· cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

· simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, hostname, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out.

· When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

· When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' realtime accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

Examples

# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

# Specify the primary accounting server with hostname server1, UDP port number 1813, and plaintext shared key 123456 for RADIUS scheme radius2.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] primary accounting server1 1813 key simple 123456

Related commands

· display radius scheme

· key (RADIUS scheme view)

· secondary accounting (RADIUS scheme view)

· vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

The server status detection is triggered for the server if the specified test profile exists on the device.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out.

· When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

· When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a. Checks the weight value and number of currently served users for each active server.

b. Determines the most appropriate server in performance to receive an AAA request.

Examples

# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

# Specify the primary authentication server with hostname server1, UDP port number 1812, and plaintext shared key 123456 for RADIUS scheme radius2.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] primary authentication server1 1812 key simple 123456

Related commands

· display radius scheme

· key (RADIUS scheme view)

· radius-server test-profile

· secondary authentication (RADIUS scheme view)

· vpn-instance (RADIUS scheme view)

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAE server feature and enter RADIUS DAE server view.

Use undo radius dynamic-author server to disable the RADIUS DAE server feature.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAE server feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you enable the RADIUS DAE server feature, the device listens to the RADIUS DAE server port to receive DAE packets from specified DAE clients.

Examples

# Enable the RADIUS DAE server feature and enter RADIUS DAE server view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

· client

· port

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 or IPv6 address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 or IPv6 address, do not specify this option.

Usage guidelines

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device due to a physical port error.

You can specify up to 16 source IP addresses, including the following IP addresses:

· Zero or one public-network source IPv4 address.

· Zero or one public-network source IPv6 address.

· Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

· The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

· The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.

· The setting in RADIUS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be referenced by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to restore the default.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled and the UDP port 1812 is closed.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

· primary authentication (RADIUS scheme view)

· secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

mdc-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retry-times

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

· If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

· If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300.

Examples

# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

· radius scheme

· timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a realtime accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS needs to send realtime accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the realtime accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.

Examples

# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

· retry

· timer realtime-accounting (RADIUS scheme view)

· timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name | weight weight-value ] * ]

Default

No secondary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out.

· When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

· When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' realtime accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# For RADIUS scheme radius2, specify three secondary accounting servers by IP address or hostname. Set the UDP port number to 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

[Sysname-radius-radius2] secondary accounting server1 1813

Related commands

· display radius scheme

· key (RADIUS scheme view)

· primary accounting (RADIUS scheme view)

· vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name | weight weight-value ] * ]

Default

No secondary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.

The server status detection is triggered for a server if the specified test profile exists on the device.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out.

· When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

· When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a. Checks the weight value and number of currently served users for each active server.

b. Determines the most appropriate server in performance to receive an AAA request.

Examples

# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# For RADIUS scheme radius2, specify three secondary authentication servers by IP address or hostname. Set the UDP port number to 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

[Sysname-radius-radius2] secondary authentication server1 1812

Related commands

· display radius scheme

· key (RADIUS scheme view)

· primary authentication (RADIUS scheme view)

· radius-server test-profile

· vpn-instance (RADIUS scheme view)

security-policy-server

Use security-policy-server to specify a security policy server.

Use undo security-policy-server to remove a security policy server.

Syntax

security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all }

Default

No security policy server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the security policy server.

ipv6 ipv6-address: Specifies the IPv6 address of the security policy server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.

all: Specifies all security policy servers.

Usage guidelines

You can specify up to eight security policy servers for a RADIUS scheme.

Examples

# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

Related commands

display radius scheme

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All types of notifications for RADIUS are enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:

· RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

· RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

· Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server specified for a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of the primary RADIUS accounting server.

authentication: Sets the status of the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

· Changes the status of the primary server to blocked.

· Starts a quiet timer for the server.

· Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

When the primary server and all secondary servers are in blocked state, the device only tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

· If you set the status of the server to blocked, the device stops detecting the status of the server.

· If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

· display radius scheme

· radius-server test-profile

· state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

Every secondary RADIUS server specified in a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of a secondary RADIUS accounting server.

authentication: Sets the status of a secondary RADIUS authentication server.

host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

· Changes the status of the secondary server to blocked.

· Starts a quiet timer for the server.

· Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

· If you set the status of the server to blocked, the device stops detecting the status of the server.

· If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

· display radius scheme

· radius-server test-profile

· state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

· A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

· A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# Set the quiet timer for the servers to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the realtime accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval

undo timer realtime-accounting

Default

The realtime accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the realtime accounting interval in minutes, in the range of 0 to 60.

Usage guidelines

When the realtime accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the realtime accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the realtime accounting interval configured on the server. If the realtime accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 6 Recommended realtime accounting intervals

Number of users	Realtime accounting interval
1 to 99	3 minutes
100 to 499	6 minutes
500 to 999	12 minutes
1000 or more	15 minutes or longer

Examples

# Set the realtime accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

· display radius scheme

· retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to a RADIUS server.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.

Examples

# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify a VPN for a RADIUS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.

Examples

# Specify VPN test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.

Examples

# Displays the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 TACACS schemes

------------------------------------------------------------------

HWTACACS Scheme Name : hwtac

Index : 0

Primary Auth Server:

Host name: Not configured

IP : 2.2.2.2 Port: 49 State: Active

VPN Instance: 2

Single-connection: Enabled

Primary Author Server:

Host name: server1

IP : 2.2.2.2 Port: 49 State: Active

VPN Instance: 2

Single-connection: Disabled

Primary Acct Server:

Host name: Not configured

IP : Not Configured Port: 49 State: Block

VPN Instance: Not configured

Single-connection: Disabled

VPN Instance : 2

NAS IP Address : 2.2.2.3

Server Quiet Period(minutes) : 5

Realtime Accounting Interval(minutes) : 12

Response Timeout Interval(seconds) : 5

Username Format : with-domain

Data flow unit : Byte

Packet unit : one

------------------------------------------------------------------

Table 7 Command output

Field	Description
Index	Index number of the HWTACACS scheme.
Primary Auth Server	Primary HWTACACS authentication server.
Primary Author Server	Primary HWTACACS authorization server.
Primary Acct Server	Primary HWTACACS accounting server.
Secondary Auth Server	Secondary HWTACACS authentication server.
Secondary Author Server	Secondary HWTACACS authorization server.
Secondary Acct Server	Secondary HWTACACS accounting server.
Host name	Hostname of the HWTACACS server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address.
IP	IP address of the HWTACACS server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved.
Port	Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.
Single-connection	Single connection status: · Enabled—Establish only one TCP connection for all users to communicate with the server. · Disabled—Establish a TCP connection for each user to communicate with the server.
State	Status of the HWTACACS server: active or blocked.
VPN Instance	MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.
NAS IP Address	Source IP address for outgoing HWTACACS packets.
Server Quiet Period(minutes)	Quiet period for the primary servers, in minutes.
Realtime Accounting Interval(minutes)	Realtime accounting interval, in minutes.
Response Timeout Interval(seconds)	HWTACACS server response timeout period, in seconds.
Username Format	Format for the usernames sent to the HWTACACS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered.
Data flow unit	Measurement unit for data flows.
Packet unit	Measurement unit for packets.

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

You can specify up to 16 source IP addresses, including the following IP addresses:

· Zero or one public-network source IPv4 address.

· Zero or one public-network source IPv6 address.

· Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

· The setting in HWTACACS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS scheme exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be referenced by more than one ISP domain at the same time.

You can configure up to 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to remove the configuration.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure HWTACACS accounting communication.

authentication: Sets the shared key for secure HWTACACS authentication communication.

authorization: Sets the shared key for secure HWTACACS authorization communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

· In non-FIPS mode:

¡ A ciphertext shared key is a string of 1 to 373 characters.

¡ A plaintext shared key is a string of 1 to 255 characters.

· In FIPS mode:

¡ A ciphertext shared key is a string of 15 to 373 characters.

¡ A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

· The setting in HWTACACS scheme view takes precedence over the setting in system view.

If you execute the command multiple times, the most recent configuration takes effect.

Examples

# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.

· cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

· simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

# Specify the primary accounting server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme test2.

<Sysname> system-view

[Sysname] hwtacacs scheme test2

[Sysname-hwtacacs-test2] primary accounting server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary accounting (HWTACACS scheme view)

· vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

# Specify the primary authentication server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt2.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt2

[Sysname-hwtacacs-hwt2] primary authentication server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary authentication (HWTACACS scheme view)

· vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to remove the configuration.

Syntax

primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

# Specify the primary authorization server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt2.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt2

[Sysname-hwtacacs-hwt2] primary authorization server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary authorization

· vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

# Specify a secondary accounting server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary accounting (HWTACACS scheme view)

· vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number I key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

# Specify a secondary authentication server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary authentication (HWTACACS scheme view)

· vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number I key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

# Specify a secondary authorization server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization server1 49 key simple 123456

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary authorization

· vpn-instance (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in an HWTACACS scheme.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# Set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the realtime accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The realtime accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the realtime accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For realtime accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Number of users	Realtime accounting interval
1 to 99	3 minutes
100 to 499	6 minutes
500 to 999	12 minutes
1000 or more	15 minutes or longer

Examples

# Set the realtime accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to an HWTACACS server.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

Examples

# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify a VPN for an HWTACACS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified.

Examples

# Specify VPN test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

LDAP commands

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to remove the LDAP authentication server.

Syntax

authentication-server server-name

undo authentication-server server-name

Default

No LDAP authentication server is specified.

Views

LDAP scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

For an LDAP scheme, you can only specify one LDAP authentication server. If you execute the command for an LDAP scheme multiple times, the most recent configuration takes effect.

Examples

# Specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

· display ldap scheme

· ldap server

display ldap scheme

Use display ldap scheme to display the LDAP scheme configuration.

Syntax

display ldap scheme [ scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

------------------------------------------------------------------

LDAP Scheme Name : ldap-sch

Authentication Server : cc

IP : 2.2.2.2

Port : 389

VPN Instance : 2

LDAP Protocol Version : LDAPv2

Server Timeout Interval : 10 (seconds)

Base DN : ll

Search Scope : single-level

User Searching Parameters:

User Object Class : Not configured

Username Attribute : cn

Username Format : with-domain

------------------------------------------------------------------

Table 9 Command output

Field	Description
Index	Index number of the LDAP scheme.
Authentication Server	Name of the LDAP authentication server. If no server is configured, this field displays Not configured.
IP	IP address of the LDAP authentication server. If no authentication server is specified, this field displays Not configured.
Port	Port number of the authentication server. If no port number is specified, this field displays the default port number.
VPN Instance	VPN to which the LDAP server belongs. If no VPN is specified, this field displays Not configured.
LDAP Protocol Version	LDAP version, LDAPv2 or LDAPv3.
Server Timeout Interval	LDAP server timeout period, in seconds.
Login Account DN	DN of the administrator.
Base DN	Base DN for user search.
Search Scope	User DN search scope, including: · all-level—All subdirectories. · single-level—Next lower level of subdirectories under the base DN.
User Searching Parameters	User search parameters.
User Object Class	User object class for user DN search. If no user object class is configured, this field displays Not configured.
Username Attribute	User account attribute for login.
Username Format	Format for the username sent to the server.

ip

Use ip to configure the IP address and port number of the LDAP server.

Use undo ip to delete the LDAP server IP address and port number.

Syntax

ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of the LDAP authentication server as 192.168.0.10 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address and port number of the LDAP server.

Use undo ipv6 to delete the LDAP server IPv6 address and port number.

Syntax

ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ipv6

Default

An LDAP server does not have an IPv6 address.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IPv6 address and port number of the LDAP authentication server as 1:2::3:4 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap scheme

Use ldap scheme to create an LDAP scheme and enter LDAP scheme view.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be referenced by more than one ISP domain at the same time.

You can configure up to 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter LDAP server view.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP server exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

server-name: LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to remove the configuration.

Syntax

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city.

<Sysname> system-view

[Sysname] ldap server ldap1

[Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

· If the simple keyword is specified, the password must be a string of 1 to 128 characters.

· If the cipher keyword is specified, the password must be a ciphertext string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.

Examples

# Configure the administrator password to abcdefg in plain text.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

· display ldap scheme

· login-dn

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

· display ldap scheme

· ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

· display ldap scheme

· ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

· display ldap scheme

· login-dn

10-Security Command Reference

AAA commands

aaa nas-id profile

accounting command

accounting portal

domain

domain default enable

authorization-attribute (local user view/user group view)

display user-group

group

RADIUS commands

algorithm loading-share enable

display radius scheme

display radius statistics

key (RADIUS scheme view)

primary accounting (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius dynamic-author server

secondary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

state secondary

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

user-name-format (RADIUS scheme view)

HWTACACS commands

display hwtacacs scheme

primary accounting (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

timer response-timeout (HWTACACS scheme view)

user-name-format (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

LDAP commands

ip

search-scope

server-timeout

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us