09-Security Command Reference
User identification commands
account-update-interval
Use account-update-interval to set the interval for automatic identity user account import.
Use undo account-update-interval to restore the default.
Syntax
account-update-interval interval
undo account-update-interval
Default
The interval is 24 hours for automatic identity user account import.
Views
Identity user import policy view
Predefined user roles
network-admin
context-admin
Parameters
interval: Specifies an interval in the range of 1 to 65536 hours.
Usage guidelines
After you enable automatic import for an identity user import policy, the device automatically imports identity user accounts from the servers specified in the policy at the specified interval. Periodic auto-import ensures account consistency between the device and the servers.
Examples
# Set the interval for automatic identity user account import to 12 hours for identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity user-import-policy policy1
[Sysname-identity-user-impt-policy-policy1] account-update-interval 12
Related commands
user-identity user-account auto-import policy
connection-detect
Use connection-detect to configure parameters for RESTful server reachability detection.
Use undo connection-detect to restore the default.
Syntax
connection-detect { interval interval | maximum max-times }
undo connection-detect { interval | maximum }
Default
The reachability detection interval is 5 minutes and the maximum number of probes per detection is 3.
Views
RESTful server view
Predefined user roles
network-admin
context-admin
Parameters
interval interval: Specifies the reachability detection interval, in minutes. The value range for the interval argument is 1 to 10.
maximum max-times: Specifies the maximum number of probes per detection, in the range of 1 to 5.
Usage guidelines
A shorter detection interval and a larger number of probes give more timely and reliable results but increase the load on the RESTful server. Choose values that balance how quickly you need to learn that the server has become unreachable against the server's capacity to answer probes.
Examples
# Configure reachability detection parameters for RESTful server rest1. Set the reachability detection interval to 2 minutes and the maximum number of probes per detection to 3.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] connection-detect interval 2
[Sysname-restfulserver-rest1] connection-detect maximum 3
Related commands
connection-detect enable
display user-identity restful-server
login-name
uri
user-identity restful-server
connection-detect enable
Use connection-detect enable to enable RESTful server reachability detection.
Use undo connection-detect enable to disable RESTful server reachability detection.
Syntax
connection-detect enable
undo connection-detect enable
Default
RESTful server reachability detection is disabled.
Views
RESTful server view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to detect the reachability of a RESTful server. Other security modules can use the detection result as a reference when applying user access control policies.
Before you use this command, you must complete the following tasks:
· Specify the username and password used for logging in to the RESTful server by using the login-name command.
· Specify a URI for the RESTful server by using the uri command.
When RESTful server reachability detection is enabled, the device starts a detection at every detection interval and sends probes within that interval.
· If the device receives a response from the RESTful server, it determines that the server is reachable and stops probing for that detection.
· If the device receives no response after the maximum number of probes, it determines that the server is unreachable.
Set the detection interval and the maximum number of probes per detection by using the connection-detect { interval interval | maximum max-times } command.
When you disable RESTful server reachability detection, the device immediately stops detecting the reachability of the RESTful server.
Examples
# Enable reachability detection for RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] connection-detect enable
Related commands
connection-detect
display user-identity restful-server
login-name
uri
user-identity restful-server
display user-identity
Use display user-identity to display information about the specified identity users or identity groups.
Syntax
display user-identity { domain domain-name | null-domain } { user [ user-name [ group ] ] | user-group [ group-name [ member { group | user } ] ] }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies identity users or identity groups that do not belong to any identity domain.
user: Displays identity user information.
user-name: Specifies an identity user by its name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user, this command displays information about all identity users.
group: Displays information about the identity groups to which the identity user belongs. If you do not specify this keyword, the command does not display identity group information.
user-group: Displays identity group information.
group-name: Specifies an identity group by its group name, a case-insensitive string of 1 to 200 characters. If you do not specify an identity group, this command displays information about all identity groups.
member: Displays information about members in the specified identity group. If you do not specify this keyword, the command does not display member information.
group: Specifies identity group members in the specified identity group.
user: Specifies identity user members in the specified identity group.
Usage guidelines
This command displays information about identity users or identity groups, including the information learned from the local user database and information imported from remote servers and .csv files.
Examples
# Display information about all identity groups in identity domain system.
<Sysname> display user-identity domain system user-group
Identity domain: system
Group ID Group name
0x888 abc
0x123 gp1
Total 2 records matched.
# Display information about identity group abc in identity domain system.
<Sysname> display user-identity domain system user-group abc
Identity domain: system
Group ID Group name
0x888 abc
Total 1 records matched.
# Display information about identity user members of identity group abc in identity domain system.
<Sysname> display user-identity domain system user-group abc member user
Identity domain: system
User ID Username
0x234 user1
0xffffffff user2
Total 2 records matched.
# Display information about identity group members of identity group abc in identity domain system.
<Sysname> display user-identity domain system user-group abc member group
Identity domain: system
Group ID Group name
0x567 group1
0x111 group2
Total 2 records matched.
# Display information about all identity users in identity domain system.
<Sysname> display user-identity domain system user
Identity domain: system
User ID Username
0x234 user1
0xffffffff user2
Total 2 records matched.
# Display information about identity user user1 in identity domain system.
<Sysname> display user-identity domain system user user1
Identity domain: system
User ID Username
0x234 user1
Total 1 records matched.
# Display information about identity groups to which identity user user1 belongs in identity domain system.
<Sysname> display user-identity domain system user user1 group
Identity domain: system
Group ID Group name
0x888 abc
0x123 gp1
Total 2 records matched.
# Display information about identity users that do not belong to any identity domain.
<Sysname> display user-identity null-domain user
User ID Username
0x1 test
0x3 jj
0x2 abc
Total 3 records matched.
Table 1 Command output
Field | Description |
---|---|
Identity domain | Name of the identity domain to which identity users or identity groups belong. This field is not displayed if identity users or identity groups do not belong to any identity domain. |
User ID | ID of the identity user. |
Username | Name of the identity user. |
Group ID | ID of the identity group. |
Group name | Name of the identity group. |
Total n records matched. | Total number of matching identity users or identity groups. |
Related commands
reset user-identity user-account
reset user-identity user-group
display user-identity active-user-group
Use display user-identity active-user-group to display information about active identity groups.
Syntax
display user-identity active-user-group { all | domain domain-name | null-domain }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
all: Specifies all identity domains.
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies active identity groups that do not belong to any identity domain.
Usage guidelines
An identity group is active only when it is used by a security module for network access control.
Examples
# Display information about active identity groups in identity domain system.
<Sysname> display user-identity active-user-group domain system
Identity domain: system
Group ID Group name
0x888 abc
0x123 gp1
Total 2 records matched.
Table 2 Command output
Field | Description |
---|---|
Identity domain | Name of the identity domain to which active identity groups belong. This field is not displayed if active identity groups do not belong to any identity domain. |
Group ID | ID of the active identity group. |
Group name | Name of the active identity group. |
Total n records matched. | Total number of matching active identity groups. |
Related commands
reset user-identity user-group
display user-identity all
Use display user-identity all to display information about all identity users or identity groups.
Syntax
display user-identity all { user | user-group }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
user: Specifies identity users.
user-group: Specifies identity groups.
Usage guidelines
This command displays information about all identity users or identity groups, including information learned from the local user database and information obtained from remote servers and .csv files.
Examples
# Display information about all identity users.
<Sysname> display user-identity all user
Identity domain: system
User ID Username
0x121 test1
0x123 test2
Identity domain: 11
User ID Username
0x888 test3
0x899 test4
Total 4 records matched.
Table 3 Command output
Field | Description |
---|---|
Identity domain | Name of the identity domain to which identity users belong. This field is not displayed if identity users do not belong to any identity domain. |
User ID | ID of the identity user. |
Username | Name of the identity user. |
Total n records matched. | Total number of matching identity users. |
# Display information about all identity groups.
<Sysname> display user-identity all user-group
Identity domain: system
Group ID Group name
0x888 abc
0x123 gp1
Identity domain: 11
Group ID Group name
0x255 001
0x256 002
Total 4 records matched.
Table 4 Command output
Field | Description |
---|---|
Identity domain | Name of the identity domain to which identity groups belong. This field is not displayed if identity groups do not belong to any identity domain. |
Group ID | ID of the identity group. |
Group name | Name of the identity group. |
Total n records matched. | Total number of matching identity groups. |
Related commands
reset user-identity user-account
reset user-identity user-group
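The account-update-interval usage guidelines say that periodic auto-import keeps the device's identity accounts consistent with the servers. Between imports, the display user-identity all user output above is the only record of what the device actually holds. The following is an added example, not part of the H3C command reference: it parses that tabular output into {domain: {username: user_id}}, verifies the "Total n records matched" trailer against the rows it found, and diffs the result against a constructed roster of what the LDAP or .csv source is expected to contain, so stale or unexpected accounts stand out. The sample output, the roster and the handling of a missing "Identity domain:" header (mapped to the key None, as in the null-domain display) are assumptions made for the example.

```python
"""Cross-check device identity accounts against a source roster (added example)."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample in the format documented for "display user-identity all user".
SAMPLE_OUTPUT = """\
Identity domain: system
User ID          Username
0x121            test1
0x123            test2
Identity domain: 11
User ID          Username
0x888            test3
0x899            test4
Total 4 records matched.
"""

# Constructed sample in the null-domain format: no "Identity domain:" header.
NULL_DOMAIN_OUTPUT = """\
User ID          Username
0x1              test
0x3              jj
0x2              abc
Total 3 records matched.
"""

# Constructed expectation of what the LDAP/.csv source holds (assumption).
EXPECTED_ROSTER: Dict[Optional[str], Set[str]] = {
    "system": {"test1", "test2"},
    "11": {"test3", "test5"},
}

ROW_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s*$")   # "<user id> <username>"
TOTAL_RE = re.compile(r"^Total (\d+) records matched")

UserTable = Dict[Optional[str], Dict[str, str]]


def parse_users(text: str) -> Tuple[UserTable, int]:
    """Return ({domain: {username: user_id}}, total) from display output.

    Users listed before any "Identity domain:" header (null-domain output)
    are stored under the key None. total is -1 if no trailer was seen.
    """
    users: UserTable = {}
    domain: Optional[str] = None
    total = -1
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Identity domain:"):
            domain = line.split(":", 1)[1].strip()
            users.setdefault(domain, {})
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW_RE.match(line)          # the "User ID  Username" header does not match
        if m:
            users.setdefault(domain, {})[m.group(2)] = m.group(1)
    return users, total


def check_count(users: UserTable, total: int) -> bool:
    """True if the rows parsed agree with the device's own record count."""
    return sum(len(v) for v in users.values()) == total


def diff_roster(device_users: UserTable,
                roster: Dict[Optional[str], Set[str]]) -> Dict[str, Dict[Optional[str], list]]:
    """Report accounts present on the device but not in the source (stale)
    and accounts in the source but absent from the device (missing)."""
    stale: Dict[Optional[str], list] = {}
    missing: Dict[Optional[str], list] = {}
    for domain in set(device_users) | set(roster):
        on_device = set(device_users.get(domain, {}))
        expected = roster.get(domain, set())
        if on_device - expected:
            stale[domain] = sorted(on_device - expected)
        if expected - on_device:
            missing[domain] = sorted(expected - on_device)
    return {"stale": stale, "missing": missing}


if __name__ == "__main__":
    users, total = parse_users(SAMPLE_OUTPUT)
    print("count consistent:", check_count(users, total))
    print(diff_roster(users, EXPECTED_ROSTER))
```

Paste the real display output in place of the constructed sample; a non-empty "stale" list after the account-update-interval has elapsed means the automatic import is not running or the policy no longer covers that domain.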
display user-identity online-user
Use display user-identity online-user to display online identity user information.
Syntax
display user-identity online-user { domain domain-name | null-domain } name user-name
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies online identity users that do not belong to any identity domain.
name user-name: Specifies an online identity user by its username, a case-sensitive string of 1 to 55 characters. The username cannot contain the domain name.
Usage guidelines
This command displays information about online identity users, including static online identity users and dynamic online identity users.
Examples
# Display information about online identity user user1 in identity domain system.
<Sysname> display user-identity online-user domain system name user1
User name: user1
Identity domain: system
IP : 199.199.0.15
MAC : 0001-0002-0003
Type: Static
Total 1 records matched.
Table 5 Command output
Field | Description |
---|---|
User name | Name of the online identity user. |
Identity domain | Name of the identity domain to which online identity users belong. This field is not displayed if online identity users do not belong to any identity domain. |
IP | IP address of the online identity user. This field is not displayed if the device does not obtain the IP address. |
MAC | MAC address of the online identity user. This field is not displayed if the MAC address of the online identity user is not obtained. |
Type | Type of the online identity user: Static or Dynamic. |
Total n records matched. | Total number of matching online identity users. |
Related commands
reset user-identity dynamic-online-user
user-identity static-user
display user-identity restful-server
Use display user-identity restful-server to display RESTful server configuration.
Syntax
display user-identity restful-server [ server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
server-name: Specifies a RESTful server by its server name, a case-insensitive string of 1 to 31 characters. If you do not specify a RESTful server, this command displays configuration information for all RESTful servers.
Examples
# Display configuration information for RESTful server rest1.
<Sysname> display user-identity restful-server rest1
RESTful server name: rest1
Login name: u1
Vpn Instance: v1
Get User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUser
Get User Group URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUserGroup
Get Online User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/onlineUser
Put Online User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOnlineUser
Put Offline User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOfflineUser
Connectivity detection: Enabled
Detection interval: 1 minutes
Connectivity status: Reachable
# Display configuration information for RESTful server rest2.
<Sysname> display user-identity restful-server rest2
RESTful server name: rest2
Login name: u2
Get User URI: http://1.1.1.1:8080/imcrs/uam/acmUser/acmUserList
Get User Group URI: http://1.1.1.1:8080/imcrs/uam/acmUser/userGroup
Get Online User URI: http://1.1.1.1:8080/imcrs/uam/online
Connectivity detection: Enabled
Detection interval: 1 minutes
Maximum times: 1
Connectivity status: Reachable
Table 6 Command output
Field | Description |
---|---|
Login name | Username used to log in to the RESTful server. |
Vpn Instance | MPLS L3VPN instance to which the RESTful server belongs. This field is not displayed if the RESTful server belongs to the public network. |
Get User URI | URI used to request user account information. |
Get User Group URI | URI used to request user group information. |
Get Online User URI | URI used to request online user information. |
Put Online User URI | URI used to upload online user information. |
Put Offline User URI | URI used to upload offline user information. |
Connectivity detection | Whether RESTful server reachability detection is enabled: Enabled or Disabled. |
Detection interval | Interval at which the device detects the reachability of the RESTful server, in minutes. |
Maximum times | Maximum number of probes per detection. |
Connectivity status | Status of the RESTful server: Reachable or Unreachable. This field is not displayed if RESTful server reachability detection is disabled. |
Related commands
connection-detect
connection-detect enable
login-name
uri
user-identity restful-server
vpn-instance
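The connection-detect enable guidelines make the detection state and the login credentials prerequisites for a usable RESTful server, and the display output above is where those settings are visible. The following is an added example, not code from the H3C command reference: it parses the key/value blocks of display user-identity restful-server into one dict per server and applies a few review checks of the author's choosing (URIs that use cleartext http, detection not enabled, server not reachable, no login name). The sample output is constructed from the page's examples with one server changed to an https URI and detection disabled; the check rules are assumptions, not device behaviour.

```python
"""Audit captured `display user-identity restful-server` output (added example)."""
from typing import Dict, List

# Constructed sample: rest1 as shown on the page, rest2 altered for contrast.
SAMPLE_OUTPUT = """\
RESTful server name: rest1
Login name: u1
Vpn Instance: v1
Get User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUser
Get User Group URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUserGroup
Get Online User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/onlineUser
Connectivity detection: Enabled
Detection interval: 1 minutes
Maximum times: 1
Connectivity status: Reachable
RESTful server name: rest2
Login name: u2
Get User URI: https://10.0.0.5:8443/imcrs/uam/acmUser/acmUserList
Connectivity detection: Disabled
"""

ServerConfig = Dict[str, str]


def parse_restful_servers(text: str) -> Dict[str, ServerConfig]:
    """Split the output at each 'RESTful server name:' line into {name: {field: value}}.

    Splitting on the first ':' keeps URI values such as http://host:8080/... intact,
    because the field names themselves never contain a colon.
    """
    servers: Dict[str, ServerConfig] = {}
    current: ServerConfig = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # blank or non key/value line
        key, value = key.strip(), value.strip()
        if key == "RESTful server name":
            current = servers.setdefault(value, {})
        else:
            current[key] = value
    return servers


def audit_server(name: str, cfg: ServerConfig) -> List[str]:
    """Review checks (author's own): cleartext transport, detection state, credentials."""
    findings: List[str] = []
    for key, value in cfg.items():
        # Every '... URI' field is a server endpoint; login-name credentials travel to it.
        if key.endswith("URI") and value.lower().startswith("http://"):
            findings.append(f"{name}: {key} uses cleartext http ({value})")
    if cfg.get("Connectivity detection") != "Enabled":
        findings.append(f"{name}: reachability detection is not enabled")
    elif cfg.get("Connectivity status") != "Reachable":
        findings.append(f"{name}: server is {cfg.get('Connectivity status', 'unknown')}")
    if "Login name" not in cfg:
        findings.append(f"{name}: no login name configured")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Findings per server for a whole display capture."""
    return {name: audit_server(name, cfg) for name, cfg in parse_restful_servers(text).items()}


if __name__ == "__main__":
    for server, findings in audit(SAMPLE_OUTPUT).items():
        print(server, findings or ["ok"])
```

On rest1 every URI is flagged because the page's own example addresses use http; rest2 is flagged only because detection is disabled, so its Connectivity status line is absent and the device gives no evidence that the server is reachable.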
display user-identity security-manage-server
Use display user-identity security-manage-server to display configuration information for security management server sets.
Syntax
display user-identity security-manage-server [ server-set-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
server-set-name: Specifies a security management server set by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a security management server set, this command displays configuration information for all security management server sets. The system supports only one security management server set.
Examples
# Display configuration information for security management server set sec1.
<Sysname> display user-identity security-manage-server sec1
Security management server set: sec1
IP addresses: 192.168.0.1,10.113.0.1
Listening port: 8200
Encryption algorithm: 3DES
Total 1 records matched
Table 7 Command output
Field | Description |
---|---|
Security management server set | Name of the security management server set. |
IP addresses | IP addresses of security management servers. |
Listening port | Port for listening to security management servers. |
Encryption algorithm | Algorithm for encrypting packets exchanged between the device and security management servers. |
Total n records matched | Number of matched security management server sets. |
Related commands
encryption
ip
listen-port
user-identity security-manage-server
display user-identity user-import-policy
Use display user-identity user-import-policy to display identity user import policy information.
Syntax
display user-identity user-import-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify an identity user import policy, this command displays information about all identity user import policies.
Examples
# Display information about identity user import policy policy1.
<Sysname> display user-identity user-import-policy policy1
Policy name: policy1
Interval time: 24 hours
RESTful server name:
ser1
LDAP import type: All
LDAP scheme name:
ldap-scheme
Total 1 records matched.
Table 8 Command output
Field | Description |
---|---|
Policy name | Name of the identity user import policy. |
Interval time | Interval for automatic identity user account import, in hours. |
RESTful server name | Name of the RESTful server. |
LDAP import type | Type of user information imported from LDAP servers: All (user and user group information), User (user information), or Group (user group information). |
LDAP scheme name | Name of an LDAP scheme. |
Total n records matched | Total number of matching identity user import policies. |
Related commands
import-type
user-identity user-import-policy
encryption
Use encryption to configure the encryption algorithm and shared key for securing communication with security management servers.
Use undo encryption to restore the default.
Syntax
encryption algorithm { 3des | aes128 } key { simple | cipher } string
undo encryption algorithm
Default
No encryption algorithm or shared key is configured for securing communication with security management servers.
Views
Security management server set view
Predefined user roles
network-admin
context-admin
Parameters
algorithm: Specifies the encryption algorithm.
3des: Specifies the 3DES algorithm.
aes128: Specifies the AES algorithm that uses a 128-bit key.
key: Specifies the shared key.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. The key string is case sensitive.
· If the encryption algorithm is 3DES, the plaintext form of the key is a string of 1 to 24 characters. The encrypted form of the key is a string of 1 to 65 characters.
· If the encryption algorithm is AES-128, the plaintext form of the key is a string of 1 to 16 characters. The encrypted form of the key is a string of 1 to 53 characters.
Usage guidelines
For the device to correctly exchange packets with security management servers, make sure the encryption algorithm and shared key are the same as those configured on the servers. Prefer aes128 where the servers support it: 3DES is deprecated for new use (NIST SP 800-131A Rev. 2 disallows it for encryption after 2023). The key is a shared secret that protects every packet exchanged with the servers, so use a long random string rather than a short value like the 123 in the example below.
Examples
# Configure 3DES as the encryption algorithm and plaintext string 123 as the shared key for securing communication with security management servers in security management server set sec1.
<Sysname> system-view
[Sysname] user-identity security-manage-server sec1
[Sysname-identity-sec-manage-server-sec1] encryption algorithm 3des key simple 123
Related commands
display user-identity security-manage-server
import-type
Use import-type to specify the type of user information to be imported from LDAP servers.
Use undo import-type to restore the default.
Syntax
import-type { all | group | user }
undo import-type
Default
No import type is specified, and the device imports both user information and user group information from LDAP servers.
Views
Identity user import policy view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies both the user and user group types.
group: Specifies the user group type.
user: Specifies the user type.
Usage guidelines
The device imports only user information of the specified type from LDAP servers.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the device to import both user information and user group information from LDAP servers.
<Sysname> system-view
[Sysname] user-identity user-import-policy policy
[Sysname-identity-user-impt-policy-policy] import-type all
Related commands
display user-identity user-import-policy
ip
Use ip to specify IP addresses of security management servers.
Use undo ip to remove the specified IP addresses of security management servers.
Syntax
ip ip-address&<1-10>
undo ip { ip-address&<1-10> | all }
Default
No IP addresses of security management servers are specified.
Views
Security management server set view
Predefined user roles
network-admin
context-admin
Parameters
ip-address&<1-10>: Specifies a space-separated list of up to 10 IP addresses. The all-zero IP address is not allowed.
all: Specifies all the IP addresses of security management servers.
Usage guidelines
A single ip command accepts up to 10 addresses; a security management server set can hold a maximum of 20 IP addresses in total, so execute the command more than once to add the remainder.
Examples
# Specify security management servers at 192.168.0.1 and 10.113.0.1 for security management server set sec1.
<Sysname> system-view
[Sysname] user-identity security-manage-server sec1
[Sysname-identity-sec-manage-server-sec1] ip 192.168.0.1 10.113.0.1
Related commands
display user-identity security-manage-server
ldap-scheme
Use ldap-scheme to specify an LDAP scheme.
Use undo ldap-scheme to remove the specified LDAP scheme from the policy.
Syntax
ldap-scheme ldap-scheme-name
undo ldap-scheme ldap-scheme-name
Default
No LDAP schemes are specified.
Views
Identity user import policy view
Predefined user roles
network-admin
context-admin
Parameters
ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To import identity user account information from the LDAP server specified in the LDAP scheme, use the user-identity user-account import policy command. The device cannot import online identity user information from the LDAP server.
You can specify a maximum of 16 LDAP schemes in an identity user import policy for importing users from multiple LDAP servers in batch.
Examples
# Specify LDAP scheme ser2 for identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity user-import-policy policy1
[Sysname-identity-user-impt-policy-policy1] ldap-scheme ser2
Related commands
display user-identity user-import-policy
ldap scheme
listen-port
Use listen-port to set the port number for listening to security management servers.
Use undo listen-port to restore the default.
Syntax
listen-port port-num
undo listen-port
Default
The device listens to security management servers on port 8001.
Views
Security management server set view
Predefined user roles
network-admin
context-admin
Parameters
port-num: Specifies the UDP port number for listening to security management servers, in the range of 1 to 65535.
Usage guidelines
For the device to establish connections with security management servers, make sure the listening port is the same as the port that the servers use to send online user information.
Examples
# Set the port to 8048 for listening to security management servers in security management server set sec1.
<Sysname> system-view
[Sysname] user-identity security-manage-server sec1
[Sysname-identity-sec-manage-server-sec1] listen-port 8048
Related commands
display user-identity security-manage-server
login-name
Use login-name to specify the username and password used for logging in to the RESTful server.
Use undo login-name to restore the default.
Syntax
login-name user-name password { cipher | simple } string
undo login-name
Default
No username or password is specified for logging in to the RESTful server.
Views
RESTful server view
Predefined user roles
network-admin
context-admin
Parameters
user-name: Specifies a username, a case-sensitive string of 1 to 55 characters.
password: Specifies a password.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
The device presents the specified username and password when it connects to the RESTful server. If the server authenticates the device, it accepts the connection and the device can then request resources from it.
The specified username and password must exist on the RESTful server. They are sent over the connection defined by the uri command, so if that URI uses plain http they cross the network in cleartext.
Examples
# Configure the device to use username abc and plaintext password 123 to log in to the RESTful server.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] login-name abc password simple 123
Related commands
display user-identity restful-server
user-identity restful-server
reset user-identity dynamic-online-user
Use reset user-identity dynamic-online-user to delete dynamic online identity users.
Syntax
reset user-identity dynamic-online-user { all | { domain domain-name | null-domain } [ name user-name ] | { { ip ipv4-address | ipv6 ipv6-address } | mac mac-address } * }
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all dynamic online identity users.
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies dynamic online identity users that do not belong to any identity domain.
name user-name: Specifies a dynamic online identity user by its username, a case-sensitive string of 1 to 55 characters. If you do not specify this option, the command deletes dynamic online identity users that belong to the specified domain or that do not belong to any domain.
ip ipv4-address: Specifies the IPv4 address of a dynamic online identity user.
ipv6 ipv6-address: Specifies the IPv6 address of a dynamic online identity user.
mac mac-address: Specifies the MAC address of a dynamic online identity user, in the format H-H-H. If you specify an IP address without a MAC address, this command deletes the dynamic online identity user that has the specified IP address regardless of its MAC address.
Usage guidelines
This command deletes dynamic online identity users created based on user information obtained from remote servers and it cannot delete static online identity users. To delete static online identity users, use the undo user-identity static-user command.
Examples
# Delete all dynamic online identity users.
<Sysname> reset user-identity dynamic-online-user all
# Delete dynamic online identity users in identity domain abc.
<Sysname> reset user-identity dynamic-online-user domain abc
# Delete dynamic online identity user user1 in identity domain dom1.
<Sysname> reset user-identity dynamic-online-user domain dom1 name user1
# Delete dynamic online identity users that use username user2 and do not belong to any identity domain.
<Sysname> reset user-identity dynamic-online-user null-domain name user2
# Delete the dynamic online identity user whose IP address is 1.2.3.4.
<Sysname> reset user-identity dynamic-online-user ip 1.2.3.4
# Delete the dynamic online identity user whose IP address is 1.2.3.4 and MAC address is 2222-3333-4444.
<Sysname> reset user-identity dynamic-online-user ip 1.2.3.4 mac 2222-3333-4444
# Delete the dynamic online identity user whose MAC address is 2222-3333-4444.
<Sysname> reset user-identity dynamic-online-user mac 2222-3333-4444
Related commands
display user-identity online-user
reset user-identity user-account
Use reset user-identity user-account to delete identity user accounts.
Syntax
reset user-identity user-account { all | { domain domain-name | null-domain } [ name user-name ] }
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all identity user accounts.
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies identity user accounts that do not belong to any identity domain.
name user-name: Specifies an identity user account by its name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user account, this command deletes identity user accounts that belong to the specified domain or that do not belong to any domain.
Usage guidelines
This command deletes identity user accounts created based on the information obtained from remote servers and .csv files. It cannot delete identity user accounts learned from the local user database.
Examples
# Delete all identity user accounts.
<Sysname> reset user-identity user-account all
# Delete identity user account test in identity domain dom1.
<Sysname> reset user-identity user-account domain dom1 name test
Related commands
display user-identity all user
reset user-identity user-group
Use reset user-identity user-group to delete identity groups.
Syntax
reset user-identity user-group { all | { domain domain-name | null-domain } [ name group-name ] }
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all identity groups.
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies identity groups that do not belong to any identity domain.
name group-name: Specifies an identity group by its group name, a case-insensitive string of 1 to 200 characters. If you do not specify an identity group, this command deletes identity groups that belong to the specified domain or that do not belong to any domain.
Usage guidelines
This command deletes identity groups created from user group information obtained from remote servers and .csv files. It cannot delete identity groups learned from the local user database.
Examples
# Delete all identity groups.
<Sysname> reset user-identity user-group all
# Delete identity group g1 in identity domain dom1.
<Sysname> reset user-identity user-group domain dom1 name g1
Related commands
display user-identity all user-group
restful-server
Use restful-server to specify a RESTful server.
Use undo restful-server to restore the default.
Syntax
restful-server server-name
undo restful-server server-name
Default
No RESTful server is specified.
Views
Identity user import policy view
Predefined user roles
network-admin
context-admin
Parameters
server-name: Specifies a RESTful server by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
To import identity user accounts from the RESTful server, use the user-identity user-account import policy command. To import online identity user information from the RESTful server, use the user-identity online-user import policy command.
You can specify only one RESTful server. To specify a new RESTful server, first remove the currently specified RESTful server by using the undo restful-server command.
Examples
# Specify RESTful server ser1 for identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity user-import-policy policy1
[Sysname-identity-user-impt-policy-policy1] restful-server ser1
Related commands
display user-identity restful-server
display user-identity user-import-policy
user-identity restful-server
uri
Use uri to specify a URI for the RESTful server.
Use undo uri to delete a URI specified for the RESTful server.
Syntax
uri { get-online-user | get-user-database | get-user-group-database | put-offline-user | put-online-user } uri-string
undo uri { get-online-user | get-user-database | get-user-group-database | put-offline-user | put-online-user }
Default
No URIs are specified for the RESTful server.
Views
RESTful server view
Predefined user roles
network-admin
context-admin
Parameters
get-online-user: Specifies the URI used to request online network access user information.
get-user-database: Specifies the URI used to request network access user account information.
get-user-group-database: Specifies the URI used to request user group information.
put-offline-user: Specifies the URI used to upload offline user information.
put-online-user: Specifies the URI used to upload online user information.
uri-string: Specifies a URI, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The specified URIs must be the same as those provided by the RESTful server. Otherwise, user information interaction will fail.
If the device adds or deletes an identity user that is not imported from the RESTful server, the device uploads the online or offline user information to the RESTful server.
You can repeat this command to specify multiple URIs for the RESTful server.
Examples
# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/onlineUser as the URI used to request online network access user information from RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] uri get-online-user http://1.1.1.1:8080/imcrs/ssm/imcuser/onlineUser
# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUser as the URI used to request network access user account information from RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] uri get-user-database http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUser
# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUserGroup as the URI used to request user group information from RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] uri get-user-group-database http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUserGroup
# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOfflineUser as the URI used to upload offline user information to RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] uri put-offline-user http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOfflineUser
# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOnlineUser as the URI used to upload online user information to RESTful server rest1.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1] uri put-online-user http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOnlineUser
# Specify http://1.1.1.1:8080/imcrs/uam/online as the URI used to request online network access user information from the EIA component of RESTful server rest2.
<Sysname> system-view
[Sysname] user-identity restful-server rest2
[Sysname-restfulserver-rest2] uri get-online-user http://1.1.1.1:8080/imcrs/uam/online
# Specify http://1.1.1.1:8080/imcrs/uam/acmUser/acmUserList as the URI used to request network access user account information from the EIA component of RESTful server rest2.
<Sysname> system-view
[Sysname] user-identity restful-server rest2
[Sysname-restfulserver-rest2] uri get-user-database http://1.1.1.1:8080/imcrs/uam/acmUser/acmUserList
# Specify http://1.1.1.1:8080/imcrs/uam/acmUser/userGroup as the URI used to request user group information from the EIA component of RESTful server rest2.
<Sysname> system-view
[Sysname] user-identity restful-server rest2
[Sysname-restfulserver-rest2] uri get-user-group-database http://1.1.1.1:8080/imcrs/uam/acmUser/userGroup
Related commands
display user-identity restful-server
user-identity restful-server
user-identity enable
Use user-identity enable to enable the user identification feature.
Use undo user-identity enable to disable the user identification feature.
Syntax
user-identity enable
undo user-identity enable
Default
The user identification feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
With the user identification feature, the device learns online user information from the user access modules. The device uses the obtained information for user identification and works with other security features for identity-based network access control.
Examples
# Enable the user identification feature.
<Sysname> system-view
[Sysname] user-identity enable
user-identity online-user import policy
Use user-identity online-user import policy to import online identity users from a server.
Syntax
user-identity online-user import policy policy-name
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After this command is executed, the device initiates a connection request to the server specified in the identity user import policy. Then, the device imports online network access user information from the server. The information includes the username, identity domain name, user group name, IP address, and MAC address of the users.
Before you execute this command, make sure the user identification feature is enabled.
Examples
# Import online identity users from the server specified in identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity online-user import policy policy1
Loading...Done.
Related commands
user-identity user-account auto-import policy
user-identity user-import-policy
user-identity online-user-name-match
Use user-identity online-user-name-match to specify username match mode for user identification.
Use undo user-identity online-user-name-match to restore the default.
Syntax
user-identity online-user-name-match { keep-original | with-domain | without-domain }
undo user-identity online-user-name-match
Default
The username match mode for user identification is keep-original.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
keep-original: Uses the username entered by a user to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches username test@123 in local user accounts.
with-domain: Uses the username that includes the authentication domain name of a user to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches username test@abc in local user accounts.
without-domain: Uses the username that excludes the domain name of a user to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches username test in local user accounts that do not join any identity domains.
Usage guidelines
This command specifies the username match mode for user identification. The device creates online identity users only for online users whose usernames can match the usernames in the local identity user accounts.
This command takes effect only on online identity users that access the current device.
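The three match modes above, worked through in code. This is an added example, not H3C's code: the local account store is constructed, and the functions only model the lookup rules the parameter descriptions state.

```python
"""Added example, not H3C's code: how the three online-user-name-match
modes turn an entered username plus its authentication domain into the
lookup key used against local identity user accounts.
The account store below is constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IdentityAccount:
    name: str
    domain: Optional[str]  # None: the account does not join any identity domain


def match_key(entered: str, auth_domain: str, mode: str) -> tuple:
    """Return (name_to_search, require_no_domain) for a match mode.

    keep-original:  search the username exactly as the user entered it.
    with-domain:    search user@<authentication domain>, replacing any
                    domain the user typed after '@'.
    without-domain: search the bare username, only among accounts that
                    do not join any identity domain.
    """
    bare = entered.split("@", 1)[0]
    if mode == "keep-original":
        return entered, False
    if mode == "with-domain":
        return f"{bare}@{auth_domain}", False
    if mode == "without-domain":
        return bare, True
    raise ValueError(f"unknown username match mode: {mode}")


def find_account(accounts: Iterable[IdentityAccount], entered: str,
                 auth_domain: str, mode: str) -> Optional[IdentityAccount]:
    """Return the local account the device would match, or None.

    None means the device creates no online identity user for this
    online user (see the usage guidelines above)."""
    name, require_no_domain = match_key(entered, auth_domain, mode)
    for acct in accounts:
        if acct.name != name:
            continue
        if require_no_domain and acct.domain is not None:
            continue
        return acct
    return None


# Constructed local identity user accounts for the worked example.
LOCAL_ACCOUNTS = (
    IdentityAccount("test@123", "abc"),
    IdentityAccount("test@abc", "abc"),
    IdentityAccount("test", "abc"),   # joins a domain: invisible to without-domain
    IdentityAccount("test", None),
)

if __name__ == "__main__":
    for mode in ("keep-original", "with-domain", "without-domain"):
        print(mode, "->", find_account(LOCAL_ACCOUNTS, "test@123", "abc", mode))
```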
Examples
# Specify with-domain as the username match mode for user identification.
<Sysname> system-view
[Sysname] user-identity online-user-name-match with-domain
user-identity restful-server
Use user-identity restful-server to create a RESTful server and enter its view, or enter the view of an existing RESTful server.
Use undo user-identity restful-server to delete a RESTful server.
Syntax
user-identity restful-server server-name
undo user-identity restful-server server-name
Default
No RESTful server exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
server-name: Specifies the name of a RESTful server. The RESTful server name is a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure parameters of the RESTful server in RESTful server view. The parameters include the URIs of the server and the login account.
You can create only one RESTful server.
Examples
# Create a RESTful server named rest1 and enter its view.
<Sysname> system-view
[Sysname] user-identity restful-server rest1
[Sysname-restfulserver-rest1]
Related commands
display user-identity restful-server
login-name
uri
user-identity user-import-policy
user-identity security-manage-server
Use user-identity security-manage-server to create a security management server set and enter its view, or enter the view of an existing security management server set.
Use undo user-identity security-manage-server to delete a security management server set.
Syntax
user-identity security-manage-server server-set-name
undo user-identity security-manage-server server-set-name
Default
No security management server set exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
server-set-name: Specifies the name of the security management server set, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The security management server set view defines the related parameters of security management servers. The parameters include the IP addresses of the servers, the port number for listening to the servers, and the shared key to secure communication between the device and the servers.
You can create only one security management server set.
Examples
# Create a security management server set named sec1 and enter its view.
<Sysname> system-view
[Sysname] user-identity security-manage-server sec1
[Sysname-identity-sec-manage-server-sec1]
Related commands
display user-identity security-manage-server
encryption
ip
listen-port
user-identity static-user
Use user-identity static-user to configure a static identity user.
Use undo user-identity static-user to delete a static identity user.
Syntax
user-identity static-user user-name [ domain domain-name ] bind { { ipv4 ipv4-address | ipv6 ipv6-address } | mac mac-address } *
undo user-identity static-user user-name [ domain domain-name ] [ bind { { ipv4 ipv4-address | ipv6 ipv6-address } | mac mac-address } * ]
Default
No static identity users exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
user-name: Specifies the name of the static identity user, a case-sensitive string of 1 to 55 characters.
domain domain-name: Specifies the identity domain to which the static identity user belongs. The domain-name argument represents an identity domain name, a case-insensitive string of 1 to 255 characters. If you do not specify an identity domain, the static identity user does not belong to any identity domain.
bind: Specifies address attributes bound to the static identity user.
ipv4 ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be an all-zero address, all-one address, or multicast address.
ipv6 ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be an all-zero address, multicast address, loopback address, or link-local address.
mac mac-address: Specifies a MAC address in the format of H-H-H. If you do not specify a MAC address, the static identity user can use any MAC address.
Usage guidelines
To allow users to access the network without identity authentication and to use security features to control their access to the network, configure the users as static identity users.
If you do not specify the bind keyword in the undo form of this command, all static identity users that use the specified username are deleted.
Execute this command multiple times to add multiple static identity users.
You can bind one username with multiple IP addresses, multiple MAC addresses, or multiple IP-MAC address combinations. You cannot bind one IP address, one MAC address, or one IP-MAC address combination with multiple usernames.
The device generates static online identity user entries only when the user identification feature is enabled and the static identity users match local identity user accounts.
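The binding rules in these guidelines, modelled on an in-memory table. This is an added example, not H3C's code: the address checks follow the parameter descriptions above, the table contents are constructed, and bindings are compared exactly as (IP, MAC) pairs, which is a simplification.

```python
"""Added example, not H3C's code: an in-memory model of the rules stated
for user-identity static-user: excluded addresses, the H-H-H MAC format,
one username with many bindings, but each binding with only one username.
All table contents are constructed."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

MAC_HHH = re.compile(r"^[0-9A-Fa-f]{1,4}-[0-9A-Fa-f]{1,4}-[0-9A-Fa-f]{1,4}$")
BindKey = Tuple[Optional[str], Optional[str]]   # (ip, mac); None = not bound
UserKey = Tuple[str, Optional[str]]             # (user-name, domain or None)


def check_ip(ip_str: str) -> str:
    """Reject the addresses the page excludes; return canonical text."""
    addr = ipaddress.ip_address(ip_str)
    if addr.version == 4:
        bad = (addr == ipaddress.IPv4Address("0.0.0.0")             # all-zero
               or addr == ipaddress.IPv4Address("255.255.255.255")  # all-one
               or addr.is_multicast)
    else:
        bad = (addr == ipaddress.IPv6Address("::")                  # all-zero
               or addr.is_multicast or addr.is_loopback or addr.is_link_local)
    if bad:
        raise ValueError(f"{ip_str} is not allowed for a static identity user")
    return str(addr)


def check_mac(mac: str) -> str:
    """Accept H-H-H (1 to 4 hex digits per group) and canonicalize it."""
    if not MAC_HHH.match(mac):
        raise ValueError(f"{mac} is not in H-H-H format")
    return "-".join(g.lower().zfill(4) for g in mac.split("-"))


def add_static_user(table: Dict[BindKey, UserKey], user: str,
                    domain: Optional[str] = None, ip: Optional[str] = None,
                    mac: Optional[str] = None) -> BindKey:
    """Add one binding; raise if that binding already belongs to another user.

    A MAC-only binding (ip=None) lets the user come from any IP address;
    an IP-only binding (mac=None) lets the user use any MAC address."""
    if ip is None and mac is None:
        raise ValueError("a static identity user needs an IP address, a MAC, or both")
    key: BindKey = (check_ip(ip) if ip else None, check_mac(mac) if mac else None)
    owner: UserKey = (user, domain)
    if table.get(key, owner) != owner:
        raise ValueError(f"binding {key} already belongs to {table[key]}")
    table[key] = owner
    return key


def remove_static_user(table: Dict[BindKey, UserKey], user: str,
                       domain: Optional[str] = None, ip: Optional[str] = None,
                       mac: Optional[str] = None) -> int:
    """Undo form: without bind, delete every binding of that username."""
    owner: UserKey = (user, domain)
    if ip is None and mac is None:
        doomed = [k for k, v in table.items() if v == owner]
    else:
        key = (check_ip(ip) if ip else None, check_mac(mac) if mac else None)
        doomed = [key] if table.get(key) == owner else []
    for k in doomed:
        del table[k]
    return len(doomed)
```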
Examples
# Configure a static identity user of which the username is test, the identity domain is dom1, and the IP address is 109.15.0.15.
<Sysname> system-view
[Sysname] user-identity static-user test domain dom1 bind ipv4 109.15.0.15
# Configure a static identity user of which the username is abc, the identity domain is dom1, and the MAC address is 1-1-1.
<Sysname> system-view
[Sysname] user-identity static-user abc domain dom1 bind mac 1-1-1
Related commands
display user-identity online-user
user-identity enable
user-identity user-account auto-import policy
Use user-identity user-account auto-import policy to enable automatic identity user account import.
Use undo user-identity user-account auto-import policy to disable automatic identity user account import.
Syntax
user-identity user-account auto-import policy policy-name
undo user-identity user-account auto-import policy policy-name
Default
Automatic identity user account import is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an identity user import policy by its policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After this feature is enabled, the device first imports all identity user accounts and online identity user information from the servers specified in the identity user import policy. Then, the device periodically imports identity user accounts from the servers at the interval set by the account-update-interval command.
For this feature to take effect, make sure the user identification feature is enabled. To enable the user identification feature, use the user-identity enable command.
Examples
# Enable automatic identity user account import for identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity user-account auto-import policy policy1
Related commands
account-update-interval
user-identity user-import-policy
user-identity user-account export url
Use user-identity user-account export url to export identity user accounts to a .csv file.
Syntax
user-identity user-account export url url-string [ { domain domain-name | null-domain } [ user user-name ] | template ] [ vpn-instance vpn-instance-name ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
url-string: Specifies a URL, a case-insensitive string of 1 to 255 characters.
domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.
null-domain: Specifies identity user accounts that do not belong to any identity domain.
user user-name: Specifies an identity user account by its account name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user account, this command exports all identity user accounts.
template: Exports a standard .csv file template. You can use this file template as a reference when editing .csv files.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance where the .csv file will be saved. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the .csv file will be saved on the public network, do not specify this option.
Usage guidelines
You must save the exported identity user account information to a .csv file.
If you do not specify any parameters, the device exports all identity user account information to a .csv file.
The device supports TFTP and FTP file transfer modes. Table 9 describes the valid URL formats of the .csv file.
Table 9 Valid URL formats of the .csv file
Protocol | URL format | Description |
---|---|---|
TFTP | tftp://server/path/filename | Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
FTP | With FTP username and password: ftp://username:password@server/path/filename. Without FTP username and password: ftp://server/path/filename. | Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP username. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv. |
For identity user account information to be correctly exported by using FTP, follow the input formats in Table 10 when you use special characters in the URL.
Table 10 Input formats for special characters
Special character | Input format |
---|---|
\ | \\ |
" | \" |
/ | %2F |
: | %3A |
@ | %40 |
If this command is successfully executed, a .csv file with the specified file name is created on the specified server. If you execute this command with the same parameters multiple times, the new file overwrites the old file.
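Composing the FTP url-string with the Table 10 input formats applied to the username and password. This is an added example, not H3C's code: the server, path and credential values are constructed, and the 255-character limit is the url-string range given above.

```python
"""Added example, not H3C's code: compose the url-string for
user-identity user-account export url over FTP, applying the Table 10
input formats to special characters in the FTP username and password.
Server, path and credentials used below are constructed sample values."""
from typing import Optional

# Table 10 on this page: special character -> input format.
SPECIAL_CHAR_FORMATS = {
    "\\": "\\\\",
    '"': '\\"',
    "/": "%2F",
    ":": "%3A",
    "@": "%40",
}
URL_MAX_LEN = 255  # url-string is a string of 1 to 255 characters


def encode_credential(value: str) -> str:
    """Rewrite each special character in a username or password once.

    A single pass over the input guarantees that a backslash produced by
    the table (for example from a double quote) is never escaped again."""
    return "".join(SPECIAL_CHAR_FORMATS.get(ch, ch) for ch in value)


def build_ftp_url(server: str, path: str, filename: str,
                  username: Optional[str] = None,
                  password: Optional[str] = None) -> str:
    """Return ftp://[user:pass@]server/path/filename, encoded and length-checked.

    server is an IP address or hostname; path may be empty or contain
    several '/'-separated directories."""
    if (username is None) != (password is None):
        raise ValueError("FTP username and password must be given together")
    auth = ""
    if username is not None:
        auth = f"{encode_credential(username)}:{encode_credential(password)}@"
    parts = [server] + [seg for seg in path.split("/") if seg] + [filename]
    url = "ftp://" + auth + "/".join(parts)
    if not 1 <= len(url) <= URL_MAX_LEN:
        raise ValueError(f"url-string must be 1 to {URL_MAX_LEN} characters")
    return url


if __name__ == "__main__":
    # Constructed credentials containing every Table 10 character.
    print(build_ftp_url("1.1.1.1", "user", "user.csv", "ftp@corp", 'p:s/w"d\\'))
```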
Examples
# Export all identity user accounts in identity domain dom1 to a .csv file and save the file to the path tftp://1.1.1.1/user.csv.
<Sysname> system-view
[Sysname] user-identity user-account export url tftp://1.1.1.1/user.csv domain dom1
Related commands
user-identity user-account import url
user-identity user-account import policy
Use user-identity user-account import policy to import identity user accounts from servers.
Syntax
user-identity user-account import policy policy-name
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an identity user import policy by its policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After you execute this command, the device initiates an identity user account information request to the servers specified in the identity user import policy. Then, the device imports identity user account information from the servers.
Examples
# Import identity user accounts from the servers specified in identity user import policy policy1.
<Sysname> system-view
[Sysname] user-identity user-account import policy policy1
Related commands
user-identity user-import-policy
user-identity user-account import url
Use user-identity user-account import url to import identity user accounts from a .csv file.
Syntax
user-identity user-account import url url-string [ vpn-instance vpn-instance-name ] [ auto-create-group | override | start-line line-number ] *
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
url-string: Specifies the URL of the .csv file. The URL is a case-insensitive string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance where the .csv file will be saved. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the .csv file will be saved on the public network, do not specify this option.
auto-create-group: Enables the device to automatically create an identity group for an account if the identity group to which the account belongs does not exist on the device. If you do not specify this keyword, the device does not create nonexistent identity groups.
override: Enables the device to override the existing identity user account with the same name as an identity user account to be imported. If you do not specify this keyword, the device retains the existing identity user account.
start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify this option, the command imports identity user account information from the first line.
Usage guidelines
The file from which identity user accounts are imported must be a .csv file.
You can use the user-identity user-account export url command to export a standard .csv file template.
Examples
# Import identity user accounts from the second line of the user.csv file in path ftp://1.1.1.1/newpath.
<Sysname> system-view
[Sysname] user-identity user-account import url ftp://1.1.1.1/newpath/user.csv start-line 2
Related commands
user-identity user-account export url
user-identity user-import-policy
Use user-identity user-import-policy to create an identity user import policy and enter its view, or enter the view of an existing identity user import policy.
Use undo user-identity user-import-policy to delete an identity user import policy.
Syntax
user-identity user-import-policy policy-name
undo user-identity user-import-policy policy-name
Default
No identity user import policy exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
An identity user import policy defines how the user identification feature imports identity user information from servers. The imported user information includes information about identity user accounts and online identity users. Supported servers include H3C IMC servers and LDAP servers.
You can create only one identity user import policy. Before you create a new identity user import policy, first delete the existing identity user import policy by using the undo form of this command.
Examples
# Create an identity user import policy named policy1 and enter its view.
<Sysname> system-view
[Sysname] user-identity user-import-policy policy1
[Sysname-identity-user-impt-policy-policy1]
Related commands
display user-identity user-import-policy
vpn-instance
Use vpn-instance to specify an MPLS L3VPN instance for a RESTful server.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The RESTful server belongs to the public network.
Views
RESTful server view
Predefined user roles
network-admin
context-admin
Parameters
vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Use this command to specify the VPN instance of the interfaces that the device and the RESTful server use to communicate with each other.
Examples
# Specify VPN instance v1 for RESTful server r1.
<Sysname> system-view
[Sysname] user-identity restful-server r1
[Sysname-restfulserver-r1] vpn-instance v1
Related commands
display user-identity restful-server
user-identity restful-server