10-Security Command Reference

01-AAA commands

Contents

AAA commands
  General AAA commands
    access-limit enable
    accounting command
    accounting default
    accounting login
    authentication default
    authentication login
    authentication super
    authorization command
    authorization default
    authorization login
    display domain
    domain
    domain default enable
    state (ISP domain view)
  Local user commands
    authorization-attribute (local user view/user group view)
    display local-user
    display user-group
    group
    local-user
    password
    service-type
    state (local user view)
    user-group
  RADIUS commands
    accounting-on enable
    display radius scheme
    display radius statistics
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius nas-ip
    radius scheme
    radius session-control enable
    reset radius statistics
    retry
    retry realtime-accounting
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    state primary
    state secondary
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)
    vpn-instance (RADIUS scheme view)
  HWTACACS commands
    display hwtacacs scheme
    hwtacacs nas-ip
    hwtacacs scheme
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)


AAA commands

General AAA commands

access-limit enable

Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted.

Use undo access-limit enable to restore the default.

Syntax

access-limit enable max-user-number

undo access-limit enable

Default

There is no limit to the number of online users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.

Usage guidelines

System resources are limited, and user connections may compete for network resources when there are excessive users. Setting a proper limit to the number of online users helps provide reliable system performance.

Examples

# Set a limit of 500 user connections for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] access-limit enable 500

Related commands

display domain

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting method of the ISP domain is used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting function cooperates with the accounting server to record all commands that have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

· accounting default

· command accounting (Fundamentals Command Reference)

· hwtacacs scheme

accounting default

Use accounting default to specify the default accounting method for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users who support this method and do not have a specific accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections, but does not provide the statistics function that the accounting feature generally provides.

You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.

Examples

# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

accounting login

Use accounting login to specify the accounting method for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for login users who use FTP.

You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.

Examples

# Configure ISP domain test to use local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

· accounting default

· hwtacacs scheme

· local-user

· radius scheme

authentication default

Use authentication default to specify the default authentication method for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. The switch does not support this parameter.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users who support this method and do not have a specific authentication method configured.

You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.
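The primary-then-backup semantics described above are the same for accounting default, accounting login, authentication login, authorization default and authorization login in this chapter. The following Python model is an added illustration, not H3C code: it parses a method list as written after the command keyword, picks the method the device would fall back to when a scheme's servers are unreachable (reachability is a constructed input; local and none are assumed never to fail), and flags chains in which a server outage silently turns the function off.

```python
"""Model of the AAA method-chain fallback: the device tries the primary
method first and walks the backup methods in order until one is usable.
Added example, not H3C code; server reachability is a constructed input.
"""
from dataclasses import dataclass

# Methods that depend on a remote server. In this model 'local' and 'none'
# never fail (an assumption for the example).
REMOTE_KINDS = {"radius-scheme", "hwtacacs-scheme", "ldap-scheme"}


@dataclass(frozen=True)
class Method:
    kind: str            # "radius-scheme", "hwtacacs-scheme", "local", "none"
    scheme: str = ""     # scheme name for remote kinds, "" otherwise

    def __str__(self):
        return f"{self.kind} {self.scheme}".strip()


def parse_chain(text):
    """Parse the method list written after e.g. 'authentication default'.

    'radius-scheme rd local none' -> [Method('radius-scheme', 'rd'),
                                     Method('local'), Method('none')]
    """
    tokens = text.split()
    chain = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in REMOTE_KINDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a scheme name")
            chain.append(Method(tok, tokens[i + 1]))
            i += 2
        elif tok in ("local", "none"):
            chain.append(Method(tok))
            i += 1
        else:
            raise ValueError(f"unknown method keyword: {tok}")
    if not chain:
        raise ValueError("empty method chain")
    return chain


def resolve(chain, reachable):
    """Return the method the device would use, or None if every method fails.

    `reachable` maps scheme name -> True/False (constructed for the example;
    on a real device this is the state of the scheme's servers).
    """
    for m in chain:
        if m.kind in REMOTE_KINDS and not reachable.get(m.scheme, False):
            continue            # this method is invalid: try the next backup
        return m
    return None


def audit_chain(text):
    """Flag chains in which an outage silently disables the AAA function.

    A trailing 'none' behind a remote scheme means that, once the server is
    unreachable and local does not apply, the device performs no
    authentication/authorization/accounting at all for that domain.
    """
    chain = parse_chain(text)
    findings = []
    if chain[-1].kind == "none" and len(chain) > 1:
        findings.append("chain ends in 'none': server outage disables the function")
    if chain[0].kind == "none":
        findings.append("primary method is 'none': function is off")
    return findings


if __name__ == "__main__":
    chain = parse_chain("radius-scheme rd local none")
    print("all up  :", resolve(chain, {"rd": True}))     # radius-scheme rd
    print("rd down :", resolve(chain, {"rd": False}))    # local
    print("audit   :", audit_chain("radius-scheme rd local none"))
```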

Examples

# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

authentication login

Use authentication login to specify the authentication method for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. The switch does not support this parameter.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.

Examples

# Configure ISP domain test to use local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

· authentication default

· hwtacacs scheme

· local-user

· radius scheme

authentication super

Use authentication super to specify the authentication method for user role switching.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication method of the ISP domain is used for user role switching authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method. The backup method is used when the first method is invalid.

If you specify a scheme to provide the method for user role switching authentication, the method applies only to users whose user role is in the format of level-n.

· If an HWTACACS scheme is specified, the device uses the entered username for role switching authentication. The username must already exist on the HWTACACS server to represent the highest user level to be switched to. For example, to switch to a level-3 user role whose username is test, the device uses test@domain-name or test for role switching authentication, depending on whether the domain name is required.

· If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role switching authentication, where n is the same as that in the target user role. For example, to switch to a level-3 user role whose username is test, the device uses $enab3@domain-name$ or $enab3$ for role switching authentication, depending on whether the domain name is required.

Examples

# Configure ISP domain test to use HWTACACS scheme tac for user role switching authentication.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

· authentication default

· hwtacacs scheme

· radius scheme

authorization command

Use authorization command to specify the command authorization method.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization method of the ISP domain is used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

Usage guidelines

Command authorization restricts login users to executing only authorized commands: an authorization server verifies whether each entered command is permitted.

After login, users can access the command lines permitted by their authorized user roles.

You can specify one command authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs HWTACACS authorization by default, performs local authorization when the HWTACACS server is invalid, and does not perform command authorization when both of the previous methods are invalid.

Examples

# Configure ISP domain test to use local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

· authorization accounting (Fundamentals Command Reference)

· hwtacacs scheme

· local-user

authorization default

Use authorization default to specify the default authorization method for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users who support this method and do not have a specific authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid.

Examples

# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

authorization login

Use authorization login to configure the authorization method for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. After passing authentication, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid.

Examples

# Configure ISP domain test to use local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# Configure ISP domain test to use RADIUS scheme rd for login user authorization and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

· authorization default

· hwtacacs scheme

· local-user

· radius scheme

display domain

Use display domain to display the ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

If no ISP domain is specified, the command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domain(s)

 

Domain:system

 State: Active

  Access-limit: Disable

  Access-Count: 0

  default Authentication Scheme:  local

  default Authorization  Scheme:  local

  default Accounting     Scheme:  local

 

Domain:bbb

 State: Active

 Access-limit: Disable

 Access-Count: 0

 login   Authentication Scheme:  tacacs: hwtac

 login   Authorization  Scheme:  tacacs: hwtac

 login   Accounting     Scheme:  tacacs: hwtac

 default Authentication Scheme:  local

 default Authorization  Scheme:  local

 default Accounting     Scheme:  local

 

Default Domain Name: system

Table 1 Command output

Domain: ISP domain name.

State: Status of the ISP domain.

Access-limit: Limit to the number of user connections. If the number is not limited, this field displays Disabled.

Access-Count: Number of online users.

Default authentication scheme: Default authentication method.

Default authorization scheme: Default authorization method.

Default accounting scheme: Default accounting method.

Login authentication scheme: Authentication method for login users.

Login authorization scheme: Authorization method for login users.

Login accounting scheme: Accounting method for login users.

radius: RADIUS scheme.

tacacs: HWTACACS scheme.

local: Local scheme.

none: No authentication, no authorization, or no accounting.

Command Authorization Scheme: Command line authorization method.

Command Accounting Scheme: Command line accounting method.

Super Authentication Scheme: Authentication method for user role switching.
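A practitioner auditing a switch usually wants the display domain output in structured form rather than on screen. The following Python parser is an added example, not H3C code: it reads the output format shown above into per-domain records, applies the rule from this chapter that a login method falls back to the domain default when no login-specific method is set, and flags domains with a none method or no access limit. The sample output is constructed for the example (adapted from the output above, with one accounting method changed to none to exercise the audit).

```python
"""Parse 'display domain' output into per-domain records and flag weak
settings. Added example, not H3C code; SAMPLE is constructed output in the
format documented in Table 1.
"""
import re

SAMPLE = """\
Total 2 domain(s)

Domain:system
 State: Active
  Access-limit: Disable
  Access-Count: 0
  default Authentication Scheme:  local
  default Authorization  Scheme:  local
  default Accounting     Scheme:  local

Domain:bbb
 State: Active
 Access-limit: Disable
 Access-Count: 0
 login   Authentication Scheme:  tacacs: hwtac
 login   Authorization  Scheme:  tacacs: hwtac
 login   Accounting     Scheme:  tacacs: hwtac
 default Authentication Scheme:  local
 default Authorization  Scheme:  local
 default Accounting     Scheme:  none

Default Domain Name: system
"""

# "<scope> <Function> Scheme: <value>", e.g. " login   Accounting     Scheme:  tacacs: hwtac"
SCHEME_RE = re.compile(
    r"^\s*(?P<scope>default|login|command|super)\s+"
    r"(?P<func>Authentication|Authorization|Accounting)\s+Scheme:\s*(?P<value>.+?)\s*$"
)
KV_RE = re.compile(r"^\s*(?P<key>State|Access-limit|Access-Count):\s*(?P<value>.+?)\s*$")


def parse_display_domain(text):
    """Return ({domain_name: record}, default_domain_name)."""
    domains, current, default_domain = {}, None, None
    for line in text.splitlines():
        if line.startswith("Domain:"):
            current = {"schemes": {}}
            domains[line.split(":", 1)[1].strip()] = current
            continue
        if line.startswith("Default Domain Name:"):
            default_domain = line.split(":", 1)[1].strip()
            continue
        if current is None:
            continue
        m = SCHEME_RE.match(line)
        if m:
            key = (m.group("scope").lower(), m.group("func").lower())
            current["schemes"][key] = m.group("value")
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    return domains, default_domain


def effective_scheme(record, scope, func):
    """Scope-specific method if set, otherwise the domain default (the rule
    this chapter gives for the login, command and super commands)."""
    schemes = record["schemes"]
    return schemes.get((scope, func), schemes.get(("default", func)))


def audit(domains):
    """Findings a reviewer would want: 'none' methods and unlimited access."""
    findings = []
    for name, rec in sorted(domains.items()):
        for func in ("authentication", "authorization", "accounting"):
            for scope in ("default", "login"):
                if effective_scheme(rec, scope, func) == "none":
                    findings.append(f"{name}: {scope} {func} is none")
        # The output prints "Disable" (Table 1 says "Disabled"); accept both.
        if rec.get("Access-limit", "").lower().startswith("disable"):
            findings.append(f"{name}: no access-limit configured")
    return findings


if __name__ == "__main__":
    doms, default = parse_display_domain(SAMPLE)
    print("default domain:", default)
    for finding in audit(doms):
        print("finding:", finding)
```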

 

domain

Use domain to create an ISP domain and enter its view.

Use undo domain to remove an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

There is a system predefined ISP domain named system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain slash (/), back slash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

All ISP domains are in active state when they are created.

You cannot delete the system predefined ISP domain system, and can only modify its configuration.

To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.

Examples

# Create ISP domain test and enter its view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

· display domain

· domain default enable

· state

domain default enable

Use domain default enable to specify the default ISP domain. Users whose usernames carry no domain name are considered to be in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system predefined ISP domain system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

There can be only one default ISP domain.

The specified ISP domain must already exist.

To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

· display domain

· domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

Blocking an ISP domain prevents offline users of the domain from requesting network services. Online users are not affected.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

Local user commands

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | user-profile | user-role role-name | vlan | work-directory } *

Default

No authorization attribute is configured for a local user or user group.

Views

Local user view, user group view

Predefined user roles

network-admin

mdc-admin

Parameters

acl acl-number: Specifies an authorization ACL in the range of 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. The switch does not support this parameter.

idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The value range for the minute argument is 1 to 120 minutes.

user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. It must start with an English letter and contain only English letters, digits, and underlines. After a user passes authentication and gets online, the device uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide. The switch does not support this parameter.

user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a network-admin user is network-operator, and the default user role for a local user created by an mdc-admin or level-15 user is mdc-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies the authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.

Usage guidelines

Every configurable authorization attribute has its own application environments and purposes. Consider the service types of users when assigning authorization attributes:

· For Telnet and terminal users, only the authorization attribute user-role is effective.

· For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.

· For other types of local users, no authorization attribute is effective.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure that FTP, SFTP, and SCP users can access the directory after a switchover between the main card and the backup card, do not specify slot information for the work directory.

To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.

Examples

# Configure the authorized VLAN of the device management user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

Related commands

·           display local-user

·           display user-group
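The two rules in the usage guidelines above (a user's own attribute overrides the same attribute on its group; only some attributes are effective per service type) as an added model in Python. This is example code, not H3C code; the group and user values are constructed to mirror the page's examples.

```python
# Added example (not H3C code): a model of how the authorization-attribute
# rules above combine. A local user's own attribute overrides the same attribute
# set on its user group, and only some attributes take effect for a given
# service type.
from dataclasses import dataclass, field
from typing import Dict, Set

# Attributes that are effective per service type, as listed in the usage guidelines.
EFFECTIVE_ATTRIBUTES: Dict[str, Set[str]] = {
    "telnet": {"user-role"},
    "terminal": {"user-role"},
    "ssh": {"user-role", "work-directory"},
    "ftp": {"user-role", "work-directory"},
}


@dataclass
class UserGroup:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class LocalUser:
    name: str
    group: UserGroup
    service_types: Set[str] = field(default_factory=set)
    attributes: Dict[str, str] = field(default_factory=dict)


def configured_attributes(user: LocalUser) -> Dict[str, str]:
    """Group attributes apply to every member; the user's own setting for the
    same attribute takes precedence."""
    merged = dict(user.group.attributes)
    merged.update(user.attributes)
    return merged


def effective_attributes(user: LocalUser, service: str) -> Dict[str, str]:
    """Attributes that actually restrict the user when logging in via `service`.
    Raises PermissionError if the user is not authorized for that service."""
    if service not in user.service_types:
        raise PermissionError(f"{user.name} is not authorized for {service}")
    # For service types other than Telnet, terminal, SSH and FTP no attribute is effective.
    allowed = EFFECTIVE_ATTRIBUTES.get(service, set())
    return {k: v for k, v in configured_attributes(user).items() if k in allowed}


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed sample mirroring the page's examples: group abc authorizes
    VLAN 3 and a work directory; user abc in that group authorizes VLAN 2."""
    abc_group = UserGroup("abc", {"vlan": "3", "work-directory": "flash:/"})
    abc = LocalUser("abc", abc_group, {"ftp", "telnet"},
                    {"vlan": "2", "user-role": "network-operator"})
    return {
        "configured": configured_attributes(abc),
        "ftp": effective_attributes(abc, "ftp"),
        "telnet": effective_attributes(abc, "telnet"),
    }
```

Note that the VLAN attribute is configured (the user's value 2 wins over the group's 3) but is not effective for either FTP or Telnet login, exactly as the guidelines state.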

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | pad | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

class: Specifies the local user type.

·           manage: Device management user.

·           network: Network access user. The switch does not support this keyword.

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users who use a specified type of service.

·           dvpn: DVPN tunnel users. The switch does not support this keyword.

·           ftp: FTP users.

·           lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. The switch does not support this keyword.

·           pad: X.25 PAD users. The switch does not support this keyword.

·           portal: Portal users. The switch does not support this keyword.

·           ppp: PPP users. The switch does not support this keyword.

·           ssh: SSH users.

·           telnet: Telnet users.

·           terminal: Terminal users, users logging in through a console or AUX port.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

If no parameter is specified, the command displays information about all local users.

Examples

# Display information about all local users

<Sysname> display local-user

Total 2 local users matched.

 

Device management user root:

 State:                    Active

 Service Type:             SSH/Telnet/Terminal

 User Group:               system

 Bind Attributes:

 Authorization Attributes:

  Work Directory:          flash:

  User Role List:          network-admin

Device management user jj:

 State:                    Active

 Service Type:             FTP/SSH

 User Group:               system

 Bind Attributes:

  IP Address:              2.2.2.2

  Location Bound:          3/0/2 (slot/subslot/port)

  MAC Address:             0001-0001-0001

  VLAN ID:                 2

 Authorization Attributes:

  Idle TimeOut:            33 (min)

  Work Directory:          flash:

  ACL Number:              2000

  User Role List:          network-operator, level-0, level-3

Table 2 Command output

Field                     Description

State                     Status of the local user: active or blocked.

Service Type              Service types that the local user can use, including FTP, SSH, Telnet, and terminal.

User Group                Group to which the local user belongs.

Bind Attributes           Binding attributes of the local user.

Authorization Attributes  Authorization attributes of the local user.

Idle TimeOut              Idle timeout period of the user, in minutes.

Work Directory            Directory that the FTP, SFTP, or SCP user can access.

ACL Number                Authorization ACL of the local user.

VLAN ID                   Authorized VLAN of the local user.

User Role List            Authorized roles of the local user.

display user-group

Use display user-group to display the user group configuration.

Syntax

display user-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If no user group name is specified, the command displays the configuration of all user groups.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group

Total 2 user groups matched.

 

The contents of user group system:

 Authorization Attributes:

  Work Directory:          flash:

The contents of user group jj:

 Authorization Attributes:

  Idle TimeOut:            2 (min)

  Work Directory:          flash:/

  ACL Number:              2000

  VLAN ID:                 2

Table 3 Command output

Field             Description

Idle TimeOut      Idle timeout period, in minutes.

Work Directory    Directory that FTP/SFTP users in the group can access.

ACL Number        Authorization ACL.

VLAN ID           Authorized VLAN.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to the system predefined user group system.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter local user view.

Use undo local-user to remove local users.

Syntax

local-user user-name [ class { manage | network } ]

undo local-user { user-name class { manage | network } | all [ service-type { dvpn | ftp | lan-access | pad | portal | ppp | ssh | telnet | terminal } | class { manage | network } ] }

Default

No local user exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain backslash (\), slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.

class: Specifies the local user type.

·           manage: Device management user, who can configure and monitor the device after login. Device management users can use FTP, Telnet, SSH, and terminal services.

·           network: Network access user, who accesses network resources through the device. Network access users can use DVPN, LAN, portal, and PPP services. The switch does not support this keyword.

all: Specifies all users.

service-type: Specifies the local users who use a specified type of service.

·           dvpn: DVPN tunnel users. The switch does not support this keyword.

·           ftp: FTP users.

·           lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. The switch does not support this keyword.

·           pad: X.25 PAD users. The switch does not support this keyword.

·           portal: Portal users. The switch does not support this keyword.

·           ppp: PPP users. The switch does not support this keyword.

·           ssh: SSH users.

·           telnet: Telnet users.

·           terminal: Terminal users, users logging in through a console or AUX port.

Examples

# Add a device management user named user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

Related commands

·           display local-user

·           service-type

password

Use password to configure a password for a local user.

Use undo password to delete the password of a local user.

Syntax

password [ { cipher | hash | simple } password ]

undo password

Default

No password is configured for a local user. A local user without a password can pass authentication after entering the correct username and passing attribute checks.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Sets a ciphertext password. The switch does not support this keyword.

hash: Sets a hashed password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If hash is specified, it must be a string of 1 to 110 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.

Usage guidelines

If none of the parameters is specified, you enter the interactive mode to set a plaintext password.

A local user with no password configured passes authentication directly after providing a valid local username and passing attribute checks. To enhance security, configure a password for each local user.

For secrecy, all passwords, including passwords configured in plain text, are saved in hashed cipher text.

Examples

# Set the password of the device management user user1 to 123456 in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456

# Set the password of the device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

Updating user information. Please wait... ...

# Set the password of the network access user user2 to getapp in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple getapp

Related commands

·           display local-user

·           local-user password-display-mode

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

service-type { dvpn | ftp | lan-access | { pad | ssh | telnet | terminal } * | portal | ppp }

undo service-type { dvpn | ftp | lan-access | { pad | ssh | telnet | terminal } * | portal | ppp }

Default

A local user is authorized with no service and cannot use any service.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

dvpn: Authorizes the user to use the DVPN service. The switch does not support this keyword.

ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. The authorized directory can be modified by using the authorization-attribute work-directory command.

lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users. The switch does not support this keyword.

pad: Authorizes the user to use the PAD service. The switch does not support this keyword.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to log in from a console or AUX port.

portal: Authorizes the user to use the portal service. The switch does not support this keyword.

ppp: Authorizes the user to use the PPP service. The switch does not support this keyword.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize the device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines

This command applies only to the local user in the current view and does not affect other users.

Examples

# Place the device management user user1 in the blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

There is a user group named system in the system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.

A user group with one or more local users cannot be deleted.

The system predefined user group system cannot be deleted but you can modify its configuration.

Examples

# Create a user group named abc and enter its view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default setting is 3.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts, in the range of 1 to 255. The default setting is 50.

Usage guidelines

With the accounting-on feature enabled, the device automatically sends an accounting-on packet to the RADIUS accounting server specified in the RADIUS scheme after it reboots, so that the server stops accounting for and logs out the users it still records as online.

After executing the accounting-on enable command, execute the save command to make sure that the command takes effect after the device reboots. For information about the save command, see Fundamentals Command Reference.

Parameters set with the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display the configuration of RADIUS schemes.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If no RADIUS scheme is specified, the command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS Scheme Name  : radius1

  Index : 0

  Primary Auth Server:

    IP  : 2.2.2.2                                  Port: 1812   State: Active

    VPN : vpn1

  Primary Acct Server:

    IP: 1.1.1.1                                    Port: 1813   State: Active

    VPN : Not configured

  Second Auth Server:

    IP: Not configured                             Port: 1812   State: Block

    VPN : vpn1

  Second Acct Server:

    IP: Not configured                             Port: 1813   State: Block

    VPN : Not configured

  Security Policy Server:

    Server: 0     IP: 2.2.2.2         VPN: Not configured

    Server: 1     IP: 3.3.3.3         VPN: 2

 

  Accounting-On function                     : Enabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 22

  NAS IP Address                             : 1.1.1.1

  VPN                                        : Not configured

------------------------------------------------------------------

Table 4 Command output

Field                                       Description

Index                                       Index number of the RADIUS scheme.

Primary Auth Server                         Information about the primary authentication server.

Primary Acct Server                         Information about the primary accounting server.

Second Auth Server                          Information about the secondary authentication server.

Second Acct Server                          Information about the secondary accounting server.

IP                                          IP address of the server. If no server is configured, this field displays Not configured.

Port                                        Service port number of the server. If no port number is specified, this field displays the default port number.

State                                       Status of the server: active or blocked.

VPN                                         VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.

Server: n                                   Member ID of the security policy server.

IP                                          IP address of the security policy server.

VPN                                         VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.

Accounting-On function                      Whether the accounting-on feature is enabled.

retransmission times                        Number of accounting-on packet transmission attempts.

retransmission interval(seconds)            Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)                   RADIUS server response timeout period, in seconds.

Retransmission Times                        Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update  Maximum number of accounting attempts.

Server Quiet Period(minutes)                Quiet period for the servers, in minutes.

Realtime Accounting Interval(minutes)       Interval for sending real-time accounting updates, in minutes.

NAS IP Address                              Source IP address for outgoing RADIUS packets.

VPN                                         VPN to which the RADIUS scheme belongs. If no VPN is specified for the scheme, this field displays Not configured.

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 5 Command output

Field                    Description

Auth.                    Authentication packets.

Acct.                    Accounting packets.

SessCtrl.                Session-control packets.

Request Packet           Number of request packets.

Retry Packet             Number of retransmitted request packets.

Timeout Packet           Number of request packets timed out.

Access Challenge         Number of access challenge packets.

Account Start            Number of start-accounting packets.

Account Update           Number of accounting update packets.

Account Stop             Number of stop-accounting packets.

Terminate Request        Number of packets for logging off users forcibly.

Set Policy               Number of packets for updating user authorization information.

Packet With Response     Number of packets for which responses were received.

Packet Without Response  Number of packets for which no responses were received.

Access Rejects           Number of Access-Reject packets.

Dropped Packet           Number of discarded packets.

Check Failures           Number of packets with checksum errors.

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS communication.

Use undo key to restore the default.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure RADIUS accounting communication.

authentication: Sets the shared key for secure RADIUS authentication communication.

cipher: Sets a cipher text shared key.

simple: Sets a plain text shared key.

string: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 64 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. The shared keys specified for specific RADIUS servers, if any, take precedence.

The shared keys configured on the device must match those configured on the RADIUS servers.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view. If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of the RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

The setting configured by using the nas-ip command in RADIUS scheme view is effective only for the RADIUS scheme, whereas that configured by using the radius nas-ip command in system view is effective for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.

If no source IP address is specified for outgoing RADIUS packets, the device uses the address of the outbound interface, and a physical port error on that interface can prevent packets returned from the server from reaching the device. H3C recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.

A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.

Examples

# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

·           display radius scheme

·           radius nas-ip

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

The shared key configured by using this command takes precedence over that configured by using the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out, and the device looks for an active server with the highest priority for accounting.

If you remove an accounting server being used by online users, the device no longer sends real-time accounting requests and stop-accounting requests for the users and does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456

Related commands

·           display radius scheme

·           key (RADIUS scheme view)

·           secondary accounting

·           vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

The shared key configured by this command takes precedence over that configured by using the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out, and the device looks for an active server with the highest priority for authentication.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple hello

Related commands

·           display radius scheme

·           key (RADIUS scheme view)

·           secondary authentication

·           vpn-instance (RADIUS scheme view)
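The server rules that the primary accounting and primary authentication commands above share, as an added model in Python (example code, not H3C code): two servers of one kind may not have identical IP address, port and VPN; a server-specific key or VPN takes precedence over the scheme-level key or vpn-instance; and when the current server is lost, the highest-priority active server is used. The server addresses and keys below are constructed from the page's examples.

```python
# Added example (not H3C code): a model of the server rules in the primary/secondary
# accounting and authentication commands above: duplicate detection by IP, port and
# VPN; the server-specific key and VPN taking precedence over the scheme-level ones;
# and fallback to the highest-priority active server.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_PORT = {"authentication": 1812, "accounting": 1813}


@dataclass
class RadiusServer:
    ip: str
    port: Optional[int] = None            # None means the default port for its kind
    key: Optional[str] = None             # shared key given with the server, if any
    vpn_instance: Optional[str] = None    # None means the public network
    state: str = "active"                 # "active" or "block"


@dataclass
class RadiusScheme:
    name: str
    scheme_key: Dict[str, str] = field(default_factory=dict)   # key authentication/accounting
    scheme_vpn: Optional[str] = None                           # vpn-instance in scheme view
    # servers[kind] is kept in priority order: primary first, then secondaries
    servers: Dict[str, List[RadiusServer]] = field(
        default_factory=lambda: {"authentication": [], "accounting": []})

    def port_of(self, kind: str, server: RadiusServer) -> int:
        return server.port if server.port is not None else DEFAULT_PORT[kind]

    def add_server(self, kind: str, server: RadiusServer) -> None:
        """Two servers of the same kind may not share IP address, port and VPN."""
        identity = (server.ip, self.port_of(kind, server), server.vpn_instance)
        for existing in self.servers[kind]:
            if (existing.ip, self.port_of(kind, existing), existing.vpn_instance) == identity:
                raise ValueError(f"{kind} server {identity} already specified in scheme {self.name}")
        self.servers[kind].append(server)

    def effective_key(self, kind: str, server: RadiusServer) -> Optional[str]:
        """Server-specific key wins over key { accounting | authentication }."""
        return server.key if server.key is not None else self.scheme_key.get(kind)

    def effective_vpn(self, server: RadiusServer) -> Optional[str]:
        """Server-specific VPN wins over the scheme's vpn-instance."""
        return server.vpn_instance if server.vpn_instance is not None else self.scheme_vpn

    def select_server(self, kind: str) -> Optional[RadiusServer]:
        """Highest-priority server that is currently active, or None."""
        for server in self.servers[kind]:
            if server.state == "active":
                return server
        return None
```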

radius nas-ip

Use radius nas-ip to specify a source address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

If no source IP address is specified, the device uses the IP address of the outbound interface. If that interface fails (for example, because of a physical port error), packets returned from the server cannot reach the device.

You can specify up to 16 source IP addresses, including zero or one public-network source IPv4 address, zero or one public-network source IPv6 address, and private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
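The two checks this guideline relies on, in working code, as an added example that is not part of the H3C reference: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python. The server answers only packets whose source IP is a configured NAS, and the NAS accepts only a reply whose Response Authenticator verifies under its own shared key, which is why the key configured with primary authentication ... key must match the server's. The NAS source address 129.10.10.1 and the key hello reuse values from this page's examples; the server's client table, the user database and the username alice are constructed for the demonstration. It shows that a packet from an unconfigured source address is dropped without any reply, and that a shared-key mismatch yields a reply the NAS must discard, so both failures look like a plain timeout on the device.

```python
# Added example, not H3C code: a minimal RFC 2865 Access-Request/Accept exchange
# showing the two checks the usage guidelines rely on. The server answers only
# packets whose source IP is a configured NAS, and the NAS accepts only a reply
# whose Response Authenticator verifies under its own shared key. The NAS source
# address 129.10.10.1 and the key "hello" reuse values from this page's examples;
# the client table and user database are constructed for the demonstration.
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CLIENTS = {"129.10.10.1": b"hello"}   # server side: NAS source IP -> shared key (constructed)
USERS = {"alice": b"s3cret"}          # server side: username -> password (constructed)

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def pap_crypt(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not decrypt:
        data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = block if decrypt else xored
    return out.rstrip(b"\x00") if decrypt else out

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def nas_build_access_request(username, password, secret, nas_ip, ident=1):
    """NAS side: Access-Request with User-Name, hidden User-Password, NAS-IP-Address."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, pap_crypt(password.encode(), secret, request_auth)),
             (ATTR_NAS_IP_ADDRESS, ip_address(nas_ip).packed)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(pkt, src_ip, clients, users):
    """Server side. Returns the reply, or None when the packet is silently dropped
    because src_ip is not a configured NAS (there is no key to process it with)."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_crypt(a.get(ATTR_USER_PASSWORD, b""), secret, request_auth, decrypt=True)
    ok = user in users and hmac.compare_digest(users[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here.
    return header + hashlib.md5(header + request_auth + secret).digest()

def nas_check_reply(reply, request_auth, secret):
    """NAS side: the reply counts only if its authenticator verifies under the NAS's key."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None

def run_exchange(nas_ip, nas_secret, username, password, clients=CLIENTS, users=USERS):
    """One exchange end to end: 'accept', 'reject', 'dropped' or 'bad-authenticator'."""
    req, request_auth = nas_build_access_request(username, password, nas_secret, nas_ip)
    reply = server_handle(req, nas_ip, clients, users)
    if reply is None:
        return "dropped"            # the NAS only sees a timeout, then retries (retry, timer response-timeout)
    code = nas_check_reply(reply, request_auth, nas_secret)
    if code is None:
        return "bad-authenticator"  # key mismatch: the NAS discards the reply, which also looks like a timeout
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

run_exchange("129.10.10.1", b"hello", "alice", "s3cret") returns "accept"; the same call from 10.110.1.5 (an address absent from the server's client table, as happens when the outbound interface address is used instead of the configured NAS IP) returns "dropped"; and a NAS key of b"h3llo" against the server's b"hello" returns "bad-authenticator". Neither failure produces an error on the device, only retransmissions and, eventually, a blocked server, so a source-IP or key mismatch is worth ruling out first when display radius statistics shows timeouts against a server that is known to be up.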

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be referenced by more than one ISP domain at the same time.

The switch supports at most 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter its view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control enable

Use radius session-control enable to enable the session-control feature.

Use undo radius session-control enable to restore the default.

Syntax

radius session-control enable

undo radius session-control enable

Default

The session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

mdc-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retry-times

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.

The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Examples

# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

·           radius scheme

·           timer response-timeout

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

A RADIUS accounting server usually uses a timeout timer to decide whether a user is still online. If it receives no real-time accounting request for the user from the NAS within the timeout period, it assumes a line or device failure and stops accounting for the user. To cooperate with the server, the NAS must send real-time accounting requests before the server's timer expires, and must disconnect the user when a failure occurs so that the NAS and the server agree on the user's state. The maximum number of accounting attempts, together with the retry, timer response-timeout, and timer realtime-accounting settings, controls how the NAS sends accounting requests and when it disconnects the user after a failure.

Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is 5 (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request 3 times, it considers the accounting attempt a failure, and makes another accounting attempt. If 5 consecutive accounting attempts fail, the device cuts the user connection.
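The arithmetic in the paragraph above as an added example, not code from the H3C reference: a small Python simulation that walks through the retransmissions and accounting attempts and returns the second at which the user is cut off. The accounting server is a constructed stub that answers every request sent before server_silent_from and nothing after that; the assumption that the first real-time request goes out one interval after login is the example's own. The function also enforces the retry-times multiplied by response-timeout limit of 75 seconds stated for retry and timer response-timeout, and handles the interval-0 case documented for timer realtime-accounting, where the device sends no real-time requests of its own.

```python
# Added example, not H3C code: a discrete-event walk through the interaction of
# retry, timer response-timeout, timer realtime-accounting and retry
# realtime-accounting for one online user. The accounting server is a
# constructed stub that answers every request sent before server_silent_from
# (in seconds) and nothing after that.

def check_retry_budget(retry_times, response_timeout):
    """The documented limit: retry-times * response-timeout must not exceed 75 seconds.
    Returns the seconds spent on one request that gets no answer at all."""
    if retry_times * response_timeout > 75:
        raise ValueError(f"retry {retry_times} x timeout {response_timeout}s exceeds 75 s")
    return retry_times * response_timeout


def accounting_timeline(retry_times=3, response_timeout=3, realtime_minutes=12,
                        acct_attempts=5, server_silent_from=0, max_seconds=24 * 3600):
    """Simulate real-time accounting for a user who logs in at t=0.
    Returns (second at which the user is cut off, or None, list of events)."""
    if realtime_minutes == 0:   # interval 0: the device sends no real-time requests of its own
        return None, ["interval 0: real-time accounting left to the server's interval, if any"]
    per_request = check_retry_budget(retry_times, response_timeout)
    interval = realtime_minutes * 60
    failures, events = 0, []
    t = interval   # assumption: first real-time request one interval after login
    while t <= max_seconds:
        answered = False
        for n in range(retry_times):
            send_at = t + n * response_timeout
            events.append(f"{send_at:>6}s send (try {n + 1}/{retry_times})")
            if send_at < server_silent_from:
                answered = True
                events.append(f"{send_at:>6}s response")
                break
        if answered:
            failures = 0              # only consecutive failures count
        else:
            failures += 1
            events.append(f"{t + per_request:>6}s attempt failed ({failures}/{acct_attempts})")
            if failures >= acct_attempts:
                events.append(f"{t + per_request:>6}s user cut off")
                return t + per_request, events
        t += interval
    return None, events


if __name__ == "__main__":
    cutoff, events = accounting_timeline()
    print("\n".join(events))
    print(f"defaults: a silent accounting server disconnects the user after {cutoff} s")
```

With the defaults and a server that never answers, the cut-off comes at 3609 seconds (five 12-minute intervals plus the 9 seconds of the last failed attempt), so a dead accounting server leaves users online for about an hour; shortening timer realtime-accounting or retry realtime-accounting tightens that window at the cost of more accounting traffic, which is the trade-off Table 6 under timer realtime-accounting is about.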

Examples

# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

·           retry

·           timer realtime-accounting

·           timer response-timeout

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

The shared key configured by this command takes precedence over that configured by using the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out, and the device looks for an active server with the highest priority for accounting.

If you remove an accounting server being used by online users, the device no longer sends real-time accounting requests and stop-accounting requests for the users, and does not buffer the stop-accounting requests.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

·           display radius scheme

·           key (RADIUS scheme view)

·           primary accounting

·           vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

You can configure up to 16 secondary RADIUS authentication servers for a RADIUS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication server configured earlier has a higher priority) and tries to communicate with it.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

The shared key configured by this command takes precedence over that configured by using the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out, and the device looks for an active server with the highest priority for authentication.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

·           display radius scheme

·           key (RADIUS scheme view)

·           primary authentication

·           vpn-instance (RADIUS scheme view)

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server specified for a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of the primary RADIUS accounting server.

authentication: Sets the status of the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device changes the status of the primary server to blocked, starts a quiet timer for the server, and then tries to communicate with a secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of the primary server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually.

When the primary server and all secondary servers are in blocked state, authentication or accounting fails.

Examples

# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

·           display radius scheme

·           state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

Every secondary RADIUS server specified in a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of a secondary RADIUS accounting server.

authentication: Sets the status of a secondary RADIUS authentication server.

ip-address: Specifies the IPv4 address of a secondary RADIUS server.

port-number: Service port number of a secondary RADIUS server, a UDP port number in the range of 1 to 65535. The default port number is 1813 for a secondary accounting server and 1812 for a secondary authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If no IP address is specified, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of a server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
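The server-selection rules described for state primary, state secondary and timer quiet, modelled in Python as an added example that is not H3C code: servers are tried in priority order (primary, then secondaries in configuration order), an active server that does not answer is blocked and its quiet timer started, a blocked server returns to active when the timer expires unless it was blocked manually, and a request fails when every server is blocked. Reachability comes from a constructed probe callback, and the clock is a minute counter passed in as now so the quiet timer can be seen expiring; the server addresses reuse this page's examples.

```python
# Added example, not H3C code: a model of the server-selection rules given for
# state primary, state secondary and timer quiet. Reachability comes from a
# constructed probe callback, and 'now' is a minute counter so the quiet timer
# can be seen expiring. Server addresses reuse this page's examples.

class RadiusServer:
    def __init__(self, ip, port=1812):
        self.ip, self.port = ip, port
        self.state = "active"        # "active" or "block"
        self.manual_block = False    # set by 'state ... block': no automatic recovery
        self.quiet_until = None      # minute at which the quiet timer expires


class RadiusScheme:
    def __init__(self, primary, secondaries, quiet_minutes=5):
        # Order is priority: primary first, then secondaries in configuration order.
        self.servers = [primary] + list(secondaries)
        self.quiet_minutes = quiet_minutes

    def set_state(self, server, state):
        """state primary/secondary ... { active | block }"""
        server.state = state
        server.manual_block = state == "block"
        server.quiet_until = None

    def _expire_quiet_timers(self, now):
        for s in self.servers:
            if (s.state == "block" and not s.manual_block
                    and s.quiet_until is not None and now >= s.quiet_until):
                s.state, s.quiet_until = "active", None

    def select(self, now, reachable):
        """Walk the servers in priority order, skipping blocked ones. An active
        server that does not answer is blocked and its quiet timer started.
        Returns the server that answered, or None (authentication/accounting fails)."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.state != "active":
                continue
            if reachable(s):
                return s
            s.state, s.quiet_until = "block", now + self.quiet_minutes
        return None


def scenario():
    """Constructed walk-through; returns the address chosen at each step."""
    primary, secondary = RadiusServer("10.110.1.1"), RadiusServer("10.110.1.2")
    scheme = RadiusScheme(primary, [secondary], quiet_minutes=10)
    down = {"10.110.1.1"}
    reachable = lambda s: s.ip not in down
    chosen = []
    chosen.append(scheme.select(0, reachable))    # primary unreachable -> blocked, secondary used
    down.clear()                                  # primary recovers at once...
    chosen.append(scheme.select(5, reachable))    # ...but stays blocked until its quiet timer ends
    chosen.append(scheme.select(10, reachable))   # quiet timer expired -> primary again
    scheme.set_state(primary, "block")            # state primary authentication block
    chosen.append(scheme.select(30, reachable))   # manual block never expires -> secondary
    scheme.set_state(secondary, "block")
    chosen.append(scheme.select(31, reachable))   # everything blocked -> None
    return [s.ip if s else None for s in chosen]


if __name__ == "__main__":
    print(scenario())   # ['10.110.1.2', '10.110.1.2', '10.110.1.1', '10.110.1.2', None]
```

The walk-through makes two operational points visible: after a primary outage the device keeps using the secondary for a full quiet period even though the primary is back, and a server blocked with state ... block stays out of service until it is set to active by hand, so a forgotten manual block on the last healthy server turns into an authentication outage.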

Examples

# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

·           display radius scheme

·           state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Be sure to set the server quiet timer properly. Too short a quiet timer returns a blocked server to active state while it is still unreachable, so the device keeps trying to communicate with it and authentication or accounting fails frequently.

Examples

# Set the quiet timer for the servers to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Real-time accounting interval in minutes, in the range of 0 to 60.

Usage guidelines

When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval. When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or does not send online user accounting information.

Different real-time accounting intervals impose different performance requirements on the device and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).

Table 6 Recommended real-time accounting intervals

Number of users    Real-time accounting interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
1000 or more       15 minutes or longer

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10.

Usage guidelines

If a NAS receives no response from the RADIUS server within a certain period after sending a RADIUS request, it resends the request so that the user gets another chance to be served. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.

The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

·           display radius scheme

·           retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the username.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the RADIUS server as it is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. The RADIUS server regards two users in different ISP domains but with the same userid as one.
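The three user-name-format settings, and the collision this guideline warns about, as an added Python example that is not part of the H3C reference. The userid@isp-name convention follows the paragraph above; two details are the example's own assumptions: the domain is taken as the text after the last @, and a name entered without @ is assigned a default domain. find_collisions reports every User-Name that the server would receive for more than one distinct (userid, domain) pair.

```python
# Added example, not H3C code: the three user-name-format settings applied to
# the username a user types, plus a check for the collision the guideline
# warns about when a without-domain scheme is shared by several ISP domains.
# Assumptions: the domain is the text after the last '@' (userid@isp-name
# convention above), and a name without '@' falls into a default domain.

def split_username(entered, default_domain):
    """Return (userid, isp-domain) for a name entered as userid@isp-name."""
    if "@" in entered:
        userid, _, domain = entered.rpartition("@")
        return userid, domain
    return entered, default_domain


def radius_user_name(entered, default_domain, fmt):
    """User-Name the device sends for the given user-name-format setting."""
    userid, domain = split_username(entered, default_domain)
    if fmt == "keep-original":
        return entered
    if fmt == "with-domain":
        return f"{userid}@{domain}"
    if fmt == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format {fmt!r}")


def find_collisions(entered_names, default_domain, fmt):
    """Map each sent User-Name to the distinct (userid, domain) identities it
    would stand for on the server; only names with more than one are returned."""
    seen = {}
    for name in entered_names:
        sent = radius_user_name(name, default_domain, fmt)
        seen.setdefault(sent, set()).add(split_username(name, default_domain))
    return {sent: ids for sent, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    logins = ["alice@corp", "alice@guest", "bob"]   # constructed logins from two ISP domains
    for fmt in ("with-domain", "without-domain", "keep-original"):
        print(fmt, [radius_user_name(u, "system", fmt) for u in logins],
              find_collisions(logins, "system", fmt))
```

For the constructed logins, without-domain collapses alice@corp and alice@guest into a single User-Name alice, which is the case the guideline describes: the RADIUS server cannot tell the two accounts apart, so a scheme configured this way should be bound to one ISP domain only.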

Examples

# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify a VPN for a RADIUS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.

Examples

# Specify VPN test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

statistics: Displays the HWTACACS service statistics. If this option is not specified, the command displays the configuration of the HWTACACS scheme.

Usage guidelines

If no HWTACACS scheme name is specified, the command displays the configuration of all HWTACACS schemes.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 TACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : hwtac

  Index : 0

  Primary Auth Server:

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

 

  Primary Author Server:

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

 

  Primary Acct Server:

    IP  : Not Configured  Port: 49     State: Block

    VPN Instance: Not configured

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

------------------------------------------------------------------

Table 7 Command output

Field                                 Description
Index                                 Index number of the HWTACACS scheme.
Primary Auth Server                   Primary HWTACACS authentication server.
Primary Author Server                 Primary HWTACACS authorization server.
Primary Acct Server                   Primary HWTACACS accounting server.
Secondary Auth Server                 Secondary HWTACACS authentication server.
Secondary Author Server               Secondary HWTACACS authorization server.
Secondary Acct Server                 Secondary HWTACACS accounting server.
IP                                    IP address of the HWTACACS server. If no server is configured, this field displays Not configured.
Port                                  Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.
State                                 Status of the HWTACACS server: active or blocked.
VPN Instance                          MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.
NAS IP Address                        Source IP address for outgoing HWTACACS packets.
Server Quiet Period                   Quiet period for the primary servers, in minutes.
Realtime Accounting Interval(minutes) Real-time accounting interval, in minutes.
Response Timeout Interval             HWTACACS server response timeout period, in seconds.
Username Format                       Format for the usernames sent to the HWTACACS server: With-domain (includes the domain name), Without-domain (excludes the domain name), or Keep-original (forwards the username as it is entered).

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of a packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

You can specify up to 16 source IP addresses, including zero or one public-network source IPv4 address, zero or one public-network source IPv6 address, and private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

The setting configured by using the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by using the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.

Examples

# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS scheme exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be referenced by more than one ISP domain at the same time.

You can configure up to 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter its view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to remove the configuration.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization } string

Default

No shared key is configured.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure HWTACACS accounting communication.

authentication: Sets the shared key for secure HWTACACS authentication communication.

authorization: Sets the shared key for secure HWTACACS authorization communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 255 characters. If cipher is specified, it must be a ciphertext string of 1 to 373 characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Set the shared key for secure HWTACACS authentication communication to 123456 in plain text for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456

# Set the shared key for secure HWTACACS authorization communication to ok in plain text.

[Sysname-hwtacacs-hwt1] key authorization simple ok

# Set the shared key for secure HWTACACS accounting communication to hello in plain text.

[Sysname-hwtacacs-hwt1] key accounting simple hello

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source address for outgoing HWTACACS packets.

Use undo nas-ip to delete a source address for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

The setting configured by using the nas-ip command in HWTACACS scheme view is effective only for the HWTACACS scheme, whereas that configured by using the hwtacacs nas-ip command in system view is effective for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.

If you execute the command multiple times, the most recent configuration takes effect.
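The two source-address commands above (hwtacacs nas-ip in system view and nas-ip in HWTACACS scheme view) interact through three rules: the address restrictions in the parameter list, the slot limits of the system-view table (one public IPv4, one public IPv6, one IPv4 and one IPv6 per VPN, 16 in total, newer address overwrites the old one for the same slot), and the precedence scheme view > system view > outbound interface. The model below is an added example written for this page, not H3C code; it assumes the system-view command accepts a VPN keyword for the private-network slots (that syntax is not shown in this part of the reference) and that a scheme-view address, which takes no VPN keyword, applies whatever VPN the server is in. The device address set is constructed.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

MAX_SYSTEM_NAS_IPS = 16                          # page: up to 16 addresses in system view
CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # class E, also contains 255.255.255.255


def validate_nas_ip(addr: str, device_addrs: Set[str]) -> str:
    """Apply the address restrictions the page lists for nas-ip.

    IPv4: an address of the device, not 0.0.0.0, 255.255.255.255, class D,
    class E or loopback.  IPv6: a unicast address of the device, not loopback
    or link-local.  Returns the normalised address string.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError(f"{addr}: 0.0.0.0 is not allowed")
        if ip.is_multicast:                      # class D, 224.0.0.0/4
            raise ValueError(f"{addr}: class D address is not allowed")
        if ip in CLASS_E:                        # class E, 240.0.0.0/4, covers 255.255.255.255
            raise ValueError(f"{addr}: class E / broadcast address is not allowed")
        if ip.is_loopback:
            raise ValueError(f"{addr}: loopback address is not allowed")
    else:
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            raise ValueError(f"{addr}: must be a unicast address, not loopback/link-local")
    normalised = {str(ipaddress.ip_address(a)) for a in device_addrs}
    if str(ip) not in normalised:
        raise ValueError(f"{addr}: not an address configured on the device")
    return str(ip)


def is_valid_nas_ip(addr: str, device_addrs: Set[str]) -> bool:
    try:
        validate_nas_ip(addr, device_addrs)
        return True
    except ValueError:
        return False


class SystemNasIpTable:
    """Models the address table behind 'hwtacacs nas-ip' in system view.

    Slots: one public IPv4, one public IPv6, one IPv4 plus one IPv6 per VPN,
    16 entries in total.  A new address for an occupied slot overwrites the
    previous one.  The vpn argument is an assumption (syntax not on this page).
    """

    def __init__(self, device_addrs: Set[str]) -> None:
        self.device_addrs = device_addrs
        self.slots: Dict[Tuple[Optional[str], int], str] = {}   # (vpn or None, 4|6) -> address

    def add(self, addr: str, vpn: Optional[str] = None) -> None:
        ip = validate_nas_ip(addr, self.device_addrs)
        slot = (vpn, ipaddress.ip_address(ip).version)
        if slot not in self.slots and len(self.slots) >= MAX_SYSTEM_NAS_IPS:
            raise ValueError("at most 16 source addresses can be specified")
        self.slots[slot] = ip

    def lookup(self, vpn: Optional[str], version: int) -> Optional[str]:
        return self.slots.get((vpn, version))


def source_address(scheme_nas_ip: Dict[int, str], system_table: SystemNasIpTable,
                   server_vpn: Optional[str], version: int, outbound_if_addr: str) -> str:
    """Resolve the source address of an outgoing HWTACACS packet.

    Precedence from the page: nas-ip in scheme view, then the system-view
    slot matching the server's VPN, then the outbound interface address.
    """
    if scheme_nas_ip.get(version):
        return scheme_nas_ip[version]
    system_addr = system_table.lookup(server_vpn, version)
    if system_addr:
        return system_addr
    return outbound_if_addr


if __name__ == "__main__":
    # Constructed device address set; 129.10.10.1 and 10.1.1.1 are the page's own examples.
    device = {"129.10.10.1", "10.1.1.1", "192.168.5.5", "2001:db8::1"}
    table = SystemNasIpTable(device)
    table.add("129.10.10.1")                                          # hwtacacs nas-ip 129.10.10.1
    print(source_address({}, table, None, 4, "172.16.0.1"))            # 129.10.10.1
    print(source_address({4: "10.1.1.1"}, table, None, 4, "172.16.0.1"))  # 10.1.1.1, scheme view wins
```

The check worth keeping from this: whichever address wins must be the one registered on the HWTACACS server as the NAS, so when a scheme-level nas-ip is added for one scheme, that scheme's servers need a matching NAS entry even though every other scheme still sources from the system-view address.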

Examples

# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme test1.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           secondary accounting

·           vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple abc

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           secondary authentication

·           vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to remove the configuration.

Syntax

primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple abc

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           secondary authorization

·           vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

You can configure up to 16 secondary HWTACACS accounting servers for an HWTACACS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary HWTACACS accounting server configured earlier has a higher priority) and tries to communicate with it.

If you use the undo secondary accounting command without specifying any parameter, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple abc

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           primary accounting

·           vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary HWTACACS authentication server configured earlier has a higher priority) and tries to communicate with it.

If you use the undo secondary authentication command without specifying any parameter, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

Examples

# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple abc

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           primary authentication

·           vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

·           cipher string: Sets a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.

·           simple string: Sets a plaintext shared key, a case-sensitive string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary HWTACACS authorization server configured earlier has a higher priority) and tries to communicate with it.

If you use the undo secondary authorization command without specifying any parameter, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.
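The primary and secondary server commands share the same set of rules: port defaults to 49, the per-server key and vpn-instance options are optional, a per-server VPN takes precedence over the scheme's vpn-instance, two servers of one service may not have identical address, port and VPN, and at most 16 secondaries per service. A configuration audit that applies those rules to a scheme block is the check a practitioner wants before pointing logins at it. The linter below is an added example written for this page, not H3C code; it parses the command syntax exactly as printed on this page, treats a server with neither a per-server key nor a scheme-level key for its service as a misconfiguration (an assumption about what an operator wants flagged, not a statement of device behaviour), and runs on a constructed scheme block whose cipher string is a placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICES = ("authentication", "authorization", "accounting")
DEFAULT_PORT = 49          # page: TCP port 49 unless port-number is given
MAX_SECONDARIES = 16       # page: up to 16 secondary servers per service


@dataclass
class ServerEntry:
    role: str                       # "primary" or "secondary"
    service: str                    # one of SERVICES
    addr: str
    port: int = DEFAULT_PORT
    key: Optional[str] = None       # per-server key string (cipher or simple form, opaque here)
    vpn: Optional[str] = None       # per-server vpn-instance; None means inherit the scheme's


def parse_server_line(tokens: List[str]) -> ServerEntry:
    """Parse 'primary|secondary <service> { ipv4 | ipv6 ipv6 } [ port | key {cipher|simple} s | vpn-instance n ] *'.

    The page allows the three options in any order, so they are consumed in a loop.
    """
    role, service = tokens[0], tokens[1]
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    i = 2
    if tokens[i] == "ipv6":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = tokens[i], i + 1
    entry = ServerEntry(role, service, addr)
    while i < len(tokens):
        tok = tokens[i]
        if tok.isdigit():
            port = int(tok)
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range 1-65535")
            entry.port, i = port, i + 1
        elif tok == "key":                      # key { cipher | simple } string
            entry.key, i = tokens[i + 2], i + 3
        elif tok == "vpn-instance":
            entry.vpn, i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return entry


def lint_scheme(config: str) -> List[str]:
    """Check one 'hwtacacs scheme' block against the rules in the usage guidelines."""
    scheme_keys: Dict[str, str] = {}        # service -> scheme-level key (the key command)
    scheme_vpn: Optional[str] = None
    servers: List[ServerEntry] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "hwtacacs":
            continue
        if tokens[0] in ("primary", "secondary"):
            servers.append(parse_server_line(tokens))
        elif tokens[0] == "key":                # key <service> { cipher | simple } <string>
            scheme_keys[tokens[1]] = tokens[3]
        elif tokens[0] == "vpn-instance":
            scheme_vpn = tokens[1]

    findings: List[str] = []
    seen = defaultdict(list)
    for s in servers:
        effective_vpn = s.vpn or scheme_vpn    # page: per-server VPN takes precedence over the scheme's
        if s.key is None and s.service not in scheme_keys:
            findings.append(f"{s.role} {s.service} {s.addr}: no shared key "
                            f"(neither per-server key nor 'key {s.service}')")
        seen[(s.service, s.addr, s.port, effective_vpn)].append(s.role)
    for (service, addr, port, vpn), roles in seen.items():
        if len(roles) > 1:                      # page: identical IP, port and VPN is not allowed
            findings.append(f"{service}: duplicate server {addr} port {port} "
                            f"vpn={vpn or 'public'} ({' + '.join(roles)})")
    for service in SERVICES:
        n = sum(1 for s in servers if s.role == "secondary" and s.service == service)
        if n > MAX_SECONDARIES:
            findings.append(f"{service}: {n} secondary servers, limit is {MAX_SECONDARIES}")
    return findings


# Constructed scheme block; addresses reuse the page's examples, the cipher string is a placeholder.
SAMPLE_SCHEME = """\
hwtacacs scheme hwt1
 key authentication simple 123456
 primary authentication 10.163.155.13 49 key simple abc
 secondary authentication 10.163.155.14
 primary authorization 10.163.155.13 key simple abc
 secondary authorization 10.163.155.13 49 vpn-instance test
 vpn-instance test
 primary accounting 10.163.155.12 49
 secondary accounting ipv6 2001:db8::12 key cipher $c$3$placeholder
"""

if __name__ == "__main__":
    for finding in lint_scheme(SAMPLE_SCHEME):
        print(finding)
```

The sample deliberately shows the subtle case: the primary authorization server carries no vpn-instance, so it inherits the scheme's VPN test and becomes identical to the secondary that names the VPN explicitly, which the device rejects.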

Examples

# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple abc

Related commands

·           display hwtacacs scheme

·           key (HWTACACS scheme view)

·           primary authorization

·           vpn-instance (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Server quiet period in minutes, in the range of 1 to 255.

Examples

# Set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

Different real-time accounting intervals impose different performance requirements on the device and the HWTACACS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).

Table 8 Recommended real-time accounting intervals

Number of users      Real-time accounting interval
1 to 99              3 minutes
100 to 499           6 minutes
500 to 999           12 minutes
1000 or more         15 minutes or longer

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: HWTACACS server response timeout time in seconds, in the range of 1 to 300.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
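The failover behaviour described for the secondary server commands (primary first, then secondaries in configured order, skipping servers that are not in active state) combines with timer quiet and timer response-timeout to determine how long a login can stall. The simulation below is an added example written for this page, not H3C code. It assumes that a server that fails to answer within the response timeout is left out of rotation for the quiet period before it is tried again, which is what the page's "secondary server in active state" wording implies; the exact state machine is in the configuration guide, not on this page. Addresses are the page's examples, the reachability oracle is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    ip: str
    port: int = 49                  # page default
    vpn: Optional[str] = None       # None = public network


@dataclass
class SchemeService:
    """The server list of one service (e.g. authentication) in an HWTACACS scheme."""
    primary: Optional[Server] = None
    secondaries: List[Server] = field(default_factory=list)   # configured order = priority
    quiet_minutes: int = 5                                     # timer quiet default (1 to 255)
    response_timeout_s: int = 5                                # timer response-timeout default (1 to 300)
    blocked_until: Dict[Server, float] = field(default_factory=dict)  # assumed quiet-period bookkeeping

    def ordered(self) -> List[Server]:
        return ([self.primary] if self.primary else []) + self.secondaries

    def active(self, now_min: float) -> List[Server]:
        """Servers not currently sitting out a quiet period."""
        return [s for s in self.ordered() if self.blocked_until.get(s, 0.0) <= now_min]

    def request(self, now_min: float, responds: Callable[[Server], bool]
                ) -> Tuple[Optional[Server], List[Server], int]:
        """Try servers primary first, then secondaries in configured order.

        Returns (server that answered or None, servers tried, seconds spent
        waiting on unresponsive servers).  A server that does not answer within
        the response timeout is assumed to stay out of rotation for quiet_minutes.
        """
        tried: List[Server] = []
        waited = 0
        for server in self.active(now_min):
            tried.append(server)
            if responds(server):
                return server, tried, waited
            waited += self.response_timeout_s
            self.blocked_until[server] = now_min + self.quiet_minutes
        return None, tried, waited

    def worst_case_wait_s(self) -> int:
        """Delay for one request if every server is active and none answers."""
        return len(self.ordered()) * self.response_timeout_s


def only_last_secondary_up(server: Server) -> bool:
    """Constructed reachability oracle: only 10.163.155.15 answers."""
    return server.ip == "10.163.155.15"


if __name__ == "__main__":
    svc = SchemeService(primary=Server("10.163.155.13"),
                        secondaries=[Server("10.163.155.14"), Server("10.163.155.15")])
    print(svc.request(0, only_last_secondary_up))   # minute 0: all three tried, 10 s lost
    print(svc.request(1, only_last_secondary_up))   # minute 1: the two failed servers are quiet
    print(svc.worst_case_wait_s())                  # 15 s with defaults
```

Two practical consequences fall out of the arithmetic: with the maximum of 16 secondaries and a 300-second response timeout, a fully unreachable server list would hold a single request for over 85 minutes, so response-timeout should stay short when many secondaries are configured; and raising timer quiet reduces repeated probing of a dead primary but also delays fail-back to it once it recovers.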

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the username.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the HWTACACS server as it is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. The HWTACACS server regards two users in different ISP domains but with the same userid as one.
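The three user-name-format modes and the collision warning above can be checked before a scheme is applied to a second ISP domain. The helper below is an added example written for this page, not H3C code; it assumes that a username typed without @ lands in the default ISP domain (the page says isp-name selects the domain but does not describe the no-domain case here), and the domains, schemes and logins it runs over are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

MODES = ("keep-original", "with-domain", "without-domain")


def split_username(entered: str, default_domain: str) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name); a name without '@' goes to the default domain (assumed)."""
    if "@" in entered:
        userid, domain = entered.rsplit("@", 1)
        return userid, domain
    return entered, default_domain


def format_username(entered: str, default_domain: str, mode: str) -> str:
    """What the NAS sends to the HWTACACS server under each user-name-format setting."""
    userid, domain = split_username(entered, default_domain)
    if mode == "keep-original":
        return entered
    if mode == "with-domain":          # the default on this platform
        return f"{userid}@{domain}"
    if mode == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format {mode!r}")


def server_side_collisions(entered_names: List[str], default_domain: str,
                           scheme_modes: Dict[str, str], domain_schemes: Dict[str, str]
                           ) -> Dict[Tuple[str, str], List[str]]:
    """Group logins by (scheme, name as the server sees it).

    A group with more than one distinct entered name is the page's failure
    mode: users from different ISP domains that the server treats as one account.
    """
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for entered in entered_names:
        _, domain = split_username(entered, default_domain)
        scheme = domain_schemes[domain]
        sent = format_username(entered, default_domain, scheme_modes[scheme])
        seen[(scheme, sent)].append(entered)
    return {key: names for key, names in seen.items() if len(set(names)) > 1}


def check_scheme_sharing(scheme_modes: Dict[str, str], domain_schemes: Dict[str, str]) -> List[str]:
    """Configuration-time form of the page's warning: a without-domain scheme applied to several domains."""
    domains_by_scheme: Dict[str, List[str]] = defaultdict(list)
    for domain, scheme in domain_schemes.items():
        domains_by_scheme[scheme].append(domain)
    return [f"scheme {scheme} (without-domain) is applied to domains {sorted(domains)}"
            for scheme, domains in domains_by_scheme.items()
            if scheme_modes.get(scheme) == "without-domain" and len(domains) > 1]


if __name__ == "__main__":
    # Constructed: two ISP domains both using scheme hwt1, which strips the domain.
    modes = {"hwt1": "without-domain"}
    binding = {"corp": "hwt1", "guest": "hwt1"}
    print(check_scheme_sharing(modes, binding))
    print(server_side_collisions(["alice@corp", "alice@guest", "bob"], "corp", modes, binding))
```

The second function is the one to run against an actual user list: a shared without-domain scheme is only harmful once the same userid exists in two of the domains, and that is exactly the case where a guest-domain account would inherit the authorization of a corp-domain administrator with the same name.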

Examples

# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify a VPN for an HWTACACS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified.

Examples

# Specify VPN test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme
