15-User Access and Authentication Command Reference

01-AAA commands

Contents

AAA commands
  General AAA commands
    aaa normal-offline-record enable
    aaa offline-record enable
    aaa online-fail-record enable
    aaa session-id mode
    aaa session-limit
    accounting command
    accounting default
    accounting login
    authentication default
    authentication login
    authentication super
    authorization command
    authorization default
    authorization login
    authorization-attribute (ISP domain view)
    display aaa normal-offline-record
    display aaa offline-record
    display aaa online-fail-record
    display domain
    domain
    domain default enable
    domain if-unknown
    local-server log change-password-prompt
    nas-id
    reset aaa normal-offline-record
    reset aaa offline-record
    reset aaa online-fail-record
    session-time include-idle-time
    state (ISP domain view)
    state block time-range name
  Local user commands
    access-limit
    authorization-attribute (local user view/user group view)
    display local-user
    display user-group
    group
    local-user
    password
    service-type
    state (local user view)
    user-group
  RADIUS commands
    aaa device-id
    accounting-on enable
    attribute 15 check-mode
    attribute 25 car
    attribute 30 mac-format
    attribute 31 mac-format
    attribute convert (RADIUS scheme view)
    attribute reject (RADIUS scheme view)
    attribute remanent-volume
    attribute translate
    attribute vendor-id 2011 version
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius server-load statistics
    display radius statistics
    display stop-accounting-buffer (for RADIUS)
    exclude
    include
    include-attribute 218 vendor-id 25506
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    private accounting
    private authentication
    radius attribute extended
    radius attribute-test-group
    radius dscp
    radius enable
    radius nas-ip
    radius scheme
    radius session-control client
    radius session-control enable
    radius source-ip
    radius-server test-profile
    reauthentication server-select
    reset radius server-load statistics
    reset radius statistics
    reset stop-accounting-buffer (for RADIUS)
    retry
    retry realtime-accounting
    retry stop-accounting (RADIUS scheme view)
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    server-block-action (RADIUS scheme view)
    server-load-sharing enable
    snmp-agent trap enable radius
    source-ip
    state primary
    state private
    state secondary
    stop-accounting-buffer enable (RADIUS scheme view)
    stop-accounting-packet send-force
    test-aaa
    threshold remanent-volume
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)
    vpn-instance (RADIUS scheme view)
  EAP profile commands
    ca-file
    certificate-file
    eap-profile
    method
    private-key-file
    private-key-password
    ssl-server-policy
  HWTACACS commands
    data-flow-format (HWTACACS scheme view)
    display hwtacacs scheme
    display stop-accounting-buffer (for HWTACACS)
    hwtacacs dscp
    hwtacacs nas-ip
    hwtacacs scheme
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    reset stop-accounting-buffer (for HWTACACS)
    retry stop-accounting (HWTACACS scheme view)
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    server-block-action (HWTACACS view)
    stop-accounting-buffer enable (HWTACACS scheme view)
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
  Connection recording policy commands
    aaa connection-recording policy
    accounting hwtacacs-scheme
    display aaa connection-recording policy


AAA commands

General AAA commands

aaa normal-offline-record enable

Use aaa normal-offline-record enable to enable user normal offline recording.

Use undo aaa normal-offline-record enable to disable user normal offline recording.

Syntax

aaa normal-offline-record enable

undo aaa normal-offline-record enable

Default

User normal offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that go offline normally. These records help the administrator analyze causes of user offline events. To display user normal offline records, use the display aaa normal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The device can record a maximum of 32768 user normal offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user normal offline recording.

<Sysname> system-view

[Sysname] aaa normal-offline-record enable

Related commands

aaa offline-record enable

display aaa normal-offline-record

aaa offline-record enable

Use aaa offline-record enable to enable user offline recording.

Use undo aaa offline-record enable to disable user offline recording.

Syntax

aaa offline-record enable

undo aaa offline-record enable

Default

User offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must enable this feature so that user abnormal offline recording and user normal offline recording can take effect. Then, the system can record information about users that go offline normally and abnormally. To display user offline records, use the display aaa offline-record command.

The device can record a maximum of 65536 user offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user offline recording.

<Sysname> system-view

[Sysname] aaa offline-record enable

Related commands

aaa abnormal-offline-record enable

aaa normal-offline-record enable

display aaa offline-record

aaa online-fail-record enable

Use aaa online-fail-record enable to enable user online failure recording.

Use undo aaa online-fail-record enable to disable user online failure recording.

Syntax

aaa online-fail-record enable

undo aaa online-fail-record enable

Default

User online failure recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that fail to come online. These records help the administrator identify causes of user online failures and check for malicious users. To display user online failure records, use the display aaa online-fail-record command.

The device can record a maximum of 32768 user online failure records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user online failure recording.

<Sysname> system-view

[Sysname] aaa online-fail-record enable

Related commands

display aaa online-fail-record

aaa session-id mode

Use aaa session-id mode to specify the format for attribute Acct-Session-Id.

Use undo aaa session-id mode to restore the default.

Syntax

aaa session-id mode { common | simplified }

undo aaa session-id mode

Default

The device uses the common mode for attribute Acct-Session-Id.

Views

System view

Predefined user roles

network-admin

Parameters

common: Specifies the common format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 37 characters. This string contains the prefix (indicating the access type), date and time, sequence number, LIP address of the access node, device ID, and job ID of the access process.

simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the access type), month, sequence number, device ID, and LIP address of the access node.

Usage guidelines

Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.

Examples

# Specify the simple format for attribute Acct-Session-Id.

<Sysname> system-view

[Sysname] aaa session-id mode simplified

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32 for SSH and Telnet services, and is 1 to 64 for FTP, HTTP, and HTTPS services.

Usage guidelines

When the number of concurrent login users of a user type has reached the upper limit, the system denies subsequent login attempts of that type.

For HTTP and HTTPS services, the number of concurrent users of an application is separately limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20 concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and NETCONF.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

- When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

- When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

- The specified accounting scheme does not exist.

- Accounting packet sending fails.

- The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

- The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

  - An exception occurs in the local accounting process.

  - The user account is not configured on the device or the user is not allowed to use the access service.

- The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies RADIUS accounting as the primary method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when RADIUS accounting is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

- The specified accounting scheme does not exist.

- Accounting packet sending fails.

- The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

- The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

  - An exception occurs in the local accounting process.

  - The user account is not configured on the device.

- The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

- The specified authentication scheme does not exist.

- Authentication packet sending fails.

- The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

- The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

  - An exception occurs in the local authentication process.

  - The user account is not configured on the device or the user is not allowed to use the access service.

- The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies RADIUS authentication as the primary method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when RADIUS authentication is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

- The specified authentication scheme does not exist.

- Authentication packet sending fails.

- The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

- The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

  - An exception occurs in the local authentication process.

  - The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

- The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

local-user

radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.

You can specify one authentication method and one backup authentication method. The backup method is used when the primary method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain name test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform command authorization. No authorization server verifies whether the entered commands are permitted; a command is executed as long as the user's user role has permission to execute it.

Usage guidelines

Command authorization restricts login users to executing only authorized commands. An authorization server verifies whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.

The commands that a user can execute are controlled by both the access permission of the user roles and the command authorization performed by the authorization server. Access permission controls only whether the authorized user roles have access to the entered commands; it does not control whether the user roles have obtained authorization for those commands. If a command is permitted by the access permission but denied by command authorization, the command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies HWTACACS authorization as the primary method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when HWTACACS authorization is invalid. The device does not perform command authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

- The specified authorization scheme does not exist.

- Authorization packet sending fails.

- The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

- Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

- The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies RADIUS authorization as the primary default method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when RADIUS authorization is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

- The specified authorization scheme does not exist.

- Authorization packet sending fails.

- The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup authorization methods if local authorization is invalid for any other reason. Authorization fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method for login users and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when RADIUS authorization is invalid, and performs no authorization when both of the previous methods are invalid. Because the none method skips authorization and grants any authenticated login user the level-0 user role, listing it as the final backup makes login authorization fail open when the other methods are unavailable.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

·     The device does not turn to the backup authorization methods if local authorization is invalid for any other reason. Authorization fails for the user.
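The fall-through rules above (for both authorization default and authorization login) are easy to misread, in particular that none at the end of the list still hands out the level-0 role once the remote and local methods are unavailable. The following model is an added example, not H3C code: it walks a configured method list with exactly the "invalid" reasons the usage guidelines name. The callback signatures, the sample RADIUS and local-user backends, and the usernames are assumptions made for the illustration.

```python
"""Model of the ISP-domain authorization method chain (added example, not H3C code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Reasons for which a remote (RADIUS/HWTACACS) method is "invalid": the device
# moves on to the next method. Any other remote outcome stops the chain.
REMOTE_INVALID = {"scheme-missing", "send-failed", "no-response"}
# Reasons for which local authorization is "invalid": the device moves on.
# Any other local failure stops the chain and authorization fails.
LOCAL_INVALID = {"exception", "no-such-user", "service-not-allowed"}

# Backend outcome: ("ok", role) | ("invalid", reason) | ("failed", reason)  (assumed shape)
Outcome = Tuple[str, str]


@dataclass
class AuthzResult:
    method: str                      # method that made the decision
    user_role: Optional[str]         # None when authorization failed
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (method, reason) skipped


def run_chain(methods: List[str], remote: Callable[[str, str], Outcome],
              local: Callable[[str], Outcome], username: str) -> AuthzResult:
    """Walk the configured methods in order, e.g. ["radius-scheme rd", "local", "none"]."""
    skipped: List[Tuple[str, str]] = []
    for m in methods:
        if m.startswith(("radius-scheme ", "hwtacacs-scheme ")):
            status, detail = remote(m.split(" ", 1)[1], username)
            if status == "ok":
                return AuthzResult(m, detail, skipped)
            if status == "invalid" and detail in REMOTE_INVALID:
                skipped.append((m, detail))
                continue
            return AuthzResult(m, None, skipped)   # the server answered and denied: stop here
        if m == "local":
            status, detail = local(username)
            if status == "ok":
                return AuthzResult(m, detail, skipped)
            if status == "invalid" and detail in LOCAL_INVALID:
                skipped.append((m, detail))
                continue
            return AuthzResult(m, None, skipped)   # "any other reason": authorization fails
        if m == "none":
            # No authorization is performed; a login user receives the level-0 role.
            return AuthzResult(m, "level-0", skipped)
        raise ValueError(f"unknown authorization method {m!r}")
    return AuthzResult("(no method left)", None, skipped)


# --- constructed sample backends (assumptions, not device behaviour) ---------
def radius_down(scheme: str, username: str) -> Outcome:
    return ("invalid", "no-response")            # server unreachable, no Access-Accept/Reject


def radius_ok(scheme: str, username: str) -> Outcome:
    return ("ok", "network-operator")


LOCAL_USERS = {"alice": "network-admin"}         # constructed local-user table


def local_lookup(username: str) -> Outcome:
    role = LOCAL_USERS.get(username)
    return ("ok", role) if role else ("invalid", "no-such-user")


def demo(username: str) -> AuthzResult:
    """Same chain as `authorization default radius-scheme rd local none`, with RADIUS down."""
    return run_chain(["radius-scheme rd", "local", "none"], radius_down, local_lookup, username)


if __name__ == "__main__":
    for user in ("alice", "mallory"):
        r = demo(user)
        print(f"{user}: method={r.method} role={r.user_role} skipped={r.skipped}")
```

With the RADIUS server unreachable, alice is authorized locally as network-admin, while a username with no local account falls through to none and still receives level-0; drop the trailing none and the same unknown user is refused instead.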

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute user-group user-group-name

undo authorization-attribute user-group

Default

No authorization attributes are configured in the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

Usage guidelines

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user.

When you specify an authorization ACL, the authorization ACL is invalid if it does not exist or does not contain rules.

Examples

# Specify user group abc as the authorization user group for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization-attribute user-group abc

Related commands

display domain

display aaa normal-offline-record

Use display aaa normal-offline-record to display user normal offline records.

Syntax

display aaa normal-offline-record { access-type login | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa normal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa normal-offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays user normal offline records for all cards.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user normal offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user normal offline records generated on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user normal offline records. If you do not specify this keyword, the command displays detailed information about user normal offline records.

count count: Specifies the number of user normal offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user normal offline records. This command displays the most recent user normal offline records that match the specified criteria in reverse chronological order.

If user normal offline records exist in the system, you can use this command to display the records regardless of whether user normal offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user normal offline records for all users.

If usernames that the server sends to the device include invisible characters, for the device to display the records for users with such usernames, you must specify the fuzzy-match keyword in this command.

Examples

# Display detailed information about normal offline records for all users.

<Sysname> display aaa normal-offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2020/01/02 15:20:33

Offline time: 2020/02/28 15:20:56

Offline reason: User request.

# Display brief information about normal offline records for login users.

<Sysname> display aaa normal-offline-record access-type login brief

Username: jay

MAC address: -

IP address: 11.2.2.41

IPv6 address: -

Offline reason: User request.

Table 1 Command output

Field

Description

Total count

Total number of matching user normal offline records.

Username

Name of the user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the MAC address.

Access type

Access type of the user:

·     Telnet.

·     FTP.

·     SSH.

·     NETCONF over SOAP.

·     NETCONF over RESTful.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Offline time

Time when the user went offline.

Offline reason

This field is not supported in the current software version.

Reason that the user went offline.

Related commands

reset aaa normal-offline-record

display aaa offline-record

Use display aaa offline-record to display user offline records.

Syntax

display aaa offline-record { access-type login | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays user offline records for all cards.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user offline records generated on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user offline records. If you do not specify this keyword, the command displays detailed information about user offline records.

count count: Specifies the number of user offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user offline records. This command displays the most recent user offline records that match the specified criteria in reverse chronological order.

If user offline records exist in the system, you can use this command to display the records regardless of whether user offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user offline records for all users.

If the usernames that the server sends to the device include invisible characters, for the device to display records for users with such usernames, you must specify the fuzzy-match keyword in this command.

Examples

# Display detailed information about offline records for all users.

<Sysname> display aaa offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2020/01/02 15:20:33

Offline time: 2020/02/28 15:20:56

Offline reason: User request.

# Display brief information about offline records for login users

<Sysname> display aaa offline-record access-type login brief

Username: jay

MAC address: -

IP address: 20.20.20.1

IPv6 address: -

Offline reason: User request.

 

Username: test

MAC address: -

IP address: 20.20.20.3

IPv6 address: -

Offline reason: User request.

Table 2 Command output

Field

Description

Total count

Total number of matching user offline records.

Username

Name of the user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the MAC address.

Access type

Access type of the user:

·     Telnet.

·     FTP.

·     SSH.

·     NETCONF over SOAP.

·     NETCONF over RESTful.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Offline time

Time when the user went offline.

Offline reason

This field is not supported in the current software version.

Reason that the user went offline.

Related commands

reset aaa offline-record

display aaa online-fail-record

Use display aaa online-fail-record to display user online failure records.

Syntax

display aaa online-fail-record { access-type login | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa online-fail-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa online-fail-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays user online failure records for all cards.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user online failure records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user online failure records generated on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user online failure records. If you do not specify this keyword, the command displays detailed information about user online failure records.

count count: Specifies the number of user online failure records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user online failure records. This command displays the most recent user online failure records that match the specified criteria in reverse chronological order.

If user online failure records exist in the system, you can use this command to display the records regardless of whether user online failure recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user online failure records for all users.

If the usernames that the server sends to the device include invisible characters, for the device to display records for users with such usernames, you must specify the fuzzy-match keyword in this command.

Examples

# Display detailed information about the most recent two online failure records for login users that use the username aaa.

<Sysname> display aaa online-fail-record username aaa access-type login count 2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: 100/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2020/01/02 15:20:37

Online failure reason: Authentication failed.

Server reply message: no user exists.

 

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2020/01/02 15:20:33

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display brief information about user online failure records generated from 2020-02-01 13:20:50 to 2020-02-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 17:20:30 date 2020/2/1 2020/2/2 brief

Username: aaa

MAC address: -

IP address: 19.19.0.2

IPv6 address: -

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display detailed information about user online failure records generated from 2020-02-01 13:20:50 to 2020-02-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 17:20:30 date 2020/2/1 2020/2/2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2020/02/02 16:20:33

Online failure reason: Authentication failed.

Server reply message: no user exists.

 

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: HundredGigE1/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2020/02/01 15:20:51

Online failure reason: Authentication failed.

Server reply message: no user exists.

Table 3 Command output

Field

Description

Total count

Total number of matching user online failure records.

Username

Name of the user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the user's MAC address.

Access type

Access type of the user:

·     Telnet.

·     FTP.

·     SSH.

·     NETCONF over SOAP.

·     NETCONF over RESTful.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Online failure reason

Reason that the user failed to come online.

Server reply message

This field is not supported in the current software version.

Message that the server returned for the failed online request, for example, the reason it rejected the user.

 
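The online failure records are the device's own view of failed logins, so they are a natural input for brute-force and credential-stuffing detection. The script below is an added example, not H3C code: it parses the record format shown above into dictionaries, counts authentication failures per source address, and also surfaces usernames that contain invisible characters, which the device only matches with the fuzzy-match keyword. The embedded output is constructed from the sample records in this section plus two made-up records (one from a second username, one with a tab inside the username); the threshold of two failures is an assumption. In practice you would capture the command output over SSH or pull it from syslog instead of embedding it.

```python
"""Parse `display aaa online-fail-record` output and flag repeated failures (added example)."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: two records copied from the section above, two added.
SAMPLE = """\
Username: aaa
Domain: test
MAC address: -
Access type: Telnet
Access interface: HundredGigE1/0/1
SVLAN/CVLAN: 100/-
IP address: 19.19.0.1
IPv6 address: -
Online request time: 2020/01/02 15:20:37
Online failure reason: Authentication failed.
Server reply message: no user exists.

Username: aaa
Domain: test
MAC address: -
Access type: Telnet
Access interface: HundredGigE1/0/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.2
IPv6 address: -
Online request time: 2020/01/02 15:20:33
Online failure reason: Authentication failed.
Server reply message: no user exists.

Username: root
Domain: test
MAC address: -
Access type: SSH
Access interface: HundredGigE1/0/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.2
IPv6 address: -
Online request time: 2020/01/02 15:21:05
Online failure reason: Authentication failed.
Server reply message: no user exists.

Username: bob\tx
Domain: test
MAC address: -
Access type: SSH
Access interface: HundredGigE1/0/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.3
IPv6 address: -
Online request time: 2020/01/02 15:22:40
Online failure reason: Authentication failed.
Server reply message: no user exists.
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per record; records are separated by a blank line.

    Splitting on the first colon keeps values such as 'Online request time'
    (which themselves contain colons) intact."""
    records: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        records.append(cur)
    return records


def failures_by_source(records: List[Dict[str, str]]) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count 'Authentication failed' records per source address and collect usernames tried."""
    counts: Counter = Counter()
    names: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if not r.get("Online failure reason", "").startswith("Authentication failed"):
            continue
        src = r.get("IP address", "-")
        if src == "-":                       # IPv4 unknown: fall back to the IPv6 field
            src = r.get("IPv6 address", "-")
        counts[src] += 1
        names[src].add(r.get("Username", ""))
    return counts, names


def suspicious_sources(records: List[Dict[str, str]], threshold: int = 2) -> Dict[str, List[str]]:
    """Sources with at least `threshold` failures, with the sorted usernames they tried."""
    counts, names = failures_by_source(records)
    return {src: sorted(names[src]) for src, n in counts.items() if n >= threshold}


def unprintable_usernames(records: List[Dict[str, str]]) -> List[str]:
    """Usernames containing control or other invisible characters; exact-match
    queries on the device miss these, so query them with fuzzy-match."""
    return [r["Username"] for r in records
            if any(not c.isprintable() for c in r.get("Username", ""))]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("suspicious:", suspicious_sources(recs))
    print("odd usernames:", [repr(u) for u in unprintable_usernames(recs)])
```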

Related commands

reset aaa online-fail-record

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

 

Domain: system

  Current state: Active

  State configuration: Active

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Offline

  Send accounting update: Yes

  Service type: HSI

  Session time: Exclude idle time

  DHCPv6-follow-IPv6CP timeout: Not configured

  Dual-stack accounting method: Merge

  NAS-ID: N/A

  Web server URL              : Not configured

  Web server URL parameters   : Not configured

  Web server IPv4 address     : Not configured

  Web server IPv6 address     : Not configured

  Authorization attributes:

    Idle cut: Disabled

    IGMP access limit: 4

    MLD access limit: 4

 

Domain: dm

  Current state: Active

  State configuration: Blocked during specific time ranges

    Time ranges:

      t1

      t2

    Online-user logoff: Disabled

  Login   authentication scheme:  RADIUS=rad

  Login   authorization  scheme:  HWTACACS=hw

  Super   authentication scheme:  RADIUS=rad

  Command authorization  scheme:  HWTACACS=hw

  Default authentication scheme:  RADIUS=rad, Local, None

  Default authorization  scheme:  Local

  Default accounting     scheme:  None

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Offline

  Service type: HSI

  Session time: Include idle time

  Dual-stack accounting method: Merge

  NAS-ID: test

  Web server URL              : Not configured

  Web server URL parameters   : Not configured

  Web server IPv4 address     : Not configured

  Web server IPv6 address     : Not configured

  Authorization attributes:

    Idle cut: Disabled

    IGMP access limit: 4

    MLD access limit:  4

    User group: ugg

    VPN instance: vpn1

 

Default domain name: system

Table 4 Command output

Field

Description

Domain

ISP domain name.

Current state

Current state of the ISP domain:

·     Blocked.

·     Active.

State configuration

State settings of the ISP domain:

·     Active—The ISP domain is set to the active state.

·     Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges.

·     Blocked—The ISP domain is set to the blocked state.

Time ranges

Time ranges during which the ISP domain is in blocked state.

Online-user logoff

This field is not supported in the current software version.

Status for the feature of logging off online users when the state of the ISP domain changes to blocked:

·     Enabled.

·     Disabled.

Default authentication scheme

Default authentication methods.

Default authorization scheme

Default authorization methods.

Default accounting scheme

Default accounting methods.

Login authentication scheme

Authentication methods for login users.

Login authorization scheme

Authorization methods for login users.

Login accounting scheme

Accounting methods for login users.

Super authentication scheme

Authentication methods for obtaining another user role without reconnecting to the device.

Command authorization scheme

Command line authorization methods.

Command accounting scheme

Command line accounting methods.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Accounting start failure action

This field is not supported in the current software version.

Access control for users that encounter accounting-start failures:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting update failure max-times

This field is not supported in the current software version.

Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.

Accounting update failure action

This field is not supported in the current software version.

Access control for users that have failed all their accounting-update attempts:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting quota out policy

This field is not supported in the current software version.

Access control for users that have used up their accounting quotas:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Send accounting update

Whether to send accounting-update packets to refresh users' data quotas:

·     Yes.

·     No.

Service type

This field is not supported in the current software version.

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

DHCPv6-follow-IPv6CP timeout

This field is not supported in the current software version.

IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users.

This field displays Not Configured if no IPv6 address wait timer is set for PPPoE or L2TP users.

NAS-ID

NAS-ID of the device.

This field displays N/A if no NAS-ID is set in the ISP domain.

Web server URL

This field is not supported in the current software version.

URL of the Web server.

Web server URL parameters

This field is not supported in the current software version.

Parameters added to the URL of the Web server.

Web server IPv4 address

This field is not supported in the current software version.

IPv4 address of the Web server.

Web server IPv6 address

This field is not supported in the current software version.

IPv6 address of the Web server.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle cut

This field is not supported in the current software version.

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

User group

Authorization user group for users.

VPN instance

Name of the authorization VPN instance for users.

IGMP access limit

This field is not supported in the current software version.

Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.

MLD access limit

This field is not supported in the current software version.

Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

Format 1:

domain name isp-name

undo domain name isp-name

Format 2:

domain isp-name

undo domain isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

Format 1:

name isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Format 2:

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test]

Related commands

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users whose usernames do not include a domain name are assigned to the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default ISP domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

The device chooses an authentication domain for each user in the following order:

1.     The authentication domain specified for the access module.

2.     The ISP domain in the username.

3.     The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

NOTE:

Support for the authentication domain configuration depends on the access module.
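As an added example that is not part of this reference, the following Python model applies the domain name rules of the domain and domain if-unknown commands, splits a pure-username@domain-name username, and walks the three-step selection order with the if-unknown fallback described above. Function names, the lowercased comparison of case-insensitive domain names, and the assumption that the if-unknown domain itself must exist are choices of this example.

```python
"""Added example (not H3C code): ISP domain name validation, username
splitting and the authentication-domain selection order."""
from typing import Optional

# Characters an ISP domain name may not contain (domain command, formats 1 and 2).
_FORBIDDEN = set('/\\|":*?<>@')

# Format 2 also rejects every prefix of "default" and "if-unknown"
# (d, de, ..., default; i, if, ..., if-unknown).
_RESERVED = {"default"[:i] for i in range(1, len("default") + 1)} | \
            {"if-unknown"[:i] for i in range(1, len("if-unknown") + 1)}


def is_valid_domain_name(name: str) -> bool:
    """Return True if name is acceptable to 'domain isp-name' (format 2)."""
    if not 1 <= len(name) <= 255:
        return False
    if any(ch in _FORBIDDEN for ch in name):
        return False
    # Domain names are case-insensitive, so compare the reserved list lowercased.
    return name.lower() not in _RESERVED


def split_username(username: str) -> tuple:
    """Split 'pure-username@domain-name' into (pure, domain or None).

    Neither the pure username nor the domain name may contain '@',
    so at most one '@' can appear in the full username.
    """
    if "@" not in username:
        return username, None
    if username.count("@") > 1:
        raise ValueError("username may contain at most one '@'")
    pure, domain = username.split("@", 1)
    if not pure or not domain:
        raise ValueError("pure username and domain name must both be non-empty")
    return pure, domain


def select_domain(username: str,
                  configured_domains: set,
                  access_module_domain: Optional[str] = None,
                  default_domain: str = "system",
                  if_unknown_domain: Optional[str] = None) -> Optional[str]:
    """Return the ISP domain used to authenticate the user, or None when
    authentication fails because no usable domain exists.

    Order: 1) domain bound to the access module, 2) domain carried in the
    username, 3) the device's default domain. If the chosen domain does not
    exist, fall back to the if-unknown domain when one is configured
    (assumption: that domain must itself exist on the device).
    """
    existing = {d.lower() for d in configured_domains}
    _, user_domain = split_username(username)
    chosen = access_module_domain or user_domain or default_domain
    if chosen.lower() in existing:
        return chosen.lower()
    if if_unknown_domain and if_unknown_domain.lower() in existing:
        return if_unknown_domain.lower()
    return None
```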

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

local-server log change-password-prompt

Use local-server log change-password-prompt to enable password change prompt logging.

Use undo local-server log change-password-prompt to disable password change prompt logging.

Syntax

local-server log change-password-prompt

undo local-server log change-password-prompt

Default

Password change prompt logging is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to enhance the protection of passwords for Telnet, SSH, HTTP, HTTPS, NETCONF over SSH, and NETCONF over SOAP users and improve system security.

This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.

A password is a weak password if it does not meet the following requirements:

·     Password composition restriction configured by using the password-control composition command.

·     Minimum password length restriction set by using the password-control length command.

·     Password complexity checking policy configured by using the password-control complexity command.

For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:

·     The current password of the user is the default password or has expired.

·     The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.

The device will no longer generate password change prompt logs for a user when one of the following conditions exists:

·     The password change prompt logging feature is disabled.

·     The user has changed the password and the new password meets the password control requirements.

·     The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.

·     The password composition policy or the minimum password length has changed.

You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."
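As an added example that is not part of this reference, the following Python function evaluates a password against the three weak-password criteria listed above; the complexity checks follow the definitions given for the Password complexity field of display local-user (the password contains the username or its reverse, or any character repeated three or more times in a row). The policy thresholds, the four character classes, the rule that a class counts only when it meets the per-class minimum, and the case-insensitive username match are assumptions of this example.

```python
"""Added example (not H3C code): weak-password evaluation in the spirit of
the password-control length, composition and complexity checks."""
import re
from dataclasses import dataclass

TOO_SHORT = "shorter than {} characters"
COMPOSITION = "fewer than {} character types with at least {} characters each"
CONTAINS_USER = "contains the username or its reverse"
REPEATED = "contains a character repeated three or more times consecutively"


@dataclass
class PasswordPolicy:
    # Illustrative thresholds; the real values come from password-control.
    min_length: int = 10          # password-control length
    min_type_count: int = 2       # composition: number of character types
    min_per_type: int = 1         # composition: characters from each type
    check_username: bool = True   # complexity: username / reversed username
    check_repeats: bool = True    # complexity: character repeated 3+ times


def _char_classes(password: str) -> dict:
    """Count characters per class. Assumption: the classes are uppercase,
    lowercase, digits and all other visible characters."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def weak_password_reasons(password: str, username: str,
                          policy: PasswordPolicy) -> list:
    """Return the list of policy requirements the password fails.
    An empty list means the password is not weak under this policy."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(TOO_SHORT.format(policy.min_length))
    counts = _char_classes(password)
    # A class counts toward the type requirement only if it meets the
    # per-class minimum (assumption about how the two limits combine).
    satisfied = sum(1 for n in counts.values() if n >= policy.min_per_type)
    if satisfied < policy.min_type_count:
        reasons.append(COMPOSITION.format(policy.min_type_count,
                                          policy.min_per_type))
    if policy.check_username and username:
        low, user = password.lower(), username.lower()
        if user in low or user[::-1] in low:
            reasons.append(CONTAINS_USER)
    if policy.check_repeats and re.search(r"(.)\1\1", password):
        reasons.append(REPEATED)
    return reasons


def is_weak(password: str, username: str, policy: PasswordPolicy) -> bool:
    """True when a change-password prompt would be warranted."""
    return bool(weak_password_reasons(password, username, policy))
```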

Examples

# Enable password change prompt logging.

<Sysname> system-view

[Sysname] local-server log change-password-prompt

Related commands

display password-control

password-control composition

password-control length

nas-id

Use nas-id to set the NAS-ID in an ISP domain.

Use undo nas-id to delete the NAS-ID from an ISP domain.

Syntax

nas-id nas-identifier

undo nas-id

Default

No NAS-ID is set in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

Examples

# Set the NAS-ID to test for ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] nas-id test

reset aaa normal-offline-record

Use reset aaa normal-offline-record to clear all user normal offline records.

Syntax

reset aaa normal-offline-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user normal offline records in memory and does not automatically clear the records unless the device reboots. To prevent the records from overusing the memory, use this command to clear all user normal offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user normal offline records.

<Sysname> reset aaa normal-offline-record

Related commands

display aaa normal-offline-record

reset aaa offline-record

Use reset aaa offline-record to clear all user offline records.

Syntax

reset aaa offline-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user offline records in memory and does not automatically clear the records unless the device reboots. To prevent the records from overusing the memory, use this command to clear all user offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user offline records.

<Sysname> reset aaa offline-record

Related commands

display aaa offline-record

reset aaa online-fail-record

Use reset aaa online-fail-record to clear all user online failure records.

Syntax

reset aaa online-fail-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user online failure records in memory and does not automatically clear the records unless the device reboots. To prevent the records from overusing the memory, use this command to clear all user online failure records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user online failure records.

<Sysname> reset aaa online-fail-record

Related commands

display aaa online-fail-record

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device does not include the idle timeout period in the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. The idle timeout period is assigned to users by the authorization server after the users pass authentication.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

·     If the session-time include-idle-time command is used, the user's online duration sent to the server includes the idle timeout period. The online duration that is generated on the server is longer than the actual online duration of the user.

·     If the undo session-time include-idle-time command is used, the user's online duration sent to the server excludes the idle timeout period. The online duration that is generated on the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block [ time-range ] }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. This keyword takes effect on all types of users except the SSH users that perform publickey authentication.

time-range: Places the ISP domain in blocked state based on time ranges. If you specify the block keyword but do not specify the time-range keyword, the ISP domain is always placed in blocked state.

Usage guidelines

To block an ISP domain based on time ranges, specify the time-range keyword in this command, and specify time ranges by using the state block time-range name command.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block

Related commands

display domain

state block time-range name

state block time-range name

Use state block time-range name to specify time ranges during which an ISP domain is placed in blocked state.

Use undo state block time-range name to delete time ranges for placing an ISP domain in blocked state.

Syntax

state block time-range name time-range-name

undo state block time-range { all | name time-range-name }

Default

No time ranges are specified for placing an ISP domain in blocked state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. The string must begin with a letter and cannot be all.

all: Specifies all time ranges.

Usage guidelines

The specified time ranges take effect only when the device is configured to block an ISP domain based on time ranges. To configure the device to block the ISP domain based on time ranges, use the state block time-range command.

You can repeat this command to specify multiple time ranges.

Examples

# Specify time ranges t1 and t2 for placing ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block time-range name t1

[Sysname-isp-test] state block time-range name t2

Related commands

state

time-range (ACL and QoS Command Reference)

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 for users using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { idle-cut minutes | user-role role-name | work-directory directory-name } *

undo authorization-attribute { idle-cut | user-role role-name | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

For SSH, Telnet, and terminal users, only the authorization attributes idle-cut and user-role take effect.

For HTTP and HTTPS users, only the authorization attribute user-role takes effect.

For FTP users, only the authorization attributes user-role and work-directory take effect.

For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

When you specify an authorization ACL, the authorization ACL is invalid if it does not exist or does not contain rules.

To make sure the user has only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see configuring the information center in System Management Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

·     When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | http | https | ssh | telnet | terminal } | state { active | block } | user-name user-name class manage | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

○     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

○     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 1 local users matched.

 

Device management user root:

  State:                      Active

  Service type:               SSH/Telnet/Terminal

  Access limit:               Enabled

  Max access number:          3

  Current access number:      1

  User group:                 system

  Bind attributes:

  Authorization attributes:

    Work directory:           flash:

    User role list:           network-admin

  Password control configurations:

    Password aging:           3 days

  Password history was last reset: 0 days ago

  Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds

 

Table 5 Command output

Field

Description

State

Status of the local user: active or blocked.

Service type

Service types that the local user can use.

Access limit

Whether the concurrent login limit is enabled.

Max access number

Maximum number of concurrent logins using the local user name.

Current access number

Current number of concurrent logins using the local user name.

User group

Group to which the local user belongs.

Bind attributes

Binding attributes of the local user.

Authorization attributes

Authorization attributes of the local user.

Idle timeout

Idle timeout period of the user, in minutes.

Work directory

Directory that the FTP, SFTP, or SCP user can access.

User role list

Authorized roles of the local user.

IP pool

IPv4 pool authorized to the local user.

VPN instance

Authorization VPN instance for the local user.

Password control configurations

Password control attributes that are configured for the local user.

Password aging

Password expiration time.

Password length

Minimum number of characters that a password must contain.

Password composition

Password composition policy:

·     Minimum number of character types that a password must contain.

·     Minimum number of characters from each type in a password.

Password complexity

Password complexity checking policy:

·     Reject a password that contains the username or the reverse of the username.

·     Reject a password that contains any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user that failed to log in after using up all login attempts.

Password history was last reset

The most recent time that the history password records were cleared.

Password remaining lifetime

Remaining aging time for the password.

 
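As an added example that is not part of this reference, the following Python script parses the display local-user output format shown above into one record per device management user and flags accounts a reviewer would want to look at: network-admin accounts with no concurrent login limit, and passwords whose remaining lifetime is less than a day. The sample text is constructed (the first block mirrors the output above, the second account is made up), and the "Disabled" value for Access limit and the role list separator are assumptions.

```python
"""Added example (not H3C code): parse display local-user output and
audit the resulting local user records."""
import re
from typing import Dict, Optional

# Constructed sample. The root block mirrors the output in the text; the
# backup-op block is invented to exercise the checks.
SAMPLE = """\
Total 2 local users matched.

Device management user root:
  State:                      Active
  Service type:               SSH/Telnet/Terminal
  Access limit:               Enabled
  Max access number:          3
  Current access number:      1
  User group:                 system
  Bind attributes:
  Authorization attributes:
    Work directory:           flash:
    User role list:           network-admin
  Password control configurations:
    Password aging:           3 days
  Password history was last reset: 0 days ago
  Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds

Device management user backup-op:
  State:                      Active
  Service type:               FTP/Telnet
  Access limit:               Disabled
  User group:                 system
  Bind attributes:
  Authorization attributes:
    Work directory:           flash:
    User role list:           network-admin
  Password control configurations:
    Password aging:           3 days
  Password remaining lifetime: 0 days 5 hours 0 minutes 0 seconds
"""

_USER_HDR = re.compile(r"^Device management user (.+):$")
_LIFETIME = re.compile(r"(\d+) days? (\d+) hours? (\d+) minutes? (\d+) seconds?")

NO_LOGIN_LIMIT = "network-admin account without a concurrent login limit"
EXPIRING = "password expires within a day"


def parse_local_users(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten each user block into a key -> value dict.

    Nested lines (Work directory, User role list, ...) are kept at the
    same level as the top-level fields; section headers such as
    'Authorization attributes:' are stored with an empty value.
    """
    users: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Total "):
            continue
        m = _USER_HDR.match(line)
        if m:
            current = users.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        # partition on the first colon so values like 'flash:' survive
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return users


def lifetime_seconds(value: str) -> Optional[int]:
    """Convert '2 days 12 hours 30 minutes 30 seconds' to seconds."""
    m = _LIFETIME.search(value)
    if not m:
        return None
    d, h, mi, s = map(int, m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def audit(users: Dict[str, Dict[str, str]],
          min_remaining: int = 86400) -> Dict[str, list]:
    """Return {username: [findings]} for accounts that need attention."""
    findings: Dict[str, list] = {}
    for name, u in users.items():
        issues = []
        # Assumption: multiple roles are separated by '/', like service types.
        roles = [r for r in re.split(r"[/\s,]+", u.get("User role list", "")) if r]
        if "network-admin" in roles and u.get("Access limit") != "Enabled":
            issues.append(NO_LOGIN_LIMIT)
        secs = lifetime_seconds(u.get("Password remaining lifetime", ""))
        if secs is not None and secs < min_remaining:
            issues.append(EXPIRING)
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(parse_local_users(SAMPLE)).items():
        print(user, "->", "; ".join(issues))
```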

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

 

User group: system

  Group ID: 1

  Authorization attributes:

    Work directory:          flash:

User group: jj

  Group ID: 2

  Authorization attributes:

    Idle timeout:            2 minutes

    Work directory:          flash:/

  Password control configurations:

    Password aging:          2 days

Table 6 Command output

Field

Description

User group

User group name.

Authorization attributes

Authorization attributes of the user group.

Idle timeout

Idle timeout period, in minutes.

Work directory

Directory that FTP, SFTP, or SCP users in the group can access.

IP pool

IPv4 pool authorized to the user group.

VPN instance

Authorization VPN instance for the user group.

Password control configurations

Password control attributes that are configured for the user group.

Password aging

Password expiration time.

Password length

Minimum number of characters that a password must contain.

Password composition

Password composition policy:

·     Minimum number of character types that a password must contain.

·     Minimum number of characters from each type in a password.

Password complexity

Password complexity checking policy:

·     Reject a password that contains the username or the reverse of the username.

·     Reject a password that contains any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user that failed to log in after using up all login attempts.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class manage ]

undo local-user { user-name class manage | all [ class manage | service-type { ftp | http | https | ssh | telnet | terminal } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the username of the local user, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

○     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

○     Cannot be a substring of all or auto-delete that starts with character a (for example, a, al, all, au, aut, auto, or auto-).

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

In local authentication, a username and user type together uniquely identify a local user. The username is matched against the pure username parsed from the username entered by the user. The user type restricts the service types that the user can use.

The device supports multiple local users. The maximum number of device management users is 1024.

If the local username contains Chinese characters, make sure the endpoint software used at device login adopts the same character set encoding format as the device. If they use different encoding formats, the username cannot be correctly decoded on the device, which might cause local authentication failure. To view the encoding format used by the device, execute the display character-encoding command.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

Related commands

display local-user

display character-encoding (Fundamentals Command Reference)

service-type

password

Use password to configure a password for a device management user.

Use undo password to restore the default.

Syntax

password [ { hash | simple } string ]

undo password

Default

A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Device management user view

Predefined user roles

network-admin

Parameters

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in hashed form.

string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters. Supported characters are all visible characters except the question mark (?). Visible characters correspond to the ASCII codes in the range of 32 to 126. To include a quotation mark (") or backslash (\) in the password, you must add an escape character (\) before the quotation mark or backslash. That is, enter \" to represent a quotation mark and enter \\ to represent a backslash. To include spaces in the password, you must enclose the entire password string in a pair of quotation marks ("").

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

When global password control is enabled, the device handles passwords of device management users as follows:

·     All passwords in the history records are saved in hashed form.

·     If a user changes their own password in plaintext form, the system requests the user to enter the current plaintext password. The new password must be different from all passwords in the history records and the current password. In addition, the new password must have a minimum of four characters different from the current password.

·     If a user changes the password for another user in plaintext form, the new password must be different from all passwords in that user's history records and that user's current password.

·     If a user deletes their own password, the system requests the user to enter the current plaintext password.

·     In situations other than those listed above, the system neither requests the user to enter the current plaintext password nor compares the new password with the passwords in the history records and the current password.
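The password string rules in the Parameters section and the password control checks above, worked through as an added Python example (this is not H3C code): parse_cli_password decodes a password as typed on the CLI and enforces the visible-ASCII, question-mark, escape and quoting rules, and LocalUserPasswords applies the current-password, history and four-character checks. The salted PBKDF2 hash, the handling of a user that has no password yet, and the way "four characters different" is counted (positions whose characters differ, plus any length difference) are assumptions, not details taken from the reference.

```python
import hashlib
import secrets

MAX_PLAINTEXT_LEN = 63   # plaintext form: 1 to 63 characters (from the reference)
MIN_DIFFERENT_CHARS = 4  # self-service change: at least 4 characters must differ

REUSED = "new password matches the current password or a password in the history"
TOO_SIMILAR = f"new password must differ from the current one in at least {MIN_DIFFERENT_CHARS} characters"
BAD_CURRENT = "current password does not match"


def parse_cli_password(token: str) -> str:
    """Decode a password as typed on the CLI into the raw value the device stores.

    Rules from the reference: visible ASCII only (codes 32 to 126) except '?',
    \\" and \\\\ stand for '"' and '\\', and a password containing spaces must be
    enclosed in a pair of quotation marks. Raises ValueError on a violation.
    """
    if not token:
        raise ValueError("password must not be empty")
    for ch in token:
        if not 32 <= ord(ch) <= 126:
            raise ValueError(f"character code {ord(ch)} is not a visible ASCII character")
        if ch == "?":
            raise ValueError("question mark is not allowed")
    body = token
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        body = token[1:-1]          # quoted form: spaces are allowed inside
    elif " " in token:
        raise ValueError("a password containing spaces must be enclosed in quotation marks")
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":              # escape: the next character must be " or \
            if i + 1 >= len(body) or body[i + 1] not in '"\\':
                raise ValueError('write \\\\ for a backslash and \\" for a quotation mark')
            out.append(body[i + 1])
            i += 2
        elif ch == '"':
            raise ValueError('quotation mark must be written as \\"')
        else:
            out.append(ch)
            i += 1
    raw = "".join(out)
    if not 1 <= len(raw) <= MAX_PLAINTEXT_LEN:
        raise ValueError(f"plaintext password must be 1 to {MAX_PLAINTEXT_LEN} characters")
    return raw


def is_valid_cli_password(token: str) -> bool:
    try:
        parse_cli_password(token)
        return True
    except ValueError:
        return False


def differing_chars(old: str, new: str) -> int:
    # Assumption: positions whose characters differ, plus any extra length.
    common = min(len(old), len(new))
    return sum(a != b for a, b in zip(old, new)) + (max(len(old), len(new)) - common)


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2 stands in for the device's unspecified hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LocalUserPasswords:
    """One device management user's current password and hashed history."""

    def __init__(self):
        self.current = None   # (salt, digest) or None when no password is set
        self.history = []     # earlier (salt, digest) pairs, hashed form only

    @staticmethod
    def _matches(record, candidate: str) -> bool:
        salt, digest = record
        return secrets.compare_digest(digest, _hash(candidate, salt))

    def _reused(self, new: str) -> bool:
        records = self.history + ([self.current] if self.current else [])
        return any(self._matches(r, new) for r in records)

    def _store(self, new: str) -> None:
        if self.current:
            self.history.append(self.current)
        salt = secrets.token_bytes(16)
        self.current = (salt, _hash(new, salt))

    def change_own_password(self, current: str, new: str) -> str:
        """Self-service change: current password required, no reuse, 4 chars must differ."""
        if self.current and not self._matches(self.current, current):
            return BAD_CURRENT
        if self._reused(new):
            return REUSED
        if self.current and differing_chars(current, new) < MIN_DIFFERENT_CHARS:
            return TOO_SIMILAR
        self._store(new)
        return "ok"

    def change_other_password(self, new: str) -> str:
        """Another user's password set by an administrator: only the reuse check applies."""
        if self._reused(new):
            return REUSED
        self._store(new)
        return "ok"

    def delete_own_password(self, current: str) -> str:
        if self.current and not self._matches(self.current, current):
            return BAD_CURRENT
        self.current = None
        return "ok"
```

The methods return "ok" or the reason a change was refused, so a script that drives the CLI can report the same outcome the device would. Running change_own_password("Secret1!", "Secret1!x") on a user whose password is Secret1! is refused with TOO_SIMILAR, because only one character differs.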

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm:

Related commands

display local-user

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | { http | https | ssh | telnet | terminal } * }

undo service-type { ftp | { http | https | ssh | telnet | terminal } * }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group named system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

aaa device-id

Use aaa device-id to configure the device ID.

Use undo aaa device-id to restore the default.

Syntax

aaa device-id device-id

undo aaa device-id

Default

The device ID is 0.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines

RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value that includes the device ID for each online user.

If you modify the device ID, the new device ID does not take effect on users that were already online when the change was made.

Examples

# Configure the device ID as 1.

<Sysname> system-view

[Sysname] aaa device-id 1

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval interval | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to restore the default.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

The device interprets the RADIUS class attribute as CAR parameters only when the attribute is in the format string1string2string3string4, where each string contains eight characters and each character is a digit from 0 to 9.

After the device interprets the RADIUS class attribute sent by a RADIUS server as CAR parameters, it carries the interpreted CAR parameters in the subsequent accounting packets sent to that server instead of carrying the original class attribute.
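The string1string2string3string4 check, as an added Python example (this is not H3C code) that also walks the standard RADIUS attribute encoding (Type, Length, Value, with Length counting the two header bytes) so that the Class attribute can be located in a packet's attribute section and malformed lengths are rejected instead of read past the buffer. The sample attribute bytes are constructed, and because the page does not say which CAR parameter each of the four strings carries, they are returned in order only.

```python
import re

USER_NAME = 1      # RADIUS attribute 1 (User-Name)
CLASS = 25         # RADIUS attribute 25 (Class)
CAR_CLASS_RE = re.compile(r"([0-9]{8})([0-9]{8})([0-9]{8})([0-9]{8})")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS AVP: Type (1 byte), Length (1 byte, includes itself and
    the type), Value. Used here only to build the constructed samples."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attributes(buf: bytes):
    """Walk an attribute section and return (type, value) pairs.
    A length below 2 or one that overruns the buffer raises ValueError."""
    attrs, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, buf[pos + 2:pos + length]))
        pos += length
    return attrs


def is_well_formed(buf: bytes) -> bool:
    try:
        decode_attributes(buf)
        return True
    except ValueError:
        return False


def parse_car_class(value):
    """Interpret a Class value in the string1string2string3string4 format: four
    strings of eight characters, every character a digit from 0 to 9.
    Anything else returns None and stays an ordinary Class attribute."""
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return None
    m = CAR_CLASS_RE.fullmatch(value)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def extract_car(attr_section: bytes):
    """CAR parameters from the first Class attribute in CAR format, else None."""
    for attr_type, value in decode_attributes(attr_section):
        if attr_type == CLASS:
            car = parse_car_class(value)
            if car is not None:
                return car
    return None


# Constructed samples, not captured traffic.
CAR_SAMPLE = (encode_attribute(USER_NAME, b"user1")
              + encode_attribute(CLASS, b"00000128000010240000025600002048"))
PLAIN_SAMPLE = (encode_attribute(USER_NAME, b"user1")
                + encode_attribute(CLASS, b"session-token-7f3a"))
```

A Class value that is 31 digits long, or that contains a non-digit, is left alone rather than partially interpreted, which mirrors the rule that only the exact four-by-eight-digit form is treated as CAR parameters.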

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 30 mac-format

Use attribute 30 mac-format to configure the format of the MAC address in the RADIUS Called-Station-Id attribute.

Use undo attribute 30 mac-format to restore the default.

Syntax

attribute 30 mac-format section { one | { six | three } separator separator-character } { lowercase | uppercase }

undo attribute 30 mac-format

Default

The MAC address in the RADIUS Called-Station-Id attribute is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

one: Specifies the one-section format HHHHHHHHHHHH.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the format of the MAC address in the RADIUS Called-Station-Id attribute to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify hhhhhhhhhhhh as the format of the MAC address in the RADIUS Called-Station-Id attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 30 mac-format section one lowercase

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the format of the MAC address in the RADIUS Calling-Station-Id attribute.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { one | six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

The MAC address in the RADIUS Calling-Station-Id attribute (attribute 31) is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

one: Specifies the one-section format HHHHHHHHHHHH.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the format of the MAC address in the RADIUS Calling-Station-Id attribute to meet the requirements of the RADIUS servers.
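How the section, separator and case settings shape the MAC address in attribute 30 and attribute 31, as an added Python example (this is not H3C code) that serves both commands. DEFAULT_MAC_FORMAT reproduces the documented default (six sections, hyphens, upper case); the one-section format has no separators, so a separator passed with it is ignored; and normalize_mac, which turns any of these renderings back into a comparable form, assumes the separator character is not itself a hex digit.

```python
import re

# Documented default: HH-HH-HH-HH-HH-HH with upper-case letters.
DEFAULT_MAC_FORMAT = ("six", "-", "uppercase")
SECTION_SIZES = {"one": 12, "three": 4, "six": 2}   # hex digits per section


def normalize_mac(mac: str) -> str:
    """Reduce any rendering to 12 lower-case hex digits so that values produced
    under different mac-format settings can be compared. Assumes the separator
    is not a hex digit."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, section: str, separator, case: str) -> str:
    """Render a MAC address as the device would place it in the attribute after
    attribute 30/31 mac-format section <section> [separator <char>] <case>."""
    if section not in SECTION_SIZES:
        raise ValueError("section must be one, three or six")
    if case not in ("lowercase", "uppercase"):
        raise ValueError("case must be lowercase or uppercase")
    if section != "one" and (separator is None or len(separator) != 1):
        raise ValueError("separator must be exactly one character")
    digits = normalize_mac(mac)
    if case == "uppercase":
        digits = digits.upper()
    size = SECTION_SIZES[section]
    parts = [digits[i:i + size] for i in range(0, 12, size)]
    return ("" if section == "one" else separator).join(parts)


def same_station(a: str, b: str) -> bool:
    """True when two renderings (possibly under different settings) name one MAC."""
    return normalize_mac(a) == normalize_mac(b)
```

same_station is the check a log-correlation script needs when the RADIUS server stores Called-Station-Id values received before and after the format was changed.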

Examples

# In RADIUS scheme radius1, specify hh:hh:hh:hh:hh:hh as the format of the MAC address in the RADIUS Calling-Station-Id attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute convert (RADIUS scheme view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

·     The source and destination RADIUS attributes in a rule must use the same data type.

·     The source and destination RADIUS attributes in a rule cannot use the same name.

·     A source RADIUS attribute can be converted only by one criterion: packet type or direction.

·     One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute of received RADIUS packets with the Connect-Info attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute convert Hw-Server-String to Connect-Info received

Related commands

attribute translate

attribute reject (RADIUS scheme view)

Use attribute reject to configure a RADIUS attribute rejection rule.

Use undo attribute reject to delete RADIUS attribute rejection rules.

Syntax

attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute reject [ attr-name ]

Default

No RADIUS attribute rejection rules exist.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

Configure RADIUS attribute rejection rules for the following purposes:

·     Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.

·     Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.

The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.

A RADIUS attribute can be rejected only by one criterion: packet type or direction.

If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
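A model of the conversion and rejection rules of the two commands above, as an added Python example (this is not H3C code): attribute_convert and attribute_reject enforce the documented restrictions and return a reason string when a rule is refused, and apply() translates one packet's attribute list only while attribute translate is enabled. ATTR_DICT is a constructed stand-in for the device's attribute dictionary; the order in which rejection and conversion are applied, and the merging of a second rule that has the same destination and criterion as an existing one, are assumptions.

```python
from dataclasses import dataclass, field

PACKET_TYPES = {"access-accept", "access-request", "accounting"}
DIRECTIONS = {"received", "sent"}

# Constructed stand-in for the device's attribute dictionary (name -> data type).
ATTR_DICT = {
    "User-Name": "string",
    "Connect-Info": "string",
    "Hw-Server-String": "string",
    "Acct-Session-Time": "integer",
    "Framed-IP-Address": "ipaddr",
}
_CANON = {name.lower(): name for name in ATTR_DICT}   # names are case-insensitive


def canonical(name: str):
    return _CANON.get(name.lower())


def _criterion(selectors):
    """Classify the keywords after a rule as one criterion: packet type or direction."""
    sel = set(selectors)
    if sel and sel <= PACKET_TYPES:
        return "packet-type", sel
    if sel and sel <= DIRECTIONS:
        return "direction", sel
    raise ValueError("selectors must be packet types or directions, not a mix")


@dataclass
class RadiusScheme:
    translate: bool = False
    convert_rules: dict = field(default_factory=dict)  # src -> [dest, criterion, values]
    reject_rules: dict = field(default_factory=dict)   # name -> [criterion, values]

    def attribute_translate(self, enable: bool = True) -> None:
        self.translate = enable

    def attribute_convert(self, src: str, dest: str, *selectors) -> str:
        src, dest = canonical(src), canonical(dest)
        if src is None or dest is None:
            return "attribute not supported by the system"
        if src == dest:
            return "source and destination attributes cannot use the same name"
        if ATTR_DICT[src] != ATTR_DICT[dest]:
            return "source and destination attributes must use the same data type"
        try:
            crit, values = _criterion(selectors)
        except ValueError as e:
            return str(e)
        existing = self.convert_rules.get(src)
        if existing and (existing[0] != dest or existing[1] != crit):
            return "source attribute is already converted by another rule"
        if existing:
            existing[2] |= values   # assumption: same dest and criterion extends the rule
        else:
            self.convert_rules[src] = [dest, crit, values]
        return "ok"

    def attribute_reject(self, name: str, *selectors) -> str:
        name = canonical(name)
        if name is None:
            return "attribute not supported by the system"
        try:
            crit, values = _criterion(selectors)
        except ValueError as e:
            return str(e)
        existing = self.reject_rules.get(name)
        if existing and existing[0] != crit:
            return "attribute is already rejected by another criterion"
        if existing:
            existing[1] |= values
        else:
            self.reject_rules[name] = [crit, values]
        return "ok"

    @staticmethod
    def _matches(crit, values, packet_type, direction) -> bool:
        return (packet_type if crit == "packet-type" else direction) in values

    def apply(self, attrs, packet_type: str, direction: str):
        """Translate one packet's (name, value) list. Rejection is checked before
        conversion (assumption). Without attribute translate nothing changes."""
        if not self.translate:
            return list(attrs)
        out = []
        for name, value in attrs:
            rej = self.reject_rules.get(name)
            if rej and self._matches(rej[0], rej[1], packet_type, direction):
                continue
            conv = self.convert_rules.get(name)
            if conv and self._matches(conv[1], conv[2], packet_type, direction):
                name = conv[0]
            out.append((name, value))
        return out
```

With the two rules from the examples (Hw-Server-String to Connect-Info for received packets, Connect-Info rejected in sent packets), a received Access-Accept keeps its attribute count but renames the vendor attribute, while an outgoing accounting packet loses its Connect-Info.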

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute reject Connect-Info sent

Related commands

attribute translate

attribute remanent-volume

Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.

Use undo attribute remanent-volume to restore the default.

Syntax

attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }

undo attribute remanent-volume unit

Default

The data measurement unit is kilobyte for the Remanent_Volume attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

Usage guidelines

Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.

Examples

# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands

display radius scheme

attribute translate

Use attribute translate to enable the RADIUS attribute translation feature.

Use undo attribute translate to disable the RADIUS attribute translation feature.

Syntax

attribute translate

undo attribute translate

Default

The RADIUS attribute translation feature is disabled.

Views

RADIUS DAS view

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

To cooperate with RADIUS servers of different vendors, enable the RADIUS attribute translation feature. Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides.

Examples

# Enable the RADIUS attribute translation feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute translate

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute vendor-id 2011 version

Use attribute vendor-id 2011 version to specify the version of the RADIUS servers with a vendor ID of 2011.

Use undo attribute vendor-id 2011 version to restore the default.

Syntax

attribute vendor-id 2011 version { 1.0 | 1.1 }

undo attribute vendor-id 2011 version

Default

The version is 1.0.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

1.0: Specifies version 1.0.

1.1: Specifies version 1.1.

Usage guidelines

For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version the same as the actual version of the RADIUS servers.

The following table shows the differences in the way that the device interprets the vendor-specific RADIUS attributes assigned by different versions of RADIUS servers with vendor ID 2011.

RADIUS attribute   RADIUS server with version 1.0   RADIUS server with version 1.1
HW_ARRT_26_1       Upstream peak rate               Upstream burst size
HW_ARRT_26_2       Upstream average rate            Upstream average rate
HW_ARRT_26_3       N/A                              Upstream peak rate
HW_ARRT_26_4       Downstream peak rate             Downstream burst size
HW_ARRT_26_5       Downstream average rate          Downstream average rate
HW_ARRT_26_6       N/A                              Downstream peak rate

Examples

# In RADIUS scheme radius1, specify the version of the RADIUS servers with a vendor ID of 2011 as version 1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute vendor-id 2011 version 1.1

Related commands

client

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name: radius1

  Index : 0

  Primary authentication server:

    Host name: Not configured

    IP   : 2.2.2.2                                  Port: 1812

    VPN  : vpn1

    State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)

    Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03

    Test profile: 132

      Probe username: test

      Probe interval: 60 minutes

      Probe count   : 5

      Probe eap-profile: eap1

    Weight: 40

  Primary accounting server:

    Host name: Not configured

    IP   : 1.1.1.1                                  Port: 1813

    VPN  : Not configured

    State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)

    Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03

    Weight: 40

  Second authentication server:

    Host name: Not configured

    IP   : 3.3.3.3                                  Port: 1812

    VPN  : Not configured

    State: Blocked

    Most recent blocked period: 2021/12/23 20:33:45 - now

    Test profile: Not configured

    Weight: 40

  Second accounting server:

    Host name: Not configured

    IP   : 3.3.3.3                                  Port: 1813

    VPN  : Not configured

    State: Blocked (mandatory)

    Most recent blocked period: 2021/12/23 20:33:45 - now

    Weight: 0

  Private authentication server:

    IP   : 3.3.3.3                                  Port: 1812

    VPN  : Not configured

    State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)

    Most recent blocked period: 2022/03/10 01:48:55 - 2022/03/10 01:49:03

  Private accounting server:

    IP   : 3.3.3.3                                  Port: 1813

    VPN  : Not configured

    State: Blocked (mandatory)

    Most recent blocked period: 2022/03/10 20:33:45 - now

  Accounting-On function                     : Enabled

    extended function                        : Disabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(seconds)      : 22

  Stop-accounting packets buffering          : Enabled

    Retransmission times                     : 500

  NAS IP Address                             : 1.1.1.1

  Local NAS IP Address                       : Not configured

  Peer NAS IP Address                        : Not configured

  Source IP Address                          : 1.1.1.1

  VPN                                        : Not configured

  Username format                            : with-domain

  Data flow unit                             : Megabyte

  Packet unit                                : One

  Attribute 15 check-mode                    : Strict

  Attribute 17 carry old password            : Disabled

  Attribute 25                               : CAR

  Attribute 30 MAC format                    : hh:hh:hh:hh:hh:hh

  Attribute 31 MAC format                    : hh:hh:hh:hh:hh:hh

  Remanent-Volume threshold                  : 0

  Attribute Remanent-Volume unit             : Mega

  RADIUS server version (vendor ID 2011)     : 1.0

  server-load-sharing                        : Enabled

  Stop-accounting-packet send-force          : Disabled

  Authentication response pending limit      : Not configured

  Accounting response pending limit          : Not configured

  Username authorization                     : Applied

  All-server-block action                    : Attempt the top-priority server

  Attribute 218 of vendor ID 25506           : DHCP-Option 61

                                               Format 1 (1-byte Type field)

  Reauthentication server selection          : Reselect

------------------------------------------------------------------
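A parser for the output above that extracts each server's address, port and state and lists the blocked ones, as an added Python example (this is not H3C code) for monitoring scripts that poll display radius scheme. SAMPLE_OUTPUT is a constructed, shortened copy of the output shown in the example; the field names and indentation it relies on are those visible there.

```python
import re

NAME_RE = re.compile(r"RADIUS scheme name:\s*(\S+)")
SERVER_RE = re.compile(r"^\s{2}(\S[^:]*server):\s*$")         # e.g. "  Primary accounting server:"
IP_PORT_RE = re.compile(r"IP\s*:\s*(\S+)\s+Port:\s*(\d+)")
STATE_RE = re.compile(r"State:\s*(Active|Blocked)(\s*\(mandatory\))?")
BLOCKED_RE = re.compile(r"Most recent blocked period:\s*(.+?)\s*$")


def parse_radius_scheme(text: str):
    """One record per server block in display radius scheme output."""
    servers, scheme, cur = [], None, None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            scheme, cur = m.group(1), None
            continue
        m = SERVER_RE.match(line)
        if m:
            cur = {"scheme": scheme, "role": m.group(1), "ip": None, "port": None,
                   "state": None, "manual": False, "blocked_period": None}
            servers.append(cur)
            continue
        if re.match(r"^\s{2}\S", line):   # a scheme-level field ends the server block
            cur = None
            continue
        if cur is None:
            continue
        if (m := IP_PORT_RE.search(line)):
            cur["ip"], cur["port"] = m.group(1), int(m.group(2))
        elif (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)
            cur["manual"] = m.group(2) is not None   # "Blocked (mandatory)" = set by hand
        elif (m := BLOCKED_RE.search(line)):
            cur["blocked_period"] = m.group(1)
    return servers


def blocked_servers(text: str):
    """Servers currently in blocked state, automatic or manual, for alerting."""
    return [s for s in parse_radius_scheme(text) if s["state"] == "Blocked"]


# Constructed sample modeled on the display radius scheme output above.
SAMPLE_OUTPUT = """\
Total 1 RADIUS schemes

------------------------------------------------------------------
RADIUS scheme name: radius1
  Index : 0
  Primary authentication server:
    Host name: Not configured
    IP   : 2.2.2.2                                  Port: 1812
    VPN  : vpn1
    State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)
    Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03
    Weight: 40
  Primary accounting server:
    Host name: Not configured
    IP   : 1.1.1.1                                  Port: 1813
    VPN  : Not configured
    State: Active (duration: 0 weeks, 0 days, 0 hours, 0 minutes, 42 seconds)
    Most recent blocked period: 2021/12/23 01:48:55 - 2021/12/23 01:49:03
    Weight: 40
  Second authentication server:
    Host name: Not configured
    IP   : 3.3.3.3                                  Port: 1812
    VPN  : Not configured
    State: Blocked
    Most recent blocked period: 2021/12/23 20:33:45 - now
    Weight: 40
  Second accounting server:
    Host name: Not configured
    IP   : 3.3.3.3                                  Port: 1813
    VPN  : Not configured
    State: Blocked (mandatory)
    Most recent blocked period: 2021/12/23 20:33:45 - now
    Weight: 0
  Accounting-On function                     : Enabled
  NAS IP Address                             : 1.1.1.1
------------------------------------------------------------------
"""
```

The manual flag separates a server an operator blocked on purpose from one the device blocked after it stopped answering, which is the case worth alerting on; the blocked_period string gives the start time to correlate with server-side logs.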

Table 7 Command output

Field

Description

Index

Index number of the RADIUS scheme.

Primary authentication server

Information about the primary authentication server.

Primary accounting server

Information about the primary accounting server.

Second authentication server

Information about the secondary authentication server.

Second accounting server

Information about the secondary accounting server.

Private authentication server

Information about the private authentication server.

Private accounting server

Information about the private accounting server.

Host name

Host name of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port number of the server. If no port number is specified, this field displays the default port number.

VPN

MPLS L3VPN instance to which the server or the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured.

State

Status of the server:

·     Active—The server is in active state.

·     Blocked—The server is changed to blocked state automatically.

·     Blocked (mandatory)—The server is set to blocked state manually.

duration

The duration of the current active state for the server. This field is displayed only when the server is in active state.

Most recent blocked period

Start time and end time of the most recent period during which the server stayed in blocked state. If the server still remains in blocked state, now is displayed for the end time.

Most recent state changes

Most recent five state changes of the server.

Test profile

Test profile used for RADIUS server status detection.

Probe username

Username used for RADIUS server status detection.

Probe interval

Server status probe interval, in minutes.

Probe count

Number of consecutive probe intervals that the device takes to determine the reachability of a RADIUS server.

Probe eap-profile

EAP profile specified for RADIUS server status detection.

This field is not available if no EAP profile is specified in the test profile for RADIUS server status detection.

Weight

Weight value of the RADIUS server.

Accounting-On function

Whether the accounting-on feature is enabled.

extended function

This field is not supported in the current software version.

Whether the extended accounting-on feature is enabled.

retransmission times

Number of accounting-on packet transmission attempts.

retransmission interval(seconds)

Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)

RADIUS server response timeout period, in seconds.

Retransmission times

Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update

Maximum number of accounting attempts.

Server Quiet Period(minutes)

Quiet period for the servers, in minutes.

Realtime Accounting Interval(seconds)

Interval for sending real-time accounting updates, in seconds.

Stop-accounting packets buffering

Whether buffering of RADIUS stop-accounting requests that received no response is enabled.

Retransmission times

Maximum number of transmission attempts for individual RADIUS stop-accounting requests.

NAS IP Address

NAS IP address of RADIUS packets.

This field displays Not configured if no NAS IP addresses are specified for RADIUS packets.

Local NAS IP Address

NAS IP address of RADIUS packets sent for users that access the network through M-LAG interfaces on the local M-LAG member device.

If a source interface is specified to provide the NAS IP address, this field displays Provided by local interface xxx.

This field displays Not configured if no local NAS IP address is configured.

Peer NAS IP Address

NAS IP address of RADIUS packets sent for users that access the network through M-LAG interfaces on the peer M-LAG member device.

If a source interface is specified to provide the NAS IP address, this field displays Provided by peer interface xxx.

This field displays Not configured if no peer NAS IP address is configured.

Source IP address

Source IP address for outgoing RADIUS packets. This field displays Not configured if no source IP addresses are specified.

Username format

Format for the usernames sent to the RADIUS server:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flow.

Packet unit

Measurement unit for packets.

Attribute 15 check-mode

RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Attribute 17 carry old password

Status of online user password change by using RADIUS attribute 17:

·     Enabled—Online user password change by using RADIUS attribute 17 is enabled. The device uses RADIUS attribute 17 to carry a user's old password.

·     Disabled—Online user password change by using RADIUS attribute 17 is disabled.

Attribute 25

RADIUS attribute 25 interpretation status:

·     Standard—The attribute is not interpreted as CAR parameters.

·     CAR—The attribute is interpreted as CAR parameters.

Attribute 30 MAC format

Format of the MAC address in the RADIUS Called-Station-Id attribute.

Attribute 31 MAC format

Format of the MAC address in the RADIUS Calling-Station-Id attribute.

Remanent-Volume threshold

Available data threshold. The unit for the threshold is the same as the data measurement unit for the RADIUS Remanent_Volume attribute.

Attribute Remanent-Volume unit

Data measurement unit for the RADIUS Remanent_Volume attribute.

RADIUS server version (vendor ID 2011)

This field is not supported in the current software version.

Version of the RADIUS servers with a vendor ID of 2011:

·     1.0.

·     1.1.

server-load-sharing

Status of the RADIUS server load sharing feature:

·     Disabled—The feature is disabled. The device forwards traffic to the server selected based on primary and secondary server roles.

·     Enabled—The feature is enabled. The device distributes traffic among multiple servers for load sharing.

Stop-accounting-packet send-force

Whether the device is enabled to forcibly send stop-accounting packets when users go offline for whom no start-accounting packets were sent.

Authentication response pending limit

Maximum number of pending authentication requests (requests for which no responses are received from the authentication server).

If the maximum number of pending authentication requests is not set, this field displays Not configured.

Accounting response pending limit

Maximum number of pending accounting requests (requests for which no responses are received from the accounting server).

If the maximum number of pending accounting requests is not set, this field displays Not configured.

Username authorization

Whether to allow the device to use the server-assigned usernames for AAA processes subsequent to authentication:

·     Applied—The device uses the server-assigned usernames for AAA processes subsequent to authentication.

·     Not applied—The device uses the usernames used in authentication for AAA processes subsequent to authentication.

All-server-block action

Action to take for AAA requests when all servers in the scheme are blocked:

·     Attempt the top-priority server.

·     Skip all servers in the scheme.

Attribute 218 vendor ID 25506

DHCP options encapsulated in subattribute 218 of vendor 25506 in RADIUS packets and the encapsulation format.

·     Format 1 (1-byte Type field)—The Type field of the encapsulated TLV is 1 byte long. Use this format when the device cooperates with most RADIUS servers.

·     Format 2 (2-byte Type field)—The Type field of the encapsulated TLV is 2 bytes long. Use this format when the device cooperates with HUAWEI RADIUS servers.

This field is not displayed if the device is not configured to add subattribute 218 of vendor 25506 in RADIUS packets.

Reauthentication server selection

RADIUS server selection mode in reauthentication:

·     Inherit—The device uses the RADIUS server that performed authentication for a user to reauthenticate that user.

·     Reselect—The device searches for a reachable RADIUS server to reauthenticate a user.

 

display radius server-load statistics

Use display radius server-load statistics to display authentication and accounting load statistics for all RADIUS servers.

Syntax

display radius server-load statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the following statistics:

·     Last-5-second statistics—Total number of authentication or accounting requests sent to each RADIUS server in the last 5 seconds.

·     History statistics—Total number of authentication or accounting requests sent to each RADIUS server since the device starts up.

The device collects the statistics as follows:

·     Last-5-second statistics—Starting from the time the device sends the first authentication or accounting request to a RADIUS server, the device counts the number of authentication or accounting requests sent to that server in each 5-second interval and then updates the last-5-second authentication and accounting statistics for the server.

·     History statistics—The device increases the history statistics for a RADIUS server by 1 each time it sends an authentication or accounting request to the server. The device does not decrease the history statistics even if users go offline or the server fails to respond to a request within the timeout time.

Based on the statistics, you can adjust the load on RADIUS servers by changing the sequence in which the servers are configured or the weight values of the servers.

This command displays statistics only for RADIUS servers whose IP addresses are available or can be resolved from their hostnames.

The device deletes all statistics for a RADIUS server if the server is removed from a RADIUS scheme or the server's IP address, VPN instance, or service port number changes.

If an active/standby switchover occurs, the last-5-second statistics are deleted. However, the history statistics are not deleted. The history statistics might be inaccurate.

If the device reboots, both the last-5-second statistics and the history statistics are deleted.
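The two counters described above can be read back from the command output to check whether load sharing is actually spreading requests. The following Python script is an added example, not H3C code: it parses the output format shown in the Examples below (the sample text is the one printed on this page), cross-checks the parsed rows against the "servers:" count in each section header, and reports each server's share of the last-5-second load together with any server that received no requests in that window. The idle threshold and the share calculation are an illustration of how an operator might read the statistics, not device behaviour.

```python
# Added example (not H3C code): parse 'display radius server-load statistics' output and
# summarize how the recent load is distributed across the configured servers.
import re

# Constructed copy of the command output shown on this page.
SAMPLE_OUTPUT = """\
Authentication servers: 2
IP                   VPN              Port    Last 5 sec   History
1.1.1.1              N/A              1812    20           100
2.2.2.2              ABC              1812    0            20
Accounting servers: 2
IP                   VPN              Port    Last 5 sec   History
1.1.1.1              N/A              1813    20           100
2.2.2.2              ABC              1813    0            20
"""

SECTION_RE = re.compile(r"^(Authentication|Accounting) servers:\s*(\d+)$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_server_load(text):
    """Return {'authentication': [...], 'accounting': [...]}, one dict per server row."""
    result = {"authentication": [], "accounting": []}
    declared = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            declared[section] = int(m.group(2))
            continue
        m = ROW_RE.match(line)          # the column header row never matches (Port is not numeric)
        if section and m:
            ip, vpn, port, last5, history = m.groups()
            result[section].append({
                "ip": ip,
                "vpn": None if vpn == "N/A" else vpn,   # N/A means public network
                "port": int(port),
                "last5": int(last5),
                "history": int(history),
            })
    # The header count is the device's own view; a mismatch means the output was truncated.
    for name, count in declared.items():
        if len(result[name]) != count:
            raise ValueError(f"{name}: header says {count} servers, parsed {len(result[name])}")
    return result


def load_report(servers, idle_threshold=0.0):
    """Share of the last-5-second requests per server, plus servers at or below the idle threshold.

    The threshold is an assumption for the example; the page itself only says to adjust the
    server order or weights based on the statistics."""
    total = sum(s["last5"] for s in servers)
    shares = {s["ip"]: (s["last5"] / total if total else 0.0) for s in servers}
    idle = [ip for ip, share in shares.items() if total and share <= idle_threshold]
    return {"total_last5": total, "shares": shares, "idle": idle}


if __name__ == "__main__":
    parsed = parse_server_load(SAMPLE_OUTPUT)
    for section in ("authentication", "accounting"):
        print(section, load_report(parsed[section]))
```

Because the history counters survive an active/standby switchover but the last-5-second counters do not, the recent-window share is the better signal for tuning weights right after a switchover.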

Examples

# Display authentication and accounting load statistics for all RADIUS servers.

<Sysname> display radius server-load statistics

Authentication servers: 2

IP                   VPN              Port    Last 5 sec   History

1.1.1.1              N/A              1812    20           100

2.2.2.2              ABC              1812    0            20

Accounting servers: 2

IP                   VPN              Port    Last 5 sec   History

1.1.1.1              N/A              1813    20           100

2.2.2.2              ABC              1813    0            20

Table 8 Command output

Field

Description

Authentication servers

Total number of RADIUS authentication servers.

Accounting servers

Total number of RADIUS accounting servers.

IP

IP address of a RADIUS server.

VPN

MPLS L3VPN instance to which the RADIUS server belongs.

This field displays N/A if no VPN instance is specified for the server.

Port

Service port number of the RADIUS server.

Last 5 sec

Total number of RADIUS authentication or accounting requests sent to the RADIUS server within the last 5 seconds.

History

Total number of RADIUS authentication or accounting requests sent to the RADIUS server since the device starts up.

 

Related commands

reset radius server-load statistics

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 9 Command output

Field

Description

Auth.

Authentication packets.

Acct.

Accounting packets.

SessCtrl.

Session-control packets.

Request Packet

Number of request packets.

Retry Packet

Number of retransmitted request packets.

Timeout Packet

Number of request packets timed out.

Access Challenge

Number of access challenge packets.

Account Start

Number of start-accounting packets.

Account Update

Number of accounting update packets.

Account Stop

Number of stop-accounting packets.

Terminate Request

Number of packets for logging off users forcibly.

Set Policy

Number of packets for updating user authorization information.

Packet With Response

Number of packets for which responses were received.

Packet Without Response

Number of packets for which no responses were received.

Access Rejects

Number of Access-Reject packets.

Dropped Packet

Number of discarded packets.

Check Failures

Number of packets with checksum errors.

 

Related commands

reset radius statistics

display stop-accounting-buffer (for RADIUS)

Use display stop-accounting-buffer to display information about buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Display information about RADIUS stop-accounting requests buffered for user abc to which no responses have been received.

<Sysname> display stop-accounting-buffer user-name abc

Total entries: 2

Scheme     Session ID          Username    First sending time   Attempts

rad1       1000326232325010    abc         23:27:16-08/02/2020  19

aaa        1000326232326010    abc         23:33:01-08/02/2020  20

Table 10 Command output

Field

Description

Session ID

Session ID, which is the value of attribute Acct-Session-Id.

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.

 

Related commands

reset stop-accounting-buffer (for RADIUS)

retry

retry stop-accounting (RADIUS scheme view)

stop-accounting-buffer enable (RADIUS scheme view)

user-name-format (RADIUS scheme view)

exclude

Use exclude to exclude an attribute from RADIUS requests.

Use undo exclude to cancel the configuration of excluding an attribute from RADIUS requests.

Syntax

exclude { accounting | authentication } name attribute-name

undo exclude { accounting | authentication } name attribute-name

Default

No attributes are configured to be excluded from RADIUS requests.

Views

RADIUS attribute test group view

Predefined user roles

network-admin

Parameters

accounting: Specifies RADIUS accounting requests.

authentication: Specifies RADIUS authentication requests.

name attribute-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The specified attribute must be an attribute that RADIUS requests carry by default. Attributes that you can exclude from RADIUS authentication requests include Service-Type, Framed-Protocol, NAS-Identifier, Acct-Session-Id, and NAS-Port-Type. Attributes that you can exclude from RADIUS accounting requests include NAS-Identifier, Acct-Delay-Time, Acct-Session-Id, and Acct-Terminate-Cause.

Usage guidelines

Use this command to exclude an attribute from RADIUS requests sent during an AAA test to help troubleshoot authentication or accounting failures.

Before you exclude an attribute that is already configured to be included in RADIUS requests, you must cancel the inclusion configuration by using the undo include command.

Examples

# In RADIUS attribute test group t1, exclude the Service-Type attribute from RADIUS authentication requests.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1] exclude authentication name Service-Type

Related commands

include

test-aaa

include

Use include to include an attribute in RADIUS requests.

Use undo include to cancel the configuration of including an attribute in RADIUS requests.

Syntax

include { accounting | authentication } { name attribute-name | [ vendor vendor-id ] code attribute-code } type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string } value attribute-value

undo include { accounting | authentication } { name attribute-name | [ vendor vendor-id ] code attribute-code }

Default

No attributes are configured to be included in RADIUS authentication or accounting requests.

Views

RADIUS attribute test group view

Predefined user roles

network-admin

Parameters

accounting: Specifies RADIUS accounting requests.

authentication: Specifies RADIUS authentication requests.

name attribute-name: Specifies a standard RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters.

vendor vendor-id: Specifies a vendor by its ID in the range of 1 to 65535. If the attribute is a standard RADIUS attribute, do not specify this option.

code attribute-code: Specifies a RADIUS attribute by its code in the range of 1 to 255.

type: Specifies a data type for the attribute content.

binary: Binary type.

date: Date type.

integer: Integer type.

interface-id: Interface ID type.

ip: IPv4 address type.

ipv6: IPv6 address type.

ipv6-prefix: IPv6 address prefix type.

octets: Octet type.

string: String type.

value attribute-value: Specifies the value for the attribute of the data type. The value range of the attribute-value argument varies by data type.

·     For the binary type, the value is a string of 1 to 256 hexadecimal characters, which represents a binary number with a maximum of 128 bytes.

·     For the date type, the value range is 0 to 4294967295.

·     For the integer type, the value range is 0 to 4294967295.

·     For the interface ID type, the value range is 1 to ffffffffffffffff.

·     For the IPv6 address prefix type, the value is in the format of prefix/prefix-length.

·     For the octet type, the value is a string of 1 to 256 hexadecimal characters, which represents an octet number with a maximum of 128 bytes.

·     For the string type, the value of this argument is a string of 1 to 253 characters.

Usage guidelines

Use this command to add an attribute that RADIUS requests do not carry by default to the RADIUS requests. The undo form of this command removes the attribute from the RADIUS requests.

For an attribute that RADIUS requests carry by default, you can use this command to change its value. The undo form of this command restores the attribute value to the default.

Table 11 shows the attributes that RADIUS requests carry by default.

Table 11 Attributes that RADIUS requests carry by default

Packet type

Attributes that this type of packet carries by default

RADIUS authentication request

User-Name, CHAP-Password (or User-Password), CHAP-Challenge, NAS-IP-Address (or NAS-IPv6-Address), Service-Type, Framed-Protocol, NAS-Identifier, NAS-Port-Type, and Acct-Session-Id.

RADIUS accounting request

User-Name, Acct-Status-Type, NAS-IP-Address (or NAS-IPv6-Address), NAS-Identifier, Acct-Session-Id, Acct-Delay-Time, and Acct-Terminate-Cause.

 

For the accuracy of AAA tests, the value of an attribute must be of the data type specified for that attribute.

The attribute names of standard attributes saved in the configuration file will be converted to attribute codes.

Before you include an attribute that is already configured to be excluded from RADIUS requests, you must cancel the exclusion configuration by using the undo exclude command.

Plan the RADIUS attributes to be included in RADIUS requests. Besides the attributes carried by default, the device adds the specified attributes to RADIUS packets in the order that they are specified by using the include command. Additional attributes cannot be added to a RADIUS request if the length of the RADIUS request reaches 4096 bytes.

Examples

# In RADIUS attribute test group t1, include the Calling-Station-Id attribute with value 08-00-27-00-34-D8 in RADIUS authentication requests.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1] include authentication name Calling-Station-Id type string value 08-00-27-00-34-d8

Related commands

exclude

test-aaa

include-attribute 218 vendor-id 25506

Use include-attribute 218 vendor-id 25506 to include subattribute 218 of vendor 25506 in RADIUS packets.

Use undo include-attribute 218 vendor-id 25506 to configure the device not to include subattribute 218 of vendor 25506 in RADIUS packets.

Use undo include-attribute 218 vendor-id 25506 dhcp-option to restore the default.

Syntax

include-attribute 218 vendor-id 25506 dhcp-option { 55 | 61 } * { format1 | format2 }

undo include-attribute 218 vendor-id 25506 [ dhcp-option ]

Default

The device uses format 1 to encapsulate DHCP Option 61 in subattribute 218 of vendor 25506 in RADIUS packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

dhcp-option: Specifies a DHCP option to be encapsulated in subattribute 218.

·     55: Specifies DHCP Option 55.

·     61: Specifies DHCP Option 61.

format1: Specifies encapsulation format 1 for the subattribute, in which the Type field is 1 byte long. Use this format when the device cooperates with most RADIUS servers.

format2: Specifies encapsulation format 2 for the subattribute, in which the Type field is 2 bytes long. Use this format when the device cooperates with HUAWEI RADIUS servers.

Usage guidelines

The RADIUS Vendor-Specific attribute (attribute 26) allows vendors to define extended attributes to implement functions that the standard RADIUS protocol does not provide. Vendor 25506 defines subattribute 218 to carry user DHCP option information.

To send user DHCP option information to RADIUS servers, perform this task to include subattribute 218 of vendor 25506 in outgoing RADIUS start-accounting and update-accounting requests.

In the current software version, only DHCP Option 55 and DHCP Option 61 can be carried in the subattribute.

You can repeat this command to encapsulate both DHCP Option 55 and DHCP Option 61 in the subattribute. The length of each option is limited to 246 bytes.

If you repeat this command multiple times with the same DHCP option specified, the most recent configuration takes effect.
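The include command and the include-attribute 218 vendor-id 25506 command both end up as attribute TLVs inside a RADIUS request, so the data-type value ranges, the 4096-byte request limit and the 246-byte option limit are easiest to see in an encoder. The following Python module is an added example, not H3C code: it encodes values for the data types listed under include, wraps a vendor 25506 subattribute 218 in the standard Vendor-Specific attribute (RFC 2865 section 5.26), and stops adding attributes once the request would exceed 4096 bytes. The standard attribute codes are taken from RFC 2865/2866 for the names the page uses; the inner Type/Length/Value layout of subattribute 218 (a 1-byte Type for format1, 2-byte for format2, followed by a 1-byte Length and the option value) is an assumption drawn from the page's description of the two formats, and the DHCP option contents are constructed.

```python
# Added example (not H3C code): encodes RADIUS attributes the way the include and
# include-attribute commands describe. Attribute codes come from RFC 2865/2866; the inner
# Type/Length/Value layout of subattribute 218 is an assumption drawn from the page's
# 1-byte versus 2-byte Type field description.
import ipaddress
import struct

MAX_RADIUS_PACKET = 4096   # page: no more attributes once the request reaches 4096 bytes
MAX_AVP_VALUE = 253        # RFC 2865: the 1-byte Length field counts Type + Length + Value
MAX_DHCP_OPTION = 246      # page: each encapsulated DHCP option is limited to 246 bytes
RADIUS_HEADER_LEN = 20     # Code, Identifier, Length, Authenticator
VENDOR_SPECIFIC = 26
VENDOR_25506 = 25506
SUBATTR_DHCP_OPTION = 218

# Standard attribute codes (RFC 2865/2866) for the names used on the page.
ATTR_CODE = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "Service-Type": 6,
             "Framed-Protocol": 7, "Calling-Station-Id": 31, "NAS-Identifier": 32,
             "Acct-Status-Type": 40, "Acct-Session-Id": 44, "NAS-Port-Type": 61}


def encode_value(dtype, value):
    """Encode a value according to the data types the include command accepts."""
    if dtype in ("integer", "date"):                  # 32-bit unsigned, 0 to 4294967295
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("integer/date out of range")
        return struct.pack("!I", value)
    if dtype == "interface-id":                       # 64-bit, 1 to ffffffffffffffff
        if not 1 <= value <= 0xFFFFFFFFFFFFFFFF:
            raise ValueError("interface-id out of range")
        return struct.pack("!Q", value)
    if dtype == "ip":
        return ipaddress.IPv4Address(value).packed
    if dtype == "ipv6":
        return ipaddress.IPv6Address(value).packed
    if dtype == "ipv6-prefix":                        # RFC 3162 layout: reserved, prefix-length, prefix
        net = ipaddress.IPv6Network(value, strict=False)
        return bytes([0, net.prefixlen]) + net.network_address.packed
    if dtype in ("binary", "octets"):                 # hex string representing up to 128 bytes
        raw = bytes.fromhex(value)
        if not 1 <= len(raw) <= 128:
            raise ValueError("binary/octets value must be 1 to 128 bytes")
        return raw
    if dtype == "string":                             # 1 to 253 characters
        return value.encode()
    raise ValueError(f"unknown data type {dtype}")


def encode_avp(code, raw):
    """Standard attribute TLV: Type, Length, Value."""
    if not 1 <= len(raw) <= MAX_AVP_VALUE:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([code, 2 + len(raw)]) + raw


def encode_vsa(vendor_id, subtype, raw):
    """Vendor-Specific attribute 26 carrying a vendor ID and one subattribute TLV (RFC 2865 5.26)."""
    inner = bytes([subtype, 2 + len(raw)]) + raw
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def encode_dhcp_option_tlv(option_code, option_value, fmt):
    """Assumed inner layout for subattribute 218: Type (1 byte for format1, 2 bytes for format2),
    1-byte Length, then the raw DHCP option value."""
    if len(option_value) > MAX_DHCP_OPTION:
        raise ValueError("DHCP option longer than 246 bytes")
    if fmt == "format1":
        type_field = bytes([option_code])
    elif fmt == "format2":
        type_field = struct.pack("!H", option_code)
    else:
        raise ValueError("fmt must be format1 or format2")
    return type_field + bytes([len(option_value)]) + option_value


class RadiusRequest:
    """Accumulates encoded attributes and enforces the 4096-byte request limit."""

    def __init__(self):
        self.attrs = []

    def length(self):
        return RADIUS_HEADER_LEN + sum(len(a) for a in self.attrs)

    def include(self, avp_bytes):
        """Append an attribute; return False and add nothing if the packet would exceed 4096 bytes."""
        if self.length() + len(avp_bytes) > MAX_RADIUS_PACKET:
            return False
        self.attrs.append(avp_bytes)
        return True

    def attribute_codes(self):
        return [a[0] for a in self.attrs]

    def to_bytes(self, code, identifier, authenticator):
        return struct.pack("!BBH", code, identifier, self.length()) + authenticator + b"".join(self.attrs)


def build_sample_accounting_request():
    """Constructed Acct-Start with the page's default accounting attributes plus subattribute 218."""
    req = RadiusRequest()
    req.include(encode_avp(ATTR_CODE["User-Name"], encode_value("string", "abc")))
    req.include(encode_avp(ATTR_CODE["Acct-Status-Type"], encode_value("integer", 1)))  # 1 = Start
    req.include(encode_avp(ATTR_CODE["NAS-IP-Address"], encode_value("ip", "10.1.1.1")))
    req.include(encode_avp(ATTR_CODE["NAS-Identifier"], encode_value("string", "sysname")))
    req.include(encode_avp(ATTR_CODE["Acct-Session-Id"], encode_value("string", "1000326232325010")))
    option55 = bytes([1, 3, 6])   # constructed parameter request list: subnet mask, router, DNS
    req.include(encode_vsa(VENDOR_25506, SUBATTR_DHCP_OPTION, encode_dhcp_option_tlv(55, option55, "format2")))
    return req
```

The encoder makes two of the page's constraints visible: a single attribute value can never exceed 253 bytes because the RADIUS Length field is one byte, and the device-side 4096-byte request limit is what the include method enforces when the attributes added with the include command are appended after the defaults.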

Examples

# In RADIUS scheme rad, configure the device to use format 2 to encapsulate DHCP Option 55 in subattribute 218 of vendor 25506 in RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme rad

[Sysname-radius-rad] include-attribute 218 vendor-id 25506 dhcp-option 55 format2

Related commands

display radius scheme

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS authentication or accounting communication.

Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured for secure RADIUS authentication or accounting communication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure RADIUS accounting communication.

authentication: Specifies the shared key for secure RADIUS authentication communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
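What the shared key actually protects is visible in two places on this page: the key command here, and the Check Failures counter in the display radius statistics output, which counts packets that fail the integrity check. The following Python module is an added example, not H3C code: it implements the two RFC 2865 mechanisms that depend on the shared key, User-Password hiding (section 5.2) and the Response Authenticator (section 3), and plays a constructed Access-Request/Access-Accept exchange between a NAS and a server once with matching keys and once with a mismatched key. The packet contents, identifier and request authenticator are constructed for the example; a real NAS draws the request authenticator from a random source.

```python
# Added example (not H3C code): the RFC 2865 shared-key mechanisms behind the key command.
# Packet bytes, identifier and request authenticator below are constructed for the demo.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20   # Code, Identifier, Length, Authenticator


def avp(code, value):
    """Minimal RADIUS attribute TLV: Type, Length (Type + Length + Value), Value."""
    return bytes([code, 2 + len(value)]) + value


def packet(code, identifier, authenticator, attributes):
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + authenticator + attributes


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the chain feeds the hidden (ciphertext) blocks into the next mask."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ m for h, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # strip the zero padding added by hide_password


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(reply, request_authenticator, secret):
    """NAS-side check: True only if the reply was computed with our shared key and is intact.
    A reply that fails here is what the device counts as a Check Failure."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:], request_authenticator, secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


def simulate_exchange(nas_secret, server_secret, request_authenticator=bytes(range(16))):
    """Constructed NAS/server exchange. Returns (server_recovered_password, nas_accepted_reply)."""
    identifier = 7
    attrs = avp(1, b"abc") + avp(2, hide_password(b"secret-pw", nas_secret, request_authenticator))
    request = packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)

    # Server side: recover the password with the server's copy of the key. In this constructed
    # request User-Password follows the 5-byte User-Name attribute; the RA is read from the header.
    ra = request[4:HEADER_LEN]
    hidden = request[HEADER_LEN + 5 + 2:]
    password_ok = unhide_password(hidden, server_secret, ra) == b"secret-pw"
    code = ACCESS_ACCEPT if password_ok else ACCESS_REJECT
    reply = packet(code, identifier, response_authenticator(code, identifier, b"", ra, server_secret), b"")

    # NAS side: a reply whose authenticator does not verify under the NAS key is discarded.
    return password_ok, verify_response(reply, request_authenticator, nas_secret)


if __name__ == "__main__":
    print("matching keys:", simulate_exchange(b"ok", b"ok"))
    print("mismatched keys:", simulate_exchange(b"ok", b"wrong"))
```

The mismatched run shows the failure mode the usage guidelines warn about: with different keys on the two sides the server cannot recover the password, and even its Access-Reject fails the NAS's authenticator check, so the user sees an authentication failure while the device's statistics show the packet as a check failure rather than a rejection. Per-server keys set with primary or secondary authentication take precedence over the scheme-level key, so a mismatch can also come from a stale per-server override.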

Examples

# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a NAS IP address for RADIUS packets.

Use undo nas-ip to remove the NAS IP address of the specified type for RADIUS packets.

Syntax

nas-ip [ m-lag { local | peer } ] { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address }

undo nas-ip [ m-lag { local | peer } ] [ interface | ipv6 ]

Default

The NAS IP address of a RADIUS packet is that specified by using the radius nas-ip command in system view.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

m-lag: Specifies the NAS IP address for RADIUS packets sent for users that access the network through M-LAG interfaces on an M-LAG system.

local: Specifies the local NAS IP address (the NAS IP address for RADIUS packets sent for users that access the network through local M-LAG interfaces).

peer: Specifies the peer NAS IP address (the NAS IP address for RADIUS packets sent for users that access the network through remote M-LAG interfaces). This NAS IP address is a backup NAS IP address on the local M-LAG member device.

ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

interface interface-type interface-number: Specifies an interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the NAS IP address of an outgoing RADIUS packet.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address and cannot be a loopback address or a link-local address.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

As a best practice, specify a loopback interface address as the NAS IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

On an M-LAG system, to make user traffic switchover caused by primary/secondary M-LAG member device switchover transparent to the RADIUS server, ensure that the NAS IP address for outgoing RADIUS packets remains unchanged. The NAS IP address configuration for outgoing RADIUS packets depends on the load sharing mode for user authentication on M-LAG interfaces:

·     In centralized mode, you must specify the same local NAS IP address on both the M-LAG member devices.

When an M-LAG member device fails, the active M-LAG member device uses the local NAS IP address for outgoing RADIUS packets sent for users authenticated on the failed M-LAG member device.

·     In distributed mode, you must specify a local and peer NAS IP address pair on both the M-LAG member devices. Make sure the peer NAS IP address on an M-LAG member device is the local NAS IP address on the other M-LAG member device.

When an M-LAG member device fails, the active M-LAG member device uses the peer NAS IP address for outgoing RADIUS packets sent for users authenticated on the failed M-LAG member device.

You can specify the NAS IP address in both RADIUS scheme view and system view.

·     The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The NAS IP address specified in RADIUS scheme view takes precedence over the NAS IP address specified in system view.

For a RADIUS scheme, the following restrictions apply:

·     You can specify only one NAS IPv4 address and one NAS IPv6 address for RADIUS packets.

·     You can specify only one interface to provide the NAS IP address for RADIUS packets. Make sure the route between the interface and the RADIUS server is reachable.

·     The interface configuration and the IP address configuration overwrite each other.

If you do not specify the ipv6 keyword for the undo nas-ip command, the command removes the configured NAS IPv4 address for RADIUS packets.

On an M-LAG system, you must specify a virtual IP address as the NAS IP address of RADIUS packets. For more information about virtual IP addresses for the M-LAG system, see M-LAG configuration in Layer 2—LAN Switching Configuration Guide.

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the NAS IPv4 address of RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

display radius scheme

radius nas-ip

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary accounting

Default

The primary RADIUS accounting server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the primary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you modify or remove the accounting server to which the device is sending a start-accounting request, the accounting server might become unreachable. When communication with the unreachable server times out, the device performs the following operations:

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device selects an active server for accounting based on the weight values and current user counts on the active servers.

If you remove the accounting server to which the device has sent start-accounting requests successfully for an online user, the following events occur:

·     If the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for subsequent accounting requests.

·     If the RADIUS server load sharing feature is enabled, real-time accounting fails for that online user and the accounting result is not accurate for that online user. The reason is that the device can communicate only with the accounting server to which it has sent start-accounting requests successfully. As a result, the device cannot send real-time accounting requests or send and buffer stop-accounting requests for that online user.

Examples

# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

display radius scheme

key (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

server-load-sharing enable

vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary authentication

Default

The primary RADIUS authentication server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the primary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Make sure the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

The server status detection is triggered for the server if the specified test profile exists on the device.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If the server in use becomes unreachable after you modify or remove it during an authentication process, the device performs the following operations when communication with the server times out:

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device selects an active server based on the weight values and current user counts on the active servers.

Examples

# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

display radius scheme

key (RADIUS scheme view)

radius-server test-profile

secondary authentication (RADIUS scheme view)

server-load-sharing enable

vpn-instance (RADIUS scheme view)

private accounting

Use private accounting to specify a private RADIUS accounting server.

Use undo private accounting to restore the default.

Syntax

private accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo private accounting

Default

No private RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the private RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the private RADIUS accounting server.

port-number: Specifies the UDP service port number of the private RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the private RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This string is case sensitive. The encrypted form of the key is a string of 1 to 117 characters, and the plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the private RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

This command is applicable to the scenario in which the accounting requests for users contain an accounting server address.

Operating mechanism

When the device receives an accounting request that contains an accounting server address, the device searches the applicable RADIUS scheme for that private server.

·     If a match is found, the device communicates with the server for accounting. If the server does not exist or is unreachable, the accounting operation fails. The device will not try other servers in the scheme.

·     If no match is found, the accounting operation fails.

An accounting request might contain an IPv4 server address, an IPv6 server address, or both.

·     If the request contains an IPv4 server address and an IPv6 server address, the device preferentially exchanges information with the IPv6 server.

¡     If the IPv6 server has failed to respond before the timeout timer expires, the device tries the IPv4 server.

¡     If the IPv6 server is in blocked state, the device examines if the IPv4 server is active.

-     If yes, the device communicates with the IPv4 server.

-     If no, the device continues to communicate with the IPv6 server.

·     If the request contains only an IPv4 or IPv6 server address, the device exchanges client information with the server at that IP address without checking its active state.

Restrictions and guidelines

When you specify a private RADIUS server, follow these restrictions and guidelines:

·     Make sure the specified UDP port number and shared key are consistent with the configuration on the server.

·     In a RADIUS scheme, you can specify a maximum of 16 private accounting servers.

·     You can specify a shared key when specifying a private server. If no shared key is specified, the device uses the key configured for the RADIUS scheme by using the key accounting command to communicate with the server.

·     If the private server resides in an MPLS VPN instance, you must specify the VPN instance for RADIUS packets to be forwarded to the private server successfully. The VPN instance specified for a private server takes precedence over the VPN instance specified for the scheme.

Examples

# In RADIUS scheme radius1, specify the private accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] private accounting 10.110.1.2 1813 key simple 123456TESTauth&!

Related commands

display radius scheme

key (RADIUS scheme view)

radius scheme

vpn-instance (RADIUS scheme view)

private authentication

Use private authentication to specify a private RADIUS authentication server.

Use undo private authentication to restore the default.

Syntax

private authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo private authentication

Default

No private RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the private RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the private RADIUS authentication server.

port-number: Specifies the UDP service port number of the private RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the private RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This string is case sensitive. The encrypted form of the key is a string of 1 to 117 characters, and the plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the private RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

This command is applicable to the scenario in which the authentication requests for users contain a private authentication server address.

Operating mechanism

When the device receives an authentication request that contains an authentication server address, the device searches the applicable RADIUS scheme for that private server.

·     If a match is found, the device communicates with the server for client authentication. If the server does not exist or is unreachable, the authentication operation fails. The device will not try other servers in the scheme.

·     If no match is found, the client authentication operation fails.

A client authentication request might contain an IPv4 server address, an IPv6 server address, or both.

·     If the request contains an IPv4 server address and an IPv6 server address, the device preferentially exchanges information with the IPv6 server.

¡     If the IPv6 server has failed to respond before the timeout timer expires, the device tries the IPv4 server.

¡     If the IPv6 server is in blocked state, the device examines if the IPv4 server is active.

-     If yes, the device communicates with the IPv4 server.

-     If no, the device continues to communicate with the IPv6 server.

·     If the request contains only an IPv4 or IPv6 server address, the device exchanges client information with the server at that IP address without checking its active state.
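The server-selection rules described in the Operating mechanism sections of both private accounting and private authentication are the same, so one added model serves both. The code below is an illustration written for this page, not H3C's implementation; the server addresses, the "responds" flag standing in for the timeout timer, and the reading that a dual-address request whose preferred server is absent from the scheme simply fails (the page does not spell out that case) are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PrivateServer:
    """A private RADIUS server configured in a scheme (constructed model, not device state)."""
    address: str
    state: str = "active"      # "active" or "blocked"
    responds: bool = True      # whether the server answers before the timeout timer expires


@dataclass
class RadiusScheme:
    name: str
    private_servers: Dict[str, PrivateServer] = field(default_factory=dict)

    def add(self, server: PrivateServer) -> None:
        self.private_servers[server.address] = server


def _exchange(scheme: RadiusScheme, address: str) -> Tuple[str, str]:
    """Talk to one server; a missing or non-responding server fails with no fallback to other servers."""
    server = scheme.private_servers.get(address)
    if server is None:
        return address, "fail: no matching private server in scheme"
    if not server.responds:
        return address, "fail: timeout"
    return address, "ok"


def select_private_server(scheme: RadiusScheme, ipv4: Optional[str] = None,
                          ipv6: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Apply the documented selection rules to the server address(es) carried in a request."""
    if not ipv4 and not ipv6:
        return None, "fail: request carries no private server address"
    # A single address is used as-is: its active state is not checked and there is no fallback.
    if not (ipv4 and ipv6):
        return _exchange(scheme, ipv4 or ipv6)
    # Both addresses present: IPv6 is preferred, unless it is blocked while the IPv4 server is active.
    v6 = scheme.private_servers.get(ipv6)
    v4 = scheme.private_servers.get(ipv4)
    if v6 is not None and v6.state == "blocked" and v4 is not None and v4.state == "active":
        return _exchange(scheme, ipv4)
    address, outcome = _exchange(scheme, ipv6)
    if outcome == "fail: timeout":
        # The IPv6 server did not answer before the timeout: try the IPv4 server once.
        return _exchange(scheme, ipv4)
    return address, outcome


def build_demo_scheme() -> RadiusScheme:
    """Constructed scheme: the IPv4 address from the page's examples plus two assumed IPv6 servers."""
    scheme = RadiusScheme("radius1")
    scheme.add(PrivateServer("10.110.1.2"))                       # active, answers
    scheme.add(PrivateServer("2001:db8::2", state="blocked"))     # blocked, would answer
    scheme.add(PrivateServer("2001:db8::3", responds=False))      # active, never answers
    return scheme


if __name__ == "__main__":
    demo = build_demo_scheme()
    for request in [dict(ipv4="10.110.1.2"), dict(ipv6="2001:db8::2"),
                    dict(ipv4="10.110.1.2", ipv6="2001:db8::2"),
                    dict(ipv4="10.110.1.2", ipv6="2001:db8::3"),
                    dict(ipv4="10.110.1.9")]:
        print(request, "->", select_private_server(demo, **request))
```

The second request in the demo shows the point worth remembering operationally: a request that names only a blocked IPv6 server is still sent to that server, because the active state is only consulted when both address families are present.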

Restrictions and guidelines

When you specify a private RADIUS server, follow these restrictions and guidelines:

·     Make sure the specified UDP port number and shared key are consistent with the configuration on the server.

·     In a RADIUS scheme, you can specify a maximum of 16 private authentication servers.

·     You can specify a shared key when specifying a private server. If no shared key is specified, the device uses the key configured for the RADIUS scheme by using the key authentication command to communicate with the server.

·     If the private server resides in an MPLS VPN instance, you must specify the VPN instance for RADIUS packets to be forwarded to the private server successfully. The VPN instance specified for a private server takes precedence over the VPN instance specified for the scheme.

Examples

# In RADIUS scheme radius1, specify the private authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] private authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

display radius scheme

key (RADIUS scheme view)

radius scheme

vpn-instance (RADIUS scheme view)

radius attribute extended

Use radius attribute extended to define an extended RADIUS attribute.

Use undo radius attribute extended to delete user-defined extended RADIUS attributes.

Syntax

radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }

undo radius attribute extended [ attribute-name ]

Default

No user-defined extended RADIUS attributes exist.

Views

System view

Predefined user roles

network-admin

Parameters

attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.

vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute. Table 12 shows the vendor IDs of supported vendors.

Table 12 Supported vendors and vendor IDs

Vendor            Vendor ID
HUAWEI            2011
H3C               25506
Microsoft         311
3COM              43
DSL Forum         3561
China Telecom     20942
Wi-Fi Alliance    40808
Juniper           2636
CMCC              28357
Cisco             9

code attribute-code: Specifies the ID of the RADIUS attribute in the attribute set. The value range for the attribute-code argument is 1 to 255.

type: Specifies a data type for the attribute content.

binary: Binary type.

date: Date type.

integer: Integer type.

interface-id: Interface ID type.

ip: IPv4 address type.

ipv6: IPv6 address type.

ipv6-prefix: IPv6 address prefix type.

octets: Octet type.

string: String type.

Usage guidelines

To support the proprietary RADIUS attributes of other vendors, perform the following tasks:

1.     Use this command to define the attributes as extended RADIUS attributes.

2.     Use the attribute convert command to map the extended RADIUS attributes to attributes supported by the system.

3.     Use the attribute translate command to enable the RADIUS attribute translation feature for the mappings to take effect.

To cooperate with RADIUS servers of a third-party vendor, map attributes that cannot be identified by the server to server-supported attributes.

Two RADIUS attributes cannot have the same combination of attribute name, vendor ID, and attribute ID.

If you do not specify a RADIUS attribute name, the undo radius attribute extended command deletes all user-defined extended RADIUS attributes.

Examples

# Define a string-type extended RADIUS attribute with attribute name Owner-Password, vendor ID 122, and attribute ID 80.

<Sysname> system-view

[Sysname] radius attribute extended Owner-Password vendor 122 code 80 type string
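To see what an extended attribute definition corresponds to on the wire, the following added example (written for this page, not H3C code) encodes and decodes RADIUS attributes from definitions shaped like this command: a vendor attribute is carried inside the RFC 2865 Vendor-Specific attribute (type 26) as a 4-octet vendor ID followed by a vendor-type/vendor-length/value triple. The Owner-Password definition is the page's own example; the H3C (25506) and standard (code 240) definitions, the attribute values and the handled subset of data types are constructed assumptions. The decoder validates every length field before trusting it, which is the check a RADIUS parser must make on untrusted input.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Sequence, Tuple

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type


@dataclass(frozen=True)
class ExtendedAttribute:
    """One 'radius attribute extended' definition: name, vendor ID (None = standard attribute), code, type."""
    name: str
    vendor: Optional[int]
    code: int
    type: str


def encode_value(attr_type: str, value) -> bytes:
    """Serialize a value for the data types this example handles (a subset of the documented nine)."""
    if attr_type == "string":
        return value.encode("utf-8")
    if attr_type in ("octets", "binary"):
        return bytes(value)
    if attr_type in ("integer", "date"):        # date is seconds since the epoch, 4 octets
        return struct.pack("!I", value)
    if attr_type == "ip":
        return ipaddress.IPv4Address(value).packed
    if attr_type == "ipv6":
        return ipaddress.IPv6Address(value).packed
    raise ValueError(f"type not handled by this example: {attr_type}")


def decode_value(attr_type: str, raw: bytes):
    if attr_type == "string":
        return raw.decode("utf-8")
    if attr_type in ("octets", "binary"):
        return raw
    if attr_type in ("integer", "date"):
        if len(raw) != 4:
            raise ValueError(f"{attr_type} attribute must be 4 octets, got {len(raw)}")
        return struct.unpack("!I", raw)[0]
    if attr_type == "ip":
        return str(ipaddress.IPv4Address(raw))
    if attr_type == "ipv6":
        return str(ipaddress.IPv6Address(raw))
    raise ValueError(f"type not handled by this example: {attr_type}")


def encode_attribute(attr: ExtendedAttribute, value) -> bytes:
    """Build the wire TLV; vendor attributes are wrapped in attribute 26 behind a 4-octet vendor ID."""
    payload = encode_value(attr.type, value)
    if len(payload) + 2 > 255:
        raise ValueError("attribute value too long for a one-octet length field")
    inner = bytes([attr.code, len(payload) + 2]) + payload
    if attr.vendor is None:
        return inner
    if len(inner) + 6 > 255:
        raise ValueError("vendor-specific attribute exceeds 255 octets")
    return bytes([VENDOR_SPECIFIC, len(inner) + 6]) + struct.pack("!I", attr.vendor) + inner


def _iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs, rejecting truncated headers and length fields that overrun the buffer."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"malformed attribute {attr_type}: length {length}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_attributes(data: bytes, definitions: Sequence[ExtendedAttribute]) -> List[Tuple[str, object]]:
    """Resolve attributes in `data` to names using (vendor, code) keys from the definitions."""
    by_key = {(a.vendor, a.code): a for a in definitions}
    decoded: List[Tuple[str, object]] = []
    for attr_type, value in _iter_tlvs(data):
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("vendor-specific attribute shorter than its vendor ID")
            vendor = struct.unpack("!I", value[:4])[0]
            for code, inner in _iter_tlvs(value[4:]):
                attr = by_key.get((vendor, code))
                decoded.append((attr.name, decode_value(attr.type, inner)) if attr
                               else (f"vendor-{vendor}-code-{code}", inner))
        else:
            attr = by_key.get((None, attr_type))
            decoded.append((attr.name, decode_value(attr.type, value)) if attr
                           else (f"standard-{attr_type}", value))
    return decoded


DEFINITIONS = [
    ExtendedAttribute("Owner-Password", 122, 80, "string"),             # the page's example definition
    ExtendedAttribute("Example-Session-Limit", 25506, 201, "integer"),  # hypothetical H3C-vendor attribute
    ExtendedAttribute("Example-Framed-Addr", None, 240, "ip"),           # hypothetical standard attribute
]


def demo() -> List[Tuple[str, object]]:
    """Encode the three defined attributes plus one undefined vendor attribute, then decode the buffer."""
    wire = (encode_attribute(DEFINITIONS[0], "secret")
            + encode_attribute(DEFINITIONS[1], 5)
            + encode_attribute(DEFINITIONS[2], "10.110.1.1")
            + encode_attribute(ExtendedAttribute("undefined", 9, 1, "string"), "x"))
    return decode_attributes(wire, DEFINITIONS)
```

Attributes without a matching definition are surfaced by vendor and code rather than dropped, which is what you want when diagnosing why a third-party server's attribute is not being translated.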

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute translate

radius attribute-test-group

Use radius attribute-test-group to create a RADIUS attribute test group and enter its view, or enter the view of an existing RADIUS attribute test group.

Use undo radius attribute-test-group to remove a RADIUS attribute test group.

Syntax

radius attribute-test-group attr-test-group-name

undo radius attribute-test-group attr-test-group-name

Default

No RADIUS attribute test groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

attr-test-group-name: Specifies the name of a RADIUS attribute test group, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A RADIUS attribute test group is a collection of RADIUS attributes that will be included in or excluded from RADIUS requests.

The system can have multiple RADIUS attribute test groups.

Examples

# Create a RADIUS attribute test group named t1 and enter its view.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1]

Related commands

exclude

include

test-aaa

radius dscp

Use radius dscp to change the DSCP priority of RADIUS packets.

Use undo radius dscp to restore the default.

Syntax

radius [ ipv6 ] dscp dscp-value

undo radius [ ipv6 ] dscp

Default

The DSCP priority of RADIUS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for the IPv4 RADIUS packets.

dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

Use this command to set the DSCP priority in the ToS field of IPv4 RADIUS packets or in the Traffic Class field of IPv6 RADIUS packets for changing their transmission priority.

Examples

# Set the DSCP priority of IPv4 RADIUS packets to 10.

<Sysname> system-view

[Sysname] radius dscp 10

radius enable

Use radius enable to enable the RADIUS service.

Use undo radius enable to disable the RADIUS service.

Syntax

radius enable

undo radius enable

Default

The RADIUS service is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, the RADIUS service is enabled. The device can send and receive RADIUS packets. Attackers might use RADIUS session-control and DAE ports to attack the device. To protect the device when such an attack occurs, disable the RADIUS service temporarily on the device. After the network is secure, re-enable the RADIUS service.

If settings on the RADIUS servers require modification or the RADIUS servers cannot provide services temporarily, you can temporarily disable the RADIUS service on the device.

When the RADIUS service is disabled, the device stops sending and receiving RADIUS packets. If a new user comes online, the device uses the backup authentication, authorization, or accounting method to process that user. If the device has not finished requesting authentication or accounting for a user before the RADIUS service is disabled, it uses the following rules to process that user:

·     If the device has sent RADIUS authentication requests for that user to a RADIUS server, the device processes that user depending on whether it receives a response from the RADIUS server.

¡     If the device receives a response from the RADIUS server, it uses the response to determine whether that user has passed authentication. If that user has passed authentication, the device assigns authorization information to that user according to the response.

¡     If the device does not receive any response from the RADIUS server, it attempts to use the backup authentication method to authenticate that user.

·     If the device has sent RADIUS start-accounting requests for that user to a RADIUS server, the device processes that user depending on whether it receives a response from the RADIUS server.

¡     If the device receives a response from the RADIUS server, it allows that user to come online. However, the device cannot send out accounting-update or stop-accounting requests to the RADIUS server. It cannot buffer the accounting requests, either. When that user goes offline, the RADIUS server cannot log off that user in time. The accounting result might be inaccurate.

¡     If the device does not receive any response from the RADIUS server, it attempts to use the backup accounting method.

The authentication, authorization, and accounting processes undertaken by other methods are not switched to RADIUS when you re-enable the RADIUS service.

Examples

# Enable the RADIUS service.

<Sysname> system-view

[Sysname] radius enable

radius nas-ip

Use radius nas-ip to specify a NAS IP address for RADIUS packets.

Use undo radius nas-ip to remove the NAS IP address of the specified type for RADIUS packets.

Syntax

radius nas-ip { interface interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo radius nas-ip { interface | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

Default

The NAS IP address of RADIUS packets is the primary IPv4 address or the IPv6 address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the NAS IP address of an outgoing RADIUS packet.

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the NAS IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network NAS IP address, do not specify this option.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

As a best practice, specify a loopback interface address as the NAS IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

You can specify the NAS IP address in both RADIUS scheme view and system view.

·     The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The NAS IP address specified in RADIUS scheme view takes precedence over the NAS IP address specified in system view.

You can specify a maximum of 16 NAS IP addresses in system view, including:

·     Zero or one public-network NAS IPv4 address.

·     Zero or one public-network NAS IPv6 address.

·     Private-network NAS IP addresses.

Each VPN instance can have only one private-network NAS IPv4 address and one private-network NAS IPv6 address in system view.

You can specify only one interface to provide the NAS IP address for outgoing RADIUS packets. Make sure the route between the interface and the RADIUS server is reachable.

The interface configuration and the IP address configuration are mutually exclusive: specifying an interface overwrites a configured NAS IP address, and specifying a NAS IP address overwrites a configured interface.
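The address restrictions and the per-view limits above are easy to violate when NAS IP addresses are generated by an automation tool, so the following added example (written for this page, not H3C code) checks a candidate configuration against them offline before it is pushed: the prohibited IPv4 and IPv6 values from the Parameters section, the 16-address limit, and one address per address family for the public network and for each VPN instance. The behaviour when a second address is configured for an already occupied slot is not stated on the page; this example assumes the new address replaces the earlier one.

```python
import ipaddress
from typing import Dict, Optional, Tuple, Union

MAX_NAS_IPS = 16   # documented system-view limit for radius nas-ip entries
CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def check_nas_ip(addr: str) -> IPAddr:
    """Reject the address values the command's Parameters section rules out."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError(f"{addr}: 0.0.0.0 is not allowed")
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            raise ValueError(f"{addr}: limited broadcast address is not allowed")
        if ip in CLASS_D:
            raise ValueError(f"{addr}: class D (multicast) address is not allowed")
        if ip in CLASS_E:
            raise ValueError(f"{addr}: class E address is not allowed")
        if ip.is_loopback:
            raise ValueError(f"{addr}: loopback address (127.0.0.0/8) is not allowed")
    else:
        if ip.is_multicast:
            raise ValueError(f"{addr}: IPv6 NAS IP must be a unicast address")
        if ip.is_loopback:
            raise ValueError(f"{addr}: IPv6 loopback address is not allowed")
        if ip.is_link_local:
            raise ValueError(f"{addr}: IPv6 link-local address is not allowed")
    return ip


class NasIpTable:
    """System-view radius nas-ip entries, one slot per (vpn-instance, address family)."""

    def __init__(self) -> None:
        self._slots: Dict[Tuple[Optional[str], int], IPAddr] = {}

    def add(self, addr: str, vpn_instance: Optional[str] = None) -> IPAddr:
        ip = check_nas_ip(addr)
        key = (vpn_instance, ip.version)   # vpn_instance None = public network
        if key not in self._slots and len(self._slots) >= MAX_NAS_IPS:
            raise ValueError(f"cannot add {addr}: {MAX_NAS_IPS} NAS IP addresses already configured")
        # Assumption: a second address for an occupied slot replaces the earlier one,
        # since the documentation allows only one address per slot.
        self._slots[key] = ip
        return ip

    def entries(self) -> Dict[Tuple[Optional[str], int], str]:
        return {key: str(ip) for key, ip in self._slots.items()}


if __name__ == "__main__":
    table = NasIpTable()
    table.add("129.10.10.1")                  # public IPv4, from the page's example
    table.add("2001:db8::1")                  # constructed public IPv6
    table.add("10.1.1.1", vpn_instance="vpn1")  # constructed private-network address
    print(table.entries())
    for bad in ("127.0.0.1", "224.0.0.1", "fe80::1"):
        try:
            check_nas_ip(bad)
        except ValueError as err:
            print("rejected:", err)
```

Note the distinction the best-practice sentence relies on: a "loopback address" in the prohibited sense is 127.0.0.0/8 or ::1, whereas the address configured on a loopback interface is an ordinary routable unicast address and passes these checks.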

Examples

# Specify IP address 129.10.10.1 as the NAS IP address of RADIUS packets.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control client

Use radius session-control client to specify a RADIUS session-control client.

Use undo radius session-control client to remove the specified RADIUS session-control clients.

Syntax

radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

Default

No RADIUS session-control clients are specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a session-control client by its IPv4 address.

ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.

key: Specifies the shared key for secure communication with the session-control client.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the client is on the public network, do not specify this option.

all: Specifies all session-control clients.

Usage guidelines

To verify the session-control packets sent from a RADIUS server running on IMC, specify the RADIUS server as a session-control client to the device. The device matches a session-control packet to a session-control client based on the IP address and VPN instance, and then uses the shared key of the matched client to validate the packet.

The device searches the session-control client settings prior to searching all RADIUS scheme settings for a server with matching settings. This process narrows the search scope for finding the matched RADIUS server.

The session-control client settings take effect only when the RADIUS session-control feature is enabled.

The session-control client settings must be the same as the corresponding settings of the RADIUS server.

You can specify multiple session-control clients on the device.

Examples

# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.

<Sysname> system-view

[Sysname] radius session-control client ip 10.110.1.2 key simple 12345

Related commands

radius session-control enable

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to disable the RADIUS session-control feature.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An H3C IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812.

This feature must work with H3C IMC servers.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius source-ip

Use radius source-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius source-ip to remove the source IP address of the specified type for outgoing RADIUS packets.

Syntax

radius source-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius source-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No IP address is specified as the source IP address of outgoing RADIUS packets.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing RADIUS packets.

The device selects a source IP address for outgoing RADIUS packets in the following order:

1.     The source IP address specified by using the source-ip command in RADIUS scheme view.

2.     The source IP address specified by using the radius source-ip command in system view.

3.     The NAS IP address specified by using the nas-ip command in RADIUS scheme view.

4.     The NAS IP address specified by using the radius nas-ip command in system view.

5.     The IP address of the outbound interface for the outgoing RADIUS packets.

The source IP address specified in system view applies to all RADIUS schemes.

You can specify a maximum of 16 source IP addresses in system view, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address in system view.

Examples

# Specify IP address 129.10.10.1 as the source IPv4 address of outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius source-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius nas-ip

source-ip (RADIUS scheme view)

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ password { cipher | simple } string ] [ interval interval ] [ probe-count count ] [ eap-profile eap-profile-name ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the probe packets. The name argument is a case-sensitive string of 1 to 253 characters.

password: Specifies the user password in the probe packets. If you do not specify a user password, the device randomly generates a user password for each probe packet. As a best practice, specify a user password, because a RADIUS server might mistake probe packets that contain randomly generated passwords for attack packets.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

interval interval: Specifies the interval for sending a probe packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

probe-count count: Specifies the number of consecutive probe intervals that the device takes to determine the reachability of a RADIUS server. The value range for the count argument is 1 to 10, and the default value is 1.

eap-profile eap-profile-name: Specifies an EAP profile by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

The device starts detecting the status of a RADIUS server only if the test profile specified for the server exists. If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

To perform EAP-based status detection for a RADIUS server, you must specify a test profile that contains an EAP profile for the RADIUS server.

EAP-based detection provides more reliable detection results than simple detection. As a best practice, configure EAP-based detection on a network environment where EAP authentication is configured.

If you specify a nonexistent EAP profile in a test profile, the device performs simple detection for the RADIUS servers that use the test profile. After the EAP profile is configured, the device will start EAP-based detection at the next detection interval.

When the network is unstable, increase the value for the probe-count count option to improve accuracy of RADIUS server state information.

When the network is stable, reduce the value for the probe-count count option. This operation ensures that the device can obtain the real status of a RADIUS server in time.

When you delete a test profile, the device stops detecting the status of RADIUS servers that use the test profile.

You can execute this command multiple times to configure multiple test profiles.
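The interval and probe-count logic described in these guidelines, as an added simulation that is not H3C code: one probe per interval, and a server's status flips only after probe-count consecutive intervals agree. It assumes the same consecutive count applies to both the reachable and unreachable transitions (the page does not say), models the EAP profile lookup as a plain name set, and uses constructed probe results.

```python
"""RADIUS server status detection with a test profile (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TestProfile:
    name: str                     # profile-name, 1-31 characters
    username: str                 # username in the probe packets, 1-253 characters
    interval_min: int = 60        # interval, 1-3600 minutes (default 60)
    probe_count: int = 1          # probe-count, 1-10 (default 1)
    eap_profile: Optional[str] = None

    def validate(self) -> None:
        """Apply the value ranges the command reference gives for each argument."""
        if not 1 <= len(self.name) <= 31:
            raise ValueError("profile-name must be 1 to 31 characters")
        if not 1 <= len(self.username) <= 253:
            raise ValueError("username must be 1 to 253 characters")
        if not 1 <= self.interval_min <= 3600:
            raise ValueError("interval must be 1 to 3600 minutes")
        if not 1 <= self.probe_count <= 10:
            raise ValueError("probe-count must be 1 to 10")

    def detection_mode(self, configured_eap_profiles: Set[str]) -> str:
        """EAP-based detection needs an EAP profile that actually exists; a
        nonexistent one silently falls back to simple detection."""
        if self.eap_profile is not None and self.eap_profile in configured_eap_profiles:
            return "eap"
        return "simple"

    def minutes_to_decide(self) -> int:
        """Longest time before a status change is recognised: one probe per
        interval, probe_count consecutive intervals to decide."""
        return self.interval_min * self.probe_count


@dataclass
class ServerProbeState:
    """Per-server counters kept by the simulated detector."""
    reachable: bool = True        # servers start in active (reachable) state
    consecutive_misses: int = 0
    consecutive_hits: int = 0

    def observe(self, responded: bool, probe_count: int) -> Optional[str]:
        """Feed one probe result; return the new status only when it changes."""
        if responded:
            self.consecutive_hits += 1
            self.consecutive_misses = 0
            if not self.reachable and self.consecutive_hits >= probe_count:
                self.reachable = True
                return "reachable"
        else:
            self.consecutive_misses += 1
            self.consecutive_hits = 0
            if self.reachable and self.consecutive_misses >= probe_count:
                self.reachable = False
                return "unreachable"
        return None


def run_probes(profile: TestProfile, results: Iterable[bool]) -> List[Tuple[int, str]]:
    """Replay a sequence of probe outcomes (True = server answered) and return
    the (interval index, new status) transitions that occurred."""
    profile.validate()
    state = ServerProbeState()
    transitions: List[Tuple[int, str]] = []
    for i, responded in enumerate(results):
        change = state.observe(responded, profile.probe_count)
        if change:
            transitions.append((i, change))
    return transitions


if __name__ == "__main__":
    # Constructed profile matching the page's example: 10-minute interval, probe-count 2.
    abc = TestProfile(name="abc", username="admin", interval_min=10, probe_count=2)
    # Constructed probe outcomes: a single miss is ignored, two in a row flip the state.
    print(run_probes(abc, [True, False, True, False, False, True, True]))
```

A single missed probe with probe-count 2 never changes the status, which is the stability gain the guidelines describe for unstable networks; the cost is that a real outage is recognised only after minutes_to_decide() minutes.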

Examples

# Configure a test profile named abc for RADIUS server status detection. A probe packet that uses username admin and plaintext password abc123 is sent every 10 minutes. The device takes two consecutive probe intervals to determine the reachability of a RADIUS server.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin password simple abc123 interval 10 probe-count 2

Related commands

eap-profile

primary authentication (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

reauthentication server-select

Use reauthentication server-select to specify a RADIUS server selection mode for reauthentication.

Use undo reauthentication server-select to restore the default.

Syntax

reauthentication server-select { inherit | reselect }

undo reauthentication server-select

Default

The inherit mode is used.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

inherit: Uses the RADIUS server that performed authentication for reauthentication.

reselect: Reselects a RADIUS server for reauthentication.

Usage guidelines

Use this command to configure the RADIUS server selection mechanism in reauthentication. Use one of the following modes depending on the network condition:

·     Inherit—The device uses the RADIUS server that performed authentication for a user to reauthenticate that user. This mode reduces the amount of time used in reauthentication. However, if the RADIUS server is unreachable, the reauthentication will fail.

·     Reselect—The device searches for a reachable RADIUS server to reauthenticate a user. This mode requires more time than the inherit mode. However, this mode ensures that the device uses the optimal reachable RADIUS server for reauthentication. The following factors affect the RADIUS server selection:

      - Server configuration in the RADIUS scheme, including the configuration order.

      - Enabling status of the RADIUS server load sharing feature.

      - Status of the RADIUS servers in the RADIUS scheme.

Examples

# In RADIUS scheme radius1, set the RADIUS server selection mode to reselect for reauthentication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] reauthentication server-select reselect

Related commands

display radius scheme

reset radius server-load statistics

Use reset radius server-load statistics to clear history authentication and accounting load statistics for all RADIUS servers.

Syntax

reset radius server-load statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command does not clear authentication and accounting load statistics in the last 5 seconds.

Examples

# Clear history authentication and accounting load statistics for all RADIUS servers.

<Sysname> reset radius server-load statistics

Related commands

display radius server-load statistics

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

reset stop-accounting-buffer (for RADIUS)

Use reset stop-accounting-buffer to clear buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

User view

Predefined user roles

network-admin

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Clear nonresponded RADIUS stop-accounting requests buffered for user user0001@test.

<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear nonresponded RADIUS stop-accounting requests buffered from 0:0:0 to 23:59:59 on January 31, 2020.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-01/31/2020 23:59:59-01/31/2020

Related commands

display stop-accounting-buffer (for RADIUS)

stop-accounting-buffer enable (RADIUS scheme view)

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retries

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

If the device does not receive a response to its request from the RADIUS server within the response timeout period, the device retransmits the RADIUS request. To set the response timeout period, use the timer response-timeout command.

If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS authentication servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

radius scheme

timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retries

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server considers the accounting attempt a failure and then decides whether to cut the user connection based on the accounting update failure policy (configured by using accounting update-fail).

To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, for a LAN user, the following conditions exist:

·     The RADIUS server response timeout period is 3 seconds (set by using the timer response-timeout command).

·     The maximum number of RADIUS packet transmission attempts is 3 (set by using the retry command).

·     The real-time accounting interval is 12 minutes (set by using the timer realtime-accounting command).

·     The maximum number of accounting attempts is 5 (set by using the retry realtime-accounting command).

In the above case, the device generates an accounting request every 12 minutes, and retransmits the request if it receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device considers real-time accounting for the user to have failed.

Examples

# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

accounting update-fail

retry

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

retry stop-accounting (RADIUS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual RADIUS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts is 500 for individual RADIUS stop-accounting requests.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535.

Usage guidelines

The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters:

·     RADIUS server response timeout timer (set by using the timer response-timeout command).

·     Maximum number of times to transmit a RADIUS packet per round (set by using the retry command).

For example, the following settings exist:

·     The RADIUS server response timeout timer is 3 seconds.

·     The maximum number of times to transmit a RADIUS packet per round is five.

·     The maximum number of stop-accounting request transmission attempts is 20.

A stop-accounting request is retransmitted if the device does not receive a response within 3 seconds. When all five transmission attempts in this round are used, the device buffers the request and starts another round of retransmission. If 20 consecutive rounds of attempts fail, the device discards the request.
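How the retry, timer response-timeout, retry realtime-accounting and retry stop-accounting settings combine, covering the client-timeout and 300-second rules from the retry command's guidelines as well as the worked settings above, as an added calculator that is not H3C code. Scheme values are constructed; the server count and client timeout are inputs you would take from your own RADIUS scheme and access module.

```python
"""RADIUS retransmission budget calculator (added example)."""
from dataclasses import dataclass
from typing import List

# From the retry usage guidelines: before moving to the next server, the
# device checks elapsed time and stops walking servers once it reaches 300 s.
SCHEME_TIME_CAP_SECONDS = 300


@dataclass(frozen=True)
class RadiusScheme:
    retries: int                    # retry <retries>, 1-20 (default 3)
    response_timeout: int           # timer response-timeout, in seconds
    auth_servers: int               # primary + secondary authentication servers
    realtime_acct_retries: int = 5  # retry realtime-accounting, 1-255 (default 5)
    stop_acct_retries: int = 500    # retry stop-accounting, 10-65535 (default 500)


def per_server_wait(s: RadiusScheme) -> int:
    """Seconds spent on one server before the request to it is a failure:
    every transmission attempt waits a full response timeout."""
    return s.retries * s.response_timeout


def auth_wait_worst_case(s: RadiusScheme) -> int:
    """Worst case for one authentication request that walks the servers in
    configuration order with none of them answering. A new server is tried
    only while the elapsed total is still below the 300 s cap, so the walk
    may end before every server has been tried."""
    total = 0
    for _ in range(s.auth_servers):
        if total >= SCHEME_TIME_CAP_SECONDS:
            break
        total += per_server_wait(s)
    return total


def fits_client_timeout(s: RadiusScheme, client_timeout: int) -> bool:
    """The rule stated for the retry command: the product of retries,
    response timeout and authentication server count must not exceed the
    access module's client timeout, or the user is logged off first."""
    return s.retries * s.response_timeout * s.auth_servers <= client_timeout


def realtime_acct_packets_before_failure(s: RadiusScheme) -> int:
    """Packets sent before real-time accounting is declared failed: each of
    the retry realtime-accounting attempts is itself transmitted `retries`
    times (page example: 5 attempts x 3 transmissions = 15)."""
    return s.realtime_acct_retries * s.retries


def stop_acct_packets_before_discard(s: RadiusScheme) -> int:
    """Packets sent for one buffered stop-accounting request before it is
    discarded: rounds (retry stop-accounting) x attempts per round (retry).
    Page example: 20 rounds x 5 per round = 100 transmissions, 3 s apart."""
    return s.stop_acct_retries * s.retries


def budget_warnings(s: RadiusScheme, client_timeout: int) -> List[str]:
    """Findings a change reviewer would want before committing the scheme."""
    warnings: List[str] = []
    product = s.retries * s.response_timeout * s.auth_servers
    if not fits_client_timeout(s, client_timeout):
        warnings.append(
            f"retry x timeout x servers = {product}s exceeds client timeout "
            f"{client_timeout}s: users will be logged off before a verdict"
        )
    if s.auth_servers * per_server_wait(s) > SCHEME_TIME_CAP_SECONDS:
        warnings.append(
            f"full server walk needs {s.auth_servers * per_server_wait(s)}s; "
            f"servers reached after the {SCHEME_TIME_CAP_SECONDS}s cap are never tried"
        )
    return warnings


if __name__ == "__main__":
    # Constructed scheme: page defaults (retry 3, timeout 3 s) with four servers.
    scheme = RadiusScheme(retries=3, response_timeout=3, auth_servers=4)
    print("worst-case authentication wait:", auth_wait_worst_case(scheme), "s")
    for warning in budget_warnings(scheme, client_timeout=30):
        print("WARNING:", warning)
```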

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

Related commands

display stop-accounting-buffer (for RADIUS)

retry

timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you modify or remove the accounting server to which the device is sending a start-accounting request, the accounting server might become unreachable. When communication with the unreachable server times out, the device performs the following operations:

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device selects an active server for accounting based on the weight values and current user counts on the active servers.

If you remove the accounting server to which the device has sent start-accounting requests successfully for an online user, the following events occur:

·     If the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for subsequent accounting requests.

·     If the RADIUS server load sharing feature is enabled, real-time accounting fails for that online user and the accounting result is not accurate for that online user. The reason is that the device can communicate only with the accounting server to which it has sent start-accounting requests successfully. As a result, the device cannot send real-time accounting requests or send and buffer stop-accounting requests for that online user.

Examples

# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# In RADIUS scheme radius2, specify two secondary accounting servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

display radius scheme

key (RADIUS scheme view)

primary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of a secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS authentication server.

port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

The server status detection is triggered for a server if the specified test profile exists on the device.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If the server in use becomes unreachable after you modify or remove it during an authentication process, the device performs the following operations when communication with the server times out:

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device selects an active server based on the weight values and current user counts on the active servers.

Examples

# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

display radius scheme

key (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius-server test-profile

vpn-instance (RADIUS scheme view)

server-block-action (RADIUS scheme view)

Use server-block-action to specify the action to take for AAA requests if all servers in a RADIUS scheme are blocked.

Use undo server-block-action to restore the default.

Syntax

server-block-action { attempt | skip }

undo server-block-action

Default

The device attempts to connect to the server with the highest priority in a RADIUS scheme upon receiving AAA requests if all servers in the scheme are blocked.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

attempt: Attempts to connect to a server (except for servers manually set in block state) in the scheme.

skip: Skips all servers in the scheme and turns to the backup method.

Usage guidelines

The attempt action gives the device a chance to use the scheme in case the highest-priority server in the scheme is actually available. However, the attempt to communicate with an unavailable server increases the response time for AAA requests. As a best practice, specify the skip action in scenarios that require quick responses to AAA requests.

When processing an AAA request, the device does not turn back to a skipped scheme even though the state of the servers in the scheme changes from blocked to active.

Examples

# In RADIUS scheme radius1, configure the device to skip all servers in the scheme upon receiving AAA requests if all servers in the scheme are blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-block-action skip

Related commands

display radius scheme

retry

timer response-timeout (RADIUS scheme view)

server-load-sharing enable

Use server-load-sharing enable to enable the RADIUS server load sharing feature.

Use undo server-load-sharing enable to disable the RADIUS server load sharing feature.

Syntax

server-load-sharing enable

undo server-load-sharing enable

Default

The RADIUS server load sharing feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Use the RADIUS server load sharing feature to dynamically distribute the AAA requests over multiple servers regardless of their server roles. The device forwards an AAA request to the most appropriate server of all active servers in the scheme after it compares the weight values and numbers of currently served users. Specify a weight value for each RADIUS server based on the AAA capacity of the server. A larger weight value indicates a higher AAA capacity.

In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server. If the accounting server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server.

Examples

# Enable the RADIUS server load sharing feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-load-sharing enable

Related commands

primary authentication (RADIUS scheme view)

primary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All RADIUS SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-server-down: Specifies notifications to be sent when the RADIUS accounting server becomes unreachable.

accounting-server-up: Specifies notifications to be sent when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Specifies notifications to be sent when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Specifies notifications to be sent when the RADIUS authentication server becomes unreachable.

authentication-server-up: Specifies notifications to be sent when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—RADIUS generates this notification when the number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the device to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

source-ip

Use source-ip to specify a source IP address for outgoing RADIUS packets.

Use undo source-ip to remove the source IP address of the specified type for outgoing RADIUS packets.

Syntax

source-ip { ipv4-address | ipv6 ipv6-address }

undo source-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius source-ip command in system view.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing RADIUS packets.

The device selects a source IP address for outgoing RADIUS packets in the following order:

1.     The source IP address specified by using the source-ip command in RADIUS scheme view.

2.     The source IP address specified by using the radius source-ip command in system view.

3.     The NAS IP address specified by using the nas-ip command in RADIUS scheme view.

4.     The NAS IP address specified by using the radius nas-ip command in system view.

5.     The IP address of the outbound interface for the outgoing RADIUS packets.

A RADIUS scheme can have only one source IPv4 address and one source IPv6 address for outgoing RADIUS packets.

If you do not specify the ipv6 keyword for the undo source-ip command, the command removes the configured source IPv4 address for outgoing RADIUS packets.
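The address rules and the five-level precedence order above, as an added checker that is not H3C code. It assumes each precedence level holds at most one address (the page lists the levels without distinguishing families, so the version match is this example's own rule); the field names and all sample addresses are constructed.

```python
"""Source-address selection for outgoing RADIUS packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")      # multicast
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")      # reserved; includes 255.255.255.255
V4_LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")  # the 127/8 range, not a loopback *interface*


def ipv4_source_ok(text: str) -> bool:
    """Page rule for ipv4-address: not 0.0.0.0, not 255.255.255.255, not a
    class D or class E address, not a loopback address."""
    try:
        a = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    if a in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        return False
    return not (a in CLASS_D or a in CLASS_E or a in V4_LOOPBACK)


def ipv6_source_ok(text: str) -> bool:
    """Page rule for ipv6-address: a unicast address that is neither the
    loopback address nor a link-local address."""
    try:
        a = ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return not (a.is_multicast or a.is_loopback or a.is_link_local)


def source_ok(text: str, device_addresses: Sequence[str]) -> bool:
    """Full check: acceptable for its family and actually one of the device's
    own addresses (a LoopBack interface address such as 10.1.1.1 qualifies,
    which is the page's recommended choice)."""
    if text not in device_addresses:
        return False
    try:
        version = ipaddress.ip_address(text).version
    except ValueError:
        return False
    return ipv4_source_ok(text) if version == 4 else ipv6_source_ok(text)


@dataclass(frozen=True)
class SourceConfig:
    """One slot per precedence level; None means the command is not configured.
    Assumption for this example: a slot holds a single address of either family."""
    scheme_source_ip: Optional[str] = None   # 1. source-ip (RADIUS scheme view)
    global_source_ip: Optional[str] = None   # 2. radius source-ip (system view)
    scheme_nas_ip: Optional[str] = None      # 3. nas-ip (RADIUS scheme view)
    global_nas_ip: Optional[str] = None      # 4. radius nas-ip (system view)


def select_source(cfg: SourceConfig, outbound_interface_ip: str, version: int = 4) -> Tuple[str, str]:
    """Return (address, origin): the first configured level whose address has
    the requested IP version, else the outbound interface address (level 5)."""
    levels = [
        ("source-ip (scheme)", cfg.scheme_source_ip),
        ("radius source-ip (system)", cfg.global_source_ip),
        ("nas-ip (scheme)", cfg.scheme_nas_ip),
        ("radius nas-ip (system)", cfg.global_nas_ip),
    ]
    for origin, addr in levels:
        if addr is not None and ipaddress.ip_address(addr).version == version:
            return addr, origin
    return outbound_interface_ip, "outbound interface"


if __name__ == "__main__":
    # Constructed configuration: only the system-view radius source-ip is set.
    cfg = SourceConfig(global_source_ip="10.1.1.1", scheme_nas_ip="10.2.2.2")
    print(select_source(cfg, outbound_interface_ip="192.0.2.1"))
    print(source_ok("10.1.1.1", ["10.1.1.1", "192.0.2.1"]))
```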

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the source IPv4 address of outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] source-ip 10.1.1.1

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

radius nas-ip

radius source-ip

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

A primary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the primary RADIUS accounting server.

authentication: Specifies the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of the primary authentication server to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

display radius scheme

radius-server test-profile

server-load-sharing enable

state secondary

state private

Use state private to set the state of a private RADIUS server.

Syntax

state private { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } ] { active | block }

Default

A private RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a private RADIUS accounting server.

authentication: Specifies a private RADIUS authentication server.

ipv4-address: Specifies the IPv4 address of a private RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a private RADIUS server.

port-number: Specifies the UDP service port number of a private RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

active: Specifies the active state. The device sends requests to a private server when it is in active state.

block: Specifies the blocked state. The device does not send requests to a private server when it is in blocked state.

Usage guidelines

The device automatically detects reachability of a private server and changes its state from active to blocked if the server is unreachable. The blocked state persists only for the period set by using the timer quiet command. When the quiet timer expires, the state of the server automatically changes to active.

To prevent the server state from automatically changing from blocked to active, use this command to manually place the server in blocked state before the quiet timer expires. A manually blocked server stays blocked until you use this command again to restore it to active state.

If you do not specify a server IP address, this command changes the state of all private RADIUS accounting or authentication servers specified in the scheme.

Examples

# Block all private authentication servers in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state private authentication block

Related commands

display radius scheme

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

A secondary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a secondary RADIUS accounting server.

authentication: Specifies a secondary RADIUS authentication server.

host-name: Specifies the host name of the secondary RADIUS server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Specifies the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of all the secondary authentication servers to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

display radius scheme

radius-server test-profile

server-load-sharing enable

state primary

stop-accounting-buffer enable (RADIUS scheme view)

Use stop-accounting-buffer enable to enable buffering of RADIUS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable the buffering feature.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers the RADIUS stop-accounting requests to which no responses have been received.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer a RADIUS stop-accounting request that has no response after the maximum transmission attempts (set by using the retry command) have been made. The device resends the buffered request until it receives a server response or until the number of stop-accounting request transmission attempts reaches the upper limit. If no more attempts are available, the device discards the request. However, if you have removed an accounting server, stop-accounting requests destined for that server are not buffered.

Examples

# Enable buffering of RADIUS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for RADIUS)

reset stop-accounting-buffer (for RADIUS)

stop-accounting-packet send-force

Use stop-accounting-packet send-force to enable forcibly sending stop-accounting packets. The device will send stop-accounting packets when users for which no start-accounting packets are sent go offline.

Use undo stop-accounting-packet send-force to disable forcibly sending stop-accounting packets.

Syntax

stop-accounting-packet send-force

undo stop-accounting-packet send-force

Default

Forcibly sending stop-accounting packets is disabled. The device does not send stop-accounting packets when users for which no start-accounting packets are sent go offline.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Typically, if the device does not send a start-accounting packet to the RADIUS server for an authenticated user, it does not send a stop-accounting packet when the user goes offline. If the server has generated a user entry for a user for which it received no start-accounting packet, it does not release that user entry when the user goes offline. This feature forces the device to send stop-accounting packets to the RADIUS server when such users go offline, so that the server can release their user entries promptly.

Examples

# In RADIUS scheme radius1, enable forcibly sending stop-accounting packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-packet send-force

Related commands

display radius scheme

test-aaa

Use test-aaa to perform an AAA test.

Syntax

test-aaa user user-name password password radius-scheme radius-scheme-name [ radius-server { ipv4-address | ipv6 ipv6-address } port-number [ vpn-instance vpn-instance-name ] ] [ chap | pap ] [ attribute-test-group attr-test-group-name ] [ trace ]

Views

User view

Predefined user roles

network-admin

Parameters

user user-name: Specifies the test username, a string of 1 to 80 characters. The username can be a pure username or contain a domain name. The format for a username containing a domain name is pure-username@domain-name. The pure username is case sensitive and the domain name is case insensitive.

password password: Specifies the password of the test user, a case-sensitive string of 1 to 63 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-server: Specifies a RADIUS server.

ipv4-address: Specifies the IPv4 address of the RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of the RADIUS server.

port-number: Specifies the UDP port number of the RADIUS server, in the range of 1 to 65535.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

chap: Specifies the CHAP authentication method (the default).

pap: Specifies the PAP authentication method.

attribute-test-group attr-test-group-name: Specifies a RADIUS attribute test group by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a RADIUS attribute test group or the specified RADIUS attribute test group does not exist, the device does not change the attributes carried in authentication or accounting requests.

trace: Displays detailed information about RADIUS packets exchanged during the AAA test. If you do not specify this keyword, the command displays brief information about the AAA test, including the sent and received packets and the test result.

Usage guidelines

Use this command to identify the reasons for the failure of interaction between the device and the AAA servers.

The device might communicate with the AAA servers incorrectly during an AAA test. Make sure no users come online or go offline during an AAA test.

If the configuration of the specified RADIUS scheme changes, the new configuration does not affect the current AAA test. The modification will take effect in the next test.

The system can have only one AAA test at a time. Another AAA test can be performed only after the current test finishes.

Examples

# Perform an AAA test and display detailed information about the test. The test uses username user1, password 123456, the CHAP authentication method, and RADIUS scheme test.

<Sysname> test-aaa user user1 password 123456 radius-scheme test chap trace

Sent a RADIUS authentication request.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1812

  Packet type  : Authentication request

  Packet length: 118 bytes

  Packet ID    : 0

  Attribute list:

    [User-Name(1)]                 [6]   [user1]

    [CHAP-Password(3)]             [19]  [******]

    [NAS-IP-Address(4)]            [6]   [192.168.1.166]

    [Service-Type(6)]              [6]   [2] [Framed]

    [Framed-Protocol(7)]           [6]   [1] [PPP]

    [NAS-Identifier(32)]           [5]   [Sysname]

    [Acct-Session-Id(44)]          [40]  [00000008201707241008280000000c16100171]

    [CHAP-Challenge(60)]           [18]  [******]

    [NAS-Port-Type(61)]            [6]   [15] [Ethernet]

 

Received a RADIUS authentication response.

  Server IP    : 192.168.1.110

  Source IP    : 192.168.1.166

  VPN instance : N/A

  Server port  : 1812

  Packet type  : Access-Reject

  Packet length: 20 bytes

  Packet ID    : 0

  Reply-Message: "E63032: Incorrect password. You can retry 9 times."

 

Sent a RADIUS start-accounting request.

  Server IP    : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Start-accounting request

  Packet length: 63 bytes

  Packet ID    : 1

  Attribute list:

    [User-Name(1)]                  [6]   [user1]

    [Acct-Status-Type(40)]          [6]   [1] [Start]

    [NAS-IP-Address(4)]             [6]   [192.168.1.166]

    [NAS-Identifier(32)]            [5]   [Sysname]

    [Acct-Session-Id(44)]           [40]  [00000008201707241008280000000c16100171]

 

Received a RADIUS start-accounting response.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Start-accounting response

  Packet length: 20 bytes

  Packet ID    : 1

 

Sent a RADIUS stop-accounting request.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Stop-accounting request

  Packet length: 91 bytes

  Packet ID    : 1

  Attribute list:

    [User-Name(1)]                  [6]   [user1]

    [Acct-Status-Type(40)]          [6]   [2] [Stop]

    [NAS-IP-Address(4)]             [6]   [192.168.1.166]

    [NAS-Identifier(32)]            [5]   [Sysname]

    [Acct-Delay-Time(41)]           [6]   [0]

    [Acct-Session-Id(44)]           [40]  [00000008201707241008280000000c16100171]

    [Acct-Terminate-Cause(49)]      [6]   [1] [User Request]

 

Received a RADIUS stop-accounting response.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Stop-accounting response

  Packet length: 20 bytes

  Packet ID    : 1

 

Test result: Failed

# Perform an AAA test and display brief information about the test. The test uses username user1, password 123456 and the CHAP authentication method to test RADIUS server at 192.168.1.110 in RADIUS scheme test.

<Sysname> test-aaa user user1 password 123456 radius-scheme test radius-server 192.168.1.110 1812

Sent a RADIUS authentication request.

Received a RADIUS authentication response.

 

Test result: Successful

Table 13 Command output

Field: Description

Server IP: IP address of the server.

Source IP: Source IP address of the RADIUS packet.

VPN instance: MPLS L3VPN instance to which the server belongs. This field displays N/A if the server belongs to the public network.

Server port: UDP port number of the server.

Packet type: Type of the RADIUS packet:

·     Authentication request.

·     Access-Accept.

·     Access-Reject.

·     Start-accounting request.

·     Start-accounting response.

·     Stop-accounting request.

·     Stop-accounting response.

Packet length: Total length of the RADIUS packet, in bytes.

Packet ID: ID of the RADIUS packet. This field is used to identify a pair of request and response packets.

[attribute-name (code)]  [length]  [value] [description]: Information about a RADIUS attribute:

·     attribute-name—Name of the attribute.

·     code—Code of the attribute.

·     length—Length of the attribute, in bytes.

·     value—Value of the attribute.

·     description—Description of the attribute.

Reply-Message: The RADIUS server rejected the authentication request and replied with a message.

Test result: Result of the AAA test:

·     Successful—The test has succeeded.

·     Failed—The test has failed. If any request is rejected, the test fails.

 

Related commands

radius attribute-test-group

radius scheme
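The trace output above follows a fixed layout (a "Sent/Received a RADIUS ..." header, indented key/value fields, an attribute list, and a final "Test result" line). The following parser is an added illustration, not H3C code: it turns such a trace into packet records, pairs each request with the response carrying the same Packet ID, and pulls out any Reply-Message returned with an Access-Reject, which is usually the first thing an operator wants from a failed test. SAMPLE_TRACE is the page's own trace, abbreviated, with the stop-accounting response deliberately omitted to show how an unanswered request is reported.

```python
"""Added parser for the test-aaa ... trace output shown above (not H3C code).
SAMPLE_TRACE is the page's own trace, abbreviated, with the stop-accounting
response deliberately omitted to show how an unanswered request is reported."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Sent a RADIUS authentication request.
  Server  IP   : 192.168.1.110
  Server port  : 1812
  Packet type  : Authentication request
  Packet ID    : 0
  Attribute list:
    [User-Name(1)]                 [6]   [user1]
    [Service-Type(6)]              [6]   [2] [Framed]

Received a RADIUS authentication response.
  Server IP    : 192.168.1.110
  Server port  : 1812
  Packet type  : Access-Reject
  Packet ID    : 0
  Reply-Message: "E63032: Incorrect password. You can retry 9 times."

Sent a RADIUS stop-accounting request.
  Server  IP   : 192.168.1.110
  Server port  : 1813
  Packet type  : Stop-accounting request
  Packet ID    : 1
  Attribute list:
    [User-Name(1)]                  [6]   [user1]
    [Acct-Terminate-Cause(49)]      [6]   [1] [User Request]

Test result: Failed
"""

HEADER_RE = re.compile(r"^(Sent|Received) a RADIUS (.+?)\.$")
ATTR_RE = re.compile(r"^\s*\[(?P<name>[^(\]]+)\((?P<code>\d+)\)\]\s+\[(?P<length>\d+)\]\s+"
                     r"\[(?P<value>[^\]]*)\](?:\s+\[(?P<desc>[^\]]*)\])?\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>.*)$")

Attribute = namedtuple("Attribute", "name code length value description")

@dataclass
class Packet:
    direction: str                                 # "Sent" or "Received"
    fields: dict = field(default_factory=dict)     # "Server IP", "Packet type", "Packet ID", ...
    attributes: list = field(default_factory=list)

    @property
    def packet_type(self):
        return self.fields.get("Packet type", "")

def parse_trace(text):
    """Return (packets in order, value of the 'Test result' line)."""
    packets, result, current = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Packet(direction=m.group(1))
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attributes.append(Attribute(m["name"].strip(), int(m["code"]),
                                                int(m["length"]), m["value"], m["desc"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = " ".join(m["key"].split()), m["val"].strip()  # "Server  IP" -> "Server IP"
            if key == "Test result":
                result = val
            elif current is not None and key != "Attribute list":
                current.fields[key] = val
    return packets, result

def pair_exchanges(packets):
    """Pair each sent request with the next received packet carrying the same Packet ID."""
    exchanges, pending = [], None
    for p in packets:
        if p.direction == "Sent":
            if pending is not None:
                exchanges.append((pending.packet_type, "no response"))
            pending = p
        elif pending is not None and p.fields.get("Packet ID") == pending.fields.get("Packet ID"):
            exchanges.append((pending.packet_type, p.packet_type))
            pending = None
    if pending is not None:
        exchanges.append((pending.packet_type, "no response"))
    return exchanges

def summarize(text):
    """Exchange list plus any Reply-Message returned with an Access-Reject."""
    packets, result = parse_trace(text)
    rejects = [p.fields["Reply-Message"] for p in packets
               if p.packet_type == "Access-Reject" and "Reply-Message" in p.fields]
    return {"result": result, "exchanges": pair_exchanges(packets), "reject_messages": rejects}
```

Pairing is done sequentially rather than by Packet ID alone because, as the full trace on this page shows, the start-accounting and stop-accounting exchanges can reuse the same Packet ID.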

threshold remanent-volume

Use threshold remanent-volume to set the available data threshold.

Use undo threshold remanent-volume to restore the default.

Syntax

threshold remanent-volume threshold-value

undo threshold remanent-volume

Default

The available data threshold is 0.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the available data threshold, in the range of 0 to 4294967295. The unit is set by using the attribute remanent-volume unit command.

Usage guidelines

Use this command if the RADIUS server divides the total data quota of an authenticated user into multiple equal portions and assigns one portion to the user each time. When the user's available data on the device drops to the threshold, the device sends a realtime accounting request to the RADIUS server to apply for a new portion. This process continues until the user uses up the total data quota.

Examples

# In RADIUS scheme radius1, set the available data threshold to 2048 MB.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] threshold remanent-volume 2048

[Sysname-radius-radius1] attribute remanent-volume unit mega-byte

Related commands

attribute remanent-volume unit

display radius scheme

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
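The active/blocked handling described under state primary, state secondary and this command is easier to reason about as a small state machine. The following model is an added illustration, not H3C code: the server names, the reachable flag and minute-based time are constructed, only the non-load-sharing selection path is modelled, and the interaction with test profiles is left out. It reproduces the three rules the guidelines state: an unreachable server is blocked and its quiet timer started, the timer returns it to active unless it was blocked manually in the meantime, and when every server is blocked the primary is still tried.

```python
"""Added model of RADIUS server status handling (active/blocked, quiet timer,
manual block) as described for state primary, state secondary and timer quiet.
Not H3C code: server names, the 'reachable' flag and minute-based time are
constructed; load sharing and test profiles are not modelled."""
from dataclasses import dataclass
from typing import List, Optional

QUIET_TIMER_DEFAULT_MIN = 5   # default of timer quiet in a RADIUS scheme


@dataclass
class RadiusServer:
    name: str
    role: str                          # "primary" or "secondary"
    reachable: bool = True             # constructed: simulated network reachability
    state: str = "active"              # "active" or "block"
    quiet_until: Optional[int] = None  # minute at which the quiet timer expires
    manual_block: bool = False         # set by 'state ... block' before the timer expired


class RadiusScheme:
    def __init__(self, servers: List[RadiusServer], quiet_minutes: int = QUIET_TIMER_DEFAULT_MIN):
        self.servers = servers
        self.quiet_minutes = quiet_minutes

    def expire_quiet_timers(self, now: int) -> None:
        """A blocked server returns to active when its quiet timer expires,
        unless it was manually blocked before the timer ran out."""
        for s in self.servers:
            if (s.state == "block" and not s.manual_block
                    and s.quiet_until is not None and now >= s.quiet_until):
                s.state, s.quiet_until = "active", None

    def set_state(self, name: str, state: str) -> None:
        """Equivalent of 'state primary|secondary ... { active | block }'."""
        for s in self.servers:
            if s.name == name:
                s.state = state
                s.manual_block = state == "block"
                if state == "active":
                    s.quiet_until = None
                return
        raise KeyError(name)

    def _attempt(self, s: RadiusServer, now: int) -> bool:
        """Try the server; on failure block it and start its quiet timer."""
        if s.reachable:
            return True
        s.state, s.quiet_until = "block", now + self.quiet_minutes
        return False

    def select_server(self, now: int) -> Optional[str]:
        """Name of the server the device ends up talking to at minute 'now',
        or None when the request fails (every candidate unreachable)."""
        self.expire_quiet_timers(now)
        primary = [s for s in self.servers if s.role == "primary"]
        secondary = [s for s in self.servers if s.role == "secondary"]
        candidates = [s for s in primary + secondary if s.state == "active"]
        if not candidates:
            candidates = primary        # all blocked: the device still tries the primary
        for s in candidates:
            if self._attempt(s, now):
                return s.name
        return None


def scenario() -> list:
    """Walk through the page's rules; the returned trace is what the test checks."""
    p, s1, s2 = (RadiusServer("P", "primary"),
                 RadiusServer("S1", "secondary"), RadiusServer("S2", "secondary"))
    scheme = RadiusScheme([p, s1, s2], quiet_minutes=5)
    trace = [scheme.select_server(now=0)]          # P: primary active and reachable
    p.reachable = False
    trace.append(scheme.select_server(now=1))      # S1: P blocked, quiet timer runs until minute 6
    trace.append(p.state)                          # "block"
    p.reachable = True
    trace.append(scheme.select_server(now=3))      # S1: P still quiet, not retried
    trace.append(scheme.select_server(now=6))      # P: quiet timer expired, back to active
    p.reachable = False
    trace.append(scheme.select_server(now=10))     # S1: P blocked again until minute 15
    scheme.set_state("P", "block")                 # manual block before the timer expires
    p.reachable = True
    trace.append(scheme.select_server(now=20))     # S1: a manual block does not time out
    scheme.set_state("P", "active")                # only a manual 'active' restores it
    trace.append(scheme.select_server(now=21))     # P
    p.reachable = s1.reachable = s2.reachable = False
    trace.append(scheme.select_server(now=22))     # None: every server blocked, request fails
    p.reachable = True
    trace.append(scheme.select_server(now=23))     # P: all blocked, so the primary is tried anyway
    return trace
```

The two timer-sizing cautions above map directly onto the model: a shorter quiet_minutes means an unreachable server is retried (and fails) sooner, a longer one keeps a recovered server on the bench until the timer runs out.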

Examples

# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval [ second ]

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval: Specifies the real-time accounting interval in the range of 0 to 71582.

second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

If a user uses RADIUS accounting but not RADIUS authentication and authorization, the device performs real-time accounting for that user only based on the real-time accounting interval set in the user's RADIUS accounting scheme. The real-time accounting interval assigned by the RADIUS accounting server does not take effect.

A short interval helps improve accounting precision but requires many system resources.

Table 14 Recommended real-time accounting intervals

Number of users     Real-time accounting interval

1 to 99             3 minutes

100 to 499          6 minutes

500 to 999          12 minutes

1000 or more        15 minutes or longer

 

Examples

# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

If the client times out during the authentication process, the user is immediately logged off. To avoid such logoffs, the product of the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

display radius scheme

retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to a RADIUS server.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
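The three formats, and the collision the second paragraph warns about, as an added illustration that is not H3C code: radius_user_name returns the User-Name the device would send for a login under each user-name-format setting, and find_collisions shows which server-side names would stand for more than one device-side user. The default domain name and the sample logins are constructed for the illustration.

```python
"""Added illustration (not H3C code) of what user-name-format does to the
User-Name sent to RADIUS, and of the userid collision the usage guidelines warn
about when a without-domain scheme serves several ISP domains. The default
domain and the sample logins are constructed."""
from collections import defaultdict

def split_login(entered):
    """Split 'userid@isp-name' into (userid, isp-name); isp-name is None if absent."""
    userid, sep, domain = entered.rpartition("@")
    return (userid, domain) if sep else (entered, None)

def radius_user_name(entered, default_domain, fmt):
    """User-Name the device sends for a login under the given user-name-format.
    default_domain stands in for the device's default ISP domain, used when the
    login carries no domain name (assumption made for this illustration)."""
    userid, domain = split_login(entered)
    if fmt == "keep-original":
        return entered
    if fmt == "with-domain":
        return f"{userid}@{domain or default_domain}"
    if fmt == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format: {fmt}")

def find_collisions(logins, default_domain, fmt):
    """Map each User-Name the server would see to the distinct local identities
    (userid, isp-name) behind it; only names standing for more than one identity
    are returned. Domain names compare case-insensitively, userids case-sensitively."""
    seen = defaultdict(set)
    for login in logins:
        userid, domain = split_login(login)
        identity = (userid, (domain or default_domain).lower())
        seen[radius_user_name(login, default_domain, fmt)].add(identity)
    return {sent: ids for sent, ids in seen.items() if len(ids) > 1}
```

With without-domain, alice@corp and alice@partner both reach the server as alice, which is exactly the case in which the server treats two users as one; with-domain keeps them apart.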

Examples

# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN instance is also configured for an individual RADIUS server, the VPN instance specified for the RADIUS scheme does not take effect on that server.

Examples

# Specify VPN instance test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

EAP profile commands

ca-file

Use ca-file to specify a CA certificate file for EAP authentication.

Use undo ca-file to restore the default.

Syntax

ca-file file-name

undo ca-file

Default

No CA certificate is specified for EAP authentication.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

file-name: Specifies a CA certificate file by its name, a case-sensitive string of 1 to 91 characters. Only CA certificate files in PEM format are supported.

Usage guidelines

You must specify a CA certificate file for the RADIUS server to authenticate certificates of RADIUS clients if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, or TTLS-MSCHAPv2 EAP authentication method is used.

Before you specify a CA certificate file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.

You can specify only one CA certificate file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In EAP profile eap1, specify CA certificate file ca.pem for EAP authentication.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] ca-file ca.pem

Related commands

certificate-file

certificate-file

Use certificate-file to specify a local certificate file for EAP authentication.

Use undo certificate-file to restore the default.

Syntax

certificate-file file-name

undo certificate-file

Default

No local certificate file is specified for EAP authentication.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

file-name: Specifies a certificate file by its name, a case-sensitive string of 1 to 91 characters. Only certificate files in PEM format are supported.

Usage guidelines

You must specify a local certificate file if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, TTLS-MSCHAPv2, or TLS EAP authentication method is used and RADIUS clients request to authenticate the certificate of the RADIUS server.

Before you specify a local certificate file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.

You can specify only one local certificate file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.

For the RADIUS server to start up, you must specify a local certificate file.

Examples

# In EAP profile eap1, specify certificate file server.pem as the local certificate file for EAP authentication.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] certificate-file server.pem

Related commands

private-key-file

eap-profile

Use eap-profile to create an EAP profile and enter its view, or enter the view of an existing EAP profile.

Use undo eap-profile to delete an EAP profile.

Syntax

eap-profile eap-profile-name

undo eap-profile eap-profile-name

Default

No EAP profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

eap-profile-name: Specifies the EAP profile name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

An EAP profile is a collection of EAP authentication settings, including the EAP authentication method and authentication parameters used by the RADIUS server to perform authentication.

You can configure a maximum of 16 EAP profiles.

If an EAP profile is applied to the local RADIUS server, all settings in the EAP profile take effect only after the RADIUS server configuration is activated by using the radius-server activate command.

Examples

# Create an EAP profile named eap1 and enter its view.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1]

Related commands

display radius-server active-eap-profile

radius-server activate

radius-server test-profile

method

Use method to specify the default EAP authentication method.

Use undo method to restore the default.

Syntax

method { md5 | peap-gtc | peap-mschapv2 | tls | ttls-gtc | ttls-mschapv2 }

undo method

Default

The default EAP authentication method is the MD5-challenge method.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

md5: Specifies the MD5-challenge method.

peap-gtc: Specifies the PEAP-GTC method.

peap-mschapv2: Specifies the PEAP-MSCHAPv2 method.

tls: Specifies the TLS method.

ttls-gtc: Specifies the TTLS-GTC method.

ttls-mschapv2: Specifies the TTLS-MSCHAPv2 method.

Usage guidelines

You can specify only one default EAP authentication method in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.

The device supports multiple EAP authentication methods. When the device initiates an authentication request to the peer, it preferentially uses the default EAP authentication method in the EAP profile. If the peer uses a different EAP authentication method, it notifies the device of the EAP authentication methods it supports. The device then selects a method that is supported both locally and by the peer and re-initiates the authentication request. However, if the access device uses the EAP termination mode in authentication for wireless clients, you can specify only PEAP-GTC as the default EAP authentication method.

Examples

# In EAP profile eap1, specify PEAP-GTC as the default EAP authentication method.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] method peap-gtc

Related commands

display radius-server active-eap-profile

private-key-file

Use private-key-file to specify a private key file for the local certificate.

Use undo private-key-file to restore the default.

Syntax

private-key-file file-name

undo private-key-file

Default

No private key file is specified for the local certificate.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

file-name: Specifies a private key file by its name, a case-sensitive string of 1 to 91 characters. Only private key files in PEM format are supported.

Usage guidelines

You must specify a private key file for the RADIUS server to decrypt information encrypted by RADIUS clients if the PEAP-GTC, PEAP-MSCHAPv2, TTLS-GTC, TTLS-MSCHAPv2, or TLS EAP authentication method is used.

If the local certificate file for EAP authentication includes a private key, specify the local certificate file as the private key file.

Before you specify a private key file, you must use FTP or TFTP to transfer the file to the root directory of the default storage medium on the device.

You can specify only one private key file in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.

For the RADIUS server to start up, you must specify a private key file.

Examples

# In EAP profile eap1, specify private key file server.pem for the local certificate.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] private-key-file server.pem

Related commands

certificate-file

display radius-server active-eap-profile

private-key-password

Use private-key-password to specify a private key password for the local certificate.

Use undo private-key-password to restore the default.

Syntax

private-key-password { cipher | simple } string

undo private-key-password

Default

No private key password is specified for the local certificate.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-sensitive string of 1 to 63 characters.

Usage guidelines

The private key password must be provided when the device imports or uses the private key of the local certificate. Make sure the private key password specified by using this command is the same as the private key password provided when the private key is imported to the device.

You can specify only one private key password in an EAP profile. If you execute this command multiple times, the most recent configuration takes effect.

For the RADIUS server to start up, you must specify a private key password.
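Before uploading the files referenced by private-key-file and private-key-password, it helps to confirm what the PEM file actually contains: whether the certificate file bundles its private key (in which case the certificate file itself is named as the key file, as the private-key-file guidelines state), and whether the key is encrypted (in which case the password given to private-key-password must match the one used when the key was created). The following check is an added example, not H3C code. It assumes the PEM conventions of RFC 7468 and OpenSSL: an encrypted PKCS#8 key uses the ENCRYPTED PRIVATE KEY label, and an encrypted traditional key carries a Proc-Type: 4,ENCRYPTED header line. The sample file contents are constructed placeholders, not real keys.

```python
"""PEM inspection for the EAP profile key settings (added example, not H3C code)."""
import re

# One PEM block: label, body (including any OpenSSL header lines), matching end.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Summarize which blocks a PEM file holds and whether its private key
    is encrypted (and so needs private-key-password on the device)."""
    labels, key_encrypted = [], False
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        labels.append(label)
        if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8, encrypted
            key_encrypted = True
        elif label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            key_encrypted = True                        # traditional, encrypted
    return {
        "labels": labels,
        "has_key": any(lab.endswith("PRIVATE KEY") for lab in labels),
        "has_cert": "CERTIFICATE" in labels,
        "key_encrypted": key_encrypted,
    }

def plan_eap_profile(cert_file, cert_text, key_file=None, key_text=None):
    """Derive the private-key-file value and whether private-key-password is
    required, following the usage guidelines: a certificate file that embeds
    its key is named as the key file; an encrypted key needs the password."""
    cert = inspect_pem(cert_text)
    if not cert["has_cert"]:
        raise ValueError(f"{cert_file}: no CERTIFICATE block")
    if cert["has_key"]:
        key_name, key_info = cert_file, cert
    else:
        if key_text is None:
            raise ValueError("certificate has no embedded key; a key file is required")
        key_info = inspect_pem(key_text)
        if not key_info["has_key"]:
            raise ValueError(f"{key_file}: no private key block")
        key_name = key_file
    if len(key_name) > 91:                              # limit from the file-name argument
        raise ValueError("private-key-file name exceeds 91 characters")
    return {"private-key-file": key_name,
            "private-key-password required": key_info["key_encrypted"]}

# Constructed sample files; the base64 bodies are placeholders, not real material.
BUNDLED_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "placeholder...\n-----END RSA PRIVATE KEY-----\n"
)
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
PKCS8_PLAIN_PEM = "-----BEGIN PRIVATE KEY-----\nplaceholder...\n-----END PRIVATE KEY-----\n"
```

For BUNDLED_PEM the plan names server.pem as both certificate and key file and reports that a password is required; for a separate unencrypted PKCS#8 key it names the key file and reports no password. Either way, the file must still be transferred to the root directory of the default storage medium before the command is executed.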

Examples

# In EAP profile eap1, specify plaintext password 123 as the private key password for the local certificate.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] private-key-password simple 123

Related commands

private-key-file

ssl-server-policy

Use ssl-server-policy to specify an SSL server policy for EAP authentication.

Use undo ssl-server-policy to restore the default.

Syntax

ssl-server-policy policy-name

undo ssl-server-policy

Default

No SSL server policy is specified for EAP authentication.

Views

EAP profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL server policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Before you execute this command, you must complete the configuration of the specified SSL server policy and the PKI domain to be specified for this policy. For more information about SSL server policies and PKI domains, see SSL configuration and PKI configuration in Security Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In EAP profile eap1, specify SSL server policy tls-server for EAP authentication.

<Sysname> system-view

[Sysname] eap-profile eap1

[Sysname-eap-profile-eap1] ssl-server-policy tls-server

Related commands

pki-domain (Security Command Reference)

ssl server-policy (Security Command Reference)

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 HWTACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : hwtac

  Index : 0

  Primary Auth Server:

    Host name: Not configured

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Enabled

  Primary Author Server:

    Host name: Not configured

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Disabled

  Primary Acct Server:

    Host name: Not configured

    IP  : Not Configured  Port: 49     State: Block

    VPN Instance: Not configured

    Single-connection: Disabled

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Stop-accounting packets buffering     : Enabled

    Retransmission times                : 100

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : one

------------------------------------------------------------------

Table 15 Command output

Field

Description

Index

Index number of the HWTACACS scheme.

Primary Auth Server

Primary HWTACACS authentication server.

Primary Author Server

Primary HWTACACS authorization server.

Primary Acct Server

Primary HWTACACS accounting server.

Secondary Auth Server

Secondary HWTACACS authentication server.

Secondary Author Server

Secondary HWTACACS authorization server.

Secondary Acct Server

Secondary HWTACACS accounting server.

Host name

Host name of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.

State

Status of the HWTACACS server: active or blocked.

VPN Instance

MPLS L3VPN instance to which the HWTACACS server or scheme belongs. If no VPN instance is specified for the server or scheme, this field displays Not configured.

Single-connection

Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

NAS IP Address

Source IP addresses or source interface for outgoing HWTACACS packets.

This field displays Not configured if no source interface or source IP addresses are specified for outgoing HWTACACS packets.

Server Quiet Period(minutes)

Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes)

Real-time accounting interval, in minutes.

Stop-accounting packets buffering

Whether buffering of nonresponded HWTACACS stop-accounting requests is enabled.

Retransmission times

Maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Response Timeout Interval(seconds)

HWTACACS server response timeout period, in seconds.

Username Format

Format for the usernames sent to the HWTACACS server:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flows.

Packet unit

Measurement unit for packets.

 

# Display statistics for HWTACACS scheme tac.

<Sysname> display hwtacacs scheme tac statistics

HWTACACS scheme name: tac

  Primary authentication server: 111.8.0.244 (Port: 49, VPN instance: -)

    Round trip time:                                20 seconds

    Request packets:                                1

    Login request packets:                          1

    Change-password request packets:                0

    Request packets including plaintext passwords:  0

    Request packets including ciphertext passwords: 0

    Response packets:                               2

    Pass response packets:                          1

    Failure response packets:                       0

    Get-data response packets:                      0

    Get-username response packets:                  0

    Get-password response packets:                  1

    Restart response packets:                       0

    Error response packets:                         0

    Follow response packets:                        0

    Malformed response packets:                     0

    Continue packets:                               1

    Continue-abort packets:                         0

    Pending request packets:                        0

    Timeout packets:                                0

    Unknown type response packets:                  0

    Dropped response packets:                       0

 

  Primary authorization server :111.8.0.244 (Port: 49, VPN instance: -)

    Round trip time:                               1 seconds

    Request packets:                               1

    Response packets:                              1

    PassAdd response packets:                      1

    PassReply response packets:                    0

    Failure response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Pending request packets:                       0

    Timeout packets:                               0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

  Primary accounting server :111.8.0.244 (Port: 49, VPN instance: -)

    Round trip time:                               0 seconds

    Request packets:                               2

    Accounting start request packets:              1

    Accounting stop request packets:               1

    Accounting update request packets:             0

    Pending request packets:                       0

    Response packets:                              2

    Success response packets:                      2

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Timeout response packets:                      0

    Unknown type response packets:                 0

    Dropped response packets:                      0

Table 16 Command output

Field

Description

Primary authentication server

Primary HWTACACS authentication server.

Primary authorization server

Primary HWTACACS authorization server.

Primary accounting server

Primary HWTACACS accounting server.

Secondary authentication server

Secondary HWTACACS authentication server.

Secondary authorization server

Secondary HWTACACS authorization server.

Secondary accounting server

Secondary HWTACACS accounting server.

Port

Port number of the HWTACACS server.

VPN instance

VPN instance to which the HWTACACS server or scheme belongs.

If the HWTACACS server or scheme belongs to the public network, this field displays a hyphen (-).

Round trip time

Time between sending a request and receiving its response, in seconds.

Request packets

Total number of sent request packets.

Login request packets

Number of sent login request packets.

Change-password request packets

Number of sent request packets for changing passwords.

Request packets including plaintext passwords

Number of request packets that include plaintext passwords.

Request packets including ciphertext passwords

Number of request packets that include ciphertext passwords.

Response packets

Total number of received response packets.

Pass response packets

Number of response packets indicating successful authentication.

Failure response packets

Number of response packets indicating authentication or authorization failure.

Get-data response packets

Number of response packets for obtaining user data.

Get-username response packets

Number of response packets for obtaining usernames.

Get-password response packets

Number of response packets for obtaining passwords.

Restart response packets

Number of response packets for reauthentication.

Error response packets

Number of error-type response packets.

Follow response packets

Number of follow-type response packets.

Malformed response packets

Number of malformed response packets.

Continue packets

Number of sent Continue packets.

Continue-abort packets

Number of sent Continue-abort packets.

Pending request packets

Number of request packets waiting for a response.

Timeout packets/Timeout response packets

Number of requests for which no response was received before the response timeout interval expired.

Unknown type response packets

Number of unknown-type response packets.

Dropped response packets

Number of dropped response packets.

PassAdd response packets

Number of received PassAdd response packets. The packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.

PassReply response packets

Number of received PassReply response packets. The device uses the specified authorization attributes in the packets to replace the requested authorization attributes.

Accounting start request packets

Number of accounting start request packets.

Accounting stop request packets

Number of accounting stop request packets.

Accounting update request packets

Number of accounting update request packets.

Success response packets

Number of accounting success response packets.
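The statistics above are the first place to look when HWTACACS logins stall or the server is suspected of misbehaving. The following parser and checks are an added example, not H3C code: they read the text of display hwtacacs scheme name statistics, split it by server role, and flag counters that indicate protocol or transport trouble (malformed, unknown-type, dropped and error responses, timeouts, a round trip time above the 5-second response timeout shown in the scheme output above, and a high share of authentication failures). The sample text is constructed from the example output above with a few counters changed so that the checks fire; the 5-second and 50% thresholds are assumptions to adjust per deployment.

```python
"""Parse and sanity-check HWTACACS scheme statistics (added example, not H3C code)."""
import re

# "  Primary authentication server: 1.2.3.4 (Port: 49, VPN instance: -)"
# The output uses both "server:" and "server :" so the colon spacing is loose.
SERVER_RE = re.compile(
    r"^\s{2}(\S.*?server)\s*:\s*(\S+)\s+\(Port:\s*(\d+),\s*VPN instance:\s*(\S+)\)")
# "    Round trip time:          20 seconds"  /  "    Request packets:   1"
COUNTER_RE = re.compile(r"^\s{4}(.+?):\s+(\d+)(?:\s+seconds)?\s*$")

def parse_statistics(text):
    """Return {role: {address, port, vpn, counters{name: int}}} per server."""
    result, current = {}, None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            role, addr, port, vpn = m.groups()
            current = {"address": addr, "port": int(port), "vpn": vpn, "counters": {}}
            result[role.strip()] = current
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current["counters"][m.group(1).strip()] = int(m.group(2))
    return result

def check_statistics(stats, rtt_limit=5, fail_ratio_limit=0.5):
    """Return (role, issue, value) tuples worth an operator's attention.
    Thresholds are assumptions, not values from the documentation."""
    findings = []
    for role, srv in stats.items():
        c = srv["counters"]
        for name in ("Malformed response packets", "Unknown type response packets",
                     "Dropped response packets", "Error response packets"):
            if c.get(name, 0):
                findings.append((role, name, c[name]))
        timeouts = c.get("Timeout packets", c.get("Timeout response packets", 0))
        if timeouts:
            findings.append((role, "requests timed out", timeouts))
        if c.get("Round trip time", 0) > rtt_limit:
            findings.append((role, "round trip time above limit", c["Round trip time"]))
        if "authentication" in role:
            fails, total = c.get("Failure response packets", 0), c.get("Request packets", 0)
            if total and fails / total >= fail_ratio_limit:
                findings.append((role, "authentication failure ratio", fails / total))
    return findings

# Constructed sample, derived from the documented output with altered counters.
SAMPLE = """\
HWTACACS scheme name: tac
  Primary authentication server: 111.8.0.244 (Port: 49, VPN instance: -)
    Round trip time:                                20 seconds
    Request packets:                                5
    Login request packets:                          5
    Request packets including plaintext passwords:  0
    Response packets:                               6
    Pass response packets:                          1
    Failure response packets:                       3
    Get-password response packets:                  1
    Error response packets:                         0
    Malformed response packets:                     1
    Continue packets:                               1
    Pending request packets:                        0
    Timeout packets:                                1
    Unknown type response packets:                  0
    Dropped response packets:                       0

  Primary authorization server :111.8.0.244 (Port: 49, VPN instance: -)
    Round trip time:                               1 seconds
    Request packets:                               1
    Response packets:                              1
    PassAdd response packets:                      1
    Failure response packets:                      0
    Malformed response packets:                    0
    Timeout packets:                               0
    Dropped response packets:                      0
"""
```

On the sample, the authentication server produces four findings (a malformed response, one timeout, a 20-second round trip time, and 3 failures out of 5 requests) and the authorization server none. Use reset hwtacacs statistics to zero the counters after investigating, so the next run reflects only new traffic.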

 

Related commands

reset hwtacacs statistics

display stop-accounting-buffer (for HWTACACS)

Use display stop-accounting-buffer to display information about buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display information about nonresponded stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

Total entries: 2

Scheme    IP address        Username      First sending time     Attempts

hwt1      192.168.100.1     abc           23:27:16-01/15/2020    19

hwt1      192.168.90.6      bob           23:33:01-01/15/2020    20

Table 17 Command output

Field

Description

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.

 

Related commands

reset stop-accounting-buffer (for HWTACACS)

retry stop-accounting (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

user-name-format (HWTACACS scheme view)

hwtacacs dscp

Use hwtacacs dscp to change the DSCP priority of HWTACACS packets.

Use undo hwtacacs dscp to restore the default.

Syntax

hwtacacs [ ipv6 ] dscp dscp-value

undo hwtacacs [ ipv6 ] dscp

Default

The DSCP priority of HWTACACS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 HWTACACS packets. If you do not specify this keyword, the command sets the DSCP priority for IPv4 HWTACACS packets.

dscp-value: Specifies the DSCP priority of HWTACACS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

To change the transmission priority of HWTACACS packets, change the DSCP priority for them.

DSCP priority is contained in the ToS field of the IPv4 header and in the Traffic Class field of the IPv6 header.

Examples

# Set the DSCP priority of IPv4 HWTACACS packets to 10.

<Sysname> system-view

[Sysname] hwtacacs dscp 10

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete the specified source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { interface interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo hwtacacs nas-ip { interface | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

Default

The source IP address of an HWTACACS packet sent to the server is the primary IPv4 address or the IPv6 address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the source IP address of an outgoing HWTACACS packet.

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses in system view, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address in system view.

You can specify only one source interface to provide the source IP address for outgoing HWTACACS packets. Make sure the route between the source interface and the HWTACACS server is reachable.

The source interface configuration and the source IP address configuration overwrite each other.

Examples

# Specify IP address 129.10.10.1 as the source IP address for HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure HWTACACS accounting communication.

authentication: Specifies the shared key for secure HWTACACS authentication communication.

authorization: Specifies the shared key for secure HWTACACS authorization communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.
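What "secure communication" with the shared key means on the wire, as an added example that is not H3C code: in TACACS+, the packet body is XORed with an MD5-derived pseudo-pad built from the session ID, the shared key, the version and the sequence number (RFC 8907, section 4.5). The assumption here is that HWTACACS packets use the same TACACS+ packet format and obfuscation. The example shows why a key mismatch breaks every exchange (the server recovers garbage rather than a clean error) and why the key is the only secret protecting passwords on TCP port 49, so it should be long and random.

```python
"""TACACS+ body obfuscation with the shared key (added example, not H3C code).
Assumption: HWTACACS follows the TACACS+ packet format of RFC 8907."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1              # packet type: authentication
# Header: version, type, seq_no, flags, session_id, body length
HDR = struct.Struct("!BBBBII")

def pseudo_pad(key, session_id, version, seq_no, length):
    """Keystream per RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated and
    truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(key, session_id, version, seq_no, body):
    """XOR with the pad; the same call both hides and recovers the body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(key, session_id, seq_no, body, ptype=TAC_PLUS_AUTHEN):
    """NAS side: header in the clear, body obfuscated with the shared key."""
    hdr = HDR.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(key, session_id, TAC_PLUS_VERSION, seq_no, body)

def open_packet(key, pkt):
    """Server side: recover the body with the locally configured key."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(pkt[:HDR.size])
    body = pkt[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return obfuscate(key, session_id, version, seq_no, body)

def roundtrip(client_key, server_key, body, session_id=0x1234ABCD):
    """Body the server recovers; equals the input only when the keys match."""
    return open_packet(server_key, build_packet(client_key, session_id, 1, body))
```

Because the pad depends only on header fields visible on the wire plus the key, anyone holding the key can decode captured sessions; the device's separate authentication, authorization and accounting keys limit what a single leaked key exposes.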

Examples

# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete the specified source IP address for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address }

undo nas-ip [ interface | ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not used, the source IP address is the primary IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The device uses the primary IPv4 address or the IPv6 address of the interface as the source IP address of an outgoing HWTACACS packet.

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

For an HWTACACS scheme, the following restrictions apply:

·     You can specify only one source IPv4 address and one source IPv6 address for outgoing HWTACACS packets.

·     You can specify only one source interface to provide the source IP address for outgoing HWTACACS packets. Make sure the route between the source interface and the HWTACACS server is reachable.

·     The source interface configuration and the source IP address configuration overwrite each other.

If you do not specify any parameter for the undo nas-ip command, the command deletes the configured source IPv4 address for outgoing HWTACACS packets.

Examples

# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

display hwtacacs scheme

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

The primary HWTACACS accounting server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword if the HWTACACS server supports the single-connection method. Reusing one TCP connection for all users reduces the number of connections and improves system performance.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

The primary HWTACACS authentication server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection at each authentication.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to restore the default.

Syntax

primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

The primary HWTACACS authorization server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authorization (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

reset stop-accounting-buffer (for HWTACACS)

Use reset stop-accounting-buffer to clear buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

User view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Clear buffered stop-accounting requests for HWTACACS scheme hwt1 that have received no response.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

Related commands

display stop-accounting-buffer (for HWTACACS)

stop-accounting-buffer enable (HWTACACS scheme view)

retry stop-accounting (HWTACACS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests. The value range is 1 to 300.

Examples

# In HWTACACS scheme hwt1, set the maximum number of HWTACACS stop-accounting attempts to 300.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 300

Related commands

display stop-accounting-buffer (for HWTACACS)

timer response-timeout (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authentication servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of a secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authorization servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authorization (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)
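The primary and secondary server commands above are normally combined in one scheme. The following session is an added example, not taken from this manual: the scheme name hwt-corp, the VPN instance names mgmt-vpn and dr-vpn, the 10.0.0.x and 10.0.1.x addresses and the key strings are constructed placeholders. It shows one server per function in each role, a per-server vpn-instance overriding the scheme-level one, and the targeted undo form for a single secondary server.

```text
<Sysname> system-view
[Sysname] hwtacacs scheme hwt-corp
# Scheme-level VPN instance (constructed name). It applies to every server
# in the scheme that does not carry its own vpn-instance option.
[Sysname-hwtacacs-hwt-corp] vpn-instance mgmt-vpn
# Primary servers, one per function, all reached through mgmt-vpn. Each
# function uses its own shared key (constructed placeholders). A key given
# with the simple keyword is stored in encrypted form, so the plaintext does
# not appear in the saved configuration. single-connection reuses one TCP
# connection per server for all users.
[Sysname-hwtacacs-hwt-corp] primary authentication 10.0.0.11 49 key simple Example-Auth-Key-1 single-connection
[Sysname-hwtacacs-hwt-corp] primary authorization 10.0.0.11 49 key simple Example-Autr-Key-1 single-connection
[Sysname-hwtacacs-hwt-corp] primary accounting 10.0.0.12 49 key simple Example-Acct-Key-1 single-connection
# Secondary servers, tried in the order configured when the primary fails.
[Sysname-hwtacacs-hwt-corp] secondary authentication 10.0.0.13 49 key simple Example-Auth-Key-1 single-connection
[Sysname-hwtacacs-hwt-corp] secondary authorization 10.0.0.13 49 key simple Example-Autr-Key-1 single-connection
[Sysname-hwtacacs-hwt-corp] secondary accounting 10.0.0.14 49 key simple Example-Acct-Key-1 single-connection
# A last-resort server in another VPN (constructed name). The per-server
# vpn-instance takes precedence over the scheme-level mgmt-vpn for this
# server only. A second server with the same VPN instance, address and
# port as an existing one would not be accepted.
[Sysname-hwtacacs-hwt-corp] secondary authentication 10.0.1.11 49 key simple Example-Auth-Key-1 vpn-instance dr-vpn
# To remove only the dr-vpn server later (allowed only while it is not in
# use for authentication), identify it by address, port and VPN instance:
#   undo secondary authentication 10.0.1.11 49 vpn-instance dr-vpn
# Review the resulting scheme with: display hwtacacs scheme
```

The port number and each key must match what is configured on the corresponding server; a mismatch on the key shows up as failed authentication on the device side, so confirm both before moving a user population onto the scheme.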

server-block-action (HWTACACS view)

Use server-block-action to specify the action to take for AAA requests if all servers in an HWTACACS scheme are blocked.

Use undo server-block-action to restore the default.

Syntax

server-block-action { attempt | skip }

undo server-block-action

Default

The device attempts to connect to the server with the highest priority in an HWTACACS scheme upon receiving AAA requests if all servers in the scheme are blocked.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

attempt: Attempts to connect to the server that has the highest priority in the scheme. (Typically, the highest-priority server is the primary server. If no primary server is specified, it is the first configured secondary server. Primary and secondary servers manually set to the block state are not used.) If the device fails to connect to the server, it turns to the backup method.

skip: Skips all servers in the scheme and turns to the backup method.

Usage guidelines

The attempt action gives the device a chance to use the scheme in case the server with the highest priority in the scheme might be available. However, the attempt to communicate with an unavailable server increases the response time for AAA requests. As a best practice, specify the skip action in scenarios that require quick responses to AAA requests.

When processing an AAA request, the device does not turn back to a skipped scheme even though the state of the servers in the scheme changes from blocked to active.

Examples

# In HWTACACS scheme hwt1, configure the device to skip all servers in the scheme upon receiving AAA requests if all servers in the scheme are blocked.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] server-block-action skip

Related commands

display hwtacacs scheme

stop-accounting-buffer enable (HWTACACS scheme view)

Use stop-accounting-buffer enable to enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers HWTACACS stop-accounting requests to which no responses have been received.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer an HWTACACS stop-accounting request to which no response has been received. The device resends the buffered request until it receives a server response or when the number of transmission attempts reaches the maximum (set by using the retry stop-accounting command). If no more attempts are available, the device discards the request. However, if you have removed an accounting server, stop-accounting requests destined for the server are not buffered.

Examples

# Enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for HWTACACS)

reset stop-accounting-buffer (for HWTACACS)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 stops the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 18 Recommended real-time accounting intervals

Number of users     Real-time accounting interval
1 to 99             3 minutes
100 to 499          6 minutes
500 to 999          12 minutes
1000 or more        15 minutes or longer

Examples

# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme. Any violation will result in user logoffs before the authentication, authorization, or accounting process is complete.

Examples

# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme
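The timers, server-block-action and stop-accounting settings above interact, and the response timeout in particular has to be checked against the number of servers in the scheme. The session below is an added example, not from this manual; the scheme name hwt-corp, the addresses and the key are constructed placeholders, and the user count is assumed only to pick a row of Table 18.

```text
<Sysname> system-view
[Sysname] hwtacacs scheme hwt-corp
# One primary and two secondary authentication servers (constructed
# addresses and key) so that the timeout arithmetic below is concrete.
[Sysname-hwtacacs-hwt-corp] primary authentication 10.0.0.11 49 key simple Example-Auth-Key-1
[Sysname-hwtacacs-hwt-corp] secondary authentication 10.0.0.12 49 key simple Example-Auth-Key-1
[Sysname-hwtacacs-hwt-corp] secondary authentication 10.0.0.13 49 key simple Example-Auth-Key-1
# 10 s per server. Worst case, a login waits on all three servers in turn:
# 3 x 10 s = 30 s, so the client timeout of the access module using this
# scheme must be 30 s or more, or users are logged off before
# authentication completes.
[Sysname-hwtacacs-hwt-corp] timer response-timeout 10
# A server that fails is left alone for 15 minutes (default 5) before the
# device tries it again.
[Sysname-hwtacacs-hwt-corp] timer quiet 15
# If every server in the scheme is blocked, hand the request straight to the
# backup method instead of spending another timeout on the highest-priority
# server (the default attempt action).
[Sysname-hwtacacs-hwt-corp] server-block-action skip
# Keep unanswered stop-accounting requests and resend each up to 50 times
# (default 100) before discarding it.
[Sysname-hwtacacs-hwt-corp] stop-accounting-buffer enable
[Sysname-hwtacacs-hwt-corp] retry stop-accounting 50
# Assuming roughly 300 concurrent users: Table 18 recommends a 6-minute
# interval (default 12).
[Sysname-hwtacacs-hwt-corp] timer realtime-accounting 6
```

Two things to weigh before copying these values. With skip, a request that arrives while all servers are blocked bypasses the scheme entirely and is decided by the backup method, and the device does not return to the scheme for that request even if a server recovers meanwhile; so the choice between attempt and skip is really a choice about how much you trust the backup method. And a longer quiet timer reduces the delay caused by probing a dead server, but it also keeps a recovered server out of use for the whole period.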

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to an HWTACACS server.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

Examples

# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.

Examples

# Specify VPN instance test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

Connection recording policy commands

aaa connection-recording policy

Use aaa connection-recording policy to create a connection recording policy and enter its view, or enter the view of an existing connection recording policy.

Use undo aaa connection-recording policy to delete the connection recording policy.

Syntax

aaa connection-recording policy

undo aaa connection-recording policy

Default

The connection recording policy does not exist.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature in scenarios where the device acts as an FTP, SSH, SFTP, or Telnet login client to establish a connection with a login server. This feature enables the device to provide an accounting server with the connection start and termination information. When the login client establishes a connection with the login server, the system sends a start-accounting request to the accounting server. When the connection is terminated, the system sends a stop-accounting request to the accounting server.

Examples

# Create a connection recording policy and enter its view.

<Sysname> system-view

[Sysname] aaa connection-recording policy

[sysname-connection-recording-policy]

Related commands

accounting hwtacacs-scheme

display aaa connection-recording policy

accounting hwtacacs-scheme

Use accounting hwtacacs-scheme to specify the accounting method for the connection recording policy.

Use undo accounting to restore the default.

Syntax

accounting hwtacacs-scheme hwtacacs-scheme-name

undo accounting

Default

No accounting method is specified for the connection recording policy. No accounting is performed on the connections initiated by the device as a login client.

Views

Connection recording policy view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If the accounting method is changed, the new method takes effect only on subsequent connections initiated by the device as a login client.

For a connection, once the device sends the start-accounting request to an HWTACACS server, it sends the connection's stop-accounting packet to the same server.

If you execute this command multiple times, the most recent configuration takes effect.

The device includes the username entered by a user in the accounting packets to be sent to the AAA server for connection recording. The username format configured by using the user-name-format command in the accounting scheme does not take effect.

Examples

# Create a connection recording policy, and specify HWTACACS scheme tac as the accounting method.

<Sysname> system-view

[Sysname] aaa connection-recording policy

[sysname-connection-recording-policy] accounting hwtacacs-scheme tac

Related commands

aaa connection-recording policy

display aaa connection-recording policy

display aaa connection-recording policy

Use display aaa connection-recording policy to display the connection recording policy configuration.

Syntax

display aaa connection-recording policy

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the connection recording policy configuration.

<Sysname> display aaa connection-recording policy

Connection-recording policy:

  Accounting scheme: HWTACACS=tac1

Related commands

aaa connection-recording policy

accounting hwtacacs-scheme
