
AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
AAA Configuration Commands

aaa

Function

The aaa command displays the Authentication, Authorization, and Accounting (AAA) view.

The undo aaa command disables the AAA services.

Format

aaa

undo aaa

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Using the aaa command in the system view, you can enter the AAA view and perform the following security configurations for access users:
  • Creating users
  • Configuring user levels
  • Creating an authentication scheme
  • Creating an authorization scheme
  • Creating a domain

After you run the undo aaa command, the AAA services are disabled. If the domain or service scheme configured for AAA is referenced by other modules, this domain or service scheme is not deleted, but the domain state turns to initialized. A domain in initialized state only binds to the default authentication scheme and accounting scheme, but does not bind to the authorization scheme, RADIUS server, and HWTACACS server. This command does not force online users to log out. You can run the cut access-user command to force users to log out.

Example

# Enter the AAA view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] 

aaa abnormal-offline-record

Function

The aaa abnormal-offline-record command enables the device to record users' abnormal logout information.

The undo aaa abnormal-offline-record command disables the device from recording users' abnormal logout information.

By default, the device records users' abnormal logout information.

Format

aaa abnormal-offline-record

undo aaa abnormal-offline-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the undo aaa abnormal-offline-record command is run, no abnormal logout information is recorded unless the aaa abnormal-offline-record command is run.

Example

# Enable the device to record users' abnormal logout information.

<Huawei> system-view
[Huawei] aaa abnormal-offline-record

# Disable the device from recording users' abnormal logout information.

<Huawei> system-view
[Huawei] undo aaa abnormal-offline-record

aaa offline-record

Function

The aaa offline-record command enables the device to record users' normal logout information.

The undo aaa offline-record command disables the device from recording users' normal logout information.

By default, the device is enabled to record user logout information.

Format

aaa offline-record

undo aaa offline-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If users fail to go online, run the aaa offline-record command to enable the record function for fault locating.

After the undo aaa offline-record command is run, no logout information is recorded unless the aaa offline-record command is run.

Example

# Enable the device to record users' normal logout information.

<Huawei> system-view
[Huawei] aaa offline-record

# Disable the device from recording users' normal logout information.

<Huawei> system-view
[Huawei] undo aaa offline-record

aaa online-fail-record

Function

The aaa online-fail-record command enables the device to record users' online failures.

The undo aaa online-fail-record command disables the device from recording users' online failures.

By default, the device records users' online failures.

Format

aaa online-fail-record

undo aaa online-fail-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If you want to query the login failure records to find out unauthorized users, run the aaa online-fail-record command to enable the device to record users' online failures.

After the undo aaa online-fail-record command is run, no online failure is recorded unless the aaa online-fail-record command is run.

Example

# Enable the device to record users' online failures.

<Huawei> system-view
[Huawei] aaa online-fail-record

# Disable the device from recording users' online failures.

<Huawei> system-view
[Huawei] undo aaa online-fail-record

aaa-authen-bypass

Function

The aaa-authen-bypass command sets the bypass authentication timeout interval.

The undo aaa-authen-bypass command cancels the bypass authentication timeout interval.

By default, no bypass authentication timeout interval is set.

Format

aaa-authen-bypass enable time time-value

undo aaa-authen-bypass enable

Parameters

Parameter | Description | Value
--- | --- | ---
enable | Enables remote bypass authentication. | -
time time-value | Specifies the bypass authentication timeout interval. | The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command applies to the scenarios that require fast authentication response. If the device enabled with bypass authentication receives no response from the remote authentication server within the specified timeout interval, the device uses the next authentication method. If no other authentication method is configured, the authentication fails.

Example

# Set the bypass authentication timeout interval to 3 minutes.

<Huawei> system-view
[Huawei] aaa-authen-bypass enable time 3

aaa-author-bypass

Function

The aaa-author-bypass command sets the bypass authorization timeout interval.

The undo aaa-author-bypass command cancels the bypass authorization timeout interval.

By default, no bypass authorization timeout interval is set.

Format

aaa-author-bypass enable time time-value

undo aaa-author-bypass enable

Parameters

Parameter | Description | Value
--- | --- | ---
enable | Enables remote bypass authorization. | -
time time-value | Specifies the bypass authorization timeout interval. | The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command applies to the scenarios that require fast authorization response. If the device enabled with bypass authorization receives no response from the remote authorization server within the specified timeout interval, the device uses the next authorization method. If no other authorization method is configured, the authorization fails.

Example

# Set the bypass authorization timeout interval to 3 minutes.

<Huawei> system-view
[Huawei] aaa-author-bypass enable time 3

aaa-author-cmd-bypass

Function

The aaa-author-cmd-bypass command sets the command-line bypass authorization timeout interval.

The undo aaa-author-cmd-bypass command cancels the command-line bypass authorization timeout interval.

By default, no command-line bypass authorization timeout interval is set.

Format

aaa-author-cmd-bypass enable time time-value

undo aaa-author-cmd-bypass enable

Parameters

Parameter | Description | Value
--- | --- | ---
enable | Enables remote command-line bypass authorization. | -
time time-value | Specifies the command-line bypass authorization timeout interval. | The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command applies to the scenarios that require fast command-line bypass authorization response. If the device enabled with command-line bypass authorization receives no response from the remote command-line authorization server within the specified timeout interval, the device uses the next command-line authorization method. If no other command-line authorization method is configured, the authorization fails.

Example

# Set the command-line bypass authorization timeout interval to 3 minutes.

<Huawei> system-view
[Huawei] aaa-author-cmd-bypass enable time 3

accounting interim-fail

Function

The accounting interim-fail command sets the maximum number of real-time accounting failures and configures a policy used after the number of real-time accounting failures exceeds the maximum.

The undo accounting interim-fail command restores the default maximum number of real-time accounting failures and the default policy.

By default, the maximum number of real-time accounting failures is 3 and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

Format

accounting interim-fail [ max-times times ] { offline | online }

undo accounting interim-fail

Parameters

Parameter | Description | Value
--- | --- | ---
max-times times | Specifies the maximum number of real-time accounting failures. If the maximum number of real-time accounting failures is reached and the next accounting request still has no response, the device considers that accounting fails and takes a policy for users. | The value is an integer that ranges from 1 to 255. The default value is 3.
offline | Disconnects users if real-time accounting fails. | -
online | Keeps users online if real-time accounting fails. | -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the real-time accounting function takes effect, the device sends real-time accounting requests to an accounting server, and the accounting server responds to the accounting requests. If the network is unstable, for example, a jitter occurs, the device may not receive response packets. As a result, accounting is interrupted for a short period of time. To reduce or prevent accounting interruption, run the accounting interim-fail command to set the maximum number of real-time accounting failures. The device considers that real-time accounting fails only after the number of consecutive real-time accounting failures exceeds the maximum.

Choose one of the following policies to be applied after the maximum number of real-time accounting failures is reached:

  • online: To prevent users from being affected by network faults, use the online policy to allow paid users to go online.
  • offline: To stop providing services when accounting fails, use the offline policy to force paid users to go offline.

Prerequisites

The real-time accounting function has been enabled by using the accounting realtime command.

Precautions

The accounting interim-fail command does not take effect for online users, but takes effect for the users who go online after the command is executed.
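The counting rule above (accounting is declared failed only when the number of consecutive unanswered real-time requests exceeds max-times, and a response resets the run) is easy to get wrong when reasoning about how many jitter-induced timeouts a user survives. The following Python is an added illustration of that rule together with the online/offline policy; it is not Huawei code and does not model the device's real accounting engine. The request sequence in SAMPLE is constructed, and the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class InterimAccounting:
    """Model of one user's real-time accounting state under 'accounting interim-fail'."""
    max_times: int = 3        # accounting interim-fail max-times (default 3)
    policy: str = "online"    # "online" (default) or "offline"
    failures: int = 0         # consecutive real-time accounting requests without a response
    online: bool = True
    events: List[str] = field(default_factory=list)

    def interim_request(self, answered: bool) -> bool:
        """Record one real-time accounting request; return whether the user is still online."""
        if not self.online:
            return False
        if answered:
            self.failures = 0  # a response ends the run of consecutive failures
            return True
        self.failures += 1
        # Accounting fails once the maximum is reached AND the next request still gets
        # no response, i.e. when consecutive failures exceed max_times.
        if self.failures > self.max_times:
            self.events.append(
                f"real-time accounting failed after {self.failures} unanswered requests")
            if self.policy == "offline":
                self.online = False
                self.events.append("user forced offline")
            else:
                self.events.append("user kept online")
        return self.online


def simulate(responses: Iterable[bool], max_times: int = 3,
             policy: str = "online") -> InterimAccounting:
    """Feed a sequence of answered/unanswered requests through the model."""
    if policy not in ("online", "offline"):
        raise ValueError("policy must be 'online' or 'offline'")
    if not 1 <= max_times <= 255:  # range of max-times on the device
        raise ValueError("max-times must be 1-255")
    state = InterimAccounting(max_times=max_times, policy=policy)
    for answered in responses:
        if not state.interim_request(answered):
            break  # user is offline; the device sends no further requests for them
    return state


# Constructed sample: two timeouts, one answer, then four timeouts in a row.
SAMPLE = [False, False, True, False, False, False, False]

if __name__ == "__main__":
    for pol in ("online", "offline"):
        s = simulate(SAMPLE, max_times=3, policy=pol)
        print(pol, "-> still online" if s.online else "-> offline", s.events)
```

With the default max-times of 3, three consecutive timeouts are tolerated and the fourth triggers the policy; the answered request in the middle of SAMPLE resets the count, which is why the first two timeouts do not accumulate.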

Example

# In the accounting scheme scheme1, set the maximum number of real-time accounting failures to 5 and use the offline policy.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme scheme1
[Huawei-aaa-accounting-scheme1] accounting realtime 3
[Huawei-aaa-accounting-scheme1] accounting interim-fail max-times 5 offline

accounting realtime

Function

The accounting realtime command enables the real-time accounting function and sets the interval for real-time accounting in an accounting scheme.

The undo accounting realtime command disables the real-time accounting function.

By default, the device performs accounting based on user online duration and the real-time accounting function is disabled.

Format

accounting realtime interval

undo accounting realtime

Parameters

Parameter | Description | Value
--- | --- | ---
interval | Specifies the interval for real-time accounting. | The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled.

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to the users who are charged based on online duration. If a user goes offline unexpectedly, the accounting server cannot receive the accounting-stop packet, so it keeps charging the user while they are not receiving a service. To solve the problem, configure the real-time accounting function on the device. After the real-time accounting function is configured, the device periodically sends real-time accounting packets to the accounting server. After receiving the real-time accounting packets, the accounting server charges the user. If the device detects that the user goes offline, it stops sending real-time accounting packets and the accounting server stops accounting. The result of real-time accounting is precise.

Precautions

If an accounting scheme is applied to a domain, the accounting realtime command does not affect online users, but only takes effect for the users who go online after the command is executed.

A short interval for real-time accounting requires high performance of the device and accounting server. If there are more than 1000 users, setting a long interval for real-time accounting is recommended. The following table lists the suggested real-time accounting intervals for different user quantities.

Table 14-1  Real-time accounting interval for different user quantities

User Quantity | Interval for Real-Time Accounting (Minutes)
--- | ---
1-99 | 3
100-499 | 6
500-999 | 12
≥ 1000 | ≥ 15

Example

# In the accounting scheme scheme1, enable the real-time accounting function and set the interval for real-time accounting to 6 minutes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme scheme1
[Huawei-aaa-accounting-scheme1] accounting realtime 6

accounting start-fail

Function

The accounting start-fail command configures a policy for accounting-start failures.

The undo accounting start-fail command restores the default policy for accounting-start failures.

By default, users cannot go online if accounting-start fails. That is, the offline policy is used.

Format

accounting start-fail { offline | online }

undo accounting start-fail

Parameters

Parameter | Description | Value
--- | --- | ---
offline | Rejects users' online requests if accounting-start fails. | -
online | Allows users to go online if accounting-start fails. | -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user goes online after an accounting scheme is applied, the device sends an accounting-start packet to an accounting server. When the network is working properly, the accounting server responds to the accounting-start packet. If a fault occurs on the network, the device may not receive the response packet from the accounting server. As a result, accounting fails. The device provides the following policies for accounting failures:

  • online: To prevent users from being affected by network faults, use the online policy to allow paid users to go online.
  • offline: To stop providing services when accounting fails, use the offline policy to force paid users to go offline.

Precautions

The command takes effect only when the accounting mode configured using the accounting-mode command is HWTACACS or RADIUS.

Example

# In the accounting scheme scheme1, use the online policy for accounting-start failures.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme scheme1
[Huawei-aaa-accounting-scheme1] accounting start-fail online

accounting-mode

Function

The accounting-mode command configures an accounting mode in an accounting scheme.

The undo accounting-mode command restores the default accounting mode in an accounting scheme.

By default, the accounting mode is none.

Format

accounting-mode { hwtacacs | none | radius }

undo accounting-mode

Parameters

Parameter | Description | Value
--- | --- | ---
hwtacacs | Indicates that accounting is performed by an HWTACACS server. | -
none | Indicates non-accounting. | -
radius | Indicates that accounting is performed by a RADIUS server. | -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Enterprises or carriers need to generate revenue by charging users who are accessing the Internet.

When a user goes online, accounting starts after the user is authenticated and authorized. When the user goes offline, accounting stops. The client sends the accounting packet containing the user's online duration to the accounting server.

To charge users, set the accounting mode to RADIUS or HWTACACS. Generally, the accounting mode is consistent with the authentication mode. If you do not need to charge users, set the accounting mode to none.

Precautions

The device does not support local accounting. When the authentication scheme configured using the authentication-mode (authentication scheme view) command defines local authentication, you need to run the accounting-mode none command to configure non-accounting or run the accounting start-fail command to configure a policy for accounting-start failures.

Follow-up Procedure

Apply the accounting scheme to a domain to enable the device to charge the users in the domain.

Example

# Set the accounting mode to RADIUS in the accounting scheme scheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme scheme1
[Huawei-aaa-accounting-scheme1] accounting-mode radius

accounting-scheme (AAA domain view)

Function

The accounting-scheme command applies an accounting scheme to a domain.

The undo accounting-scheme command restores the default accounting scheme of a domain.

By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Format

accounting-scheme accounting-scheme-name

undo accounting-scheme

Parameters

Parameter | Description | Value
--- | --- | ---
accounting-scheme-name | Specifies the name of an accounting scheme. | The accounting scheme must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To charge users in a domain, create an accounting scheme and perform configurations in the accounting scheme, for example, the accounting mode and policy for accounting-start failures. Run the accounting-scheme command in the AAA domain view to apply the accounting scheme to the domain.

Prerequisites

An accounting scheme has been created and configured. For example, the accounting mode and policy for accounting-start failures have been configured.

Example

# Apply the accounting scheme account1 to the domain isp1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme account1
[Huawei-aaa-accounting-account1] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] accounting-scheme account1

# Restore the default accounting scheme of the domain isp2.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain isp2
[Huawei-aaa-domain-isp2] undo accounting-scheme

accounting-scheme (AAA view)

Function

The accounting-scheme command creates an accounting scheme and displays the accounting scheme view.

The undo accounting-scheme command deletes an accounting scheme.

By default, there is an accounting scheme named default in the system. This default accounting scheme can be modified but cannot be deleted. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Format

accounting-scheme accounting-scheme-name

undo accounting-scheme accounting-scheme-name

Parameters

Parameter | Description | Value
--- | --- | ---
accounting-scheme-name | Specifies the name of an accounting scheme. | The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To charge users, run the accounting-scheme command in the AAA view to create an accounting scheme.

Follow-up Procedure

After an accounting scheme is created:
  • Run the accounting interim-fail command to set the maximum number of real-time accounting failures and configure a policy used after a real-time accounting failure.
  • Run the accounting realtime command to enable the real-time accounting function and set the interval for real-time accounting in an accounting scheme.
  • Run the accounting start-fail command to configure a policy for accounting-start failures.
  • Run the accounting-mode command to configure an accounting mode in an accounting scheme.

After an accounting scheme is configured, run the accounting-scheme (AAA domain view) command in the AAA domain view to apply the accounting scheme to a domain.

Precautions

If the configured accounting scheme does not exist, the accounting-scheme command in the AAA view creates an accounting scheme and displays the accounting scheme view. If the configured accounting scheme already exists, the accounting-scheme command in the AAA view displays the accounting scheme view directly.

The system supports a maximum of 32 accounting schemes, including the default accounting scheme.

To delete an accounting scheme applied to a domain, run the undo accounting-scheme (AAA domain view) command to unbind the accounting scheme from the domain.

Example

# Create an accounting scheme named scheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme scheme1
[Huawei-aaa-accounting-scheme1] 

# Enter the default accounting scheme view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme default
[Huawei-aaa-accounting-default] 

admin-user privilege level

Function

The admin-user privilege level command configures a user as an administrator to log in to the device and sets the user level.

The undo admin-user privilege level command cancels the default user level.

By default, the user level is not configured.

Format

admin-user privilege level level

undo admin-user privilege level

Parameters

Parameter | Description | Value
--- | --- | ---
level | Specifies the level of a user. A larger value indicates a higher user level. After logging in to the device, a user can run only the commands of the same level or lower levels. | The value is an integer that ranges from 0 to 15.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device provides hierarchical management of commands. A command has a level, and a user can use only the commands of the same level or lower levels. By using the admin-user privilege level command to set the user level, the device controls commands used by users.

By default, commands are classified into the following levels:
  • Level 0 (visit level): Commands at level 0 include diagnosis commands such as ping and tracert commands and commands that are used to access a remote device such as the Telnet or SSH client. Commands at level 0 cannot be used to save configuration files.
  • Level 1 (monitoring level): Commands at level 1 are used for system maintenance, including display commands. Commands at level 1 cannot be used to save configuration files.
  • Level 2 (configuration level): Commands at level 2 are used for service configuration, including routing commands and commands at each network layer to provide network services for users.
  • Level 3 (management level): Commands at level 3 are used for basic operations of the system to support services, including file system, FTP, Trivial File Transfer Protocol (TFTP), configuration file switching commands, slave board control commands, user management commands, command level configuration commands, and debugging commands.

To manage users at a finer granularity, upgrade command levels to levels 0 to 15. You can run the command-privilege level command to upgrade command levels in a batch. By default, level-2 commands can be upgraded to level-10 commands and level-3 commands can be upgraded to level-15 commands. There are no commands at levels 2 to 9 and levels 11 to 14; you can set commands to any of these levels to manage user rights.

If non-authentication is used, the administrator level is specified using the user privilege command in the VTY interface view.

If local authentication is used, the administrator level can be set in the following ways, in descending order of priority:

  1. Running the local-user privilege level command to set the local user level
  2. Running the admin-user privilege level command to set the administrator level in a domain
  3. Running the user privilege command to set the user level in the VTY interface view

If remote authentication is used, the administrator level can be set in the following ways, in descending order of priority:

  1. Using the user level sent by an authentication server to the device after authentication has succeeded
  2. Running the admin-user privilege level command to set the administrator level in a domain
  3. Running the user privilege command to set the user level in the VTY interface view

If remote authentication and local authentication are configured, remote authentication is first used. If remote authentication fails, local authentication is used. The administrator level can be set in the following ways, in descending order of priority:

  1. Using the user level sent by an authentication server to the device after authentication has succeeded
  2. Running the local-user privilege level command to set the local user level

    NOTE:

    The local user level is used only when the remote authentication server is faulty. If the remote authentication server responds to authentication requests but does not deliver user levels, the configured local user level does not take effect.

  3. Running the admin-user privilege level command to set the user level in a domain
  4. Running the user privilege command to set the user level in the VTY interface view
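The four precedence lists above differ only in which sources are consulted and in one caveat (the local user level counts only when the remote server is faulty, not when it answers without a level). As an added illustration, not Huawei code or the device's implementation, the following Python resolves the effective administrator level from the available sources; the auth_mode names and the source labels are the example's own, and the level values in the main block are constructed.

```python
from typing import Optional, Tuple

LEVEL_RANGE = range(0, 16)  # admin-user privilege level accepts 0 to 15


def effective_admin_level(auth_mode: str,
                          server_level: Optional[int] = None,
                          server_responded: bool = True,
                          local_user_level: Optional[int] = None,
                          domain_level: Optional[int] = None,
                          vty_level: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Return (level, source) following the precedence lists for each authentication mode.

    auth_mode is one of "none", "local", "remote", "remote-then-local" (example labels).
    server_level: level delivered by the authentication server, if any.
    server_responded: False means the remote server was unreachable (faulty).
    local_user_level: local-user privilege level; domain_level: admin-user privilege level
    in the service scheme; vty_level: user privilege in the VTY interface view.
    """
    for lvl in (server_level, local_user_level, domain_level, vty_level):
        if lvl is not None and lvl not in LEVEL_RANGE:
            raise ValueError(f"user level {lvl} is outside 0-15")

    if auth_mode == "none":
        order = [("vty", vty_level)]
    elif auth_mode == "local":
        order = [("local-user", local_user_level), ("domain", domain_level), ("vty", vty_level)]
    elif auth_mode == "remote":
        order = [("server", server_level), ("domain", domain_level), ("vty", vty_level)]
    elif auth_mode == "remote-then-local":
        # The local user level is used only when the remote server is faulty; a server
        # that responds without delivering a level does not make it take effect.
        local = local_user_level if not server_responded else None
        order = [("server", server_level), ("local-user", local),
                 ("domain", domain_level), ("vty", vty_level)]
    else:
        raise ValueError(f"unknown auth_mode {auth_mode!r}")

    for source, lvl in order:
        if lvl is not None:
            return lvl, source
    return None, "unset"


if __name__ == "__main__":
    # Constructed cases: server answers but sends no level vs. server unreachable.
    print(effective_admin_level("remote-then-local", server_responded=True,
                                local_user_level=15, domain_level=3, vty_level=1))
    print(effective_admin_level("remote-then-local", server_responded=False,
                                local_user_level=15, domain_level=3, vty_level=1))
```

The first constructed case resolves to the domain level (3) even though a local user level of 15 is configured, which is the behaviour the NOTE warns about; the second, with the server down, resolves to 15.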

The device can update the configuration in a domain dynamically. After a service scheme is applied to a domain, you can directly modify the user level in the service scheme but cannot unbind the service scheme from the domain. To delete the service scheme, run the undo service-scheme (AAA domain view) command.

Follow-up Procedure

Run the display service-scheme command to view the user level in a service scheme.

Example

# Configure a user as an administrator to log in to the device and set the administrator level to 15.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] admin-user privilege level 15

authentication-mode (authentication scheme view)

Function

The authentication-mode command configures an authentication mode in an authentication scheme.

The undo authentication-mode command restores the default authentication mode in an authentication scheme.

By default, local authentication is used.

Format

authentication-mode { hwtacacs | local | radius } * [ none ]

authentication-mode none

undo authentication-mode

Parameters

Parameter | Description | Value
--- | --- | ---
hwtacacs | Indicates HWTACACS authentication. To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. | -
local | Indicates local authentication. | -
radius | Indicates RADIUS authentication. To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. | -
none | Indicates non-authentication. That is, users access the network without being authenticated. | -

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

To authenticate users, configure an authentication mode in an authentication scheme.

If multiple authentication modes are configured in an authentication scheme, these authentication modes are used according to the sequence in which they were configured. The device uses another authentication mode only when no response is received in the previous authentication. If an authentication fails, the device does not use another authentication mode.

You can configure multiple authentication modes in an authentication scheme to reduce authentication failure possibilities.
  • After the authentication-mode radius local command is used, if the RADIUS authentication server does not respond and RADIUS authentication cannot be performed, the device starts local authentication.
  • After the authentication-mode local radius command is used, if the entered user name exists on the device but the entered password is incorrect, the user fails the authentication; if the entered user name does not exist on the device, the user is redirected to the RADIUS authentication mode and is authenticated based on user information on the RADIUS server.

NOTE:
  • When both RADIUS authentication and non-authentication are configured, if the user fails the RADIUS authentication, non-authentication cannot be used. As a result, a user fails to log in.
  • If you run the authentication-mode command to configure non-authentication and run the authentication-mode (user interface view) command to configure AAA authentication, the device does not allow administrators to log in from the user interface view.

If non-authentication is configured using the authentication-mode command, a user passes the authentication using any user name or password. Therefore, to protect the device or network security, you are advised to enable authentication, allowing only the authenticated users to access the device or network.
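The ordering rule in this section (the next mode is tried only when the previous one gives no response, while a rejection is final, so a trailing none never rescues a rejected user) is the same rule that the aaa-authen-bypass timeout feeds: a server that stays silent past the timeout counts as "no response". The following Python is an added illustration of that rule, not Huawei code or the device's implementation. The back ends are constructed stand-ins (a dictionary for the local database, a flag for server reachability), the user names and passwords are made up, and the "local user not found, fall through to the next mode" behaviour is taken from the local radius bullet above.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    ACCEPT = "accept"  # the mode authenticated the user
    REJECT = "reject"  # the mode answered and rejected the credentials
    NEXT = "next"      # no response (server timeout) or, for local, user name not found


Backend = Callable[[str, str], Outcome]


def local_backend(users: Dict[str, str]) -> Backend:
    """Local user database: unknown name -> NEXT, wrong password -> REJECT."""
    def check(user: str, password: str) -> Outcome:
        if user not in users:
            return Outcome.NEXT
        return Outcome.ACCEPT if users[user] == password else Outcome.REJECT
    return check


def radius_backend(users: Dict[str, str], reachable: bool = True) -> Backend:
    """Stand-in for a RADIUS (or HWTACACS) server; unreachable -> NEXT after the timeout."""
    def check(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.NEXT
        return Outcome.ACCEPT if users.get(user) == password else Outcome.REJECT
    return check


def authenticate(modes: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, str]:
    """Walk the modes in configured order; stop at the first ACCEPT or REJECT.

    Returns (authenticated, mode that decided). 'none' accepts anyone, but is only
    reached if every earlier mode gave no response.
    """
    for mode in modes:
        if mode == "none":
            return True, "none"
        outcome = backends[mode](user, password)
        if outcome is Outcome.ACCEPT:
            return True, mode
        if outcome is Outcome.REJECT:
            return False, mode  # a failure is final; later modes are not tried
    return False, "no-response"


# Constructed sample data
LOCAL_USERS = {"admin": "Local@123"}
RADIUS_USERS = {"alice": "Radius@123"}


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the cases discussed in the text against an up and a down RADIUS server."""
    up = {"local": local_backend(LOCAL_USERS), "radius": radius_backend(RADIUS_USERS, True)}
    down = {"local": local_backend(LOCAL_USERS), "radius": radius_backend(RADIUS_USERS, False)}
    return {
        "radius local, server down, local admin": authenticate(["radius", "local"], down, "admin", "Local@123"),
        "radius local, server up, local admin": authenticate(["radius", "local"], up, "admin", "Local@123"),
        "local radius, unknown local user": authenticate(["local", "radius"], up, "alice", "Radius@123"),
        "local radius, wrong local password": authenticate(["local", "radius"], up, "admin", "wrong"),
        "radius none, server rejects": authenticate(["radius", "none"], up, "alice", "wrong"),
        "radius none, server down": authenticate(["radius", "none"], down, "anyone", "anything"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Two of the cases are worth reading side by side: with radius local and the server up, a local-only account is rejected by RADIUS and never reaches the local database, and with radius none the server's rejection is final while a silent server lets anyone in. The last case is the concrete reason the text advises against leaving non-authentication in a scheme.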

Example

# Set the authentication mode to local authentication in the authentication scheme scheme0.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme0
[Huawei-aaa-authen-scheme0] authentication-mode local

authentication-scheme (AAA domain view)

Function

The authentication-scheme command applies an authentication scheme to a domain.

The undo authentication-scheme command restores the default configuration of the authentication scheme in a domain.

By default, the default authentication scheme is used for a domain.

Format

authentication-scheme authentication-scheme-name

undo authentication-scheme

Parameters

Parameter | Description | Value
--- | --- | ---
authentication-scheme-name | Specifies the name of an authentication scheme. | The authentication scheme must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users in a domain, run the authentication-scheme (AAA domain view) command to apply an authentication scheme to a domain.

Prerequisites

An authentication scheme has been created and configured with the required parameters, for example, the authentication mode and the authentication mode for upgrading user levels.

Example

# Apply the authentication scheme scheme1 to the domain isp1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme1
[Huawei-aaa-authen-scheme1] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme scheme1

authentication-scheme (AAA view)

Function

The authentication-scheme command creates an authentication scheme and enters the authentication scheme view, or directly enters an existing authentication scheme view.

The undo authentication-scheme command deletes an authentication scheme.

By default, the default authentication scheme is used. This default authentication scheme can be modified but cannot be deleted. In the default authentication scheme:
  • Local authentication is used.
  • The offline policy is used for authentication failures.

Format

authentication-scheme authentication-scheme-name

undo authentication-scheme authentication-scheme-name

Parameters

Parameter | Description | Value
--- | --- | ---
authentication-scheme-name | Specifies the name of an authentication scheme. | The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users, run the authentication-scheme command to create an authentication scheme. Creating an authentication scheme is necessary before performing authentication-relevant configurations.

Follow-up Procedure

After an authentication scheme is created, run the authentication-mode (authentication scheme view) command to configure an authentication mode in an authentication scheme.

After an authentication scheme is configured, run the authentication-scheme (AAA domain view) command to apply the authentication scheme to a domain.

Precautions

If the configured authentication scheme does not exist, the authentication-scheme command creates an authentication scheme and displays the authentication scheme view. If the configured authentication scheme already exists, the authentication-scheme command directly displays the authentication scheme view.

A maximum of 32 authentication schemes can exist on the device, including the default authentication scheme.

To delete an authentication scheme applied to a domain, run the undo authentication-scheme (AAA domain view) command.

Example

# Create an authentication scheme named scheme0.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme0
[Huawei-aaa-authen-scheme0] 

# Enter the default authentication scheme view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme default
[Huawei-aaa-authen-default] 

authentication-super

Function

The authentication-super command configures an authentication mode for upgrading user levels in an authentication scheme.

The undo authentication-super command restores the default authentication mode for upgrading user levels in an authentication scheme.

Format

authentication-super { hwtacacs } * [ none ]

authentication-super none

undo authentication-super

Parameters

Parameter

Description

Value

hwtacacs

Uses HWTACACS authentication to upgrade user levels.

-

none

Indicates that user levels can be upgraded without authentication.

-

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If users in a domain need to upgrade their levels, the device prompts them for a password and authenticates them. If AAA authentication has been configured using the authentication-mode (user interface view) command, run the authentication-super command to configure the authentication mode used for upgrading user levels.

When you use the super command to switch a user level to a lower level or the same level, no authentication is required. When you use the super command to switch a user level to a higher level, authentication is required. The user can be granted rights only after being authenticated.

  • If hwtacacs is used and the HWTACACS authentication is specified, perform configurations relevant to HWTACACS authentication.
  • If none is used, no authentication is required.

Precautions

If multiple authentication modes are configured in an authentication scheme, these authentication modes are used in the sequence in which they were configured. The device uses another authentication mode only when it does not receive any response in the current authentication. The device does not switch to another authentication mode if the user fails to pass one authentication mode.

Example

# Set the authentication mode for upgrading user levels to HWTACACS authentication in the authentication scheme scheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme scheme1
[Huawei-aaa-authen-scheme1] authentication-super hwtacacs

authorization-cmd

Function

The authorization-cmd command enables command line authorization for users at a certain level.

The undo authorization-cmd command disables command line authorization for users at a certain level.

By default, command line authorization is disabled for users at a certain level.

Format

authorization-cmd privilege-level hwtacacs [ local ] [ none ]

undo authorization-cmd privilege-level

Parameters

Parameter

Description

Value

privilege-level

Specifies the user level.

The value is an integer that ranges from 0 to 15.

hwtacacs

Indicates HWTACACS authorization.

-

local

Indicates local authorization.

-

none

Indicates that a user's commands are authorized directly, without a server check, if the HWTACACS server does not respond to the user's authorization request.

-

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After being authorized, the users at a certain level can run the commands of the same or lower levels. Command line authorization can be configured to implement minimum user rights control. When command line authorization is enabled, each command entered by users can be executed only after being authorized. After command line authorization is enabled for users at a certain level, the commands run by the users at that level must be authorized by an HWTACACS server.

Precautions

You are advised to configure local authorization as a backup for command line authorization. If command line authorization cannot be performed because of a failure on the HWTACACS server, the device falls back to local authorization.

After the authorization-cmd command is executed, command line authorization does not take effect immediately. Command line authorization takes effect only when an authorization scheme containing command line authorization is applied to a domain correctly.

NOTE:

After an authorization scheme containing command line authorization is applied to a domain, if you run the undo authorization-cmd command, online users at a certain level in the domain cannot run any commands except for the quit command. These users need to log in again.

Example

# Configure command line authorization for users at level 2 and set the authorization mode to HWTACACS.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-scheme scheme0
[Huawei-aaa-author-scheme0] authorization-cmd 2 hwtacacs

authorization-mode

Function

The authorization-mode command configures an authorization mode in an authorization scheme.

The undo authorization-mode command restores the default authorization mode in an authorization scheme.

By default, local authorization is used.

Format

authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

authorization-mode none

undo authorization-mode

Parameters

Parameter

Description

Value

hwtacacs

Indicates HWTACACS authorization.

-

if-authenticated

Indicates if-authenticated authorization: users are authorized as long as they have passed authentication by a mode other than non-authentication.

-

local

Indicates local authorization.

-

none

Indicates non-authorization.

-

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authorize users, configure an authorization mode in an authorization scheme.

You can configure multiple authorization modes in an authorization scheme to reduce the chance of authorization failures.

After the authorization-mode hwtacacs local command is used, if the HWTACACS authorization server does not respond and HWTACACS authorization cannot be performed, the device starts local authorization.

Precautions

If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or non-authorization mode must be used as the last authorization mode.

If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The device uses another authorization mode only when it does not receive any response in the current authorization.
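The fallback rule stated here for authorization modes, and in the authentication-super precautions above for level-upgrade authentication modes, is easy to misread: the device moves to the next configured mode only when the current one stays silent, and an explicit rejection ends the evaluation. The following Python model is an added example, not Huawei code; the mode names, the Result verdicts and the authenticated_by parameter are this example's own modelling assumptions. It encodes both the fallback rule and the ordering rule that if-authenticated or none must be last, and flags a list ending in none as fail-open.

```python
"""Walk an AAA scheme's mode list the way the command reference describes.

Added example, not Huawei code. It encodes two rules from this page:
the device moves to the next configured mode only when the current one
gives no response (a failure verdict is final), and if-authenticated or
none may only be the last authorization mode. Mode names and the
Result verdicts are this example's own modelling assumptions.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"                # server or local database granted the request
    FAIL = "fail"                # explicit rejection: no further mode is tried
    NO_RESPONSE = "no-response"  # server unreachable: the next mode is tried


# Modes that must close the list because they always answer.
TERMINAL_MODES = ("if-authenticated", "none")


def validate_authorization_modes(modes):
    """Return a list of ordering problems (an empty list means the list is valid)."""
    problems = []
    if not modes:
        return ["no mode configured"]
    if len(set(modes)) != len(modes):
        problems.append("a mode is listed more than once")
    for position, mode in enumerate(modes[:-1], start=1):
        if mode in TERMINAL_MODES:
            problems.append(f"{mode} must be the last mode (found at position {position})")
    return problems


def is_fail_open(modes):
    """True when an unreachable server ends in 'none', i.e. access without any check."""
    return "none" in modes


def run_scheme(modes, responses, authenticated_by="local"):
    """Evaluate `modes` in order.

    responses: dict mapping a server-backed mode ("hwtacacs", "local")
    to the Result it returns; a mode missing from the dict is treated as
    silent. authenticated_by: the mode that authenticated the user, or
    None / "none" when no real authentication took place.
    Returns (verdict, mode_that_decided); (Result.NO_RESPONSE, None)
    when every mode stayed silent.
    """
    for mode in modes:
        if mode == "none":
            return Result.PASS, mode
        if mode == "if-authenticated":
            ok = authenticated_by not in (None, "none")
            return (Result.PASS if ok else Result.FAIL), mode
        verdict = responses.get(mode, Result.NO_RESPONSE)
        if verdict is Result.NO_RESPONSE:
            continue  # only silence moves the device to the next mode
        return verdict, mode
    return Result.NO_RESPONSE, None


if __name__ == "__main__":
    print(validate_authorization_modes(["none", "hwtacacs"]))
    print(run_scheme(["hwtacacs", "local"], {"hwtacacs": Result.FAIL, "local": Result.PASS}))
```

The second call in the usage block shows the point that matters operationally: with hwtacacs followed by local, a rejection from the HWTACACS server is final and local authorization is never consulted; local only answers when the server does not respond.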

Example

# In the authorization scheme scheme0, configure the device to perform HWTACACS authorization and perform if-authenticated authorization if HWTACACS authorization fails.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-scheme scheme0
[Huawei-aaa-author-scheme0] authorization-mode hwtacacs if-authenticated

authorization-modify mode

Function

The authorization-modify mode command configures the update mode for user authorization information delivered by the authorization server.

The undo authorization-modify mode command restores the default update mode for user authorization information delivered by the authorization server.

By default, the update mode of user authorization information delivered by the authorization server is overlay. That is, the new user authorization information overwrites all existing user authorization information.

NOTE:

The modify mode is valid for only the user authorization information, such as ACL rule and dynamic VLAN.

Format

authorization-modify mode { modify | overlay }

undo authorization-modify mode

Parameters

Parameter

Description

Value

modify

Indicates the modify mode.

-

overlay

Indicates the overlay mode.

-

Views

AAA view

Default Level

3: Management level

Usage Guidelines

The authorization server can deliver all or part of user authorization information, such as the ACL rule and dynamic VLAN.

You can run the authorization-modify mode command to configure one of the following update modes for user authorization information delivered by the authorization server:
  • modify: modification mode indicating that new user authorization information overwrites only existing user authorization information of the same type.
  • overlay: overwriting mode indicating that new user authorization information overwrites all existing user authorization information.
If the authorization server has delivered ACL 3001 to a user, and the administrator needs to deliver new authorization information:
  • In the modify mode, if the new authorization information is ACL 3002, the authorization information of the user is ACL 3002. If the new authorization information is VLAN 100, the authorization information of the user is ACL 3001 and VLAN 100.
  • In the overlay mode, no matter whether the new authorization information is ACL 3002 or VLAN 100, the authorization information of the user is the new ACL or VLAN.

This command takes effect for only the authorization information delivered by the RADIUS server.

After a user group or service scheme has been authorized to a user on the device and the server modifies one attribute configured in that user group or service scheme, any later delivery that modifies another attribute must also carry the previously modified attribute. Otherwise, the original value of that attribute in the user group or service scheme is restored. For example, to modify an attribute in a user group:
  1. The device authorizes the user group configured with the VLAN and ACL attributes to a user.
  2. To modify the VLAN attribute, authorize the new VLAN attribute to the user through the RADIUS server.
  3. To modify the ACL attribute after the VLAN attribute is modified, you must authorize the modified VLAN attribute and new ACL attribute through the RADIUS server. Otherwise, the original VLAN attribute in the user group will be restored.
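The two update modes and the user-group restore behaviour above can be checked against a small model. The following Python is an added example, not Huawei code; attribute sets are modelled as dicts keyed by an assumed attribute type name ("acl", "vlan"), and the numbers are those used in the text.

```python
"""Merge authorization attributes the way authorization-modify mode describes.

Added example, not Huawei code. Attribute sets are dicts keyed by an
assumed attribute type ("acl", "vlan"); the user-group object is this
example's own modelling assumption.
"""


def apply_authorization(current, delivered, mode="overlay"):
    """Return the user's authorization after a new delivery from the server.

    overlay (the default): the delivery replaces everything.
    modify: the delivery replaces only attributes of the same type.
    """
    if mode == "overlay":
        return dict(delivered)
    if mode == "modify":
        merged = dict(current)
        merged.update(delivered)
        return merged
    raise ValueError(f"unknown update mode: {mode!r}")


def effective_from_user_group(group_attributes, delivered):
    """Authorization of a user who was given a user group, after the server
    modifies attributes.

    Per the precaution above, each delivery is applied to the group's
    original attributes rather than to the previously modified state, so
    an attribute left out of a later delivery falls back to the group value.
    """
    effective = dict(group_attributes)
    effective.update(delivered)
    return effective


if __name__ == "__main__":
    # Page example: ACL 3001 already delivered, then VLAN 100 arrives.
    print(apply_authorization({"acl": 3001}, {"vlan": 100}, "modify"))   # both kept
    print(apply_authorization({"acl": 3001}, {"vlan": 100}, "overlay"))  # only VLAN 100
    # User-group pitfall: modifying the ACL alone restores the group VLAN.
    group = {"vlan": 100, "acl": 3001}
    print(effective_from_user_group(group, {"acl": 3002}))
```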

Example

# Set the update mode of user authorization information delivered by the authorization server to modify.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-modify mode modify

authorization-scheme (AAA domain view)

Function

The authorization-scheme command applies an authorization scheme to a domain.

The undo authorization-scheme command unbinds an authorization scheme from a domain.

By default, no authorization scheme is applied to a domain.

Format

authorization-scheme authorization-scheme-name

undo authorization-scheme

Parameters

Parameter

Description

Value

authorization-scheme-name

Specifies the name of an authorization scheme.

The authorization scheme must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

RADIUS integrates authentication and authorization; therefore, RADIUS authorization and authentication must be used together. HWTACACS separates authentication from authorization; therefore, you can configure another authorization type even if HWTACACS authentication, local authentication, or non-authentication is used.

To authorize users in a domain, run the authorization-scheme (AAA domain view) command.

Prerequisites

An authorization scheme has been created and configured with required parameters, for example, the authorization mode and command line authorization.

Example

# Apply the authorization scheme author1 to the domain isp1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-scheme author1
[Huawei-aaa-author-author1] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authorization-scheme author1

authorization-scheme (AAA view)

Function

The authorization-scheme command creates an authorization scheme and enters the authorization scheme view, or directly enters an existing authorization scheme view.

The undo authorization-scheme command deletes an authorization scheme.

By default, the default authorization scheme is used. This default authorization scheme can be modified but cannot be deleted. In the default authorization scheme, local authorization is used and command line authorization is disabled.

Format

authorization-scheme authorization-scheme-name

undo authorization-scheme authorization-scheme-name

Parameters

Parameter

Description

Value

authorization-scheme-name

Specifies the name of an authorization scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

RADIUS integrates authentication and authorization; therefore, RADIUS authorization and authentication must be used together. HWTACACS separates authentication from authorization; therefore, you can configure another authorization type even if HWTACACS authentication, local authentication, or non-authentication is used. You must run the authorization-scheme command to create an authorization scheme before performing authorization-relevant configurations, for example, setting the authorization mode and command line authorization function.

Follow-up Procedure

After an authorization scheme is created:

  • Run the authorization-mode command to configure an authorization mode in an authorization scheme.
  • Run the authorization-cmd command to configure command line authorization for users at a certain level.

After an authorization scheme is configured, run the authorization-scheme (AAA domain view) command to apply the authorization scheme to a domain.

Precautions

  • If the configured authorization scheme does not exist, the authorization-scheme (AAA view) command creates an authorization scheme and displays the authorization scheme view.
  • If the configured authorization scheme already exists, the authorization-scheme (AAA view) command directly displays the authorization scheme view.

The system supports a maximum of 32 authorization schemes, including the default authorization scheme.

To delete the authorization scheme applied to a domain, run the undo authorization-scheme (AAA domain view) command.

Example

# Create an authorization scheme named scheme0.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-scheme scheme0

# Enter the default authorization scheme view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authorization-scheme default

auto-update url (service scheme view)

Function

The auto-update url command configures the URL and version number of a service scheme.

The undo auto-update url command deletes the URL and version number of a service scheme.

By default, the URL and version number of a service scheme are not configured.

Format

auto-update url url-string version version-number

undo auto-update url

Parameters

Parameter Description Value
url-string Indicates the URL. The value is a string of 1 to 208 case-sensitive characters.
version-number Indicates the version number. The value is an integer that ranges from 1 to 4294967294.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

The AAA service scheme allows the URL and version number to be bound. IPSec binds the AAA service scheme to the IPSec policy template and sends the URL and version number to users.

Example

# Configure the URL ftp://huawei:huawei2012@10.10.10.1/test and version number 1 for the service scheme svcscheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] auto-update url ftp://huawei:huawei2012@10.10.10.1/test version 1

cmd recording-scheme

Function

The cmd recording-scheme command applies a policy in a recording scheme to record the commands executed on the device.

The undo cmd recording-scheme command deletes a policy from a recording scheme.

By default, the commands that are used on the device are not recorded.

Format

cmd recording-scheme recording-scheme-name

undo cmd recording-scheme

Parameters

Parameter

Description

Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

During the device configuration, incorrect operations may result in network faults. After the cmd recording-scheme command is executed, you can view records of the commands executed on the device to locate the network faults.

Prerequisites

A recording scheme has been created by using the recording-scheme command and a recording mode has been configured by using the recording-mode hwtacacs command.

Example

# Configure a policy in the recording scheme scheme0 to record the commands executed on the device.

<Huawei> system-view
[Huawei] hwtacacs-server template hw1
[Huawei-hwtacacs-hw1] quit
[Huawei] aaa
[Huawei-aaa] recording-scheme scheme0
[Huawei-aaa-recording-scheme0] recording-mode hwtacacs hw1
[Huawei-aaa-recording-scheme0] quit
[Huawei-aaa] cmd recording-scheme scheme0

cut access-user

Function

The cut access-user command disconnects one or more sessions, forcibly logging out the corresponding online users.

Format

cut access-user { domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-group group-number | user-id begin-number [ end-number ] }

Parameters

Parameter

Description

Value

domain domain-name

Disconnects sessions in a specified domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces or the following symbols: * ? ". The value cannot be - or --.

interface interface-type interface-number

Disconnects sessions on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

vlan vlan-id [ qinq qinq-vlan-id ]

Disconnects sessions in a specified VLAN.

  • vlan-id specifies the ID of a VLAN. In QinQ applications, this parameter specifies the inner VLAN ID.
  • qinq-vlan-id specifies the outer VLAN ID.

The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.

ip-address ip-address

Disconnects sessions initiated by a specified IP address.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value is a string of 1 to 31 case-sensitive characters without spaces.

mac-address mac-address

Disconnects sessions initiated by a specified MAC address.

The value is in H-H-H format. An H contains 1 to 4 hexadecimal digits.

slot slot-id

Disconnects sessions on a specified LPU.

The value range depends on the model of the device.

ssid ssid-name

Disconnects sessions initiated by a service set identifier (SSID).

The SSID must already exist.

user-group group-number

Disconnects sessions of a user-group.

The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

user-id begin-number [ end-number ]

Disconnects sessions of a specified user.

The value is an integer that ranges from 0 to 4294967295.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Some configurations on the device, such as AAA, require that no users be online. You can run the cut access-user command to disconnect sessions.

Precautions

The cut access-user command interrupts all services of the user whose session is torn down.

If the character string of the user name contains spaces (for example, a b), you can run the display access-user username "a b" command to view online users.

If the character string of the user name contains spaces and quotation marks ("") simultaneously, you cannot use the user name to view online users. In this case, you can run the display access-user | include username command to view the user ID of the online user, and then run the display access-user user-id user-id command to view the user. Alternatively, you can run the cut access-user user-id user-id command to force the user to go offline.

Example

# Tear down the session initiated by the IP address 10.1.1.1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] cut access-user ip-address 10.1.1.1

dhcp-server group (service scheme view)

Function

The dhcp-server group command specifies an existing DHCP server group in a service scheme.

The undo dhcp-server group command deletes the DHCP server group in a service scheme.

By default, no DHCP server group is specified in a service scheme.

Format

dhcp-server group group-name

undo dhcp-server group

Parameters

Parameter Description Value
group-name Specifies the name of a DHCP server group. The name is a string of 1 to 32 case-sensitive characters without spaces.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

If a service scheme is bound to a domain, the service scheme configurations are valid for the users in the domain.

The DHCP server group must have been configured using the dhcp server group group-name command.

Example

# Specify the DHCP server group group1 for the service scheme svcscheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] dhcp-server group group1

display aaa

Function

The display aaa command displays information about normal logout, abnormal logout, and login failures.

Format

display aaa { offline-record | abnormal-offline-record | online-fail-record } { all | reverse-order | domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | slot slot-number } [ brief ]

Parameters

Parameter

Description

Value

offline-record

Displays normal logout records.

-

abnormal-offline-record

Displays abnormal logout records.

-

online-fail-record

Displays login failure records.

-

all

Displays all login and logout records.

-

reverse-order

Displays the records in a sequence reverse to the sequence in which they were generated. That is, the latest records are displayed first.

-

domain domain-name

Specifies the name of a domain.

The value is a string of 1 to 64 case-insensitive characters, excluding spaces, *, ?, and ".

interface interface-type interface-number

Specifies the type and number of an interface.

-

vlan vlan-id [ qinq qinq-vlan-id ]

Specifies a VLAN that interfaces belong to.

  • vlan-id specifies the ID of a VLAN. In QinQ applications, this parameter specifies the inner VLAN ID.
  • qinq-vlan-id specifies the outer VLAN ID.

The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.

ip-address ip-address

Specifies an IP address.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

The value is a string of 1 to 31 characters without spaces. It is case sensitive.

mac-address mac-address

Specifies a MAC address.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits.

slot slot-number

Specifies the slot ID.

The value is an integer. It must be the slot ID of an operating LPU.

brief

Displays brief login and logout information.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command allows you to view information about user normal logouts, abnormal logouts, and login failures based on the domain name, interface, IP address, VPN instance, MAC address, or slot ID.

NOTE:

The user name in the command output can only be a combination of letters, digits, and special characters. It cannot be displayed in Chinese or any other language.

Example

# View information about user normal logouts in domain rds.

<Huawei> display aaa offline-record domain rds
 -------------------------------------------------------------------
  User name          : test@rds
  Domain name        : rds
  User MAC           : 0021-9746-b67c
  User access type   : 802.1x
  User access interface : GigabitEthernet0/0/2
  Qinq vlan/User vlan: 0/1
  User IP address    : 192.168.2.2
  User ID            : 19
  User login time    : 2008/10/01 04:49:39
  User offline time  : 2008/10/01 04:59:43
  User offline reason: EAPOL user request
  -------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
Table 14-2  Description of the display aaa offline-record domain command output

Item

Description

User name

User name.

Domain name

Authentication domain of a user.

User MAC

MAC address of a user.

User access type

Access type of a user.
  • 802.1x indicates that the user accesses the network through 802.1x.
  • PPPoE indicates that the user accesses the network through PPPoE.
  • FTP indicates that the user accesses the network through FTP.
  • Telnet indicates that the user accesses the network through Telnet.
  • Terminal indicates that the user accesses the network through terminal.
  • SSH indicates that the user accesses the network through SSH.
  • x25-pad indicates that the user accesses the network through x25-pad.
  • HTTP indicates that the user accesses the network through HTTP.
  • Web indicates that the user accesses the network through web.
  • SSLVPN indicates that the user accesses the network through SSL VPN.
For the related command, see local-user service-type.

User access interface

Access interface of a user.

Qinq vlan/User vlan

VLAN that a user belongs to.
  • In QinQ application, QinQvlan indicates the outer VLAN ID and Uservlan indicates the inner VLAN ID.
  • For a common VLAN, Uservlan indicates the VLAN ID, and QinQvlan is 0.

User IP address

IP address of a user.

User ID

Index of a user.

User login time

Time when a user goes online.

User offline time

Time when a user goes offline.

User offline reason

Reason why a user goes offline.
  • The value "EAPOL user request" indicates that an 802.1x user requests to go offline.
  • The value "PPP user request" indicates that a PPP user requests to go offline.
  • The value "Web user request" indicates that a web user requests to go offline.
  • The value "AAA cut command" indicates that a user is deleted using command line.
  • The value "Session time out" indicates that a session times out.
  • The value "Idle cut" indicates that a user is disconnected because the user does not perform any operation within a specified period.
  • The value "PPP authentication fail" indicates a PPP authentication failure.
  • The value "STA disassociation" indicates that an STA is disassociated.
  • The value "console reset or disable port" indicates that the management interface is down.
  • The value "Interface net down" indicates that an interface is down.
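The record layout shown above is regular enough to parse offline, which is useful when the logout history has to be correlated with other logs during fault location. The following Python parser is an added example, not Huawei code. SAMPLE_OUTPUT is constructed to match the layout above: the first record is the one shown on this page, and the other two records (users bob@rds and carol@rds, their MAC addresses, interfaces, times and reasons) are made up for the example.

```python
"""Parse display aaa offline-record output into records and summarise it.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed to match
the layout shown in the command reference; the second and third records
are made up for the example.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_OUTPUT = """\
 -------------------------------------------------------------------
  User name          : test@rds
  Domain name        : rds
  User MAC           : 0021-9746-b67c
  User access type   : 802.1x
  User access interface : GigabitEthernet0/0/2
  Qinq vlan/User vlan: 0/1
  User IP address    : 192.168.2.2
  User ID            : 19
  User login time    : 2008/10/01 04:49:39
  User offline time  : 2008/10/01 04:59:43
  User offline reason: EAPOL user request
  -------------------------------------------------------------------
  User name          : bob@rds
  Domain name        : rds
  User MAC           : 00e0-fc12-3456
  User access type   : 802.1x
  User access interface : GigabitEthernet0/0/3
  Qinq vlan/User vlan: 0/1
  User IP address    : 192.168.2.3
  User ID            : 20
  User login time    : 2008/10/01 05:10:02
  User offline time  : 2008/10/01 05:40:02
  User offline reason: Idle cut
  -------------------------------------------------------------------
  User name          : carol@rds
  Domain name        : rds
  User MAC           : 00e0-fc65-4321
  User access type   : Telnet
  User access interface : GigabitEthernet0/0/4
  Qinq vlan/User vlan: 0/1
  User IP address    : 192.168.2.4
  User ID            : 21
  User login time    : 2008/10/01 05:12:30
  User offline time  : 2008/10/01 05:15:00
  User offline reason: AAA cut command
  -------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
"""

SEPARATOR = re.compile(r"^\s*-{10,}\s*$")
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_offline_records(text):
    """Split the output on the dashed separator lines into a list of dicts.

    Each "Key : value" line becomes one entry. The split is on the first
    colon only, because timestamps contain colons. The trailing
    interactive prompt and blank lines are skipped.
    """
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("Are you sure") or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def session_seconds(record):
    """Length of the session, from login time to offline time, in seconds."""
    start = datetime.strptime(record["User login time"], TIME_FORMAT)
    end = datetime.strptime(record["User offline time"], TIME_FORMAT)
    return int((end - start).total_seconds())


def count_by_reason(records):
    """Tally of offline reasons, the view display aaa statistics offline-reason gives."""
    return Counter(r.get("User offline reason", "unknown") for r in records)


def administratively_cut(records):
    """User names whose session was ended by cut access-user rather than by the user."""
    return [r["User name"] for r in records if r.get("User offline reason") == "AAA cut command"]


if __name__ == "__main__":
    recs = parse_offline_records(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['User name']:<12} {r['User access type']:<8} "
              f"{session_seconds(r):>6}s  {r['User offline reason']}")
    print(dict(count_by_reason(recs)))
```

When feeding real output, capture the screen after answering the "Are you sure" prompt; the parser tolerates the prompt line itself but expects each record to be closed by a dashed separator.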

display aaa configuration

Function

The display aaa configuration command displays the AAA configurations, for example, the domain, authentication scheme, authorization scheme, and accounting scheme.

Format

display aaa configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

AAA configurations are limited by system specifications. For example, a maximum of 32 domains, 32 authentication schemes, 32 authorization schemes, or 32 accounting schemes can be configured on the device. Before performing AAA configurations, run the display aaa configuration command to check whether there are sufficient resources.

Example

# Display the AAA summary.

<Huawei> display aaa configuration
                                                                                
  Domain Name Delimiter            : @                                          
  Domainname parse direction       : Left to right                              
  Domainname location              : After-delimiter                            
  Administrator user default domain: default_admin                              
  Normal user default domain       : default                                    
  Domain                           : total: 32      used: 3                     
  Authentication-scheme            : total: 32      used: 1                     
  Accounting-scheme                : total: 32      used: 2                     
  Authorization-scheme             : total: 32      used: 1                     
  Service-scheme                   : total: 256     used: 1                     
  Recording-scheme                 : total: 32      used: 0                     
  Local-user                       : total: 512     used: 10                    
  Local-user block retry-interval  : 30 Min(s)
  Local-user block retry-time      : 5
  Local-user block time            : 30 Min(s)
  Remote-user block retry-interval : 5 Min(s)
  Remote-user block retry-time     : 3
  Remote-user block time           : 5 Min(s)
Table 14-3  Description of the display aaa configuration command output

Item

Description

Domain Name Delimiter

Domain name delimiter, which can be any of the following characters: \ / : < > | @ ' %. The default domain name delimiter is @.

Domain

Number of domains.
  • total: indicates the total number of domains that can be created.
  • used: indicates the number of domains that have been created.

Domainname parse direction

Parsing direction of the user name and domain name.

  • Left to right
  • Right to left

Domainname location

Domain name location.

  • After-delimiter: The domain name is placed behind the domain name delimiter.
  • Before-delimiter: The domain name is placed before the domain name delimiter.

Administrator user default domain

Domain name of administrator users.

Normal user default domain

Domain name of normal users.

Authentication-scheme

Number of authentication schemes.
  • total: indicates the total number of authentication schemes that can be created.
  • used: indicates the number of authentication schemes that have been created.

Accounting-scheme

Number of accounting schemes.
  • total: indicates the total number of accounting schemes that can be created.
  • used: indicates the number of accounting schemes that have been created.

Authorization-scheme

Number of authorization schemes.
  • total: indicates the total number of authorization schemes that can be created.
  • used: indicates the number of authorization schemes that have been created.

Service-scheme

Number of service schemes.
  • total: indicates the total number of service schemes that can be created.
  • used: indicates the number of service schemes that have been created.

Recording-scheme

Number of recording schemes.
  • total: indicates the total number of recording schemes that can be created.
  • used: indicates the number of recording schemes that have been created.

Local-user

Number of local users.
  • total: indicates the total number of local users that can be created.
  • used: indicates the number of local users that have been created.

Local-user block retry-interval

Authentication retry interval of a local account.

Local-user block retry-time

Maximum number of consecutive authentication failures.

Local-user block time

Locking time of a local account.

Remote-user block retry-interval

Authentication retry interval of a remote AAA authentication user.

Remote-user block retry-time

Maximum number of consecutive authentication failures.

Remote-user block time

Locking time of a remote AAA authentication user.

display aaa statistics offline-reason

Function

The display aaa statistics offline-reason command displays the reasons why users go offline.

Format

display aaa statistics offline-reason

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display aaa statistics offline-reason command helps you determine why users went offline. You can use the command output to locate network faults.

Example

# Display reasons why users go offline.

<Huawei> display aaa statistics offline-reason
19  user request to offline       :2 
87  AAA cut command               :1       
Table 14-4  Description of the display aaa statistics offline-reason command output

Item

Description

19/87

Reason code.

user request to offline

A user requested to go offline.

2/1

Number of times users go offline.

AAA cut command

A user is disconnected by the cut access-user command.

display access-user

Function

The display access-user command displays information about online users.

Format

display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | slot slot-id | user-group user-group-name ] [ detail ]

display access-user [ mac-address mac-address | user-id user-id | statistics | ssid ssid-name ]

Parameters

Parameter

Description

Value

domain domain-name

Displays information about users in a specified domain.

The domain name must already exist.

interface interface-type interface-number

Displays information about users on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

vlan vlan-id [ qinq qinq-vlan-id ]

Displays information about users in a VLAN.

  • vlan-id specifies the ID of a VLAN. In QinQ applications, this parameter specifies the inner VLAN ID.
  • qinq-vlan-id specifies the outer VLAN ID.

The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.

ip-address ip-address

Displays information about the user with a specified IP address.

NOTE:

When the user type is web (portal authentication users), details about the user are displayed. For any other user type, brief information about the user is displayed.

The value of ip-address is in dotted decimal notation.

vpn-instance vpn-instance-name

Specifies the name of the VPN instance to which the specified IP address belongs.

The VPN instance must already exist.

mac-address mac-address

Displays information about the user with a specified MAC address.

The value is in H-H-H format. An H contains 1 to 4 hexadecimal digits.

slot slot-id

Displays information about users connecting to a specified LPU.

The value range depends on the model of the device.

ssid ssid-name

Specifies the SSID.

The SSID must already exist.

statistics

Displays WLAN user statistics on the device.

-

user-group user-group-name

Displays information about users in a specified user group.

The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

user-id user-id

Displays information about sessions of a specified user. If this parameter is specified, detailed information about the user is displayed.

The user-id must exist on the device.

detail

Displays detailed information about users.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays information about user sessions on the device.

Precautions

If the character string of the user name contains spaces (for example, a b), you can run the display access-user username "a b" command to view online users.

If the character string of the user name contains spaces and quotation marks ("") simultaneously, you cannot use the user name to view online users. In this case, you can run the display access-user | include username command to view the user ID of the online user, and then run the display access-user user-id user-id command to view the user. Alternatively, you can run the cut access-user user-id user-id command to force the user to go offline.

When displaying VPN user entries based on user IP address, you need to set the vpn-instance vpn-instance-name parameter to specify the VPN instance to which the IP address belongs.

If user-id is specified, detailed information about the specified user is displayed. If user-id is not specified, brief information about all online users is displayed, including the user ID, user name, IP address, and MAC address of each user.

The user name in the command output can only be a combination of letters, digits, and special characters. It cannot be displayed in Chinese or any other language.

When querying user information based on interfaces, MAC addresses, or VLANs, the device only displays information about 802.1x, MAC address, or Portal authentication users.

NOTE:

If you run this command when there are users going online and offline, the number of online users may be incorrectly displayed. For example, when you run the command to view the number of online L2TP users, the displayed value may exceed the maximum number of online L2TP users allowed by the system.

Example

# Display the users connected to the interface Eth0/0/1.

<Huawei> display access-user interface ethernet 0/0/1
 ----------------------------------------------------------------------------------------------- 
 UserID Username                       IP address                MAC           
 -----------------------------------------------------------------------------------------------
 36     test@rds                       -                         0021-9746-b67c 
 17     c0a80642@none                  192.168.6.66              4487-fc40-f05b 
 -----------------------------------------------------------------------------------------------
 Total 2,2 printed
NOTE:

If you specify the include or exclude parameter in the command, the values of Total and printed are still the total number of users.

# Display the user with the user ID being 36.

<Huawei> display access-user user-id 36

Basic:
  User ID                         : 36
  User name                       : test@rds
  Domain-name                     : rds
  User MAC                        : 0021-9746-b67c
  User IP address                 : -
  User access Interface           : Ethernet0/0/1
  QinQVlan/UserVlan               : 0/10
  User access time                : 2010/11/28 23:37:27
  User accounting session ID      : Huawei04007000000010dc9143000036
  User access type                : 802.1x
  Terminal Device Type            : Data Terminal
  Dynamic group name              : nac 
  Upstream CAR CIR                : 300  
  Upstream CAR PIR                : 200                                         
  Upstream CAR CBS                : 56400                                       
  Upstream CAR PBS                : 37600                                       
  Up packets number(Packet)       : 239                                         
  Up bytes number(Byte)           : 19,171            
  Downstream CAR CIR              : 500                                         
  Downstream CAR PIR              : 400                                         
  Downstream CAR CBS              : 94000                                       
  Downstream CAR PBS              : 75200                                       
  Down packets number(Packet)     : 4                                           
  Down bytes number(Byte)         : 256   

AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS

# Display the user with the user ID being 17.

<Huawei> display access-user user-id 17

Basic:
  User ID                         : 17
  User name                       : c0a80642
  Domain-name                     : none
  User MAC                        : 4487-fc40-f05b
  User IP address                 : 192.168.6.66
  User access Interface           : Ethernet0/0/1
  QinQVlan/UserVlan               : 0/6
  User access time                : 2014/09/10 13:15:39
  User accounting session ID      : Huawei000480000000066749df000017 
  User access type                : WEB
  AP ID                           : 0
  AP name                         : ap-0
  Radio ID                        : 0
  AP MAC                          : 0a0b-0c00-0500
  SSID                            : 222222
  Online time                     : 417(s)
  Web-server IP address           : 10.9.9.1
  User session timeout            : 4(h)

AAA:
  User authentication type        : WEB authentication
  Current authentication method   : None
  Current authorization method    : -
  Current accounting method       : None

# Display WLAN user statistics on the device.

<Huawei> display access-user statistics
 wlan access total number     : 1                                               
 wlan access failed number    : 0                                               
 wlan access success number   : 1                                               
 wlan abnormal offline number : 1                                               
 PPP online number            : 0                                               
 PPP access success number    : 0                                               
 PPP access failed number     : 0  
Table 14-5  Description of the display access-user command output

Item

Description

Basic

Basic information about a user.

User ID

ID of a user.

User name

Name of a user.

Domain-name

Name of the domain that a user belongs to.

User MAC

MAC address of a user.

User IP address

IP address of a user.

User access Interface

Access interface connected to a user.

QinQVlan/UserVlan

VLAN that a user belongs to.
  • In QinQ applications, QinQVlan indicates the outer VLAN ID and UserVlan indicates the inner VLAN ID.
  • For a common VLAN, UserVlan indicates the VLAN ID and QinQVlan is 0.

User access time

Time when a user goes online.

User accounting session ID

ID of the accounting session for a user.

User access type

Access type of a user.

Terminal Device Type

Terminal device type of a user.

Dynamic group name

User group delivered by the RADIUS server to the online user.

Upstream CAR CIR

Upstream CIR dynamically delivered by the RADIUS server to the online user.

Upstream CAR PIR

Upstream PIR dynamically delivered by the RADIUS server to the online user.

Upstream CAR CBS

Upstream CBS dynamically delivered by the RADIUS server to the online user.

Upstream CAR PBS

Upstream PBS dynamically delivered by the RADIUS server to the online user.

Up packets number(Packet)

Number of incoming packets from the user.

Up bytes number(Byte)

Number of bytes in incoming packets from the user.

Downstream CAR CIR

Downstream CIR dynamically delivered by the RADIUS server to the online user.

Downstream CAR PIR

Downstream PIR dynamically delivered by the RADIUS server to the online user.

Downstream CAR CBS

Downstream CBS dynamically delivered by the RADIUS server to the online user.

Downstream CAR PBS

Downstream PBS dynamically delivered by the RADIUS server to the online user.

Down packets number(Packet)

Number of outgoing packets to the user.

Down bytes number(Byte)

Number of bytes in outgoing packets to the user.

Web-server IP address

IP address of the WEB server.

User session timeout

Timeout interval of user sessions.

AP ID

ID of the AP connected to users.

AP name

Name of the AP connected to users.

Radio ID

ID of the radio.

AP MAC

MAC address of the AP connected to users.

SSID

SSID of a STA.

Online time

STA online time.

AAA

AAA information about a user.

User authentication type

Authentication type of a user, which depends on the access type of the user.

Current authentication method

Authentication mode.

Current authorization method

Authorization mode.

Current accounting method

Accounting mode.

wlan access total number

Total access times of WLAN users.

wlan access failed number

Number of times WLAN users fail to access.

wlan access success number

Number of times WLAN users successfully access.

wlan abnormal offline number

Number of times WLAN users go offline unexpectedly.

PPP online number

Number of online PPP users.

PPP access success number

Number of times PPP users successfully access.

PPP access failed number

Number of times PPP users fail to access.
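The detailed output of display access-user user-id is a set of "Key : Value" lines grouped under the Basic and AAA headings. The following added example (not Huawei code) parses that layout into a dictionary and flags sessions whose AAA section shows no authentication or accounting method, such as the WEB user 17 above; the two sample outputs are copied from the examples in this section.

```python
"""Parse the detailed output of 'display access-user user-id' and flag
sessions that were admitted without authentication or accounting.

Added example; not Huawei code. The two sample outputs below are copied
from the 'display access-user user-id' examples in this reference.
"""
import re
from typing import Dict, List

# Section headings ("Basic:", "AAA:") start at column 0; field lines are
# indented and have the form "<key> : <value>". The key is matched
# non-greedily so values that contain colons (timestamps) stay intact.
_SECTION_RE = re.compile(r"^(\w+):\s*$")
_FIELD_RE = re.compile(r"^\s+(.+?)\s*:\s*(.*?)\s*$")

SAMPLE_USER_36 = """<Huawei> display access-user user-id 36

Basic:
  User ID                         : 36
  User name                       : test@rds
  Domain-name                     : rds
  User MAC                        : 0021-9746-b67c
  User IP address                 : -
  User access Interface           : Ethernet0/0/1
  User access time                : 2010/11/28 23:37:27
  User access type                : 802.1x

AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
"""

SAMPLE_USER_17 = """<Huawei> display access-user user-id 17

Basic:
  User ID                         : 17
  User name                       : c0a80642
  Domain-name                     : none
  User MAC                        : 4487-fc40-f05b
  User IP address                 : 192.168.6.66
  User access Interface           : Ethernet0/0/1
  User access type                : WEB
  SSID                            : 222222
  Online time                     : 417(s)

AAA:
  User authentication type        : WEB authentication
  Current authentication method   : None
  Current authorization method    : -
  Current accounting method       : None
"""


def parse_access_user_detail(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"Basic": {...}, "AAA": {...}} from one user's detailed output."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        # Skip blank lines and the echoed command prompt line.
        if not line.strip() or line.lstrip().startswith("<"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def audit_session(record: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for a session whose AAA methods are 'None'.

    A '-' in the authorization field only means no authorization scheme
    is bound to the domain, so it is not reported.
    """
    basic = record.get("Basic", {})
    aaa = record.get("AAA", {})
    who = f"user-id {basic.get('User ID', '?')} ({basic.get('User name', '?')})"
    findings: List[str] = []
    if aaa.get("Current authentication method", "-") == "None":
        findings.append(f"{who}: online without authentication")
    if aaa.get("Current accounting method", "-") == "None":
        findings.append(f"{who}: no accounting, session leaves no server-side record")
    return findings


def audit_all(outputs: List[str]) -> List[str]:
    """Run audit_session over several captured outputs."""
    findings: List[str] = []
    for text in outputs:
        findings.extend(audit_session(parse_access_user_detail(text)))
    return findings


if __name__ == "__main__":
    for finding in audit_all([SAMPLE_USER_36, SAMPLE_USER_17]):
        print(finding)
```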

display accounting-scheme

Function

The display accounting-scheme command displays the configuration of accounting schemes, including accounting scheme names and accounting modes.

Format

display accounting-scheme [ accounting-scheme-name ]

Parameters

Parameter

Description

Value

accounting-scheme-name

Specifies the name of an accounting scheme.

The accounting scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the accounting scheme configuration is complete, run the display accounting-scheme command to view the configuration of accounting schemes.

Before applying an accounting scheme to a domain, run the display accounting-scheme command to check whether configuration of the accounting scheme is correct.

Precautions

The display accounting-scheme command displays the detailed configuration if the name of an accounting scheme is specified. Otherwise, this command displays only the summary of accounting schemes.

Example

# Display the summary of all accounting schemes.

<Huawei> display accounting-scheme
  -------------------------------------------------------------------
  Accounting-scheme-name              Accounting-method
  -------------------------------------------------------------------
  default                             None
  radius-1                            RADIUS
  tacas-1                             HWTACACS
  -------------------------------------------------------------------
  Total of accounting-scheme: 3 

# Display the detailed configuration of the default accounting scheme.

<Huawei> display accounting-scheme default

  Accounting-scheme-name                : default
  Accounting-method                     : None
  Realtime-accounting-switch            : Disabled
  Realtime-accounting-interval(min)     : -
  Start-accounting-fail-policy          : Offline
  Realtime-accounting-fail-policy       : Online
  Realtime-accounting-failure-retries   : 3
                                             
Table 14-6  Description of the display accounting-scheme command output

Item

Description

Accounting-scheme-name

Name of an accounting scheme. To create an accounting scheme, run the accounting-scheme (AAA view) command.

Accounting-method

Accounting mode in the accounting scheme. The accounting modes are as follows:

  • HWTACACS: indicates that an HWTACACS server performs accounting.
  • None: indicates non-accounting.
  • RADIUS: indicates that a RADIUS server performs accounting.

To configure an accounting mode, run the accounting-mode command.

Realtime-accounting-switch

Whether the real-time accounting function is enabled:

  • Disabled: indicates that the real-time accounting function is disabled.
  • Enabled: indicates that the real-time accounting function is enabled.

To set the interval for real-time accounting, run the accounting realtime command.

Realtime-accounting-interval(min)

Interval for real-time accounting. To set the interval for real-time accounting, run the accounting realtime command.

Start-accounting-fail-policy

Policy used for accounting-start failures.
  • Offline: disconnects users.
  • Online: keeps users online.

To configure a policy for accounting-start failures, run the accounting start-fail command.

Realtime-accounting-fail-policy

Policy used for real-time accounting failures.
  • Offline: disconnects users.
  • Online: keeps users online.

To configure the policy used for real-time accounting failures, run the accounting interim-fail command.

Realtime-accounting-failure-retries

Number of retries before a real-time accounting failure is confirmed.

To set the number of retries before a real-time accounting failure is confirmed, run the accounting interim-fail command.

display authentication-scheme

Function

The display authentication-scheme command displays the configuration of authentication schemes.

Format

display authentication-scheme [ authentication-scheme-name ]

Parameters

Parameter

Description

Value

authentication-scheme-name

Specifies the name of an authentication scheme.

The authentication scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the authentication scheme configuration is complete, run the display authentication-scheme command to view the configuration of authentication schemes.

Before applying an authentication scheme to a domain, run the display authentication-scheme command to check whether configuration of the authentication scheme is correct.

Precautions

The display authentication-scheme command displays the detailed configuration if the command is executed in the authentication scheme view or the name of an authentication scheme is specified. Otherwise, this command displays only the summary of authentication schemes.

Example

# Display the summary of all authentication schemes.

<Huawei> display authentication-scheme
  -------------------------------------------------------------------
  Authentication-scheme-name          Authentication-method
  -------------------------------------------------------------------
  default                             Local
  local-1                             Local
  radius-1                            RADIUS Local
  -------------------------------------------------------------------
  Total of authentication scheme: 3

# Display the detailed configuration of the default authentication scheme.

<Huawei> display authentication-scheme default
                                                                                
  Authentication-scheme-name    : default                                       
  Authentication-method         : Local                                         
Table 14-7  Description of the display authentication-scheme command output

Item

Description

Authentication-scheme-name

Name of an authentication scheme. To create an authentication scheme, run the authentication-scheme (AAA view) command.

Authentication-method

Authentication mode in an authentication scheme. To configure an authentication mode in an authentication scheme, run the authentication-mode command.

display authorization-scheme

Function

The display authorization-scheme command displays the configuration of authorization schemes.

Format

display authorization-scheme [ authorization-scheme-name ]

Parameters

Parameter

Description

Value

authorization-scheme-name

Specifies the name of an authorization scheme.

The authorization scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the authorization scheme configuration is complete, run the display authorization-scheme command to view the configuration of authorization schemes.

Before applying an authorization scheme to a domain, run the display authorization-scheme command to check whether configuration of the authorization scheme is correct.

Precautions

The display authorization-scheme command displays the detailed configuration if the name of an authorization scheme is specified. Otherwise, this command displays only the summary of authorization schemes.

Example

# Display the summary of all authorization schemes.

<Huawei> display authorization-scheme
  -------------------------------------------------------------------
  Authorization-scheme-name          Authorization-method
  -------------------------------------------------------------------
  default                             Local
  scheme0                             Local
  -------------------------------------------------------------------
   Total of authorization-scheme: 2

# Display the detailed configuration of the authorization scheme scheme0.

<Huawei> display authorization-scheme scheme0
---------------------------------------------------------------------------
 Authorization-scheme-name   : scheme0
 Authorization-method        : Local
 Authorization-cmd level  0   : Disabled
 Authorization-cmd level  1   : Disabled 
 Authorization-cmd level  2   : Disabled
 Authorization-cmd level  3   : Disabled
 Authorization-cmd level  4   : Disabled
 Authorization-cmd level  5   : Disabled
 Authorization-cmd level  6   : Disabled
 Authorization-cmd level  7   : Disabled
 Authorization-cmd level  8   : Disabled
 Authorization-cmd level  9   : Disabled
 Authorization-cmd level 10   : Disabled
 Authorization-cmd level 11   : Disabled
 Authorization-cmd level 12   : Disabled
 Authorization-cmd level 13   : Disabled
 Authorization-cmd level 14   : Disabled
 Authorization-cmd level 15   : Disabled
 Authorization-cmd no-response-policy    : Online
---------------------------------------------------------------------------
Table 14-8  Description of the display authorization-scheme command output

Item

Description

Authorization-scheme-name

Name of the authorization scheme. To create an authorization scheme, run the authorization-scheme (AAA view) command.

Authorization-method

Authorization mode in an authorization scheme. To configure an authorization mode in an authorization scheme, run the authorization-mode command.

Authorization-cmd level

Whether command line authorization is enabled for users at a certain level.
  • Disabled: indicates that command line authorization is disabled.
  • Enabled: indicates that command line authorization is enabled.

To enable command line authorization, run the authorization-cmd command.

Authorization-cmd no-response-policy

Policy applied when the command line authorization server does not respond. Online indicates that users are allowed to stay online.

display domain

Function

The display domain command displays the domain configuration.

Format

display domain [ name domain-name ]

Parameters

Parameter

Description

Value

name domain-name

Specifies the name of a domain.

If this parameter is not specified, brief information about all domains is displayed.

The domain name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a domain is created by the domain command with required parameters specified, you can run the display domain command to view the domain configuration.

Example

# Display brief information about all domains.

<Huawei> display domain
  -------------------------------------------------------------------------     
  index    DomainName                                                           
  -------------------------------------------------------------------------     
  0        default                                                              
  1        default_admin                                                        
  2        aaa.com                                                              
  3        bbb.com                                                              
  4        huawei                                                               
  -------------------------------------------------------------------------     
  Total: 5                                                                      
Table 14-9  Description of the display domain domain-name command output

Item

Description

index

Index of a domain.

DomainName

Name of a domain.

# Display the configuration of the domain domain1.

<Huawei> display domain name domain1
                                                                                
  Domain-name                     : domain1                                     
  Domain-state                    : Active                                      
  Authentication-scheme-name      : default                                     
  Accounting-scheme-name          : default                                     
  Authorization-scheme-name       : -                                           
  Service-scheme-name             : -                                           
  RADIUS-server-template          : -                                           
  HWTACACS-server-template        : -                                           
  User-group                      : -                                           
  Push-url-address                : - 
  Domain auto block Time-range    : asd     
  Flow-statistic                  : enable          
  Tariff-level 
   Qos-profile                    : huawei 
   Accounting-flag                : enable
                                                                                
Table 14-10  Description of the display domain name domain-name command output

Item

Description

Domain-name

Name of a domain.

Domain-state

Status of a domain.
  • Active: indicates that the domain is activated.
  • Block: indicates that the domain is blocked.

Authentication-scheme-name

Name of the authentication scheme used in a domain. By default, the default authentication scheme is used for a domain.

Accounting-scheme-name

Name of the accounting scheme used in a domain. By default, the default accounting scheme is used in a domain.

Authorization-scheme-name

Name of the authorization scheme used in a domain.

Service-scheme-name

Name of the service scheme used in a domain.

RADIUS-server-template

Name of the RADIUS server template used in a domain.

HWTACACS-server-template

Name of the HWTACACS server template used in a domain.

User-group

Name of the user group for the users in a domain.

Push-url-address

URL pushed to users in the domain.

Domain auto block Time-range

Automatic block time range of a domain.

Flow-statistic

Whether traffic statistics collection is enabled for users in a domain:
  • enable
  • disable

Tariff-level

Tariff level of traffic.

Qos-profile

QoS profile corresponding to the tariff level.

Accounting-flag

Whether accounting is enabled for the tariff level:
  • enable
  • disable

display local-user

Function

The display local-user command displays information about local users.

Format

display local-user [ domain domain-name | state { active | block } | username user-name ] *

Parameters

Parameter

Description

Value

domain domain-name

Displays information about local users in a specified domain.

The domain name must already exist.

state { active | block }

Displays the attributes of local users in the specified state.
  • active: indicates the active state.
  • block: indicates the blocking state.

-

username user-name

Displays information about a specified local user name.

The user name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The display local-user command output helps you check the configuration of local users and isolate faults related to the local users.

Precautions

If no parameter is specified, brief information about all local users is displayed. If a parameter is specified, detailed information about the specified local user is displayed.

Example

# Display brief information about local users.

<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  user-a                         A      A         0
  user-c                         A      A         0
  ----------------------------------------------------------------------------
  Total 2 user(s) 

# Display detailed information about the local user user-a.

<Huawei> display local-user username user-a
  The contents of local user(s):
  Password                        : ****************
  State                           : active
  Service-type-mask               : A
  Privilege level                 : -
  Idle-cut                        : no 
  Ftp-directory                   : -
  Access-limit                    : -
  Accessed-num                    : 0
  Idle-timeout                    : -
  User-group                      : -
  Original-password               : No
  Password-set-time               : 2014-12-01 18:42:57
  Password-expired                : No 
  Password-expire-time            : - 
Table 14-11  Description of the display local-user command output

Item

Description

User-name

Name of the local user.

State

State of the local user:

  • A: Active
  • B: Block

AuthMask

Access type of the local user.

  • T: indicates the Telnet users.
  • M: indicates the terminal users, which usually refers to the console users.
  • S: indicates the SSH users.
  • V: indicates the SSL VPN users.
  • F: indicates the FTP users.
  • W: indicates the web users.
  • B: indicates the IP session users.
  • X: indicates the 802.1x users.
  • A: indicates all access types.
  • H: indicates the HTTP users.
  • D: indicates the X25-PAD users.
  • P: indicates the PPP users.

AdminLevel

Administrative level of the local user.

Password

Password of the local user.

Service-type-mask

Service type of the local user. The letters have the same meaning as in AuthMask.

Privilege level

User level of the local user.

Idle-cut

Whether the idle cut function is enabled for the local user:
  • Yes
  • No

Ftp-directory

FTP directory of the local user.

Access-limit

Maximum number of sessions of the local user.

Accessed-num

Number of established sessions.

Idle-timeout

Idle timeout interval.

User-group

Authorization information of the user group to which the local user is bound.

Original-password

Whether the password of a local user is the initial password:
  • Yes
  • No

Password-set-time

Time when the local user's password is created.

Password-expired

Whether a local user's password has expired:
  • Yes
  • No

Password-expire-time

Time when the local user's password expires.
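The brief display local-user table encodes the State and AuthMask columns as single letters, which Table 14-11 expands. The following added example (not Huawei code) parses that table, decodes both columns with the Table 14-11 legend, and reports active accounts whose AuthMask is A (every access type) or whose AdminLevel is 3 or higher (the management level used throughout this reference). The sample table is the one shown above plus one constructed row (user b, blocked, Telnet and SSH only, level 15) to exercise a user name containing a space.

```python
"""Parse the brief 'display local-user' table and decode State and
AuthMask using the legend in Table 14-11.

Added example; not Huawei code. The sample table reproduces the two rows
shown in this reference plus one constructed row ("user b").
"""
from typing import List, NamedTuple

# Legend from Table 14-11.
AUTHMASK = {
    "T": "Telnet", "M": "terminal/console", "S": "SSH", "V": "SSL VPN",
    "F": "FTP", "W": "web", "B": "IP session", "X": "802.1x",
    "A": "all access types", "H": "HTTP", "D": "X25-PAD", "P": "PPP",
}
STATE = {"A": "active", "B": "block"}

# Management level, as listed under "Default Level" in this reference.
MANAGEMENT_LEVEL = 3

SAMPLE_TABLE = """<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  user-a                         A      A         0
  user-c                         A      A         0
  user b                         B      TS        15
  ----------------------------------------------------------------------------
  Total 3 user(s) 
"""


class LocalUser(NamedTuple):
    name: str
    state: str
    services: List[str]
    admin_level: int


def parse_local_user_table(text: str) -> List[LocalUser]:
    """Return one LocalUser per row of the brief table."""
    users: List[LocalUser] = []
    in_body = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("User-name"):
            in_body = True          # header seen; data rows follow
            continue
        if not in_body or not s or s.startswith("-") or s.startswith("Total"):
            continue                # prompt, rule lines, footer
        # Split from the right: the last three columns never contain
        # spaces, but a user name may (the reference mentions "a b").
        name, state, mask, level = s.rsplit(None, 3)
        users.append(LocalUser(
            name,
            STATE.get(state, state),
            [AUTHMASK.get(c, c) for c in mask],
            int(level),
        ))
    return users


def review_local_users(users: List[LocalUser]) -> List[str]:
    """Report accounts with the broadest service scope or management level."""
    findings: List[str] = []
    for u in users:
        if u.state == "active" and "all access types" in u.services:
            findings.append(f"{u.name}: active with AuthMask A (every access type enabled)")
        if u.admin_level >= MANAGEMENT_LEVEL:
            findings.append(f"{u.name}: admin level {u.admin_level} (management level or higher)")
    return findings


if __name__ == "__main__":
    for finding in review_local_users(parse_local_user_table(SAMPLE_TABLE)):
        print(finding)
```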

display local-user expire-time

Function

The display local-user expire-time command displays the time when local accounts expire.

Format

display local-user expire-time

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The command output helps you diagnose and rectify the faults related to local user passwords.

Example

# Display the time when local accounts expire.

<Huawei> display local-user expire-time
 -------------------------------------------------------------------------------    
 Username                Password-expire       Account-expire            Expired
 -------------------------------------------------------------------------------
 zsh                     2014-12-01 21:25:44    -                        NO
 mm001                   2014-12-01 21:29:58    -                        NO
 -------------------------------------------------------------------------------
 Total: 2, printed: 2  
Table 14-12  Description of the display local-user expire-time command output

Item

Description

Username

Local account name.

Password-expire

Time when the password expires.

Account-expire

Account expiration time.

Expired

Whether the local account has expired:
  • YES
  • NO
NOTE:

The displayed value may lag the actual value by up to one minute, so a password that has just expired may still be shown as NO.

When the local user account or password has expired, the local user becomes invalid.

display local-aaa-user password policy

Function

The display local-aaa-user password policy command displays the password policy of local users.

Format

display local-aaa-user password policy { access-user | administrator }

Parameters

Parameter

Description

Value

access-user

Indicates the password policy of local access users.

-

administrator

Indicates the password policy of local administrators.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

After configuring the password policy for local users, you can run the display local-aaa-user password policy command to check whether the configuration is correct.

Example

# Display the password policy of local access users.

<Huawei> display local-aaa-user password policy access-user
  Password control                 : Enable 
  Password history                 : Enable (history records:5) 
Table 14-13  Description of the display local-aaa-user password policy access-user command output

Item

Description

Password control

Whether the password control function is enabled:
  • Enable
  • Disable

To configure this function, run the local-aaa-user password policy access-user command.

Password history

Whether the historical password recording function is enabled and the maximum number of historical passwords of each user.

To configure this function, run the password history record number command.

# Display the password policy of local administrator.

<Huawei> display local-aaa-user password policy administrator
  Password control                 : Enable                                     
  Password expiration              : Enable (180 days)                          
  Password history                 : Enable (history records:5)                 
  Password alert before expiration : 30 days                                    
  Password alert original          : Enable 
Table 14-14  Description of the display local-aaa-user password policy administrator command output

Item

Description

Password control

Whether the password control function is enabled:
  • Enable
  • Disable

To configure this function, run the local-aaa-user password policy administrator command.

Password expiration

Whether the password expiration function is enabled and password expiration time.

To configure this function, run the password expire command.

Password history

Whether the historical password recording function is enabled and the maximum number of historical passwords of each user.

To configure this function, run the password history record number command.

Password alert before expiration

Password expiration prompt days.

To configure this function, run the password alert before-expire command.

Password alert original

Whether the device prompts users to change their initial passwords:
  • Enable
  • Disable

To configure this function, run the password alert original command.
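The following is an added example, not Huawei code, that models how the administrator password policy shown above (expiration 180 days, alert 30 days before expiry, 5 history records, alert on the initial password) is applied to a local account: when the expiry warning starts, when the account becomes expired, and how the history records block reuse of an old password. Class and function names are assumptions, as is using the history records to reject password reuse; the account data is constructed so that its expiry matches the 2014-12-01 21:25:44 value in the display local-user expire-time output above.

```python
"""Added example, not Huawei code: a model of the administrator password policy shown above
(expiration 180 days, alert 30 days before expiry, 5 history records, alert on the initial
password). Class and function names are assumptions; so is using the history records to
reject password reuse."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    control_enabled: bool = True       # Password control                 : Enable
    expire_days: Optional[int] = 180   # Password expiration              : Enable (180 days); None = disabled
    history_records: int = 5           # Password history                 : Enable (history records:5)
    alert_before_days: int = 30        # Password alert before expiration : 30 days
    alert_original: bool = True        # Password alert original          : Enable


@dataclass
class LocalAccount:
    name: str
    password_set_time: datetime               # Password-set-time in display local-user
    is_original_password: bool = False        # Original-password: Yes/No
    history: List[str] = field(default_factory=list)   # most recent last; a device stores digests, not plaintext


def evaluate_password(account: LocalAccount, policy: PasswordPolicy, now: datetime) -> Dict[str, object]:
    """Derive Password-expired / Password-expire-time and the warnings a login would print."""
    alerts: List[str] = []
    result: Dict[str, object] = {"expired": False, "expire_time": None, "days_left": None, "alerts": alerts}
    if not policy.control_enabled:
        return result
    if policy.alert_original and account.is_original_password:
        alerts.append("change the initial password")
    if policy.expire_days is not None:
        expire_time = account.password_set_time + timedelta(days=policy.expire_days)
        remaining = expire_time - now
        result["expire_time"] = expire_time
        result["days_left"] = remaining.days          # negative once expired
        if now >= expire_time:
            result["expired"] = True                  # the account can no longer log in
        elif remaining <= timedelta(days=policy.alert_before_days):
            alerts.append(f"password expires in {remaining.days} day(s)")
    return result


def change_password(account: LocalAccount, new_password: str, policy: PasswordPolicy, now: datetime) -> bool:
    """Refuse any of the last history_records passwords, otherwise rotate and restart the expiry clock."""
    if policy.control_enabled and policy.history_records > 0:
        if new_password in account.history[-policy.history_records:]:
            return False
    account.history.append(new_password)
    account.history = account.history[-max(policy.history_records, 1):]
    account.password_set_time = now
    account.is_original_password = False
    return True


def demo() -> Dict[str, object]:
    """Constructed sample: account zsh whose expiry matches the 2014-12-01 21:25:44 shown above."""
    policy = PasswordPolicy()
    acct = LocalAccount("zsh", datetime(2014, 6, 4, 21, 25, 44),
                        is_original_password=True, history=["Admin@huawei"])
    before = evaluate_password(acct, policy, datetime(2014, 11, 10))   # inside the 30-day alert window
    after = evaluate_password(acct, policy, datetime(2014, 12, 2))     # one day past expiry
    reuse_rejected = not change_password(acct, "Admin@huawei", policy, datetime(2014, 12, 2))
    rotated = change_password(acct, "N3w-Secret!", policy, datetime(2014, 12, 2))
    fresh = evaluate_password(acct, policy, datetime(2014, 12, 2))
    return {"before": before, "after": after, "reuse_rejected": reuse_rejected,
            "rotated": rotated, "fresh": fresh}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two checks that matter operationally are the ones a device cannot do for you: an account that still carries its initial password is flagged even if the expiry is far away, and a rotation back to a password in the history list is refused rather than silently accepted.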

display recording-scheme

Function

The display recording-scheme command displays the configuration of recording schemes.

Format

display recording-scheme [ recording-scheme-name ]

Parameters

Parameter

Description

Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display recording-scheme command displays the configuration of recording schemes.

Example

# Display the configuration of the recording scheme scheme0.

<Huawei> display recording-scheme scheme0
-----------------------------------------------------------------
 Recording-scheme-name           : scheme0
 HWTACACS-template-name          : tacas-1
---------------------------------------------------------------- 
Table 14-15  Description of the display recording-scheme command output

Item

Description

Recording-scheme-name

Name of the recording scheme. To create a recording scheme, run the recording-scheme command.

HWTACACS-template-name

Name of the HWTACACS server template associated with the recording scheme. To associate an HWTACACS server template with a recording scheme, run the recording-mode hwtacacs command.

display remote-user authen-fail

Function

The display remote-user authen-fail command displays the accounts that fail in remote AAA authentication.

Format

display remote-user authen-fail [ blocked | username username ]

Parameters

Parameter

Description

Value

blocked

Displays all the remote AAA authentication accounts that have been locked.

-

username username

Displays details about the accounts that fail in remote AAA authentication.

If the username parameter is not specified, basic information about all accounts that fail in remote AAA authentication is displayed.

It is a string of 1 to 64 case-insensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the account locking function is enabled for the users that fail in AAA remote authentication, the device records all failed accounts, including:
  • The accounts that failed in authentication and are locked, for example, when the user entered the wrong account name or password too many times.
  • The accounts that failed in authentication, but are not locked, for example, when the number of times the account name or password was entered incorrectly did not exceed the limit.

Prerequisites

The remote-aaa-user authen-fail command has been enabled to lock the accounts that fail in remote AAA authentication.

Precautions

The device cannot back up a recorded account that fails the AAA authentication. If an active/standby switchover policy has been configured on the device, all user entries are cleared when the device completes an active/standby switchover.

Example

# Display all accounts that have failed in remote AAA authentication.

<Huawei> display remote-user authen-fail
  ----------------------------------------------------------------------------
  Username                   RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)
  ----------------------------------------------------------------------------
  test@rds                   5                   2             0
  t@rds                      0                   0             5
  ----------------------------------------------------------------------------
  Total 2, 2 printed 

# Display all locked accounts.

<Huawei> display remote-user authen-fail blocked
  ----------------------------------------------------------------------------
  Username                   RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)
  ----------------------------------------------------------------------------
  t@rds                      0                   0             4
  ----------------------------------------------------------------------------
  Total 1, 1 printed   

# Display details about the account test that failed in remote AAA authentication.

<Huawei> display remote-user authen-fail username test
  The contents of the user:
  Retry-interval    : 0 Min(s)
  Retry-time-left   : 0
  Block-time-left   : 4 Min(s)
  User-state        : Block
Table 14-16  Description of the display remote-user authen-fail command output

Item

Description

Username

User name.

RetryInterval(Mins)

Authentication retry interval.

Retry-interval

Authentication retry interval.

RetryTimeLeft

Remaining number of consecutive authentication failures.

Retry-time-left

Remaining number of consecutive authentication failures.

BlockTime(Mins)

Remaining locking time of an account.

Block-time-left

Remaining locking time of an account.

User-state

User status:
  • Block
  • Active

display service-scheme

Function

The display service-scheme command displays the configuration of service schemes.

Format

display service-scheme [ name name ]

Parameters

Parameter

Description

Value

name name

Specifies the name of a service scheme.

The value must be an existing service scheme name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display service-scheme command displays the configuration of service schemes.

Before applying a service scheme to a domain, run the display service-scheme command to check whether the service scheme is correct.

Precautions

The display service-scheme command displays the detailed configuration if the command is executed in the service scheme view or the name of a service scheme is specified. Otherwise, this command displays only the summary of service schemes.

Example

# Display information about all service schemes.

<Huawei> display service-scheme
  -------------------------------------------------------------------
  service-scheme-name                    scheme-index
  -------------------------------------------------------------------
  svcscheme1                               0
  svcscheme2                               1
  -------------------------------------------------------------------
  Total of service scheme: 2

# Display the configuration of the service scheme svcscheme1.

<Huawei> display service-scheme name svcscheme1
                                                                                
  service-scheme-name          : svcscheme1                                     
  service-scheme-dns-name      : -                                              
  service-scheme-primary-dns   : -                                              
  service-scheme-secondry-dns  : -                                              
  service-scheme-adminlevel    : 16                                             
  service-scheme-dhcpgroup     : -      
  service-scheme-ippool        : -
  service-scheme-primary-wins  : -                                              
  service-scheme-secondry-wins : -                                              
  service-scheme-update-config : -                                              
  service-scheme-update-version: -                                              
Table 14-17  Description of the display service-scheme command output

Item

Description

service-scheme-name

Name of a service scheme. To create a service scheme, run the service-scheme (AAA view) command.

service-scheme-dns-name

Default DNS domain name in the service scheme.

service-scheme-primary-dns

Address of the primary DNS server.

service-scheme-secondry-dns

Address of the secondary DNS server.

service-scheme-adminlevel

Level of an administrator. The value is an integer that ranges from 0 to 15. The value 16 indicates that this parameter is invalid. To configure a level of an administrator, run the admin-user privilege level command.

service-scheme-dhcpgroup

DHCP server group.

service-scheme-ippool

IP address pool in the service scheme.

service-scheme-primary-wins

Address of the primary WINS server.

service-scheme-secondry-wins

Address of the secondary WINS server.

service-scheme-update-config

The URL of the update packet.

service-scheme-update-version

Version number of the update packet.

dns (service scheme view)

Function

The dns command configures the primary or secondary DNS server in a service scheme.

The undo dns command cancels the configuration of the primary or secondary DNS server in a service scheme.

By default, no primary or secondary DNS server is configured in a service scheme.

Format

dns ip-address [ secondary ]

undo dns [ ip-address ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of a DNS server.

The value is in dotted decimal notation.

secondary

Specifies the secondary DNS server.

-

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

If no DNS server is specified when a local address pool, DHCP server, or RADIUS server assigns IP addresses to users, the DNS server configured in the service scheme view is used.

Example

# Set the IP address of the primary DNS server in the service scheme svcscheme1 to 10.10.10.1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] dns 10.10.10.1

# Set the IP address of the secondary DNS server in the service scheme svcscheme1 to 10.10.20.1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] dns 10.10.20.1 secondary

dns-name (service scheme view)

Function

The dns-name command configures the default DNS domain name in a service scheme.

The undo dns-name command deletes the default DNS domain name in a service scheme.

By default, no default DNS domain name is configured in a service scheme.

Format

dns-name domain-name

undo dns-name

Parameters

Parameter

Description

Value

domain-name

Specifies the default DNS domain name.

The value is a string of 1 to 255 case-sensitive characters. For example, the value can be huawei.com.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

The AAA service scheme allows the default DNS domain name to be bound. IPSec binds the AAA service scheme to the IPSec policy template and sends the default DNS domain name to users.

Example

# Configure the default DNS domain name in the service scheme svcscheme1 to huawei.com.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] dns-name huawei.com

domain (AAA view)

Function

The domain command creates an AAA domain and displays the AAA domain view.

The undo domain command deletes an AAA domain.

By default, the device has two domains: default and default_admin. The two domains can be modified but cannot be deleted.

Format

domain domain-name

undo domain domain-name

Parameters

Parameter

Description

Value

domain-name

Specifies the domain name.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces or the following symbols: * ? ". The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device can manage users through domains. A domain is the minimum user management unit. A domain name can be an ISP name or the name of a service provided by an ISP. A domain can use the default authorization attribute, and be configured with a RADIUS template and authentication and accounting schemes.

If the domain to be configured already exists, the domain command displays the AAA domain view.

Prerequisites

To perform AAA for access users, you need to apply the authentication schemes, authorization schemes, and accounting schemes in the domain view. Therefore, authentication, authorization, and accounting schemes must be configured in the AAA view in advance.

Precautions

  • The default domain is used for common access users. By default, this domain is activated and uses the default authentication scheme and accounting scheme.
  • The default_admin domain is used for administrators. By default, this domain is activated and uses the default authentication scheme and accounting scheme.

The device supports a maximum of 32 domains, including the default and default_admin domains.

Example

# Create a domain admin.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain admin

domain (system view)

Function

The domain command configures a global default domain.

The undo domain command restores the default setting.

By default, the global default domain for common access users is default and the global default domain for administrators is default_admin.

Format

domain domain-name [ admin ]

undo domain [ [ domain-name ] admin ]

Parameters

Parameter

Description

Value

domain-name

Specifies the name of a global default domain.

The domain must already exist.

admin

Configures the global default domain for administrators.

If this parameter is not specified, the domain for common access users is configured.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a global default domain is configured, a user whose domain cannot be identified from the entered user name is managed by that global default domain.

Precautions

You must create a domain before configuring the domain as the global default domain.

Example

# Create a domain localuser and configure the domain as the global default domain.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain localuser
[Huawei-aaa-domain-localuser] quit
[Huawei-aaa] quit
[Huawei] domain localuser

domain-location

Function

The domain-location command configures the position of a domain name.

The undo domain-location command restores the default position of a domain name.

By default, the domain name is placed behind the domain name delimiter.

Format

domain-location { after-delimiter | before-delimiter }

undo domain-location

Parameters

Parameter

Description

Value

after-delimiter

Indicates that the domain name is placed behind the domain name delimiter.

-

before-delimiter

Indicates that the domain name is placed before the domain name delimiter.

-

Views

AAA view

Default Level

In the AAA view, the default level is management level.

In the WLAN-ESS interface view, the default level is configuration level.

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. If before-delimiter is specified, the format domain name@user name is used.

You can use the domain-location command only when there is no online user.

NOTE:

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the interface view, the configuration takes effect for only the users connected to this interface.

Precautions

If you run the domain-location command in the AAA view, the position of a domain is configured globally and the configuration takes effect for all users.

Example

# Configure the domain name before the domain name delimiter in the AAA view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain-location before-delimiter

domain-name-delimiter

Function

The domain-name-delimiter command configures a domain name delimiter.

The undo domain-name-delimiter command restores the default domain name delimiter.

By default, the domain name delimiter is @.

Format

domain-name-delimiter delimiter

undo domain-name-delimiter

Parameters

Parameter

Description

Value

delimiter

Specifies a domain name delimiter. The delimiter is a single character.

The value can only be one of the following characters: \ / : < > | @ ' %.

Views

AAA view

Default Level

In the AAA view, the default level is management level.

In the WLAN-ESS interface view, the default level is configuration level.

Usage Guidelines

Usage Scenario

Different AAA servers may use different domain name delimiters. To ensure that an AAA server obtains the correct user name and domain name, configure the same domain name delimiter on the device and the AAA server.

For example, if the domain name delimiter is %, the user name of user1 in the domain dom1 is user1%dom1 (with domain-location after-delimiter) or dom1%user1 (with domain-location before-delimiter).

NOTE:

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the interface view, the configuration takes effect for only the users connected to this interface.

Precautions

Before using the domain-name-delimiter command, ensure that no local user exists.

If you run the domain-name-delimiter command in the AAA view, the domain name delimiter is configured globally and the configuration takes effect for all users.

Example

# Configure the domain name delimiter as / in the AAA view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain-name-delimiter /

domainname-parse-direction

Function

The domainname-parse-direction command configures the direction in which a domain name is parsed.

The undo domainname-parse-direction command restores the default direction in which a domain name is parsed.

By default, the domain name is parsed from left to right.

Format

domainname-parse-direction { left-to-right | right-to-left }

undo domainname-parse-direction

Parameters

Parameter

Description

Value

left-to-right

Parses a domain name from left to right.

-

right-to-left

Parses a domain name from right to left.

-

Views

AAA view

Default Level

In the AAA view, the default level is management level.

In the WLAN-ESS interface view, the default level is configuration level.

Usage Guidelines

Usage Scenario

In AAA implementations, users belong to different domains. A network access server (NAS) centrally manages users in a domain. During a user's login, the NAS parses the entered user name. A user is authenticated only when the user has the correct user name and domain name. When configuring an AAA scheme, run the domainname-parse-direction { left-to-right | right-to-left } command to configure the direction in which a domain name is parsed.

Assume that the user name is username@dom1@dom2.
  • If the domain-location command configures the domain name behind the domain name delimiter:
    • When left-to-right is specified, the user name is username and the domain name is dom1@dom2.
    • When right-to-left is specified, the user name is username@dom1 and the domain name is dom2.
  • If the domain-location command configures the domain name before the domain name delimiter:
    • When left-to-right is specified, the user name is dom1@dom2 and the domain name is username.
    • When right-to-left is specified, the user name is dom2 and the domain name is username@dom1.
NOTE:

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the interface view, the configuration takes effect for only the users connected to this interface.
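The following is an added example, not Huawei code, that reproduces how a NAS splits a login string into user name and domain under the three settings described above (domain-name-delimiter, domain-location, domainname-parse-direction), including the fallback to the global default domain for a login without a delimiter. It produces the four-case table given above for username@dom1@dom2. Function names are mine; the force_domain parameter models the force-domain interface setting and assumes that it only overrides the domain part, which the page does not spell out.

```python
"""Added example, not Huawei code: how a NAS splits a login string into user name and
domain under domain-name-delimiter, domain-location and domainname-parse-direction.
Function names and the force_domain parameter are mine; the four-case table it
reproduces is the one given above for username@dom1@dom2."""
from typing import Optional, Tuple

# The only characters domain-name-delimiter accepts on this device.
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


def validate_delimiter(delimiter: str) -> str:
    if len(delimiter) != 1 or delimiter not in ALLOWED_DELIMITERS:
        raise ValueError("delimiter must be a single character from: " + " ".join(sorted(ALLOWED_DELIMITERS)))
    return delimiter


def split_login(login: str,
                delimiter: str = "@",                 # domain-name-delimiter (default @)
                domain_after_delimiter: bool = True,  # domain-location after-delimiter (default) vs before-delimiter
                left_to_right: bool = True,           # domainname-parse-direction left-to-right (default) vs right-to-left
                default_domain: str = "default",      # global default domain for logins without a delimiter
                force_domain: Optional[str] = None    # force-domain on the access interface, if any
                ) -> Tuple[str, str]:
    """Return (user_name, domain_name) as the NAS would hand them to AAA."""
    validate_delimiter(delimiter)
    if delimiter not in login:
        user, domain = login, default_domain
    else:
        # left-to-right splits at the first delimiter, right-to-left at the last one
        left, _, right = login.partition(delimiter) if left_to_right else login.rpartition(delimiter)
        user, domain = (left, right) if domain_after_delimiter else (right, left)
    if not user:
        raise ValueError("empty user name in login string")
    if force_domain is not None:
        # Assumption: force-domain overrides the parsed domain but leaves the user part as parsed.
        domain = force_domain
    return user, domain


def parse_table(login: str = "username@dom1@dom2") -> dict:
    """The four combinations documented above, keyed by (domain-location, parse-direction)."""
    return {
        ("after-delimiter", "left-to-right"): split_login(login),
        ("after-delimiter", "right-to-left"): split_login(login, left_to_right=False),
        ("before-delimiter", "left-to-right"): split_login(login, domain_after_delimiter=False),
        ("before-delimiter", "right-to-left"): split_login(login, domain_after_delimiter=False, left_to_right=False),
    }


if __name__ == "__main__":
    for key, value in parse_table().items():
        print(key, "->", value)
```

The practical point is the one the Usage Scenario makes: the same login string yields a different domain, and therefore a different authentication scheme and server, depending on these three settings, so they must match what the RADIUS or HWTACACS server expects before the device is put into service.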

Precautions

If you run the domainname-parse-direction command in the AAA view, the direction in which a domain name is parsed is configured globally.

Example

# Configure the device to parse a domain name from right to left in the AAA view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domainname-parse-direction right-to-left

force-domain

Function

The force-domain command configures a forcible authentication domain on an interface.

The undo force-domain command deletes a forcible authentication domain on an interface.

By default, no forcible authentication domain is configured on an interface.

Format

force-domain name domain-name

undo force-domain

Parameters

Parameter

Description

Value

name domain-name

Specifies the name of a forcible authentication domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces or the following symbols: * ? " . The value cannot be - or --.

Views

WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, if the entered user name does not include a domain name, for example, user, a management user is authenticated using the AAA schemes in the default_admin domain, and a common user is authenticated using the scheme in the default domain. The AAA scheme in the configured domain cannot be used, so this user may fail in authentication.

To solve this problem, run this command to configure a forcible authentication domain. The user is authenticated using the AAA scheme in the forcible authentication domain no matter whether the entered user name includes the forcible authentication domain name.

Prerequisites

A forcible authentication domain has been created using the domain command.

Precautions

If the service set mapping the interface has been bound to the radio, you cannot run this command. The command can be configured only after the service set is unbound from the radio.

Example

# Configure forcible authentication domain domain1 on a WLAN-ESS interface.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain domain1                                                        
 Info: Success to create a new domain.                                           
[Huawei-aaa-domain-domain1] quit   
[Huawei-aaa] quit
[Huawei] interface wlan-ess 0
[Huawei-Wlan-Ess0] force-domain name domain1

ip-pool (service scheme view)

Function

The ip-pool command sets the IP address pool bound to a service scheme or moves the location of a configured IP address pool bound to a service scheme.

The undo ip-pool command deletes the IP address pool bound to a service scheme. If no parameter is specified, all the IP address pools bound to a service scheme are deleted.

By default, no IP address pool is bound to a service scheme.

Format

ip-pool pool-name [ move-to new-position ]

undo ip-pool [ pool-name ]

Parameters

Parameter

Description

Value

pool-name

Specifies the IP address pool name.

The name is a string of 1 to 64 characters and can contain letters (a-z, A-Z), digits (0-9), dots (.), hyphens (-), and underscores (_).

move-to new-position

Moves a configured IP address pool to a new position in the list of pools bound to the service scheme.

The value range depends on the number of address pools bound to the service scheme. For example, if ten IP address pools are bound, the value ranges from 1 to 10. A service scheme can be bound to 1 to 16 IP address pools.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command limits the range of IP addresses of users in a service scheme. The ip-pool command is used to reference the configured address pool to a service scheme. An IP address pool is configured using the ip pool (system view) command.

Prerequisites

A global IP address pool has been created using the ip pool (system view) command and the address range has been specified using the network (Global address pool view) command.

Example

# Set the IP address pool pool1 for the service scheme svcscheme1.

<Huawei> system-view
[Huawei] ip pool pool1
[Huawei-ip-pool-pool1] network 192.168.100.0
[Huawei-ip-pool-pool1] quit
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] ip-pool pool1

# Change the position of the IP address ippool1 in the service scheme svcscheme1.

<Huawei> system-view
[Huawei] ip pool ippool1
[Huawei-ip-pool-ippool1] network 192.168.100.0
[Huawei-ip-pool-ippool1] quit
[Huawei] ip pool ippool2
[Huawei-ip-pool-ippool2] network 192.168.200.0
[Huawei-ip-pool-ippool2] quit
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] ip-pool ippool1
[Huawei-aaa-service-svcscheme1] ip-pool ippool2
[Huawei-aaa-service-svcscheme1] ip-pool ippool1 move-to 2

idle-cut (service scheme view)

Function

The idle-cut command enables the idle-cut function for domain users and sets the idle-cut parameters.

The undo idle-cut command disables the idle-cut function.

By default, the idle-cut function is disabled for domain users.

Format

idle-cut idle-time flow-value [ inbound | outbound ]

undo idle-cut

Parameters

Parameter

Description

Value

idle-time

Specifies the period in which an idle user can stay online.

The value is an integer that ranges from 1 to 1440, in minutes.

flow-value

Specifies the traffic threshold for the idle-cut function. When the traffic of a user stays below this threshold for the idle time, the device considers the user idle.

The value is an integer that ranges from 1 to 4294967295, in kbytes.

inbound

Indicates that the idle-cut function takes effect for only upstream traffic of users.

-

outbound

Indicates that the idle-cut function takes effect for only downstream traffic of users.

-

NOTE:

If neither inbound nor outbound is specified, the idle-cut function takes effect for both upstream and downstream traffic.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If an administrator does not perform operations on the device for a long time, system resources will be wasted. If a common user does not access network resources for a long time, the user still occupies certain bandwidth, which reduces access rate of other users. The idle-cut function disconnects the users whose traffic volume stays below the traffic threshold within the idle time, to save resources.

Precautions

This command takes effect only for common PPPoE users, but not for other common users.

The idle-cut function takes effect only after the service scheme is bound to the domain using the service-scheme (AAA domain view) command and traffic statistics collection is enabled for the domain using the statistic enable (AAA domain view) command.

The idle-cut function takes effect only after the idle time and traffic threshold are configured. To configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the idle time, use the value of idle-time configured on the device or the value (carried in RADIUS attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value authorized by the RADIUS server has a higher priority.

Example

# Enable the idle-cut function for the domain, and set the idle time to 1 minute and the traffic threshold to 10 kbytes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme huawei 
[Huawei-aaa-service-huawei] idle-cut 1 10

local-aaa-user wrong-password

Function

The local-aaa-user wrong-password command enables local account locking function and sets the retry interval, consecutive incorrect password attempts, and locking duration.

The undo local-aaa-user wrong-password command disables local account locking function.

By default, the local account locking function is enabled, retry interval is 5 minutes, maximum number of consecutive incorrect password attempts is 3, and account locking period is 5 minutes.

Format

local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

undo local-aaa-user wrong-password

Parameters

Parameter

Description

Value

retry-interval retry-interval

Specifies the retry interval of a local account.

The value is an integer that ranges from 5 to 65535, in minutes.

retry-time retry-time

Specifies the consecutive incorrect password attempts.

The value is an integer that ranges from 3 to 65535.

block-time block-time

Specifies the local account locking duration.

The actual locking time may differ from the configured value by up to one minute.

The value is an integer that ranges from 5 to 65535, in minutes.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to the following scenarios:
  • It protects local user passwords against guessing. If the number of incorrect passwords entered for an account reaches the maximum number of consecutive failures within the retry interval, the account is locked, and the device does not authenticate the user while the account is locked.
  • It prevents a malicious user from brute-forcing a password through the password change procedure. If the number of incorrect original passwords entered reaches the maximum number of consecutive failures within the retry interval, the account is locked, and the password cannot be changed while the account is locked.

Follow-up Procedure

After a local account is locked, you can run the local-user user-name state active command to unlock the local account.

Precautions

Only entering the incorrect password can lock the account. Other local authentication failures will not lock the account.
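The following is an added example, not Huawei code, that models the locking behaviour described above with the default retry-interval 5, retry-time 3 and block-time 5 (minutes): wrong passwords are counted only while they fall inside the retry interval, reaching the limit locks the account for the block time during which even the correct password is refused, other local authentication failures do not touch the counter, and an administrator can clear the lock as local-user user-name state active does. Class and method names are mine, and the clock is injectable so the behaviour can be checked without waiting.

```python
"""Added example, not Huawei code: a model of the local account locking described for
local-aaa-user wrong-password, using the default retry-interval 5, retry-time 3 and
block-time 5 (minutes). Class and method names are mine; the clock is injectable so the
behaviour can be checked without waiting."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import time


@dataclass
class LockoutPolicy:
    retry_interval_min: int = 5   # window in which wrong-password attempts are counted together
    retry_time: int = 3           # consecutive wrong passwords inside the window that lock the account
    block_time_min: int = 5       # how long the account stays locked


@dataclass
class AccountRecord:
    failures: List[float] = field(default_factory=list)   # timestamps of wrong passwords still in the window
    blocked_until: Optional[float] = None


class LocalAccountLocker:
    OUTCOMES = ("ok", "wrong-password", "other-failure")

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.records: Dict[str, AccountRecord] = {}

    def _refresh(self, user: str, now: float) -> AccountRecord:
        rec = self.records.setdefault(user, AccountRecord())
        if rec.blocked_until is not None and now >= rec.blocked_until:
            rec.blocked_until = None          # block-time elapsed: the account unlocks by itself
            rec.failures.clear()
        window = self.policy.retry_interval_min * 60
        rec.failures = [t for t in rec.failures if now - t < window]
        return rec

    def attempt(self, user: str, outcome: str) -> str:
        """Feed one login attempt; returns 'blocked', 'accepted', 'rejected' or 'locked'.

        Only 'wrong-password' counts toward locking; 'other-failure' (any other local
        authentication failure) is rejected without touching the counter, as the page states.
        """
        if outcome not in self.OUTCOMES:
            raise ValueError(f"outcome must be one of {self.OUTCOMES}")
        now = self.clock()
        rec = self._refresh(user, now)
        if rec.blocked_until is not None:
            return "blocked"                  # a locked account is not authenticated at all
        if outcome == "ok":
            rec.failures.clear()
            return "accepted"
        if outcome == "other-failure":
            return "rejected"
        rec.failures.append(now)
        if len(rec.failures) >= self.policy.retry_time:
            rec.blocked_until = now + self.policy.block_time_min * 60
            return "locked"
        return "rejected"

    def unlock(self, user: str) -> None:
        """What 'local-user <name> state active' does for a locked account."""
        self.records[user] = AccountRecord()

    def status(self, user: str) -> Dict[str, object]:
        """Fields analogous to RetryTimeLeft / BlockTime / User-state in the display output above."""
        now = self.clock()
        rec = self._refresh(user, now)
        block_left = 0 if rec.blocked_until is None else int((rec.blocked_until - now + 59) // 60)
        return {
            "retry_time_left": max(self.policy.retry_time - len(rec.failures), 0),
            "block_time_left_min": block_left,
            "state": "Block" if rec.blocked_until is not None else "Active",
        }


if __name__ == "__main__":
    locker = LocalAccountLocker(LockoutPolicy())
    for _ in range(3):
        print(locker.attempt("admin", "wrong-password"), locker.status("admin"))
    print(locker.attempt("admin", "ok"))   # correct password is still refused while locked
```

Note the trade-off the model makes visible: an attacker who knows a valid administrator name can keep that account locked by sending three wrong passwords every five minutes, so the lock protects the password but not availability of the account; pair it with source-based access control on the management plane rather than relying on it alone.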

Example

# Enable local account locking, and set the authentication retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking period to 5 minutes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
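The following is an added Python model of the locking behaviour described in the usage guidelines above; it is not code from the device or from the command reference. It assumes that failures are counted only within a sliding retry-interval window, that a correct password resets the consecutive-failure count, and that a locked account is not authenticated at all until block-time elapses or an administrator sets it active again. Times are whole minutes to match the command's parameters.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of local-aaa-user wrong-password; not the device's implementation.
# All times are whole minutes, matching the minute-granularity parameters of the command.

@dataclass
class LockoutPolicy:
    retry_interval: int = 5   # retry-interval: window in which failures are counted (minutes)
    retry_time: int = 3       # retry-time: consecutive wrong passwords that trigger a lock
    block_time: int = 5       # block-time: how long the account stays locked (minutes)


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # minute stamps of recent wrong passwords
    blocked_until: Optional[int] = None                 # minute at which the lock expires


class LocalAccountLocker:
    """Tracks wrong-password attempts per local account and locks on policy breach."""

    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords   # user name -> password (plain text only in this model)
        self.accounts = {name: AccountState() for name in passwords}
        self.lock_log: List[Tuple[int, str]] = []   # (minute, user): the events a SOC would alert on

    def is_locked(self, user: str, now: int) -> bool:
        st = self.accounts[user]
        if st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        # block-time has elapsed: the account is usable again and the counter restarts
        st.blocked_until = None
        st.failures.clear()
        return False

    def unlock(self, user: str) -> None:
        """Administrative unlock, the effect of 'local-user user-name state active'."""
        st = self.accounts[user]
        st.blocked_until = None
        st.failures.clear()

    def authenticate(self, user: str, password: str, now: int) -> str:
        """Returns 'success', 'wrong-password', 'locked' or 'unknown-user'."""
        if user not in self.accounts:
            # Not a wrong-password failure; per the reference, other failures never lock an account.
            return "unknown-user"
        st = self.accounts[user]
        if self.is_locked(user, now):
            return "locked"   # a locked account is not authenticated, even with the right password
        if hmac.compare_digest(password.encode(), self.passwords[user].encode()):
            st.failures.clear()   # a success breaks the run of consecutive failures
            return "success"
        # Keep only failures inside the retry-interval window (window boundary is an assumption)
        st.failures = [t for t in st.failures if now - t < self.policy.retry_interval]
        st.failures.append(now)
        if len(st.failures) >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.failures.clear()
            self.lock_log.append((now, user))
            return "locked"
        return "wrong-password"


if __name__ == "__main__":
    locker = LocalAccountLocker(LockoutPolicy(), {"user1": "Good@Pass1"})   # constructed account
    for minute in (0, 1, 2):
        print(minute, locker.authenticate("user1", "wrong", minute))
    print(3, locker.authenticate("user1", "Good@Pass1", 3))   # still locked
    print(7, locker.authenticate("user1", "Good@Pass1", 7))   # block-time elapsed
    print("lock events:", locker.lock_log)
```

The lock_log list is the piece worth exporting to a log collector: repeated lock events for one account, or lock events across many accounts from the same source, are the signal that distinguishes a forgotten password from a guessing campaign.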

local-user

Function

The local-user command creates a local user and sets parameters of the local user.

The undo local-user command deletes a local user.

By default, the local user admin exists in the system. The password of the user is Admin@huawei, the irreversible encryption algorithm is used, the level is 15, and the service type is http.

Format

local-user user-name { access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | password { cipher | irreversible-cipher } password [ opt ] | privilege level level | state { active | block } } *

undo local-user user-name [ access-limit | ftp-directory | idle-timeout | privilege level ]

Parameters

Parameter

Description

Value

user-name

Specifies a user name. If the user name contains a domain name delimiter such as @, the characters before @ form the user name and the characters after @ form the domain name. If the value does not contain @, the entire character string is the user name and the domain name is the default one.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

access-limit max-number

Specifies the maximum number of connections established by a specified user.

If this parameter is not specified, the number of connections that can be established by a specified user is not limited.

The value is an integer and must be set according to the device configuration.

ftp-directory directory

Specifies the directory that an FTP user can access.

If this parameter is not specified, the FTP directory of the local user is empty. The device will check whether the default FTP directory has been set using the set default ftp-directory command. If no FTP directory exists, FTP users cannot log in to the device.

NOTE:
Ensure that the configured FTP directory is an absolute path; otherwise, the configuration does not take effect.

The value is a string of 1 to 64 case-sensitive characters without spaces.

opt

Indicates that the challenge in the MD5 algorithm takes precedence. By default, the password takes precedence.

-

idle-timeout minutes [ seconds ]

Specifies the idle timeout interval.

  • minutes indicates the idle timeout interval, in minutes.
  • seconds indicates the idle timeout interval, in seconds.

If this parameter is not specified, the device uses the idle timeout interval configured by the idle-timeout command in the user interface view.

If minutes [ seconds ] is set to 0 0, the idle disconnection function is disabled.

NOTICE:

If the idle timeout interval is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. You are advised to run the lock command to lock the current connection.

The value of minutes is an integer that ranges from 0 to 35791, in minutes. The value of seconds is an integer that ranges from 0 to 59, in seconds.

privilege level level

Specifies the level of a local user. After logging in to the device, a user can run only the commands of the same level or lower levels.

NOTE:

If this parameter is not specified, the user level is 0.

The value is an integer that ranges from 0 to 15. A larger value indicates a higher level of a user.

password { cipher | irreversible-cipher } password

Specifies the password of a local user.

  • The cipher parameter indicates that the user password is encrypted using the reversible encryption algorithm. Unauthorized users can obtain the plain text password by using the corresponding decryption algorithm, so security is low.

  • The irreversible-cipher parameter indicates that the user password is encrypted using the irreversible encryption algorithm. Unauthorized users cannot recover the plain-text password from the stored cipher text, so user security is ensured.

If this parameter is not specified, the device automatically allocates the default password to the user. To improve security, change the password immediately and update the password periodically.

If the password of a local user is encrypted using the irreversible encryption algorithm, the device does not support CHAP authentication for that user.

NOTICE:

It is recommended that you set the user password when creating a user. The interaction method using the local-user password command is recommended.

The value is a case-sensitive string without question marks (?) or spaces.
  • If the cipher parameter is specified, the value of password can be a plain-text password of 8 to 128 characters or a cipher-text password of 32 to 200 characters.
  • If the irreversible-cipher parameter is specified, the value of password can be a plain-text password of 8 to 128 characters or a cipher-text password of 56 characters.

A simple local user password may bring security risks. The user password must consist of two types of characters, including uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or user name in an inverse order.

state { active | block }

Indicates the state of a local user.

  • active: indicates the active state. The device accepts and processes authentication requests from the user, and allows the user to change the password.
  • block: indicates the blocking state. The device rejects authentication requests from the user and does not allow the user to change the password.

If a user has established a connection with the device, when the user is set in blocking state, the connection still takes effect but the device rejects subsequent authentication requests from the user.

If this parameter is not specified, the status of a local user is active.

-

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To facilitate device maintenance, run the local-user command on the device to create a local user and set parameters such as the password, user level, and FTP directory.

A maximum of 512 local accounts can be configured.

Precautions

After a local administrator logs in to the device, the administrator can create, modify, or delete attributes of other local users of the same or a lower level. The attributes include password, user level, maximum number of access users, and account validity period.

After you change the rights (for example, the password, level, FTP directory, idle timeout interval, or status) of a local account, the rights of users already online do not change. The change takes effect when the user next goes online.

Example

# Create a local user user1, and set the domain name to vipdomain, the password to admin@12345 in cipher text, the maximum number of connections to 100, and the idle timeout interval to 10 minutes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user1@vipdomain password irreversible-cipher admin@12345 access-limit 100 idle-timeout 10

# Change the password of the local user user1@vipdomain to huawei@1234.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user1@vipdomain password irreversible-cipher huawei@1234
Info: After you change the rights (including the password, access type, FTP dire
ctory, and level) of a local user, the rights of users already online do not cha
nge. The change takes effect to users who go online after the change. 

local-user account-type

Function

The local-user account-type command sets the account type for a local user.

The undo local-user account-type command restores the default account type for a local user.

By default, the account type of local users is not specified.

Format

local-user user-name account-type cmcc-tr069

undo local-user user-name account-type

Parameters

Parameter

Description

Value

user-name

Specifies the local user of which the account type needs to be set.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

cmcc-tr069

Sets the account type of the local user to CMCC-TR069.

-

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

TR-069, also called CPE WAN Management Protocol (CWMP), defines the communication mechanism between the Customer Premises Equipment (CPE) and Auto-Configuration Server (ACS) and allows the ACS to centrally manage CPEs.

This command is applicable to the following scenarios:
  • After a user is created by the local-user command, set the account type of the user to CMCC-TR069, which indicates a TR069 administrator of China Mobile.
  • When a device functions as a CPE, if the ACS of China Mobile creates an administrator on the CPE through TR-069, the CPE automatically executes this command to set the account type of the administrator to CMCC-TR069.

After the CMCC-TR069 administrator is created, the administrator can manage the device through ACS. When the device restores configurations after a reboot, the ACS quickly obtains information about the CMCC-TR069 administrator.

Precautions

If the TR-069 function is not enabled by the set operator-code cmcc command, this command cannot be executed.

Only one CMCC-TR069 user is supported on a device.

Example

# Set the account type of the local user user1@vipdomain to CMCC-TR069.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user1@vipdomain account-type cmcc-tr069

local-user change-password

Function

The local-user change-password command enables local users to change their passwords.

Format

local-user change-password

Parameters

None

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

If you are a low-level administrator, to ensure security of the password, you can run the local-user change-password command in the user view to change your password after passing the authentication.

Precautions

To modify the password, a local user must enter the old password.

After the user that passes local authentication changes the password, the user must type the new password to pass local authentication.

The local-user change-password command changes the password of a local user. It does not save the configuration itself; the result of the change is saved through the local-user password command. If the server does not receive the old password, new password, or confirmed password from the user within 30 seconds, it terminates the password change process. When the user presses Ctrl+C to cancel the password change, the password change process is terminated.

A simple local user password may bring security risks. When a local user changes the password, the new password must consist of two types of characters, including uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or user name in a reverse order.

Example

# The local user changes the password.

<Huawei> local-user change-password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numer
als and special characters. 
Please enter old password: 
Please enter new password: 
Please confirm new password: 
Info: The password is changed successfully.

local-user expire-date

Function

The local-user expire-date command sets the expiration date of a local account.

The undo local-user expire-date command restores the default expiration date of a local account.

By default, a local account is permanently valid.

Format

local-user user-name expire-date expire-date

undo local-user user-name expire-date

Parameters

Parameter

Description

Value

user-name

Specifies a local account.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

expire-date

Specifies the expiration date of a local account.

The value is in YYYY/MM/DD format. YYYY specifies the year, MM specifies the month, and DD specifies the day. The value ranges from 2000/1/1 to 2099/12/31.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local account is created, the account has no expiration date by default. You can run the local-user expire-date command to set the expiration date of a local account. When the expiration date is reached, the account expires. This configuration enhances network security.

Precautions

When you configure the expiration date of a local account for a new user for which no password is configured, the device specifies the default password for the user. To improve security, change the password immediately and update the password periodically.

For example, if the validity period of the local account is set to 2013-10-1, the account becomes invalid at 00:00 on 2013-10-1.

Example

# Set the expiration date of local account hello@163.net to 2013/10/1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user hello@163.net expire-date 2013/10/1

local-user idle-cut

Function

The local-user idle-cut command enables the idle-cut function for local users.

The undo local-user idle-cut command restores the default setting.

By default, the idle-cut function is disabled for local users.

Format

local-user user-name idle-cut

undo local-user user-name idle-cut

Parameters

Parameter

Description

Value

user-name

Specifies a user name.

The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user generates no or little network traffic for a long time, the user still occupies bandwidth, which reduces the access rate of other users. After this command is executed, the device periodically checks the specified users. If the traffic volume of a user within the idle-cut period is lower than the threshold, the user is disconnected. By default, the idle-cut period is 10 minutes and the threshold is 600K bytes. If the service scheme bound to an AAA domain contains idle-cut parameters configured by the idle-cut (service scheme view) command, those idle-cut parameters take effect.

Precautions

When local authentication is used, this command applies only to common users (for example, NAC and PPP users). To configure idle-cut for administrators, run the local-user idle-timeout command.

Example

# Enable the idle-cut function for local user hello@163.net.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user hello@163.net idle-cut

local-user password

Function

The local-user password command configures a password for a local account.

By default, the password of a local account is Admin@huawei, and the irreversible encryption algorithm is used.

Format

local-user user-name password

NOTE:

This command is an interactive command. After you enter local-user user-name password and press Enter, you can set the password as prompted. The local user password is a string of 8 to 128 case-sensitive characters.

Parameters

Parameter

Description

Value

user-name

Specifies the local user name.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

To improve security of the local account, the device sets the initial password for a created local account. You can run the local-user password command to change the password.

A maximum of 512 local accounts can be configured.

A simple local user password may bring security risks. The user password must consist of two types of characters, including uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or user name in a reverse order.

Example

# Set the password to abc@#123456 for the local account hello@163.net.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user hello@163.net password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters. 
Please enter password:              //Enter the password abc@#123456                                                          
Please confirm password:              //Confirm the password abc@#123456
Info: Add a new user.

# Change the password to huawei@1234 for the local account hello@163.net.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user hello@163.net password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters. 
Please enter password:              //Enter the password huawei@1234                                                           
Please confirm password:              //Confirm the password huawei@1234
Please enter old password:              //Enter the old password abc@#123456 
Info: The password is changed successfully.

local-aaa-user password policy access-user

Function

The local-aaa-user password policy access-user command enables the password policy for local access users and enters the local access user password policy view.

The undo local-aaa-user password policy access-user command disables the password policy of local access users.

By default, the password policy of local access users is disabled.

Format

local-aaa-user password policy access-user

undo local-aaa-user password policy access-user

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

After a local user is created using the local-user command, only the minimum length and complexity of the password are enforced. To improve password security further, run this command to configure a password policy. Under the policy, a new password cannot be the same as any previously used password stored on the device.

The local user service types of common users include 8021x, bind, ppp, and web.

Example

# Enable the local access user password policy and enter the local access user password policy view.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy access-user
[Huawei-aaa-lupp-acc]
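The password rules stated in this reference (8 to 128 characters, no question marks or spaces, at least two of uppercase letters, lowercase letters, numerals and special characters, not the user name or the user name reversed, and, under a password policy, not any previously used password) are easy to get subtly wrong when reproduced in a provisioning script or an audit tool. The checker below is an added Python example, not the device's own validation code. It assumes the user name comparison is case-insensitive (user names are case-insensitive on the device) and uses a SHA-256 digest as a stand-in for the device's irreversible algorithm when recording password history.

```python
import hashlib
import re
from typing import Iterable, List

# Character classes named in the reference: uppercase, lowercase, numerals, special characters
_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def remember_password(password: str) -> str:
    """Return the value kept in the history store for a password that was set.

    SHA-256 is a stand-in (assumption) for the device's irreversible algorithm; the
    reference does not state which algorithm is used. Plain text is never kept."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> List[str]:
    """List the character classes present in the password."""
    return [name for name, rx in _CLASSES.items() if rx.search(password)]


def check_local_password(user_name: str, password: str, history: Iterable[str] = (),
                         min_classes: int = 2, min_len: int = 8, max_len: int = 128) -> List[str]:
    """Return the rules the candidate password breaks; an empty list means it is acceptable.

    history is an iterable of values produced by remember_password() for earlier passwords."""
    problems: List[str] = []
    if not (min_len <= len(password) <= max_len):
        problems.append(f"length must be {min_len} to {max_len} characters")
    if "?" in password or " " in password:
        problems.append("must not contain question marks or spaces")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append(f"must contain at least {min_classes} character types, found {len(classes)}")
    # User names are case-insensitive on the device, so compare case-insensitively (assumption)
    lowered = password.lower()
    if lowered == user_name.lower() or lowered == user_name.lower()[::-1]:
        problems.append("must not equal the user name or the user name reversed")
    # Password-policy history rule: reuse of any previously used password is rejected
    if remember_password(password) in set(history):
        problems.append("must not match a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed examples using the user names and passwords shown in this reference
    history = [remember_password("abc@#123456")]
    for user, candidate in [("hello@163.net", "huawei@1234"),
                            ("hello@163.net", "abc@#123456"),
                            ("Admin@huawei", "iewauh@nimdA")]:
        print(user, candidate, check_local_password(user, candidate, history) or "OK")
```

Because the checker returns every broken rule rather than the first one, a provisioning tool can report all of them to the operator at once, which matches the interactive prompt's behaviour of stating the full requirement up front.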

local-aaa-user password policy administrator

Function

The local-aaa-user password policy administrator command enables the password policy for local administrators and enters the local administrator password policy view.

The undo local-aaa-user password policy administrator command disables the password policy of local administrators.

By default, the password policy of local administrators is disabled.

Format

local-aaa-user password policy administrator

undo local-aaa-user password policy administrator

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local user is created using the local-user command, only the minimum length and complexity of the password are enforced. To improve password security further, run this command to enter the local administrator password policy view and then configure the password policy for local administrators there.

Precautions

After the undo local-aaa-user password policy administrator command is executed, the administrator password policy will be disabled, causing a security risk.

The local user service types of the administrator include ftp, http, ssh, telnet, x25-pad, and terminal.

NOTE:
The web NMS will force you to change the default and initial passwords, regardless of the configuration of the administrator password policy.

Example

# Enable the local administrator password policy and enter the local administrator password policy view.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin]

local-user service-type

Function

The local-user service-type command sets the access type for a local user.

The undo local-user service-type command restores the default access type for a local user.

By default, a local user cannot use any access type.

Format

local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | sslvpn | telnet | terminal | web | x25-pad } *

undo local-user user-name service-type

Parameters

Parameter

Description

Value

user-name

Specifies a user name.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

8021x

Indicates an 802.1x user.

-

bind

Indicates an IP session user.

-

ftp

Indicates an FTP user.

-

http

Indicates an HTTP user, which is usually used for web system login.

-

ppp

Indicates a PPP user.

-

ssh

Indicates an SSH user.

-

sslvpn

Indicates an SSLVPN user.

-

telnet

Indicates a Telnet user, which is usually a network administrator.

-

terminal

Indicates a terminal user, which is usually a user connected using a console port.

-

web

Indicates a Portal authentication user.

-

x25-pad

Indicates an X25-PAD user.

-

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device can manage access types of local users. After you specify the access type of a user, the user can successfully log in only when the configured access type is the same as the actual access type of the user.

Precautions

When MAC authentication users use AAA local authentication, the device does not match or check the access type of local users.

Local users have the following access types:
  • Administrative: FTP, HTTP, SSH, Telnet, x25-pad, and Terminal
  • Common: 802.1x, bind, ppp, sslvpn, and web
If the user already exists before you set the access type and the irreversible password algorithm is used, the access type can only be set to administrative. If the reversible password algorithm is used, the access type can be set to either administrative or common; however, the access type cannot be set to both administrative and common. When an access type is set to administrative, the password encryption algorithm is automatically changed to the irreversible algorithm.

Security risks exist if the user access type is set to Telnet, FTP or HTTP. It is recommended that you set the user access type to SSH.

When you configure an access type for a new local user for which no password is configured, the device specifies the default password for the local user. To improve security, change the password immediately and update the password periodically.

Example

# Set the access type of the local user user1@vipdomain to SSH.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user1@vipdomain service-type ssh

local-user time-range

Function

The local-user time-range command sets the access permission time range for a local user.

The undo local-user time-range command deletes the access permission time range for a local user.

By default, a local account can access the network anytime.

Format

local-user user-name time-range time-name

undo local-user user-name time-range

Parameters

Parameter

Description

Value

user-name

Indicates the local account.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

time-name

Indicates the access permission time range of the local account. time-name specifies the name of the access permission time range.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter. In addition, the word all cannot be specified as a time range name.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local account is created, the account has no expiration date by default. To restrict the network access time of a local account, run the local-user time-range command. After the command is executed, the account can access network resources only in the specified time range.

Prerequisite

The time range has been created using the time-range command.

Precautions

If you run the local-user time-range and local-user expire-date commands in the AAA view multiple times, only the latest configuration takes effect.

After the access permission time range of an online local user is changed, the access permission time range of the user will take effect only when the user goes online next time.

When you add a new local user for which no password is configured to a time range, the device specifies the default password for the local user. To improve security, change the password immediately and update the password periodically.

Example

# Set the access permission time segment of local account hello@163.net to 9:00-18:00 from Monday to Friday.

<Huawei> system-view
[Huawei] time-range huawei 9:00 to 18:00 working-day
[Huawei] aaa
[Huawei-aaa] local-user hello@163.net time-range huawei

local-user user-group

Function

The local-user user-group command specifies a user group for a local user.

The undo local-user user-group command unbinds a local user from a user group.

By default, no user group is configured for a local user.

Format

local-user user-name user-group group-name

undo local-user user-name user-group

Parameters

Parameter

Description

Value

user-name

Specifies the name of a local user.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.

group-name

Specifies the name of a user group.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value can contain digits, letters, and special characters such as the asterisk (*) and number sign (#).

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The system manages user rights through user groups. A local user can obtain rights after joining a user group.

Prerequisites

The user group to be specified using the local-user user-group command must have been created using the user-group command.

Follow-up Procedure

After running the local-user user-group command, you can run the display local-user command to check whether the local user is added to the user group.

Precautions

One user group can be used by multiple local users. However, a local user belongs to only one user group.

If the user groups have been configured for the local user and in the service template, only the user group configured for the local user takes effect.

The default user group and the user groups that are used by a local user or an online user cannot be deleted.

When you add a new local user for which no password is configured to a user group, the device specifies the default password for the local user. To improve security, change the password immediately and update the password periodically.

Example

# Specify the user group group1 for the local user hello@huawei.net.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user hello@huawei.net user-group group1

outbound recording-scheme

Function

The outbound recording-scheme command applies a policy to a recording scheme to record the connection information.

The undo outbound recording-scheme command deletes a policy from a recording scheme. Connection information is not recorded then.

By default, connection information is not recorded.

Format

outbound recording-scheme recording-scheme-name

undo outbound recording-scheme

Parameters

Parameter

Description

Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use the outbound recording-scheme command to record information about connections between the access device and other devices.

Prerequisites

A recording scheme has been created using the recording-scheme command in the AAA view and an HWTACACS server template has been associated with a recording scheme using the recording-mode hwtacacs command in the recording scheme view.

Example

# Apply a policy to the recording scheme scheme to record the connection information.

<Huawei> system-view
[Huawei] hwtacacs server template hw1
[Huawei-hwtacacs-hw1] quit
[Huawei] aaa
[Huawei-aaa] recording-scheme scheme
[Huawei-aaa-recording-scheme] recording-mode hwtacacs hw1
[Huawei-aaa-recording-scheme] quit
[Huawei-aaa] outbound recording-scheme scheme

password alert before-expire

Function

The password alert before-expire command sets the number of days before password expiration on which the device starts prompting users.

The undo password alert before-expire command restores the default password expiration prompt days.

By default, the number of password expiration prompt days is 30 days.

Format

password alert before-expire day

undo password alert before-expire

Parameters

Parameter

Description

Value

day

Indicates how long the system displays a prompt before the password expires.

If the value is set to 0, the device does not prompt users that the passwords will expire.

The value is an integer that ranges from 0 to 999, in days. The default value is 30.

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

When a user logs in to the device, the device checks how many more days the password is valid for. If the number of days is less than the prompt days set in this command, the device notifies the user in how many days the password will expire and asks the user whether they want to change the password.
  • If the user changes the password, the device records the new password and modification time.
  • If the user does not change the password or fails to change the password, the user can still log in as long as the password has not expired.

Example

# Set the number of password expiration prompt days to 90.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin] password alert before-expire 90

password alert original

Function

The password alert original command enables the device to prompt users to change initial passwords.

The undo password alert original command disables the device from prompting users to change initial passwords.

By default, the device prompts users to change initial passwords.

Format

password alert original

undo password alert original

Parameters

None

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

To improve device security, use this command to enable the initial password change prompt function. After this command is executed, the device asks the user who logs in for the first time whether to change the initial password:
  • If the user selects Y to change the password, the user needs to enter the old password, new password, and confirm password. The password can be successfully changed only when the old password is correct and the new password and confirm password are the same and meet requirements (password length and complexity). After the password is changed, the user can log in to the device successfully.
  • If the user selects N or fails to change the password, the user cannot log in.

After the undo password alert original command is executed, the initial password alert will be disabled, causing a security risk.

Example

# Enable the device to prompt users to change initial passwords.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin] password alert original

password expire

Function

The password expire command sets the password validity period.

The undo password expire command restores the default password validity period.

By default, the password validity period is 90 days.

Format

password expire day

undo password expire

Parameters

Parameter | Description | Value
day | Indicates the password validity period. If the value is 0, the password is permanently valid. | The value is an integer that ranges from 0 to 999, in days. The default value is 90.

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve password security, the administrator can use this command to set the validity period for local users' passwords. When the validity period expires, the password becomes invalid.

If the local user still uses this password to log in to the device, the device allows the user to log in, prompts the user that the password has expired, and asks the user whether to change the password:
  • If the user selects Y, the user needs to enter the old password, new password, and confirm password. The password can be successfully changed only when the old password is correct and the new password and confirm password are the same and meet requirements (password length and complexity). After the password is changed, the user can log in to the device successfully.
  • If the user selects N or fails to change the password, the user cannot log in.

Precautions

Changing the system time will affect the password validity status.

After this command is executed, the device checks whether the password expires every minute; therefore, there may be a time difference within 1 minute.

Example

# Set the password validity period to 120 days.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin] password expire 120

password history record number

Function

The password history record number command sets the maximum number of historical passwords recorded for each user.

The undo password history record number command restores the default maximum number of historical passwords recorded for each user.

By default, five historical passwords are recorded for each user.

Format

password history record number number

undo password history record number

Parameters

Parameter | Description | Value
number | Indicates the maximum number of historical passwords recorded for each user. If the value is set to 0, the device will not check whether a changed password is the same as any historical password. | The value is an integer that ranges from 0 to 12. The default value is 5.

Views

Local administrator password policy view, local access user password policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve password security, you should not reuse a previously used password. You can set the maximum number of historical passwords recorded for each user. When a user changes the password, the device compares the new password against the historical passwords stored on the device. If the new password is the same as a stored password, the device displays an error message indicating that the password change fails.

Precautions

  • When the number of recorded historical passwords reaches the maximum value, the later password will overwrite the earliest password on the device.

  • After the historical password recording function is disabled, the device does not record historical passwords; however, the passwords that have been stored are not deleted.

Example

# Set the maximum number of historical passwords recorded for each administrator to 10.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin] password history record number 10
# Set the maximum number of historical passwords recorded for each local access user to 10.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-aaa-user password policy access-user
[Huawei-aaa-lupp-acc] password history record number 10
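As an added example (not Huawei code), the following Python model reproduces the history behaviour described above: the newest password overwrites the earliest once the store is full, a record number of 0 disables the check without deleting stored entries, and a reset clears the store. The salted PBKDF2 storage format and the iteration count are assumptions, not something the page specifies.

```python
import hashlib
import os
from collections import deque

# Assumption (not from the page): history entries are salted PBKDF2-SHA256
# digests; the iteration count is kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 20_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Historical-password store for one local user.

    Mirrors the semantics on the page:
      * record_number is 0..12 (default 5); when the store is full the
        newest password overwrites the earliest one;
      * record_number == 0 disables the reuse check and stops recording,
        but entries already stored are NOT deleted;
      * reset() models `reset local-user password history record`.
    """

    MAX_RECORD_NUMBER = 12

    def __init__(self, record_number=5):
        self._entries = deque()  # (salt, digest) pairs, earliest first
        self.set_record_number(record_number)

    def set_record_number(self, number):
        """`password history record number <number>` (0 disables the check)."""
        if not 0 <= number <= self.MAX_RECORD_NUMBER:
            raise ValueError("number must be an integer from 0 to 12")
        self.record_number = number

    def stored_count(self):
        return len(self._entries)

    def is_reuse(self, candidate):
        """True if candidate matches any stored historical password."""
        if self.record_number == 0:
            return False  # check disabled; stored entries are kept but ignored
        return any(_digest(candidate, salt) == digest for salt, digest in self._entries)

    def change_password(self, new_password):
        """Return True if the change is accepted, False if the device would
        reject it because the password was used before."""
        if self.is_reuse(new_password):
            return False
        if self.record_number > 0:
            salt = os.urandom(16)
            self._entries.append((salt, _digest(new_password, salt)))
            while len(self._entries) > self.record_number:
                self._entries.popleft()  # the later password overwrites the earliest
        return True

    def reset(self):
        """`reset local-user [ user-name ] password history record`: stored
        entries are deleted and cannot be restored."""
        self._entries.clear()
```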

permit-domain

Function

The permit-domain command specifies permitted domains for WLAN users.

The undo permit-domain command deletes the permitted domains of WLAN users.

By default, no permitted domain is specified for WLAN users.

Format

permit-domain name domain-name &<1-4>

undo permit-domain { name domain-name | all }

Parameters

Item | Description | Value
name domain-name | Specifies the name of a permitted domain for WLAN users. | The domain must already exist.
all | Deletes the permitted domains of all WLAN users. | -

Views

WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a permitted domain is specified on an interface, only the WLAN users in the permitted domain can be authenticated, authorized, or charged.
NOTE:

This command applies only to wireless users.

This command is only available in the NAC unified mode.

Prerequisites

Permitted domains have been created using the domain command.

Precautions

If the service set mapping the interface has been bound to the radio, you cannot run this command. The command can be configured only after the service set is unbound from the radio.

Example

# Specify permitted domains test1, test2, test3, and test4 for WLAN users on a WLAN-ESS interface.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain test1
[Huawei-aaa-domain-test1] quit
[Huawei-aaa] domain test2
[Huawei-aaa-domain-test2] quit
[Huawei-aaa] domain test3
[Huawei-aaa-domain-test3] quit
[Huawei-aaa] domain test4
[Huawei-aaa-domain-test4] quit
[Huawei-aaa] quit
[Huawei] interface wlan-ess 0
[Huawei-Wlan-Ess0] permit-domain name test1 test2 test3 test4

qos-profile (service scheme view)

Function

The qos-profile command binds a QoS profile to a service scheme.

The undo qos-profile command unbinds the QoS profile from the service scheme.

By default, no QoS profile is bound to a service scheme.

Format

qos-profile profile-name

undo qos-profile profile-name

Parameters

Parameter | Description | Value
profile-name | Specifies the name of the QoS profile bound to the service scheme. | The value is the name of an existing QoS profile.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After creating a service scheme using the service-scheme (AAA view) command, you can run the qos-profile command to bind a QoS profile to the service scheme. The user assigned with the service scheme will have the attributes in the QoS profile.

Prerequisites

A QoS profile has been created using the qos-profile command.

Precautions

The RADIUS server can also deliver a QoS profile and the CAR to the device. (The CAR can also be set in a QoS profile.)

When the server delivers the CAR and a QoS profile using Huawei extended RADIUS attributes:
  • If the server delivers the CAR, the device uses the CAR.
  • If the server delivers a QoS profile, the device uses the QoS profile.
  • If the server delivers the CAR and a QoS profile, the device preferentially uses the CAR.
  • If the server does not deliver the CAR and QoS profile, the device uses the QoS profile bound to the service scheme.

Example

# Bind the QoS profile abc to the service scheme huawei.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme huawei
[Huawei-aaa-service-huawei] qos-profile abc

recording-mode hwtacacs

Function

The recording-mode hwtacacs command associates an HWTACACS server template with a recording scheme.

The undo recording-mode command unbinds an HWTACACS server template from a recording scheme.

By default, no HWTACACS server template is associated with a recording scheme.

Format

recording-mode hwtacacs template-name

undo recording-mode

Parameters

Parameter | Description | Value
template-name | Specifies the name of an HWTACACS server template. | The HWTACACS server template must already exist.

Views

Recording scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device needs to send the records such as the executed commands, connection information, and system events to the specified HWTACACS accounting server; therefore, an HWTACACS server template needs to be associated with a recording scheme.

Prerequisites

The HWTACACS server template has been created by using the hwtacacs-server template command.

Example

# Associate the recording scheme scheme0 with the HWTACACS server template tacacs1.

<Huawei> system-view
[Huawei] hwtacacs-server template tacacs1
[Huawei-hwtacacs-tacacs1] quit
[Huawei] aaa
[Huawei-aaa] recording-scheme scheme0
[Huawei-aaa-recording-scheme0] recording-mode hwtacacs tacacs1

recording-scheme

Function

The recording-scheme command creates a recording scheme and displays the recording scheme view.

The undo recording-scheme command deletes a recording scheme.

By default, no recording scheme is configured on the device.

Format

recording-scheme recording-scheme-name

undo recording-scheme recording-scheme-name

Parameters

Parameter | Description | Value
recording-scheme-name | Specifies the name of a recording scheme. | The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a recording scheme takes effect, you can view the records such as the executed commands, connection information, and system-level events on the recording server. The records help you locate network faults. Because a recording scheme needs to be associated with an HWTACACS server template, the recording scheme is configured only when HWTACACS authentication or authorization is performed.

Creating a recording scheme using the recording-scheme command is a mandatory configuration step.

Follow-up Procedure

Run the recording-mode hwtacacs command to associate an HWTACACS server template with the recording scheme.

After a recording scheme is created and associated with an HWTACACS server template, perform the following configurations in the AAA view:
  • Run the cmd recording-scheme command to apply a policy in a recording scheme to record the commands executed on the device.
  • Run the outbound recording-scheme command to apply a policy in a recording scheme to record the connection information.
  • Run the system recording-scheme command to apply a policy in a recording scheme to record the system events.

Precautions

If the recording scheme to be configured does not exist, the recording-scheme command creates a recording scheme and displays the recording scheme view. If the recording scheme to be configured already exists, the recording-scheme command displays the recording scheme view.

Before deleting a recording scheme, ensure that the scheme is not referenced by the cmd recording-scheme, outbound recording-scheme, or system recording-scheme command.

A maximum of 32 recording schemes can be configured on the device.

Example

# Create a recording scheme scheme0.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] recording-scheme scheme0
[Huawei-aaa-recording-scheme0]

remote-aaa-user authen-fail

Function

The remote-aaa-user authen-fail command enables the remote AAA authentication account locking function, and sets the authentication retry interval, maximum number of consecutive authentication failures, and account locking period.

The undo remote-aaa-user authen-fail command disables the remote AAA authentication account locking function.

By default, the remote AAA account locking function is enabled, authentication retry interval is 30 minutes, maximum number of consecutive authentication failures is 30, and account locking period is 30 minutes.

Format

remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

undo remote-aaa-user authen-fail

Parameters

Parameter | Description | Value
retry-interval retry-interval | Specifies the authentication retry interval. | The value is an integer that ranges from 5 to 65535, in minutes.
retry-time retry-time | Specifies the maximum number of consecutive authentication failures. | The value is an integer that ranges from 3 to 65535.
block-time block-time | Specifies the account locking period. | The value is an integer that ranges from 5 to 65535, in minutes.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To ensure account security, you can enable the device to lock accounts that fail remote AAA authentication. If a user enters an incorrect account name or password more times than the maximum number of consecutive authentication failures within the retry interval, the account is locked. After the account locking period elapses, the account is unlocked.

Precautions

  • This command is valid only for remote AAA authentication, including RADIUS and HWTACACS authentication.

Example

# Enable the remote AAA account locking function, and set the authentication retry interval to 5 minutes, maximum number of consecutive authentication failures to 3, and account locking period to 5 minutes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 5

remote-user authen-fail unblock

Function

The remote-user authen-fail unblock command unlocks remote AAA authentication accounts.

Format

remote-user authen-fail unblock { all | username username }

Parameters

Parameter | Description | Value
all | Unlocks all accounts that fail the remote AAA authentication. | -
username username | Unlocks a specified account that fails the remote AAA authentication. | The value is a string of 1 to 64 case-insensitive characters without spaces.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

You may need to unlock remote AAA authentication accounts in the following situations:
  • When a user has entered an incorrect user name or password fewer times than the maximum permitted, run the remote-user authen-fail unblock command to unlock the user and delete the user's incorrect-attempt record from the device.
  • When a user is incorrectly locked or needs to be unlocked due to special reasons, run the remote-user authen-fail unblock command to unlock the user.

Example

# Unlock the remote AAA authentication account test.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] remote-user authen-fail unblock username test
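As an added example (not Huawei code) covering both the remote-aaa-user authen-fail locking behaviour and the remote-user authen-fail unblock command above, the following Python model tracks consecutive failures per account using the page's three parameters. It assumes that the lock is applied as soon as the failures inside one retry interval reach retry-time, that an expired lock also clears the failure record, and that the caller supplies the time in minutes.

```python
from collections import deque


class LockoutPolicy:
    """Parameters of `remote-aaa-user authen-fail`, with the page's ranges
    and defaults (30 minutes / 30 failures / 30 minutes)."""

    def __init__(self, retry_interval=30, retry_time=30, block_time=30):
        if not 5 <= retry_interval <= 65535:
            raise ValueError("retry-interval must be 5..65535 minutes")
        if not 3 <= retry_time <= 65535:
            raise ValueError("retry-time must be 3..65535")
        if not 5 <= block_time <= 65535:
            raise ValueError("block-time must be 5..65535 minutes")
        self.retry_interval = retry_interval  # minutes
        self.retry_time = retry_time          # consecutive failures
        self.block_time = block_time          # minutes


class RemoteAaaLockout:
    """Tracks failed remote (RADIUS/HWTACACS) authentications per account.

    `now` is the current time in minutes, supplied by the caller so the
    behaviour can be checked deterministically. Account names are folded
    to lower case because the unblock command treats them as
    case-insensitive.
    """

    def __init__(self, policy):
        self.policy = policy
        self._failures = {}       # account -> deque of failure times
        self._blocked_until = {}  # account -> minute at which the lock expires

    @staticmethod
    def _key(username):
        return username.lower()

    def is_blocked(self, username, now):
        key = self._key(username)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # block-time has elapsed: drop the lock and the failure record
            # (assumption; the page only says the account is unlocked)
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, now):
        """Register one failed authentication; return True if the account
        is locked afterwards."""
        if self.is_blocked(username, now):
            return True
        key = self._key(username)
        window = self._failures.setdefault(key, deque())
        window.append(now)
        # Only failures inside one retry interval count as consecutive.
        while window and now - window[0] >= self.policy.retry_interval:
            window.popleft()
        if len(window) >= self.policy.retry_time:
            self._blocked_until[key] = now + self.policy.block_time
            del self._failures[key]
            return True
        return False

    def record_success(self, username, now):
        """A successful authentication clears the consecutive-failure count;
        returns False if the account is still locked (login is refused)."""
        if self.is_blocked(username, now):
            return False
        self._failures.pop(self._key(username), None)
        return True

    def unblock(self, username=None):
        """`remote-user authen-fail unblock { all | username <name> }`:
        unlock the account(s) and delete their incorrect-attempt records."""
        if username is None:
            self._failures.clear()
            self._blocked_until.clear()
        else:
            key = self._key(username)
            self._failures.pop(key, None)
            self._blocked_until.pop(key, None)
```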

reset aaa

Function

Using the reset aaa command, you can clear records of users going offline abnormally, going offline, and failing to go online.

Format

reset aaa { abnormal-offline-record | offline-record | online-fail-record }

Parameters

Parameter | Description | Value
abnormal-offline-record | Clears records of users going offline abnormally. | -
offline-record | Clears records of users going offline. | -
online-fail-record | Clears records of users failing to go online. | -

Views

System view

Default Level

3: Management level

Usage Guidelines

This command allows you to clear records of users going offline, going offline abnormally, and failing to go online. After the records are cleared, the device continues to record new information.

Example

# Clear user offline records.

<Huawei> system-view
[Huawei] reset aaa offline-record

reset aaa statistics offline-reason

Function

Using the reset aaa statistics offline-reason command, you can clear the statistics about reasons why users go offline.

Format

reset aaa statistics offline-reason

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the reset aaa statistics offline-reason command to delete the statistics about reasons why users go offline, and then collect new statistics.

Example

# Clear the statistics about reasons why users go offline.

<Huawei> reset aaa statistics offline-reason

reset access-user statistics

Function

Using the reset access-user statistics command, you can delete the statistics on access user authentication.

Format

reset access-user statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The reset access-user statistics command deletes the statistics on access user authentication.

Example

# Delete the statistics on access user authentication.

<Huawei> reset access-user statistics

reset local-user password history record

Function

The reset local-user password history record command clears historical passwords stored for the local user.

Format

reset local-user [ user-name ] password history record

Parameters

Parameter | Description | Value
user-name | Clears the historical passwords of the specified user. If this parameter is not specified, the historical passwords of all local users are cleared. | The local user must exist on the device.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the administrator wants to record historical passwords of local users again, this command can be used to clear existing historical passwords.

Precautions

After this command is used, all historical passwords on the device are deleted and cannot be restored. This operation has security risks, so exercise caution when using it.

Example

# Clear historical passwords of all local users.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] reset local-user password history record

route set acl

Function

The route set acl command configures the local subnet information to be sent to the remote end.

The undo route set acl command restores the default setting.

By default, no local subnet information is sent to the remote end.

Format

route set acl acl-number

undo route set acl

Parameters

Parameter | Description | Value
acl-number | Specifies the number of the ACL to be sent to the remote end. | The value is an integer that ranges from 3000 to 3999.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The headquarters and a branch use virtual tunnel interfaces to set up an IPSec tunnel. When you apply an IPSec profile to the Tunnel-template interface on the headquarters gateway and apply an IPSec profile to the tunnel interface on the branch gateway, you can run this command to send the source IP address configured in an ACL to the remote end. The source IP address can be used to generate subnet route information.

Prerequisite

An ACL has been created using the acl (system view) command.

Precautions

This command can send subnet route information only when it is used together with the route set interface command.

Example

# Send information about ACL 3000 to the remote end.

<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[Huawei-acl-adv-3000] quit
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] route set acl 3000

route set interface

Function

The route set interface command configures the address of the interface bound to the IPSec tunnel to be sent to the remote end.

The undo route set interface command restores the default setting.

By default, no address of the interface bound to the IPSec tunnel is sent to the remote end.

Format

route set interface

undo route set interface

Parameters

None

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The headquarters and a branch use virtual tunnel interfaces to set up an IPSec tunnel. You can run this command to send the address of the interface bound to the IPSec tunnel to the remote end. This address can be used to generate subnet route information.

Precautions

If you do not configure this command, packets cannot be sent through the IPSec tunnel even if the IPSec tunnel is successfully established and route information is sent to the remote end.

Example

# Configure the address of the interface bound to the IPSec tunnel to be sent to the remote end.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] route set interface

security-name-delimiter

Function

The security-name-delimiter command configures a delimiter for a security string.

The undo security-name-delimiter command restores the default delimiter for a security string.

By default, the delimiter for a security string is *.

NOTE:

This command is valid only when the authentication method for 802.1x users is EAP.

Format

security-name-delimiter delimiter

undo security-name-delimiter

Parameters

Parameter | Description | Value
delimiter | Specifies a delimiter for a security string. | The value is of the enumeration type and can only be one of \ / : < > | @ ' % *.

Views

AAA view, WLAN-ESS interface view

Default Level

In the AAA view, the default level is management level.

In the WLAN-ESS interface view, the default level is configuration level.

Usage Guidelines

Usage Scenario

Some STAs may use a user name in the format username@domain*securitystring, where * is the security string delimiter. To enable the AAA server to identify this type of user name, configure a delimiter for the security string on the device. When sending the user name to the AAA server, the device then removes *securitystring and uses only username@domain for authentication.

NOTE:

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the interface view, the configuration takes effect for only the users connected to this interface.

Precautions

The delimiter for a security string cannot be the same as the domain name delimiter.

If you run the security-name-delimiter command in the AAA view, the delimiter for a security string is configured globally.

The delimiter for a security string configured on an interface takes precedence over the one configured globally. The globally configured delimiter for a security string takes effect only when no delimiter for a security string is configured on the interface.

Example

# Configure the delimiter for a security string as / in the AAA view.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] security-name-delimiter /

service-scheme (AAA domain view)

Function

The service-scheme command applies a service scheme to a domain.

The undo service-scheme command unbinds a service scheme from a domain.

By default, no service scheme is bound to a domain.

Format

service-scheme service-scheme-name

undo service-scheme

Parameters

Parameter | Description | Value
service-scheme-name | Specifies the name of a service scheme. | The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If local authorization is used, configure authorization information in a service scheme. The authorization configuration in a service scheme takes effect only when the service scheme is applied to a domain.

Prerequisites

A service scheme has been created and configured with required parameters.

Example

# Apply the service scheme srvscheme1 to the domain huawei.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme srvscheme1
[Huawei-aaa-service-srvscheme1] quit
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] service-scheme srvscheme1

service-scheme (AAA view)

Function

The service-scheme command creates a service scheme and displays the service scheme view.

The undo service-scheme command deletes a service scheme.

By default, no service scheme is configured on the device.

Format

service-scheme service-scheme-name

undo service-scheme service-scheme-name

Parameters

Parameter | Description | Value
service-scheme-name | Specifies the name of a service scheme. | The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When local authorization is used, the device authorizes users based on the configuration in a service scheme.

Follow-up Procedure

Run the service-scheme (AAA domain view) command to apply the service scheme to a domain.

Precautions

If the service scheme to be configured does not exist, the service-scheme (AAA view) command creates a service scheme and displays the service scheme view. If the service scheme to be configured already exists, the service-scheme (AAA view) command displays the service scheme view.

A maximum of 256 service schemes can be configured on the device.

To delete or modify the service scheme applied to a domain, run the undo service-scheme (AAA domain view) command to unbind the service scheme from the domain.

Example

# Create a service scheme srvscheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme srvscheme1
[Huawei-aaa-service-srvscheme1]

state (AAA domain view)

Function

The state command configures the state of a domain.

The undo state command restores the state of a domain.

By default, a domain is in active state after being created.

Format

state { active | block [ time-range time-name &<1-4> ] }

undo state [ block time-range [ time-name &<1-4> ] ]

Parameters

Parameter | Description | Value
active | Sets the domain state to active. | -
block | Sets the domain state to blocking. | -
time-range time-name | Indicates the block time range of the domain. time-name specifies the name of the block time range. If this parameter is not specified, the domain is always blocked. | The value is a string of 1 to 32 case-sensitive characters and must begin with a letter. In addition, the word all cannot be specified as a time range name.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If exceptions occur during service configuration, set the domain in blocking state to block access of new users. After the service configuration is complete, set the domain in active state.

Prerequisite

Before specifying the time-name parameter, ensure that the time range has been created using the time-range command.

Precautions

After the state block command is run to set the domain state to block, online users in the domain are not affected.

After the state block time-range command is run to set the state of a domain including online users to block, the domain state turns from active to block within the specified time range, and online users are forced to go offline.

Example

# Set the state of the domain vipdomain to blocking.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain vipdomain
[Huawei-aaa-domain-vipdomain] state block

statistic enable (AAA domain view)

Function

The statistic enable command enables traffic statistics collection for domain users.

The undo statistic enable command disables traffic statistics collection for domain users.

By default, traffic statistics collection is disabled for domain users.

Format

statistic enable

undo statistic enable

Parameters

None

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To implement traffic-based accounting, you can use this command to enable traffic statistics collection for a domain. Then the device collects traffic statistics for the users in the domain. If an accounting server is configured, the device sends traffic statistics to the accounting server through accounting packets so that the server performs accounting for the users based on traffic statistics.

Follow-up Procedure

Run the display access-user command to view traffic statistics of users.

Precautions

The statistics enable (QoS profile view) command executed in the QoS profile view collects DAA service statistics for domain users. The statistics include the number of bytes matching each tariff level. This command collects non-DAA service statistics. The device sends the two types of statistics to the accounting server for flexible accounting.

Only Portal authentication users on the WAN-side interface and PPP authentication users support this command.

Example

# Enable traffic statistics collection for domain users.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] statistic enable

system recording-scheme

Function

The system recording-scheme command applies a policy in a recording scheme to record the system events.

The undo system recording-scheme command deletes a policy from a recording scheme. System events are not recorded then.

By default, system events are not recorded.

Format

system recording-scheme recording-scheme-name

undo system recording-scheme

Parameters

Parameter | Description | Value
recording-scheme-name | Specifies the name of a recording scheme. | The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The system events recorded on an HWTACACS server help you monitor devices. When network faults occur, you can isolate faults based on the system events recorded on the HWTACACS server.

Prerequisites

A recording scheme has been created using the recording-scheme command in the AAA view and an HWTACACS server template has been associated with a recording scheme using the recording-mode hwtacacs command in the recording scheme view.

Precautions

Currently, the device can record only the events caused by the reboot command.

Example

# Apply a policy in the recording scheme scheme to record the system events.

<Huawei> system-view
[Huawei] hwtacacs-server template hw1
[Huawei-hwtacacs-hw1] quit
[Huawei] aaa
[Huawei-aaa] recording-scheme scheme
[Huawei-aaa-recording-scheme] recording-mode hwtacacs hw1
[Huawei-aaa-recording-scheme] quit
[Huawei-aaa] system recording-scheme scheme

user-group (AAA domain view)

Function

The user-group command binds the users in a domain to the authorization information of a user group.

The undo user-group command unbinds the users in a domain from the authorization information of a user group.

By default, no authorization information of a user group is bound to the users in a domain.

Format

user-group group-name

undo user-group

Parameters

Parameter | Description | Value
group-name | Specifies the name of a user group. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value can contain digits, letters, and special characters such as the asterisk (*) and number sign (#).

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the user-group command in the AAA domain to bind the users in a domain to the authorization information of a user group.

Precautions

  • The user group to be specified using the local-user user-group command must have been created using the user-group command.

  • A user group cannot be deleted after being referenced to a domain using this command.

  • Huawei proprietary attribute 82 delivered by RADIUS cannot be used together with the function of binding the authorization information of a user group to a domain.

Example

# Bind the user group group1 to the domain test.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain test
[Huawei-aaa-domain-test] user-group group1

user-password complexity-check

Function

The user-password complexity-check command enables password complexity check.

The undo user-password complexity-check command disables password complexity check.

By default, a device checks password complexity.

Format

user-password complexity-check

undo user-password complexity-check

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can choose whether to enable password complexity check.

Precautions

To ensure device security, do not disable password complexity check, and change the password periodically.

Example

# Disable password complexity check.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] undo user-password complexity-check

wins (service scheme view)

Function

The wins command configures the primary or secondary WINS server address in the service scheme view.

The undo wins command deletes a primary or secondary WINS server address.

By default, no primary or secondary WINS server address is configured in a service scheme.

Format

wins ip-address [ secondary ]

undo wins [ ip-address ]

Parameters

Parameter | Description | Value
ip-address | Indicates the WINS server address configured in a service scheme. | The value is in dotted decimal notation.
secondary | Indicates that the IP address of the secondary WINS server is configured. | -

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

The AAA service scheme allows the WINS server address to be bound. IPSec binds the AAA service scheme to the IPSec policy template and sends the WINS server address to users.

Example

# Configure the WINS server address in the service scheme svcscheme1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme svcscheme1
[Huawei-aaa-service-svcscheme1] wins 10.1.1.1
Updated: 2019-05-29

Document ID: EDOC1000097293