S600-E V200R011C10 NETCONF YANG API Reference

This document describes the NETCONF API functions supported by the switch, including the data model and samples.
AAA Management

Data Model

The configuration model files matching AAA management are huawei-user-management.yang, huawei-aaa.yang, and huawei-aaa-radius.yang.

Table 2-272  Local user

Object

Description

Value

Remarks

/huawei-user-management/user-management/local-user/user-name

Indicates the user name of a local user.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks (*), double quotation marks ("), or question marks (?).

N/A

/huawei-user-management/user-management/local-user/password

Indicates the password of a local user.

The value is a case-sensitive string without question marks (?) or spaces.

N/A

/huawei-user-management/user-management/local-user/privilege-level

Indicates the level of a local user.

The value is an integer that ranges from 0 to 15. A larger value indicates a higher level of a user.

N/A

/huawei-user-management/user-management/local-user/service-type

Indicates the access type of a local user.

The value can be:

  • dot1x: 802.1x user
  • ftp: FTP user
  • http: HTTP user (typically used for web system login)
  • ppp: PPP user
  • ssh: SSH user
  • telnet: Telnet user (usually a network administrator)
  • terminal: end user (usually a user connected using a console port)
  • web: Portal authentication user
  • x25pad: X25-PAD user

N/A

/huawei-user-management/user-management/local-user/ftp-directory

Indicates the directory that FTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management/user-management/local-user/access-limit

Indicates the maximum number of connections that can be created with a specified user name.

The value is an integer that ranges from 1 to 4294967295.

N/A

/huawei-user-management/user-management/local-user/idle-time

Indicates the timeout period of the user account.

The value is an integer that ranges from 0 to 2147519, in seconds.

N/A

/huawei-user-management/user-management/local-user/state

Indicates the state of a local user.

Enumerated type. The value can be:
  • active: A local user is in active state. The device accepts and processes the authentication request from the user, and allows the user to change the password.
  • block: A local user is in blocking state. The device rejects the authentication request from the user and does not allow the user to change the password.

N/A

/huawei-user-management:user-management/administrator-password-police

Indicates the password policy for local administrators. The object includes:
  • enable: indicates whether the password policy is enabled for local administrators.
  • expire-day: indicates the password validity period.

  • enable: The value is of the Boolean type:
    • true: The password policy is enabled for local administrators.
    • false: The password policy is disabled for local administrators.
    The default value is false.
  • expire-day: The value is an integer that ranges from 0 to 999, in days. The default value is 90.

N/A

Table 2-273  AAA

Object

Description

Value

Remarks

/huawei-aaa:aaa/authentication-scheme/name

Indicates the name of an authentication scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authentication-scheme/authentication-mode

Indicates the authentication mode in an authentication scheme.

The value can be:

  • hwtacacs: Authenticates users using an HWTACACS server.
  • local: Authenticates users locally.
  • radius: Authenticates users using a RADIUS server.
  • none: Indicates non-authentication. That is, users access the network without being authenticated.

N/A

/huawei-aaa:aaa/authorization-scheme/name

Indicates the name of an authorization scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-mode

Indicates the authorization mode in an authorization scheme.

The value can be:

  • hwtacacs: Indicates that the user is authorized by an HWTACACS server.
  • if-authenticated: Indicates that only the user who succeeds in authentication (authentication exemption excluded) is authorized.
  • local: Indicates that the user is authorized locally.
  • none: Indicates non-authorization.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-cmd/authorization-cmd-item

Configures the administrator of a specific level to run only commands that are authorized by the HWTACACS server. The object includes:
  • privilege-level: Indicates the administrator level.
  • authorization-cmd-mode: Indicates the authorization backup mode.

  • privilege-level: The value is an integer that ranges from 0 to 15.
  • authorization-cmd-mode: The value can be:
    • local: Indicates that the authorization backup mode is local authorization.
    • none: Indicates that the authorization backup mode is non-authorization.

N/A

/huawei-aaa:aaa/accounting-scheme/name

Indicates the name of an accounting scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/accounting-scheme/accounting-mode

Indicates the accounting mode in an accounting scheme.

The value can be:

  • hwtacacs: Indicates that accounting is performed by an HWTACACS server.
  • radius: Indicates that accounting is performed by a RADIUS server.
  • none: Indicates non-accounting.

N/A

/huawei-aaa:aaa/accounting-scheme/start-accounting-fail/fail-policy

Indicates the policy for accounting-start failures.

Enumerated type. The value can be:

  • offline: rejects users' online requests if accounting-start fails.
  • online: allows users to go online if accounting-start fails.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-interval

Indicates the interval for real-time accounting.

The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-max-times

Indicates the maximum number of real-time accounting failures.

The value is an integer that ranges from 1 to 255. The default value is 3.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-policy

Indicates the policy for real-time accounting failures.

Enumerated type. The value can be:

  • offline: disconnects users if real-time accounting fails.
  • online: keeps users online if real-time accounting fails.

N/A

/huawei-aaa:aaa/service-scheme/name

Indicates the name of a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/service-scheme/admin-user-privilege-level

Indicates the level of a user who logs in to the device as an administrator.

The value is an integer that ranges from 0 to 15.

N/A

/huawei-aaa:aaa/service-scheme/voice-vlan-enable

Whether to enable the voice VLAN function in a service scheme.

Boolean type. The value can be:

  • true

  • false

N/A

/huawei-aaa:aaa/service-scheme/vlan

Specifies a user VLAN in a service scheme.

The value is an integer that ranges from 1 to 4094.

N/A

/huawei-aaa:aaa/service-scheme/acl

Indicates the number of an ACL bound to a service scheme.

The value is an integer that ranges from 3000 to 3999.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-time

Indicates the period in which an idle user can stay online.

The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-value

Indicates the traffic threshold for the idle-cut function.

The value is an integer that ranges from 0 to 4294967295, in Kbytes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-direction

Indicates the direction of traffic on which the idle-cut function takes effect.

Enumerated type. The value can be:

  • inbound: indicates that the idle-cut function takes effect only on upstream traffic of users.
  • outbound: indicates that the idle-cut function takes effect only on downstream traffic of users.

N/A

/huawei-aaa:aaa/aaa-domain

Indicates an authentication domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? ".

N/A

/huawei-aaa:aaa/aaa-domain/authentication-scheme

Indicates the name of an authentication scheme bound to a domain.

The value must be the name of an existing authentication scheme.

N/A

/huawei-aaa:aaa/aaa-domain/authorization-scheme

Indicates the name of an authorization scheme bound to a domain.

The value must be the name of an existing authorization scheme.

N/A

/huawei-aaa:aaa/aaa-domain/accounting-scheme

Indicates the name of an accounting scheme bound to a domain.

The value must be the name of an existing accounting scheme.

N/A

/huawei-aaa:aaa/aaa-domain/service-scheme

Indicates the name of a service scheme bound to a domain.

The value must be the name of an existing service scheme.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Indicates the name of a RADIUS server template bound to a domain.

The value must be the name of an existing RADIUS server template.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Indicates the name of the HWTACACS server template that is applied in a domain.

The HWTACACS server template must already exist.

N/A

/huawei-aaa:aaa/aaa-domain/statistics-enable

Indicates whether traffic statistics collection is enabled for users in a domain.

Boolean type. The value can be:

  • true: Traffic statistics collection is enabled for users in a domain.
  • false: Traffic statistics collection is disabled for users in a domain.

N/A

/huawei-aaa:aaa/global/authentication-bypass

Indicates whether the bypass authentication function is configured. The object includes:
  • bypass-enable: Whether the bypass authentication function is enabled.
  • bypass-time: Specifies the bypass authentication timeout interval.

  • bypass-enable: The value is of the Boolean type and can be:
    • true: Indicates that the bypass authentication function is enabled.
    • false: Indicates that the bypass authentication function is disabled.
    The default value is false.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

Table 2-274  RADIUS

Object

Description

Value

Remarks

/huawei-aaa-radius:radius/radius-server/name

Indicates the name of a RADIUS server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server

Configures a RADIUS authentication server. The object includes:
  • server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS authentication server.
  • port: indicates the port number of a RADIUS authentication server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS authentication server is bound. This parameter can be configured only when the RADIUS authentication server uses an IPv4 address.
  • weight: indicates the weight value of a RADIUS authentication server.
  • loopback-interface: indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-digit hexadecimal number).
  • port: The value is an integer that ranges from 1 to 65535.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • weight: The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server

Configures a RADIUS accounting server. The object includes:
  • server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS accounting server.
  • port: indicates the port number of a RADIUS accounting server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS accounting server is bound. This parameter can be configured only when the RADIUS accounting server uses an IPv4 address.
  • weight: indicates the weight value of a RADIUS accounting server.
  • loopback-interface: indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-digit hexadecimal number).
  • port: The value is an integer that ranges from 1 to 65535.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • weight: The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server/shared-key

Indicates the shared key of a RADIUS authentication server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server/shared-key

Indicates the shared key of a RADIUS accounting server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

The shared key of the RADIUS accounting server must be the same as that of the RADIUS authentication server.

/huawei-aaa-radius:radius/dynamic-authorization-server

Configures a RADIUS authorization server. The object includes:
  • server-ip-address: indicates the IP address of a RADIUS authorization server.
  • shared-key: indicates the shared key of a RADIUS authorization server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS authorization server is bound.
  • ack-reserved-interval: indicates the duration for retaining a RADIUS authorization response packet.
  • server-group: indicates the name of a RADIUS server template corresponding to a RADIUS authorization server.

  • server-ip-address: The value is a valid unicast address in dotted decimal notation.
  • shared-key: The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • ack-reserved-interval: The value is an integer that ranges from 0 to 300, in seconds. The default value is 0.
  • server-group: The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/enable

Indicates whether RADIUS attribute translation is enabled.

Boolean type. The value can be:

  • true
  • false

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-normal

Configures standard RADIUS attribute translation. The object includes:
  • source-attribute-name: indicates the name of a source attribute.
  • destination-attribute-name: indicates the name of a destination attribute.
  • packet-type: indicates the packet type in a standard RADIUS attribute to be translated.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type:
    • receive: translates RADIUS attributes for received packets.
    • send: translates RADIUS attributes for sent packets.
    • access-request: translates RADIUS attributes for Authentication Request packets.
    • account-request: translates RADIUS attributes for Accounting Request packets.
    • access-accept: translates RADIUS attributes for Authentication Accept packets.
    • account-response: translates RADIUS attributes for Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend

Translates extended RADIUS attributes, that is, translates the non-Huawei attributes not supported by the device into attributes supported by the device. The object includes:
  • source-attribute-name: indicates the name of a source attribute.
  • destination-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated.
  • destination-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated.
  • packet-type: indicates the packet type in the extended RADIUS attribute to be translated.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-vendor-id: The value is an integer that ranges from 1 to 4294967295.
  • destination-sub-vendor-id: The value is an integer that ranges from 1 to 255.
  • packet-type: The value is of the enumerated type:
    • access-request: translates RADIUS attributes for Authentication Request packets.
    • account-request: translates RADIUS attributes for Accounting Request packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend-vendor

Translates extended RADIUS attributes, that is, translates the attributes supported by the device into non-Huawei attributes not supported by the device. The object includes:
  • source-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated.
  • source-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated.
  • destination-attribute-name: indicates the name of a destination attribute.
  • packet-type: indicates the packet type in the extended RADIUS attribute to be translated.

  • source-vendor-id: The value is an integer that ranges from 1 to 4294967295.
  • source-sub-vendor-id: The value is an integer that ranges from 1 to 255.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type:
    • access-accept: translates RADIUS attributes for Authentication Accept packets.
    • account-response: translates RADIUS attributes for Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/disable-attribute

Disables a RADIUS attribute. The object includes:
  • attribute-name: indicates the name of a RADIUS attribute to be disabled.
  • option: indicates the packet type of a RADIUS attribute to be disabled.

  • attribute-name: The value is a string of 1 to 64 characters.
  • option: The value is of the enumerated type and can be either of the following:
    • receive: disables a RADIUS attribute for received packets.
    • send: disables a RADIUS attribute for sent packets.

N/A

/huawei-aaa-radius:radius/radius-server/set-attribute

Modifies a RADIUS attribute. The object includes:
  • attribute-name: Specifies the name of the attribute whose value needs to be modified.
  • attribute-value: Specifies the target value that the attribute value is to be changed to.
  • set-option: Specifies the packet type of the attribute whose value needs to be modified.

  • attribute-name: The value is a string of 1 to 64 characters.
  • attribute-value: The value is automatically displayed.
  • set-option: The value is of the enumerated type:
    • auth-type mac: sets the user authentication mode to MAC address authentication. Only the Service-Type attribute supports this parameter.
    • user-type ipsession: indicates an IP session user. Only the Service-Type attribute supports this parameter.

N/A

/huawei-aaa-radius:radius/radius-server/options/user-name/domain-include

Configures the device to encapsulate domain names in user names in RADIUS packets to be sent to a RADIUS server.

-

N/A

/huawei-aaa-radius:radius/radius-server/options/user-name/original-name

Configures the device not to modify the user names entered by users in the packets sent to a RADIUS server.

-

N/A

/huawei-aaa-radius:radius/radius-server/options/traffic-unit

Indicates the traffic unit used by a RADIUS server.

Enumerated type. The value can be:

  • byte
  • kbyte
  • mbyte
  • gbyte

N/A

/huawei-aaa-radius:radius/radius-server/options/dead-time

Indicates the interval for the server to return to the active state.

The value is an integer that ranges from 1 to 65535, in minutes.

N/A

/huawei-aaa-radius:radius/radius-server/options/timeout-timer

Indicates the timeout interval of RADIUS request packets.

The value is an integer that ranges from 1 to 10, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/options/retransmit-time

Indicates the number of times RADIUS request packets can be retransmitted.

The value is an integer that ranges from 1 to 5.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id

Sets the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. The object includes:
  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • letter: indicates whether letters in a MAC address are in uppercase or lowercase.

  • mac-address-format: The value is of the enumerated type:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is of the enumerated type:
    • mode1: indicates that the MAC address in the called-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: indicates that the MAC address in the called-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is of the enumerated type:
    • lowercase: indicates that the MAC address in the called-station-id attribute uses lowercase letters.
    • uppercase: indicates that the MAC address in the called-station-id attribute uses uppercase letters.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Sets the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets. The object includes:
  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • letter: indicates the style of letters in a MAC address.

  • mac-address-format: The value is of the enumerated type:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is of the enumerated type:
    • mode1: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is of the enumerated type:
    • lowercase: indicates that the MAC address in the calling-station-id attribute uses lowercase letters.
    • uppercase: indicates that the MAC address in the calling-station-id attribute uses uppercase letters.
    • bin: indicates that the MAC address in the calling-station-id attribute is in binary notation.

N/A

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id

Sets the format of the MAC address that the device can parse in the calling-station-id attribute carried in RADIUS dynamic authorization packets. The object includes:
  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.

  • mac-address-format: The value is of the enumerated type:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is of the enumerated type:
    • common: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
    • compress: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.

N/A

/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Enables the function of checking whether a RADIUS Access-Accept packet carries a specified attribute.

The value is a string of 1 to 64 characters.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ip-address

Sets the NAS-IP-Address attribute in RADIUS packets sent by the device.

The value is a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ipv6-address

Sets the NAS-IPv6-Address attribute in RADIUS packets sent by the device.

The value is a 32-digit hexadecimal string in the X:X:X:X:X:X:X:X format.

N/A

/huawei-aaa-radius:radius/radius-server/server-detect-function

Creates a user account for automatic detection in the RADIUS server template. The object includes:
  • server-detect-enable: indicates whether to enable automatic RADIUS server detection.
  • test-user-name: indicates the user name for automatic detection.
  • test-user-password: indicates the user password for automatic detection.
  • interval: indicates the RADIUS server automatic detection interval.

  • server-detect-enable: The value is of the Boolean type and can only be true or false.
  • test-user-name: The value is a string of 1 to 253 case-sensitive characters without spaces.
  • test-user-password: The value is a string of case-sensitive characters without spaces or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • interval: The value is an integer that ranges from 5 to 3600, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/shared-key

Indicates the shared key of the RADIUS server in a RADIUS server template.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

If shared keys are configured for the RADIUS authentication server, the RADIUS accounting server, and the RADIUS server template, the keys configured for the individual servers take priority. If no shared key is configured for the RADIUS authentication and accounting servers, the shared key configured in the RADIUS server template is used.

/huawei-aaa-radius:radius/radius-server/server-algorithm

Indicates the algorithm for selecting RADIUS servers.

Enumerated type. The value can be:

  • loading-share: sets the algorithm for selecting RADIUS servers to load balancing.
  • master-backup: sets the algorithm for selecting RADIUS servers to primary/secondary.

N/A

Configuring a Local User

This section describes how to configure a local user using the merge method.

Table 2-275  Configuring a local user

Operation

XPATH

edit-config:merge

/huawei-user-management/user-management/local-user

Data Requirements

Table 2-276  Configuring a local user

Item

Data

Description

User name of a local user

huawei123

Set the user name of a local user to huawei123.

Password of a local user

huawei@123

Set the password of a local user to huawei@123.

Level of a local user

15

Set the level of a local user to 15.

Access type of a local user

ftp

Set the access type of a local user to FTP.

Directory that FTP users can access

flash:

Set the directory that FTP users can access to flash:.

Maximum number of connections that users can establish

4294967295

Set the maximum number of connections that users can establish to 4294967295.

Timeout period of the user account

110

Set the timeout period of the user account to 110 seconds.

State of a local user

active

Set the state of a local user to active.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:local-user>
          <hw-user-management:user-name>huawei123</hw-user-management:user-name>
          <hw-user-management:privilege-level>15</hw-user-management:privilege-level>
          <hw-user-management:service-type>ftp</hw-user-management:service-type>
          <hw-user-management:password>huawei@123</hw-user-management:password>
          <hw-user-management:ftp-directory>flash:</hw-user-management:ftp-directory>
          <hw-user-management:access-limit>4294967295</hw-user-management:access-limit>
          <hw-user-management:idle-time>110</hw-user-management:idle-time>
          <hw-user-management:state>active</hw-user-management:state>
        </hw-user-management:local-user>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The password length must range from 8 to 128</error-message>
  <error-info>Error on node /huawei-user-management:user-management/local-user[user-name="huawei123"]/password</error-info>
 </rpc-error>
</rpc-reply>

Configuring Security of the Local User Password

This section provides a sample of configuring security of the local user password using the merge method.

Table 2-277  Configuring security of the local user password

Operation

XPATH

edit-config:merge

/huawei-user-management:user-management/administrator-password-police

Data Requirements

Table 2-278  Configuring security of the local user password

Item

Data

Description

Password policy of the local administrator

  • Whether to enable the password policy for the local administrator: true
  • Password expiration period: 90

Enable the password policy for the local administrator and set the password expiration period to 90 days.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:administrator-password-police>
          <hw-user-management:enable>true</hw-user-management:enable>
          <hw-user-management:expire-day>90</hw-user-management:expire-day>
        </hw-user-management:administrator-password-police>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-user-management:user-management/administrator-password-police/expire-day</error-path>
    <error-message>parse rpc config error.(Value "1000" does not satisfy the constraint "0..999" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>
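Added example, not part of the Huawei document: a small Python helper that builds the edit-config above with ElementTree, rejects an expire-day outside the 0..999 range the switch quotes in the failed response, and reduces any rpc-reply on this page (both the error-path form and the "Error on node" error-info form) to a pass/fail result with the rejected node's path. The "nc" prefix on the NETCONF namespace and the function names are this example's own choices; the sample replies are copied from this page.

```python
"""Added example (not part of the Huawei document): build the edit-config for
administrator-password-police with ElementTree, check expire-day against the
0..999 range quoted in the switch's failed response, and reduce an rpc-reply
to a pass/fail result. Standard library only; the "nc" prefix for the NETCONF
namespace and all function names are this example's own choices."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_UM_NS = "urn:huawei:params:xml:ns:yang:huawei-user-management"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("hw-user-management", HW_UM_NS)

# Range the device reports on this page:
# 'Value "1000" does not satisfy the constraint "0..999"'.
EXPIRE_DAY_MIN, EXPIRE_DAY_MAX = 0, 999


def _nc(tag):
    """Clark-notation name in the NETCONF base namespace."""
    return "{%s}%s" % (NC_NS, tag)


def _um(tag):
    """Clark-notation name in the huawei-user-management namespace."""
    return "{%s}%s" % (HW_UM_NS, tag)


def expire_day_is_valid(expire_day):
    """Client-side mirror of the YANG range the switch enforces on expire-day."""
    return (isinstance(expire_day, int) and not isinstance(expire_day, bool)
            and EXPIRE_DAY_MIN <= expire_day <= EXPIRE_DAY_MAX)


def build_password_policy_rpc(enable, expire_day, message_id="123"):
    """Return the <rpc> text for edit-config:merge on administrator-password-police.
    error-option rollback-on-error is added so that a rejected value leaves
    <running> untouched instead of applying <enable> without <expire-day>."""
    if not expire_day_is_valid(expire_day):
        raise ValueError("expire-day %r is outside %d..%d"
                         % (expire_day, EXPIRE_DAY_MIN, EXPIRE_DAY_MAX))
    rpc = ET.Element(_nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc("running"))
    ET.SubElement(edit, _nc("error-option")).text = "rollback-on-error"
    config = ET.SubElement(edit, _nc("config"))
    police = ET.SubElement(ET.SubElement(config, _um("user-management")),
                           _um("administrator-password-police"))
    ET.SubElement(police, _um("enable")).text = "true" if enable else "false"
    ET.SubElement(police, _um("expire-day")).text = str(expire_day)
    return ET.tostring(rpc, encoding="unicode")


def parse_rpc_reply(reply_xml):
    """Reduce an rpc-reply to {"ok": bool, "message_id": str, "errors": [dict]}.
    Each error dict maps the local name of every <rpc-error> child (error-tag,
    error-message, error-info, ...) to its stripped text, so both reply shapes
    that appear on this page are handled without special cases."""
    root = ET.fromstring(reply_xml)
    if root.tag != _nc("rpc-reply"):
        raise ValueError("not a NETCONF rpc-reply: %s" % root.tag)
    errors = [{child.tag.rsplit("}", 1)[-1]: (child.text or "").strip()
               for child in err} for err in root.findall(_nc("rpc-error"))]
    ok = not errors and root.find(_nc("ok")) is not None
    return {"ok": ok, "message_id": root.get("message-id"), "errors": errors}


def error_node(error):
    """Path of the rejected node: <error-path> when the switch sends one, else
    the path after 'Error on node ' in <error-info>; None if neither is present."""
    if error.get("error-path"):
        return error["error-path"]
    info = error.get("error-info", "")
    marker = "Error on node "
    return info[len(marker):] if info.startswith(marker) else None


# Replies copied from the samples on this page.
OK_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>"""

RANGE_ERROR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-user-management:user-management/administrator-password-police/expire-day</error-path>
    <error-message>parse rpc config error.(Value "1000" does not satisfy the constraint "0..999" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>"""

PASSWORD_LENGTH_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The password length must range from 8 to 128</error-message>
  <error-info>Error on node /huawei-user-management:user-management/local-user[user-name="huawei123"]/password</error-info>
 </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_password_policy_rpc(True, 90))
    for reply in (OK_REPLY, RANGE_ERROR_REPLY, PASSWORD_LENGTH_REPLY):
        result = parse_rpc_reply(reply)
        print(result["ok"], [error_node(e) for e in result["errors"]])
```

The same parse_rpc_reply and error_node work unchanged on the failed responses in the AAA, service-scheme and RADIUS sections that follow, since those use the error-app-tag/error-info form shown in PASSWORD_LENGTH_REPLY.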

Configuring an AAA Scheme

This section describes how to configure an AAA scheme using the merge method.

Table 2-279  Configuring an AAA scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa

Data Requirements

Table 2-280  Configuring an AAA scheme

Item

Data

Description

Name of an authentication scheme

authen1

Set the name of an authentication scheme to authen1.

Authentication mode in an authentication scheme

hwtacacs

Set the authentication mode in an authentication scheme to HWTACACS.

Name of an authorization scheme

author1

Set the name of an authorization scheme to author1.

HWTACACS server-based command line authorization

Authorization level: 15, backup authorization mode: local

Configure the HWTACACS server-based command line authorization function for the level-15 administrator, and switch the command line authorization mode to local authorization if the HWTACACS server does not respond to the command line authorization request.

Authorization mode in an authorization scheme

hwtacacs

Set the authorization mode in an authorization scheme to HWTACACS.

Name of an accounting scheme

acct1

Set the name of an accounting scheme to acct1.

Accounting mode in an accounting scheme

hwtacacs

Set the accounting mode in an accounting scheme to HWTACACS.

Policy for accounting-start failures

online

Set the policy for accounting-start failures to online. That is, users are allowed to go online if accounting-start fails.

Interval for real-time accounting

15

Set the interval for real-time accounting to 15 minutes.

Maximum number of real-time accounting failures

5

Set the maximum number of real-time accounting failures to 5.

Policy for real-time accounting failures

offline

Set the policy for real-time accounting failures to offline. That is, users are disconnected if real-time accounting fails.

Whether to enable the bypass authentication function

true

Bypass authentication timeout interval

13

Enable the bypass authentication function and set the bypass authentication timeout interval to 13 minutes.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-mode>hwtacacs</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:authorization-scheme>
          <hw-aaa:name>author1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authorization-mode>hwtacacs</hw-aaa:authorization-mode>
          <hw-aaa:authorization-cmd>
            <hw-aaa:authorization-cmd-item>
              <hw-aaa:privilege-level>15</hw-aaa:privilege-level>
              <hw-aaa:authorization-cmd-mode>local</hw-aaa:authorization-cmd-mode>
            </hw-aaa:authorization-cmd-item>
          </hw-aaa:authorization-cmd>
        </hw-aaa:authorization-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acct1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:accounting-mode>hwtacacs</hw-aaa:accounting-mode>
          <hw-aaa:start-accounting-fail>
            <hw-aaa:fail-policy>online</hw-aaa:fail-policy>
          </hw-aaa:start-accounting-fail>
          <hw-aaa:realtime-accounting>
            <hw-aaa:realtime-interval>15</hw-aaa:realtime-interval>
            <hw-aaa:realtime-fail>
              <hw-aaa:fail-policy>offline</hw-aaa:fail-policy>
              <hw-aaa:fail-max-times>5</hw-aaa:fail-max-times>
            </hw-aaa:realtime-fail>
          </hw-aaa:realtime-accounting>
        </hw-aaa:accounting-scheme>
        <hw-aaa:global>
          <hw-aaa:authentication-bypass>
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable>
            <hw-aaa:bypass-time>13</hw-aaa:bypass-time>
          </hw-aaa:authentication-bypass>
        </hw-aaa:global>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>invalid authen scheme name</error-message>
  <error-info>Error on node /huawei-aaa:aaa/authentication-scheme[name="authen1authen1authen1authen1authen1",vsys="ads"]/name</error-info>
 </rpc-error>
</rpc-reply>

Creating a Service Scheme

This section describes how to create a service scheme using the merge method.

Table 2-281  Creating a service scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-282  Creating a service scheme

Item

Data

Description

Name of a service scheme

lsw_serv

Set the name of a service scheme to lsw_serv.

Level of a user who logs in to the device as an administrator

2

Set the level of a user who logs in to the device as an administrator to 2.

Whether to enable the voice VLAN function in a service scheme

true

Enable the voice VLAN function in a service scheme.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>vsys</vsys>
    <admin-user-privilege-level>2</admin-user-privilege-level>
    <voice-vlan-enable>true</voice-vlan-enable>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_servlsw_servlsw_servlsw_servlsw_serv",vsys="vsys"]/name</error-info>
 </rpc-error>
</rpc-reply> 

Configuring a User VLAN in a Service Scheme

This section describes how to configure a user VLAN in a service scheme using the rpc method.

Table 2-283  Configuring a user VLAN in a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-284  Configuring a user VLAN in a service scheme

Item

Data

Description

ID of the user VLAN configured in a service scheme

121

Configure user VLAN 121 in the service scheme.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <vlans xmlns="urn:huawei:params:xml:ns:yang:huawei-vlan">
   <vlan xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <id>121</id>
   </vlan>
  </vlans>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys> 
    <vlan>121</vlan>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/vlan</error-info>
 </rpc-error>
</rpc-reply>

Binding an ACL to a Service Scheme

This section describes how to bind an ACL to a service scheme using the rpc method.

Table 2-285  Binding an ACL to a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-286  Binding an ACL to a service scheme

Item

Data

Description

Number of the ACL bound to a service scheme

3101

Bind ACL 3101 to a service scheme.

Request Example

NOTE:

Before binding an ACL to a service scheme, create the ACL first using the acl (system view) command.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <acl>3101</acl>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Unrecognized information.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/acl[.="3101"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Idle-Cut Function for Domain Users

This section describes how to configure the idle-cut function for domain users using the rpc method.

Table 2-287  Configuring the idle-cut function for domain users

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme/idle-cut-function

Data Requirement

Table 2-288  Configuring the idle-cut function for domain users

Item

Data

Description

Period in which an idle user can stay online

12

Set the period in which an idle user can stay online to 12 minutes.

Traffic threshold for the idle-cut function

22

Set the traffic threshold for the idle-cut function to 22 kbytes.

Direction of traffic on which the idle-cut function takes effect

inbound

Configure the idle-cut function to take effect on inbound traffic.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <idle-cut-function>
     <idle-time>12</idle-time>
     <idle-flow>
      <flow-value>22</flow-value>
      <flow-direction>inbound</flow-direction>
     </idle-flow>
    </idle-cut-function>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Creating a RADIUS Server Template

This section describes how to create a RADIUS server template using the rpc method.

Table 2-289  Creating a RADIUS server template

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-290  Creating a RADIUS server template

Item

Data

Description

Name of a RADIUS server template

rds

Create a RADIUS server template named rds.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server template name</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrds",vsys="public"]/name</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Authentication Server

This section describes how to configure a RADIUS authentication server using the rpc method.

Table 2-291  Configuring a RADIUS authentication server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-292  Configuring a RADIUS authentication server

Item

Data

Description

IPv4 address of the RADIUS authentication server

10.1.1.1

Set the IPv4 address of the RADIUS authentication server to 10.1.1.1.

Port number of the RADIUS authentication server

1816

Set the port number of the RADIUS authentication server to 1816.

Weight value of the RADIUS authentication server

100

Set the weight value of the RADIUS authentication server to 100.

Shared key of the RADIUS authentication server

huawei@123

Set the shared key of the RADIUS authentication server to huawei@123.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/authentication-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply> 

Configuring a RADIUS Accounting Server

This section describes how to configure a RADIUS accounting server using the rpc method.

Table 2-293  Configuring a RADIUS accounting server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-294  Configuring a RADIUS accounting server

Item

Data

Description

IPv4 address of the RADIUS accounting server

10.1.1.1

Set the IPv4 address of the RADIUS accounting server to 10.1.1.1.

Port number of the RADIUS accounting server

1817

Set the port number of the RADIUS accounting server to 1817.

Weight value of the RADIUS accounting server

100

Set the weight value of the RADIUS accounting server to 100.

Shared key of the RADIUS accounting server

huawei@123

Set the shared key of the RADIUS accounting server to huawei@123.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Authorization Server

This section describes how to configure a RADIUS authorization server using the rpc method.

Table 2-295  Configuring a RADIUS authorization server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/dynamic-authorization-server

Data Requirement

Table 2-296  Configuring a RADIUS authorization server

Item

Data

Description

IP address of the RADIUS authorization server

10.1.1.1

Set the IP address of the RADIUS authorization server to 10.1.1.1.

Shared key of the RADIUS authorization server

huawei@123

Set the shared key of the RADIUS authorization server to huawei@123.

Duration for retaining a RADIUS authorization response packet

10

Set the duration for retaining a RADIUS authorization response packet to 10 seconds.

Name of the RADIUS server template corresponding to the RADIUS authorization server

rds

Configure the RADIUS server template rds for the RADIUS authorization server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
   <dynamic-authorization-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <server-ip-address>10.1.1.1</server-ip-address>
    <vsys>public</vsys>
    <shared-key>huawei@123</shared-key>
    <ack-reserved-interval>10</ack-reserved-interval>
    <server-group>rds</server-group>
   </dynamic-authorization-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The server template does not exist.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-server[server-ip-address="10.1.1.1",vsys="public"]</error-info>
 </rpc-error>
</rpc-reply> 

Configuring RADIUS Attribute Translation

This section describes how to configure RADIUS attribute translation using the rpc method.

Table 2-297  Configuring RADIUS attribute translation

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/translate-attribute

Data Requirement

Table 2-298  Configuring RADIUS attribute translation

Item

Data

Description

Whether to enable RADIUS attribute translation

true

Enable RADIUS attribute translation.

Name of a source RADIUS attribute

nas-identifier

Set the source RADIUS attribute to nas-identifier.

Name of a destination RADIUS attribute

nas-port-id

Set the destination RADIUS attribute to nas-port-id.

Type of packets whose RADIUS attributes need to be translated

send

Translate RADIUS attributes for sent packets.

Name of an extended source RADIUS attribute

HW-URL-Flag

Set the source extended RADIUS attribute to HW-URL-Flag.

Vendor ID in the translated extended RADIUS attributes

9

Set the vendor ID in the translated extended RADIUS attributes to 9.

Sub ID in the translated extended RADIUS attributes

2

Set the sub ID in the translated extended RADIUS attributes to 2.

Type of packets whose extended RADIUS attributes need to be translated (non-Huawei attributes not supported by the device are translated into attributes supported by the device)

access-request

Translate RADIUS attributes for Authentication Request packets.

Vendor ID in the extended RADIUS attributes to be translated

9

Set the vendor ID in the extended RADIUS attributes to be translated to 9.

Sub ID in the extended RADIUS attributes to be translated

11

Set the sub ID in the extended RADIUS attributes to be translated to 11.

Name of a translated destination attribute

HW-Access-Type

Set the translated destination attribute to HW-Access-Type.

Type of packets whose extended RADIUS attributes need to be translated (attributes supported by the device are translated into non-Huawei attributes not supported by the device)

access-accept

Translate RADIUS attributes for Authentication Accept packets.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <translate-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <enable>true</enable>
      <translate-normal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>nas-identifier</source-attribute-name>
      <destination-attribute-name>nas-port-id</destination-attribute-name>
      <packet-type>send</packet-type>
     </translate-normal>
     <translate-extend xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>HW-URL-Flag</source-attribute-name>
      <destination-vendor-id>9</destination-vendor-id>
      <destination-sub-vendor-id>2</destination-sub-vendor-id>
      <packet-type>access-request</packet-type>
     </translate-extend>
     <translate-extend-vendor xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-vendor-id>9</source-vendor-id>
      <source-sub-vendor-id>11</source-sub-vendor-id>
      <destination-attribute-name>HW-Access-Type</destination-attribute-name>
      <packet-type>access-accept</packet-type>
     </translate-extend-vendor>
    </translate-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/translate-attribute/translate-normal[source-attribute-name="nas-identifier1"]</error-info>
 </rpc-error>
</rpc-reply>

Disabling a RADIUS Attribute

This section describes how to disable a RADIUS attribute using the rpc method.

Table 2-299  Disabling a RADIUS attribute

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/disable-attribute

Data Requirement

Table 2-300  Disabling a RADIUS attribute

Item

Data

Description

Name of the RADIUS attribute to be disabled

HW-Exec-Privilege

Set the RADIUS attribute to be disabled to HW-Exec-Privilege.

Type of packets in which the RADIUS attribute is to be disabled

receive

Disable the RADIUS attribute for received packets.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <disable-attribute xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
     <attribute-name>HW-Exec-Privilege</attribute-name>
     <option>receive</option>
    </disable-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Process radius-attribute return error</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/disable-attribute[attribute-name="HW-Exec-Privilege1"]</error-info>
 </rpc-error>
</rpc-reply>

Modifying the Value of a RADIUS Attribute

This section describes how to modify the value of a RADIUS attribute using the rpc method.

Table 2-301  Modifying the value of a RADIUS attribute

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/set-attribute

Data Requirement

Table 2-302  Modifying the value of a RADIUS attribute

Item

Data

Description

Name of the RADIUS attribute to be modified

Service-Type

Set the RADIUS attribute to be modified to Service-Type.

Modified value of the RADIUS attribute

5

Modify the value of the RADIUS attribute to 5.

User authentication mode

auth-type-mac

Set the user authentication mode to MAC address authentication.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <set-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <attribute-name>Service-Type</attribute-name>
     <attribute-value>5</attribute-value>
     <set-option>auth-type-mac</set-option>
    </set-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/set-attribute[attribute-name="Service-Type1"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Format of User Names in RADIUS Packets to Be Sent to a RADIUS Server

This section describes how to configure the format of user names in RADIUS packets to be sent to a RADIUS server using the rpc method.

Table 2-303  Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/options/user-name

Data Requirement

Table 2-304  Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

Item

Data

Description

Whether to configure the device not to modify the user names entered by users in the packets sent to a RADIUS server

true

Configure the device not to modify the user names entered by users in the packets sent to a RADIUS server.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:options>
            <hw-aaa-radius:user-name>
              <hw-aaa-radius:original-name>true</hw-aaa-radius:original-name>
            </hw-aaa-radius:user-name>
          </hw-aaa-radius:options>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the RADIUS Traffic Unit, Retransmission Times, Timeout Interval, and Back-to-Active Interval

This section describes how to configure the traffic unit used by a RADIUS server, number of times that RADIUS packets can be retransmitted, timeout interval of RADIUS request packets, and interval for the server to return to the active state using the rpc method.

Table 2-305  Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/options

Data Requirement

Table 2-306  Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

Item

Data

Description

Traffic unit used by a RADIUS server byte Set the traffic unit used by a RADIUS server to bytes.
Interval for the RADIUS server to return to the active state 3 Set the interval for the RADIUS server to return to the active state to 3 minutes.
Timeout interval of RADIUS request packets 3 Set the timeout interval of RADIUS request packets to 3 seconds.
Number of times RADIUS request packets can be retransmitted 2 Set the number of times RADIUS request packets can be retransmitted to 2.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <vsys>public</vsys>
    <name>test12345</name>
    <options xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <traffic-unit>byte</traffic-unit>
     <dead-time>3</dead-time>
     <timeout-timer>3</timeout-timer>
     <retransmit-time>2</retransmit-time>
    </options>   
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>
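The request and reply exchange above, as an added example in Python that is not part of this document and not Huawei's code: it builds the edit-config for the options of a RADIUS server template from the element and namespace names printed on this page, and classifies the device's rpc-reply, which is the same ok/rpc-error pattern that every section on this page shows. It uses only the standard library; sending the string over the NETCONF session (for instance with ncclient over SSH) is left out so that the block runs offline, and the two sample replies embedded in it are the ones printed above.

```python
"""Build the <edit-config> for a RADIUS server template's options and
classify the device's <rpc-reply>.

Added example using only the Python standard library; not Huawei's code.
Element and namespace names are those printed on the page; the NETCONF
transport is left out.  The sample replies are copied from the page."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_RADIUS = "urn:huawei:params:xml:ns:yang:huawei-aaa-radius"

# rpc-reply samples as printed on the page
SAMPLE_OK = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
             'message-id="123"><ok/></rpc-reply>')
SAMPLE_FAIL = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
               'message-id="123"><rpc-error>'
               '<error-type>application</error-type>'
               '<error-tag>operation-failed</error-tag>'
               '<error-severity>error</error-severity>'
               '<error-message>parse rpc config error.</error-message>'
               '</rpc-error></rpc-reply>')


def _leaf(parent, ns, tag, text):
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    el.text = str(text)
    return el


def build_radius_options(name, vsys="public", traffic_unit="byte",
                         dead_time=3, timeout_timer=3, retransmit_time=2,
                         message_id="123"):
    """Serialise an <edit-config> that merges the four option leaves into
    the template `name`.  rollback-on-error is requested so a rejected
    leaf does not leave a half-applied template in <running/>."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    _leaf(edit, NC, "error-option", "rollback-on-error")
    config = ET.SubElement(edit, f"{{{NC}}}config")
    radius = ET.SubElement(config, f"{{{HW_RADIUS}}}radius")
    server = ET.SubElement(radius, f"{{{HW_RADIUS}}}radius-server",
                           {f"{{{NC}}}operation": "merge"})
    _leaf(server, HW_RADIUS, "name", name)
    _leaf(server, HW_RADIUS, "vsys", vsys)
    options = ET.SubElement(server, f"{{{HW_RADIUS}}}options")
    for tag, value in (("traffic-unit", traffic_unit), ("dead-time", dead_time),
                       ("timeout-timer", timeout_timer),
                       ("retransmit-time", retransmit_time)):
        _leaf(options, HW_RADIUS, tag, value)
    return ET.tostring(rpc, encoding="unicode")


def read_options(request_xml):
    """Option leaves of a built request as {leaf-name: text}; lets the
    caller inspect the serialised payload before it is sent."""
    options = ET.fromstring(request_xml).find(f".//{{{HW_RADIUS}}}options")
    return {child.tag.split("}")[-1]: child.text for child in options}


def classify_reply(reply_xml):
    """("ok", []) for <ok/>, otherwise ("error", [{error-tag: ..., ...}, ...])
    with one dictionary per <rpc-error> element."""
    root = ET.fromstring(reply_xml)
    if root.find(f"{{{NC}}}ok") is not None:
        return "ok", []
    errors = [{child.tag.split("}")[-1]: (child.text or "").strip()
               for child in err}
              for err in root.findall(f"{{{NC}}}rpc-error")]
    return "error", errors


def reply_matches_request(request_xml, reply_xml):
    """True when the reply carries the request's message-id; a reply with
    another id belongs to a different outstanding RPC on the session."""
    return (ET.fromstring(request_xml).get("message-id")
            == ET.fromstring(reply_xml).get("message-id"))
```

The message-id check matters when several RPCs are outstanding on one session. Keeping error-tag and error-message in separate fields lets a parse failure (operation-failed, as above) be told apart from a semantic rejection such as the "Failed to find the attribute." reply shown later on this page.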

Configuring the Format of MAC Addresses in Attributes in RADIUS Packets

This section describes how to configure the format of MAC addresses in the Called-Station-Id and Calling-Station-Id attributes of RADIUS packets using the rpc method. The format must match what the RADIUS server expects: unless the server normalizes the value, MAC-based authentication and authorization policies compare these attributes as strings, so a difference in separator, grouping, or letter case makes the lookup fail.

Table 2-307  Configuring the format of MAC addresses in attributes in RADIUS packets

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id or /huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Data Requirement

Table 2-308  Configuring the format of MAC addresses in attributes in RADIUS packets

Item

Data

Description

Separator in the MAC address in the called-station-id attribute dot-split Configure the dot (.) as the separator in the MAC address in the called-station-id attribute.
Format of the MAC address in the called-station-id attribute mode1 Configure the MAC address in the called-station-id attribute to use the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
Style of the MAC address in the called-station-id attribute lowercase Configure the MAC address in the called-station-id attribute to use the lowercase.
Separator in the MAC address in the calling-station-id attribute dot-split Configure the dot (.) as the separator in the MAC address in the calling-station-id attribute.
Format of the MAC address in the calling-station-id attribute mode1 Configure the MAC address in the calling-station-id attribute to use the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
Style of the MAC address in the calling-station-id attribute lowercase Configure the MAC address in the calling-station-id attribute to use the lowercase.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <mac-format-called-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-called-station-id>
    <mac-format-calling-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-calling-station-id>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Incomplete information.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/mac-format-called-station-id</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Format of the MAC Address That Can Be Parsed by a Device in RADIUS Dynamic Authorization Packets

This section describes how to configure the format of the MAC address that the device can parse in RADIUS dynamic authorization packets (CoA and Disconnect requests, RFC 5176) using the rpc method. Configure the format that the authorization server actually sends in the Calling-Station-Id attribute; a request carrying the MAC address in any other format cannot be matched to a user session.

Table 2-309  Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/dynamic-authorization-option

Data Requirement

Table 2-310  Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

Item

Data

Description

Separator in the MAC address in the calling-station-id attribute dot-split Configure the dot (.) as the separator in the MAC address in the calling-station-id attribute.
Format of the MAC address in the calling-station-id attribute compress Configure the MAC address in the calling-station-id attribute to use the xxxx-xxxx-xxxx or xxxx.xxxx.xxxx format.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:dynamic-authorization-option>
          <hw-aaa-radius:decode-mac-format-calling-station-id>
            <hw-aaa-radius:mac-address-format>dot-split</hw-aaa-radius:mac-address-format>
            <hw-aaa-radius:mode>compress</hw-aaa-radius:mode>
          </hw-aaa-radius:decode-mac-format-calling-station-id>
        </hw-aaa-radius:dynamic-authorization-option>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid mac-address-format</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id</error-info>
 </rpc-error>
</rpc-reply>
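The two preceding sections configure how the switch writes a MAC address into Called-Station-Id and Calling-Station-Id, and which format it accepts when it decodes Calling-Station-Id in a CoA or Disconnect request. The following added example (Python, not part of this document and not Huawei's code) renders the string for the settings shown on this page and checks a received value against the decode settings, so that a format mismatch can be seen before it shows up as a failed dynamic authorization. Only dot-split, mode1, compress and lowercase are taken from the page; the other separator names in SEPARATORS and the uppercase value are assumptions used to show what a mismatch looks like.

```python
"""Render the Calling-Station-Id / Called-Station-Id string the device
sends for a given (mac-address-format, mode, letter) setting, and check
whether a MAC string received in a CoA/Disconnect request matches the
configured decode format.

Added example, not Huawei's code.  From the page: dot-split, mode1,
compress and lowercase, where mode1/compress means XXXX?XXXX?XXXX.
The other separator names and the uppercase value are assumptions."""
import re

# dot-split is on the page; hyphen-split / colon-split are assumed names
SEPARATORS = {"dot-split": ".", "hyphen-split": "-", "colon-split": ":"}
FOUR_DIGIT_MODES = ("mode1", "compress")  # three groups of four hex digits


def canonical_mac(value):
    """12 lowercase hex digits, or None if `value` is not a MAC in any
    common notation (pairs or quads; '.', ':', '-' or no separator)."""
    digits = re.sub(r"[.:\-\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def render_station_id(mac, mac_address_format="dot-split", mode="mode1",
                      letter="lowercase"):
    """String the switch puts in the RADIUS attribute for these settings."""
    digits = canonical_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    if mode not in FOUR_DIGIT_MODES:
        raise ValueError(f"mode {mode!r} is not modelled here")
    sep = SEPARATORS[mac_address_format]
    rendered = sep.join(digits[i:i + 4] for i in range(0, 12, 4))
    return rendered.upper() if letter == "uppercase" else rendered


def parse_station_id(value, mac_address_format="dot-split", mode="compress"):
    """Canonical MAC if `value` is exactly in the configured decode format,
    else None.  This is the dynamic-authorization side: a Calling-Station-Id
    in any other notation is not parsed, so the user session is not found
    and the CoA/Disconnect request cannot be applied to it."""
    if mode not in FOUR_DIGIT_MODES:
        raise ValueError(f"mode {mode!r} is not modelled here")
    sep = re.escape(SEPARATORS[mac_address_format])
    quad = r"[0-9A-Fa-f]{4}"
    if re.fullmatch(f"{quad}{sep}{quad}{sep}{quad}", value):
        return canonical_mac(value)
    return None


def coa_targets_session(coa_calling_station_id, session_mac, **decode_settings):
    """True when the MAC in a received CoA/DM request, parsed with the
    device's decode settings, identifies the session with `session_mac`."""
    parsed = parse_station_id(coa_calling_station_id, **decode_settings)
    return parsed is not None and parsed == canonical_mac(session_mac)
```

Run parse_station_id over the Calling-Station-Id values your authorization server emits before enabling CoA: a None result for a value the server considers valid means the decode format, not the session state, is what will make dynamic authorization fail.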

Configuring an Attribute in Received RADIUS Access-Accept Packets to Be Checked

This section describes how to configure an attribute in the received RADIUS Access-Accept packets to be checked using the rpc method.

Table 2-311  Configuring an attribute in the received RADIUS Access-Accept packets to be checked

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Data Requirement

Table 2-312  Configuring an attribute in the received RADIUS Access-Accept packets to be checked

Item

Data

Description

Name of a RADIUS attribute framed-protocol Configure the framed-protocol attribute in RADIUS Access-Accept packets to be checked.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <check-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <attribute-name>framed-protocol</attribute-name>
    </check-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Failed to find the attribute.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/check-attribute[attribute-name="abc"]/attribute-name</error-info>
 </rpc-error>
</rpc-reply>

Configuring NAS Attributes

This section describes how to configure NAS attributes using the rpc method. The values set here are carried in the NAS-IP-Address and NAS-IPv6-Address attributes of the RADIUS packets the switch sends; keep them consistent with the address under which the switch is registered as a client on the RADIUS server.

Table 2-313  Configuring NAS attributes

Operation

XPATH

edit-config:create

  • /huawei-aaa-radius:radius/radius-server/nas-ip-address
  • /huawei-aaa-radius:radius/radius-server/nas-ipv6-address

Data Requirement

Table 2-314  Configuring NAS attributes

Item

Data

Description

Value of the NAS-IP-Address attribute in RADIUS packets sent by the device 10.3.3.3 Set the NAS-IP-Address attribute in RADIUS packets sent by the device to 10.3.3.3.
Value of the NAS-IPv6-Address attribute in RADIUS packets sent by the device FC00::7 Set the NAS-IPv6-Address attribute in RADIUS packets sent by the device to FC00::7.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:nas-ip-address>10.3.3.3</hw-aaa-radius:nas-ip-address>
          <hw-aaa-radius:nas-ipv6-address>FC00::7</hw-aaa-radius:nas-ipv6-address>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/nas-ip-address</error-info>
 </rpc-error>
</rpc-reply>

Configuring Automatic RADIUS Server Detection

This section describes how to configure automatic RADIUS server detection using the merge method. The device probes the server with the configured detection user name and password, so use a dedicated account that has no access rights on the RADIUS server rather than the credentials of a real user.

Table 2-315  Configuring automatic RADIUS server detection

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/server-detect-function

Data Requirement

Table 2-316  Configuring automatic RADIUS server detection

Item

Data

Description

User name used for automatic detection testusername Set the user name used for automatic detection to testusername.
User password for automatic detection huawei@123 Set the user password for automatic detection to huawei@123.
Automatic detection interval 100 Set the automatic detection interval to 100 seconds.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:server-detect-function>
            <hw-aaa-radius:server-detect-enable>true</hw-aaa-radius:server-detect-enable>
            <hw-aaa-radius:test-user-name>testusername</hw-aaa-radius:test-user-name>
            <hw-aaa-radius:test-user-password>huawei@123</hw-aaa-radius:test-user-password>
            <hw-aaa-radius:interval>100</hw-aaa-radius:interval>
          </hw-aaa-radius:server-detect-function>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Invalid character in the template shared-key.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/server-detect-function/server-detect-enable</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Shared Key and Algorithm of the RADIUS Server

This section describes how to configure the shared key and algorithm of the RADIUS server using the merge method. The shared key is delivered in cleartext inside the edit-config payload, so protect the NETCONF session and any saved copies of the request; the value must be identical to the key configured for this switch on the RADIUS server.

Table 2-317  Configuring the shared key and algorithm of the RADIUS server

Operation

XPATH

edit-config:merge

  • /huawei-aaa-radius:radius/radius-server/shared-key

  • /huawei-aaa-radius:radius/radius-server/server-algorithm

Data Requirement

Table 2-318  Configuring the shared key and algorithm of the RADIUS server

Item

Data

Description

Shared key of the RADIUS server in a RADIUS server template huawei@123

Set the shared key of the RADIUS server in a RADIUS server template to huawei@123.

Algorithm for selecting RADIUS servers in a RADIUS server template loading-share

Set the algorithm for selecting RADIUS servers in a RADIUS server template to load sharing. Note that the request example below writes the enumeration as load-sharing; deliver the value exactly as it is defined in huawei-aaa-radius.yang.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <shared-key>huawei@123</shared-key>
    <server-algorithm>load-sharing</server-algorithm>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server shared key</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/shared-key</error-info>
 </rpc-error>
</rpc-reply>

Applying an AAA Scheme to a Domain

This section describes how to apply an AAA scheme to a domain using the merge method.

Table 2-319  Applying an AAA scheme to a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/aaa-domain

Data Requirement

Table 2-320  Applying an AAA scheme to a domain

Item

Data

Description

Domain name

domain1

Create a domain named domain1.

Name of an authentication scheme bound to the domain

authen1

Bind the authentication scheme authen1 to the domain.

Name of an accounting scheme bound to the domain

acc1

Bind the accounting scheme acc1 to the domain.

Name of a service scheme bound to the domain

ser1

Bind the service scheme ser1 to the domain.

Whether to enable traffic statistics collection for domain users true Enable traffic statistics collection for domain users.

Request Example

<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:authentication-mode>radius</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acc1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:accounting-mode>radius</hw-aaa:accounting-mode>
        </hw-aaa:accounting-scheme>
        <hw-aaa:service-scheme>
          <hw-aaa:name>ser1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
        </hw-aaa:service-scheme>
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-scheme>authen1</hw-aaa:authentication-scheme>
          <hw-aaa:accounting-scheme>acc1</hw-aaa:accounting-scheme>
          <hw-aaa:service-scheme>ser1</hw-aaa:service-scheme>
          <hw-aaa:statistics-enable>true</hw-aaa:statistics-enable>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>

Applying the RADIUS Server Template in a Domain

This section describes how to apply the RADIUS server template in a domain using the merge method.

Table 2-321  Applying the RADIUS server template in a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Data Requirements

Table 2-322  Applying the RADIUS server template in a domain

Item

Data

Description

Domain name

domain1

Create a domain named domain1.

Name of the RADIUS server template that is applied in the domain

rds

Apply the RADIUS server template named rds in the domain.

Request Example

<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa-radius:radius-server xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
            <hw-aaa-radius:radius-server>rds</hw-aaa-radius:radius-server>
          </hw-aaa-radius:radius-server>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>

Applying the HWTACACS Server Template in a Domain

This section describes how to apply the HWTACACS server template in a domain using the merge method.

Table 2-323  Applying the HWTACACS server template in a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Data Requirements

Table 2-324  Applying the HWTACACS server template in a domain

Item

Data

Description

Domain name

domain1

Create a domain named domain1.

Name of the HWTACACS server template that is applied in the domain

tac1

Apply the HWTACACS server template named tac1 in the domain.
NOTE:
Make sure that this template has been created on the device.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0">
          <name>domain1</name>
          <vsys>public</vsys>
          <hwtacacs-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
            <hwtacacs-server ns0:operation="merge">tac1</hwtacacs-server>
          </hwtacacs-server>
        </aaa-domain>
      </aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config hwtacacs server failed</error-message>
    <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain2",vsys="public"]/huawei-aaa-hwtacacs:hwtacacs-server/hwtacacs-server</error-info>
  </rpc-error>
</rpc-reply>
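The three preceding sections bind schemes and server templates to a domain, and their failed responses ("config/undo scheme failed", "config hwtacacs server failed") together with the note that the HWTACACS template must already exist show the common failure: the domain references a name the device does not know. The following added example (Python, standard library only; not part of this document and not Huawei's code) composes the RADIUS variant of that payload from the element names on this page and, before sending, lists every scheme or template a domain references that is defined neither in the payload nor in a caller-supplied set of names already on the device. The `existing` set is an assumed input that you would fill from a prior get-config; the embedded HWTACACS request is the one printed above.

```python
"""Compose the edit-config that binds AAA schemes and a RADIUS server
template to a domain, and detect domain references to schemes or
templates that are defined neither in the payload nor on the device.

Added example using only the Python standard library; not Huawei's code.
Namespaces and element names are those printed on this page.  `existing`
is an assumed input: names collected from the device with <get-config>."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_AAA = "urn:huawei:params:xml:ns:yang:huawei-aaa"
HW_RADIUS = "urn:huawei:params:xml:ns:yang:huawei-aaa-radius"
HW_HWTACACS = "urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs"
SCHEME_KINDS = ("authentication-scheme", "accounting-scheme", "service-scheme")

# Request printed on the page for applying an HWTACACS template in a domain.
HWTACACS_DOMAIN_REQUEST = """<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
<edit-config><target><running/></target>
<error-option>rollback-on-error</error-option>
<config><aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
<aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0">
<name>domain1</name><vsys>public</vsys>
<hwtacacs-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
<hwtacacs-server ns0:operation="merge">tac1</hwtacacs-server>
</hwtacacs-server></aaa-domain></aaa></config></edit-config></rpc>"""


def _leaf(parent, ns, tag, text):
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    el.text = str(text)
    return el


def build_aaa_domain_payload(domain, auth_scheme, acct_scheme, radius_template,
                             servers, vsys="public", service_scheme=None,
                             message_id="10"):
    """One edit-config that defines the schemes and the RADIUS template and
    binds them to `domain`.  `servers` is a list of (role, ip, port, key)
    with role "authentication-server" or "accounting-server".  A
    `service_scheme` is only referenced, not defined: like the HWTACACS
    template on the page, it must already exist on the device."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    _leaf(edit, NC, "error-option", "rollback-on-error")
    config = ET.SubElement(edit, f"{{{NC}}}config")

    radius = ET.SubElement(config, f"{{{HW_RADIUS}}}radius")
    tmpl = ET.SubElement(radius, f"{{{HW_RADIUS}}}radius-server")
    _leaf(tmpl, HW_RADIUS, "name", radius_template)
    _leaf(tmpl, HW_RADIUS, "vsys", vsys)
    for role, ip, port, key in servers:
        srv = ET.SubElement(tmpl, f"{{{HW_RADIUS}}}{role}")
        _leaf(srv, HW_RADIUS, "server-ip-address", ip)
        _leaf(srv, HW_RADIUS, "port", port)
        _leaf(srv, HW_RADIUS, "shared-key", key)
        _leaf(srv, HW_RADIUS, "weight", 100)

    aaa = ET.SubElement(config, f"{{{HW_AAA}}}aaa")
    auth = ET.SubElement(aaa, f"{{{HW_AAA}}}authentication-scheme")
    _leaf(auth, HW_AAA, "name", auth_scheme)
    _leaf(auth, HW_AAA, "vsys", vsys)
    _leaf(auth, HW_AAA, "authentication-mode", "radius")
    acct = ET.SubElement(aaa, f"{{{HW_AAA}}}accounting-scheme")
    _leaf(acct, HW_AAA, "name", acct_scheme)
    _leaf(acct, HW_AAA, "vsys", vsys)
    _leaf(acct, HW_AAA, "accounting-mode", "radius")
    dom = ET.SubElement(aaa, f"{{{HW_AAA}}}aaa-domain")
    _leaf(dom, HW_AAA, "name", domain)
    _leaf(dom, HW_AAA, "vsys", vsys)
    _leaf(dom, HW_AAA, "authentication-scheme", auth_scheme)
    _leaf(dom, HW_AAA, "accounting-scheme", acct_scheme)
    if service_scheme:
        _leaf(dom, HW_AAA, "service-scheme", service_scheme)
    ref = ET.SubElement(dom, f"{{{HW_RADIUS}}}radius-server")
    _leaf(ref, HW_RADIUS, "radius-server", radius_template)
    return ET.tostring(rpc, encoding="unicode")


def dangling_references(payload_xml, existing=frozenset()):
    """(kind, name) pairs a domain references that are defined neither in
    the payload nor in `existing`; send only when this list is empty."""
    root = ET.fromstring(payload_xml)
    aaa = root.find(f".//{{{HW_AAA}}}aaa")
    if aaa is None:
        return []
    defined = {kind: {e.findtext(f"{{{HW_AAA}}}name")
                      for e in aaa.findall(f"{{{HW_AAA}}}{kind}")}
               for kind in SCHEME_KINDS}
    defined["radius-server"] = {
        e.findtext(f"{{{HW_RADIUS}}}name") for e in
        root.iterfind(f".//{{{HW_RADIUS}}}radius/{{{HW_RADIUS}}}radius-server")}
    defined["hwtacacs-server"] = {
        e.findtext(f"{{{HW_HWTACACS}}}name") for e in
        root.iterfind(f".//{{{HW_HWTACACS}}}hwtacacs/{{{HW_HWTACACS}}}hwtacacs-server")}
    missing = []
    for dom in aaa.findall(f"{{{HW_AAA}}}aaa-domain"):
        refs = [(kind, dom.findtext(f"{{{HW_AAA}}}{kind}")) for kind in SCHEME_KINDS]
        refs.append(("radius-server", dom.findtext(
            f"{{{HW_RADIUS}}}radius-server/{{{HW_RADIUS}}}radius-server")))
        refs.append(("hwtacacs-server", dom.findtext(
            f"{{{HW_HWTACACS}}}hwtacacs-server/{{{HW_HWTACACS}}}hwtacacs-server")))
        for kind, name in refs:
            if name and name not in defined[kind] and name not in existing:
                missing.append((kind, name))
    return missing
```

Because every reference is resolved client-side, a payload that would otherwise be rejected with "config/undo scheme failed" never reaches the device, and a template that only exists on the device is accepted as long as its name was collected into `existing` beforehand.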

Configuring an HWTACACS Server Template

This section describes the configuration model of an HWTACACS server template and provides examples of XML packets.

Data Model

The configuration model file matching the HWTACACS server template is huawei-aaa-hwtacacs.yang.

Table 2-325  Configurations of the HWTACACS server template

Object

Description

Value

Remarks

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/name

Indicates the name of an HWTACACS server template.

The value is a string of 1 to 32 case-insensitive characters consisting of letters, digits, periods (.), hyphens (-), and underscores (_). The value cannot be - or --.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/vsys Indicates the vsys name. The value is a string of 1 to 31 characters. This object is of no significance for a switch.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/server-ip-address

Indicates the IP address of the primary HWTACACS authentication server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/port

Indicates the port number of the primary HWTACACS authentication server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS authentication server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net

Indicates whether to connect to the primary HWTACACS authentication server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/server-ip-address

Indicates the IP address of the secondary HWTACACS authentication server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/port

Indicates the port number of the secondary HWTACACS authentication server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS authentication server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net

Indicates whether to connect to the secondary HWTACACS authentication server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/server-ip-address

Indicates the IP address of the primary HWTACACS authorization server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/port

Indicates the port number of the primary HWTACACS authorization server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS authorization server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net

Indicates whether to connect to the primary HWTACACS authorization server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/server-ip-address

Indicates the IP address of the secondary HWTACACS authorization server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/port

Indicates the port number of the secondary HWTACACS authorization server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS authorization server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net

Indicates whether to connect to the secondary HWTACACS authorization server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/server-ip-address

Indicates the IP address of the primary HWTACACS accounting server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/port

Indicates the port number of the primary HWTACACS accounting server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS accounting server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net

Indicates whether to connect to the primary HWTACACS accounting server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/server-ip-address

Indicates the IP address of the secondary HWTACACS accounting server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/port

Indicates the port number of the secondary HWTACACS accounting server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS accounting server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net

Indicates whether to connect to the secondary HWTACACS accounting server on the public network.

The value is of the Boolean type:
  • true: the server is reached through the public network.
  • false: the server is not reached through the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/ip-address Indicates the source IP address used by the switch to communicate with the HWTACACS server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/shared-key Indicates the shared key between the switch and the HWTACACS server. The key must match the one configured for this switch on the server and is delivered in cleartext inside the edit-config payload.

The value is a string of 1 to 255 case-sensitive characters without question marks (?) or spaces.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/user-name/domain-include Indicates whether the user names in packets sent to the HWTACACS server contain the domain name. The value is of the Boolean type:
  • true: the domain name is included.
  • false: the domain name is not included.

N/A

Creating and Configuring an HWTACACS Server Template

This section provides a sample of creating and configuring an HWTACACS server template using the create method.

Table 2-326  Creating and configuring an HWTACACS server template

Operation

XPATH

edit-config:create

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server

Data Requirements

Item

Data

Description

Name of an HWTACACS server template

test

Create an HWTACACS server template named test.

Name of the vsys

public

Configure the name of the vsys to public.

Primary HWTACACS authentication, authorization, and accounting servers

IP address: 10.1.1.1

Set the IP address of the primary HWTACACS authentication, authorization, and accounting servers to 10.1.1.1.

Port number: 1000

Set the port number of the primary HWTACACS authentication, authorization, and accounting servers to 1000.

Secondary HWTACACS authentication, authorization, and accounting servers

IP address: 10.2.2.2

Set the IP address of the secondary HWTACACS authentication, authorization, and accounting servers to 10.2.2.2.

Port number: 1001

Set the port number of the secondary HWTACACS authentication, authorization, and accounting servers to 1001.

VPN instance to which servers belong: vpn1

Set the VPN instance to which the secondary HWTACACS authentication, authorization, and accounting servers belong to vpn1.

Source IP address of the switch to communicate with the HWTACACS server

192.168.10.1

Set the source IP address for communication between the switch and the HWTACACS servers to 192.168.10.1.

Shared key of the switch and HWTACACS server

Huawei@123

Set the shared key of the HWTACACS servers to Huawei@123.

Whether the packets sent to the HWTACACS server contain the domain name

false

Configure the packets sent to the HWTACACS servers not to contain the domain name.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
          <hw-aaa-hwtacacs:primary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authentication-server>
          <hw-aaa-hwtacacs:secondary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authentication-server>
          <hw-aaa-hwtacacs:primary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authorization-server>
          <hw-aaa-hwtacacs:secondary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authorization-server>
          <hw-aaa-hwtacacs:primary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-accounting-server>
          <hw-aaa-hwtacacs:secondary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-accounting-server>
          <hw-aaa-hwtacacs:ip-address>192.168.10.1</hw-aaa-hwtacacs:ip-address>
          <hw-aaa-hwtacacs:shared-key>Huawei@123</hw-aaa-hwtacacs:shared-key>
          <hw-aaa-hwtacacs:options>
            <hw-aaa-hwtacacs:user-name>
              <hw-aaa-hwtacacs:domain-include>false</hw-aaa-hwtacacs:domain-include>
            </hw-aaa-hwtacacs:user-name>
          </hw-aaa-hwtacacs:options>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>
# Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The VPN instance does not exist.</error-message>
    <error-info>Error on node /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server[name="test",vsys="public"]/primary-accounting-server</error-info>
  </rpc-error>
</rpc-reply>
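The create request above, as an added Python example that is not part of the Huawei document: it builds the same edit-config RPC with xml.etree, refuses input that violates the data-model constraints listed in the object table (port range, shared-key characters, vpn-instance delivered together with public-net), and parses the rpc-reply so that the node named in error-info (here, the server whose VPN instance is missing) is surfaced. Assumptions: primary and secondary are dicts keyed by leaf name (server-ip-address, port, vpn-instance, public-net), and the same server data is applied to all three server roles, as in the sample request.

```python
import xml.etree.ElementTree as ET

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_HW = "urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs"
ET.register_namespace("xc", NS_NC)
ET.register_namespace("hw-aaa-hwtacacs", NS_HW)

def validate_server(entry):
    # Constraints on one *-server node: port 1..65535; vpn-instance excludes public-net.
    if not 1 <= int(entry["port"]) <= 65535:
        raise ValueError("port must be an integer from 1 to 65535")
    if "vpn-instance" in entry and "public-net" in entry:
        raise ValueError("vpn-instance cannot be delivered together with public-net")

def build_create_rpc(name, vsys, primary, secondary, source_ip, key, domain_include, msg_id="1"):
    if not 1 <= len(key) <= 255 or "?" in key or " " in key:
        raise ValueError("shared-key must be 1 to 255 characters without '?' or spaces")
    for entry in (primary, secondary):
        validate_server(entry)
    rpc = ET.Element(f"{{{NS_NC}}}rpc", {"message-id": msg_id})
    edit = ET.SubElement(rpc, f"{{{NS_NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NS_NC}}}target"), f"{{{NS_NC}}}running")
    cfg = ET.SubElement(edit, f"{{{NS_NC}}}config")
    tpl = ET.SubElement(ET.SubElement(cfg, f"{{{NS_HW}}}hwtacacs"),
                        f"{{{NS_HW}}}hwtacacs-server", {f"{{{NS_NC}}}operation": "create"})
    def leaf(parent, tag, value):  # YANG booleans serialise as lowercase true/false
        text = str(value).lower() if isinstance(value, bool) else str(value)
        ET.SubElement(parent, f"{{{NS_HW}}}{tag}").text = text
    leaf(tpl, "name", name)
    leaf(tpl, "vsys", vsys)
    for role in ("authentication", "authorization", "accounting"):  # same data for all roles
        for kind, entry in (("primary", primary), ("secondary", secondary)):
            node = ET.SubElement(tpl, f"{{{NS_HW}}}{kind}-{role}-server")
            for tag in ("server-ip-address", "port", "vpn-instance", "public-net"):
                if tag in entry:
                    leaf(node, tag, entry[tag])
    leaf(tpl, "ip-address", source_ip)
    leaf(tpl, "shared-key", key)
    user = ET.SubElement(ET.SubElement(tpl, f"{{{NS_HW}}}options"), f"{{{NS_HW}}}user-name")
    leaf(user, "domain-include", domain_include)
    return ET.tostring(rpc, encoding="unicode")

def parse_reply(xml_text):
    # (True, None) on <ok/>; otherwise (False, "error-message | error-info") from the rpc-error.
    root = ET.fromstring(xml_text)
    if root.find(f"{{{NS_NC}}}ok") is not None:
        return True, None
    err = root.find(f"{{{NS_NC}}}rpc-error")
    parts = [err.findtext(f"{{{NS_NC}}}{t}", "").strip() for t in ("error-message", "error-info")]
    return False, " | ".join(p for p in parts if p)
```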

Deleting an HWTACACS Server Template

This section provides a sample of deleting an HWTACACS server template using the delete method.

Table 2-327  Deleting an HWTACACS server template

Operation

XPATH

edit-config:delete

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server

Data Requirements

Item

Data

Description

Name of an HWTACACS server template

test

Delete the HWTACACS server template named test with the vsys named public.

Name of the vsys

public

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <ok/>
</rpc-reply>
# Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>
Updated: 2019-10-18

Document ID: EDOC1000178028