S600-E V200R011C10 NETCONF YANG API Reference

This document describes the NETCONF API functions supported by the switch, including the data model and samples.

NAC

This section describes the NAC configuration model and provides examples of packets.

Configuring an 802.1X Access Profile

This section describes the configuration model of the 802.1X access profile and provides examples of XML packets.

Data Model

The configuration model file matching the 802.1X access profile is huawei-nac-dot1x.yang.

Table 2-327  Data model

Object

Description

Value

Remarks

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile

Indicates that the request operation (creation or modification) object is an 802.1X access profile. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Indicates the name of the created 802.1X access profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Indicates that an authentication mode is configured for 802.1X users.

Enumerated type:

  • chap: EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP)
  • pap: EAP termination authentication using the Password Authentication Protocol (PAP)
  • eap: relay authentication using the Extensible Authentication Protocol (EAP)

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authorize-of-authentication-event

Indicates that network access rights are configured for users when the 802.1X client does not respond.

N/A

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/unicast-trigger

Indicates whether 802.1X authentication triggered by unicast packets is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/enable

Indicates whether handshake with online 802.1X authentication users is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

Creating an 802.1X Access Profile

This section provides a sample of creating an 802.1X access profile using the merge method. You can also use the create method to create an 802.1X access profile.

Table 2-328  Creating an 802.1X access profile

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Data Requirement
Table 2-329  Creating an 802.1X access profile

Item

Data

Description

name

test

Create the 802.1X access profile test.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name="testtesttesttesttesttesttesttesttest"]/name</error-info>
  </rpc-error>
</rpc-reply>
Configuring an Authentication Mode for 802.1X Users

This section provides a sample of configuring an authentication mode for 802.1X users using the merge method. You can also use the create method to configure an authentication mode for 802.1X users.

Table 2-330  Configuring an authentication mode for 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Data Requirement
Table 2-331  Configuring an authentication mode for 802.1X users

Item

Data

Description

name

test

Set the authentication mode for 802.1X users to CHAP.

The 802.1X access profile must exist on the switch.

authentication-method

chap

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <authentication-method>chap</authentication-method>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Configuring Network Access Rights for Users When the 802.1X Client Does Not Respond

This section provides a sample of configuring network access rights for users when the 802.1X client does not respond using the merge method. You can also use the create method to configure network access rights for users when the 802.1X client does not respond.

Table 2-332  Configuring network access rights for users when the 802.1X client does not respond

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authorize-of-authentication-event

Data Requirement
Table 2-333  Configuring network access rights for users when the 802.1X client does not respond

Item

Data

Description

name

test

Configure network access rights for users when the 802.1X client does not respond.

The 802.1X access profile must exist on the switch.

authentication-event

client-no-response

vlan-id

4000

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <authorize-of-authentication-event>
      <authentication-event>client-no-response</authentication-event>
      <vlan-id>4000</vlan-id>
     </authorize-of-authentication-event>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Enabling 802.1X Authentication Triggered by Unicast Packets

This section provides a sample of enabling 802.1X authentication triggered by unicast packets using the merge method. You can also use the create method to enable 802.1X authentication triggered by unicast packets.

Table 2-334  Enabling 802.1X authentication triggered by unicast packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/unicast-trigger

Data Requirement
Table 2-335  Enabling 802.1X authentication triggered by unicast packets

Item

Data

Description

name

test

Enable 802.1X authentication triggered by unicast packets.

The 802.1X access profile must exist on the switch.

unicast-trigger

true

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <unicast-trigger>true</unicast-trigger>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Enabling Handshake with Online 802.1X Authentication Users

This section provides a sample of enabling handshake with online 802.1X authentication users using the merge method. You can also use the create method to enable handshake with online 802.1X authentication users.

Table 2-336  Enabling handshake with online 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake

Data Requirement
Table 2-337  Enabling handshake with online 802.1X authentication users

Item

Data

Description

name

test

Enable handshake with online 802.1X authentication users.

The 802.1X access profile must exist on the switch.

handshake

true

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <handshake>true</handshake>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring a MAC Access Profile

This section describes the configuration model of the MAC access profile and provides examples of XML packets.

Data Model

The configuration model file matching the MAC access profile is huawei-nac-mac.yang.

Table 2-338  Data model

Object

Description

Value

Remarks

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile

Indicates that the object of a request operation (create or modify) is a MAC access profile. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

N/A

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Indicates the name of the created MAC access profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Specifies the password for a MAC address authentication user and displays the password in cipher text.

The value is a string of case-sensitive characters without spaces. The password is either a plain-text string of 1 to 128 characters or a cipher-text string of 48 to 188 characters.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Configures a fixed user name for MAC address authentication.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Indicates the format of a MAC address.

The value is of the enumerated type:

  • with-hyphen: indicates that the MAC address contains hyphens (-), for example, 0005-e01c-02e3.
  • with-hyphen-normal: indicates that the MAC address contains hyphens (-), for example, 00-05-e0-1c-02-e3.
  • without-hyphen: indicates that the MAC address does not contain hyphens (-), for example, 0005e01c02e3.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Configures a MAC address in uppercase or lowercase format as the user name for MAC address authentication.

The value is of the enumerated type:

  • uppercase: indicates that the MAC address is in uppercase format.
  • lowercase: indicates that the MAC address is in lowercase format.

N/A

Creating a MAC Access Profile

This section provides a sample of creating a MAC access profile using the merge method. You can also use the create method to create a MAC access profile.

Table 2-339  Creating a MAC access profile

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Data Requirement
Table 2-340  Creating a MAC access profile

Item

Data

Description

name

test

Create the MAC access profile test.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>invalid mac-access-profile name</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactestmactestmactestmactestmactest"]/name</error-info>
  </rpc-error>
</rpc-reply>
Configuring Passwords in Cipher Text for MAC Address Authentication

This section provides a sample of configuring passwords in cipher text for MAC address authentication using the merge method. You can also use the create method to configure passwords in cipher text for MAC address authentication.

Table 2-341  Configuring passwords in cipher text for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Data Requirement
Table 2-342  Configuring passwords in cipher text for MAC address authentication

Item

Data

Description

name

test

Configure passwords in cipher text for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

letter

uppercase

password

huawei@123

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
     <password>huawei@123</password>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>
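The request sample above carries the password leaf as plain text, and the data model table allows both plain-text (1 to 128 characters) and cipher-text (48 to 188 characters) values. The following is an added example, not code from the original page or from Huawei: a pre-push check that classifies the password by that length rule alone and masks it before the payload is written to a log. The function names are hypothetical, and the check assumes nothing about the cipher-text format beyond the lengths stated in the table.

```python
import xml.etree.ElementTree as ET

MAC_NS = "urn:huawei:params:xml:ns:yang:huawei-nac-mac"

# Request sample copied from this page (password for MAC address authentication).
SAMPLE_REQUEST = """<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
     <password>huawei@123</password>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>"""


def classify_mac_password(value):
    """Classify a password value using only the length rule from the data model table."""
    if not value or any(c.isspace() for c in value):
        return "invalid"      # empty, or contains spaces
    n = len(value)
    if n < 48:
        return "plain"        # too short to be cipher text (48 to 188 characters)
    if n <= 128:
        return "ambiguous"    # both forms allow this length; length alone cannot tell
    if n <= 188:
        return "cipher"       # too long to be plain text (1 to 128 characters)
    return "invalid"


def lint_mac_passwords(payload_xml):
    """Return (profile name, classification) for each password not surely in cipher text."""
    root = ET.fromstring(payload_xml.strip().encode("utf-8"))
    findings = []
    for profile in root.iter("{%s}mac-access-profile" % MAC_NS):
        password = profile.findtext("{%s}password" % MAC_NS)
        if password is None:
            continue
        kind = classify_mac_password(password)
        if kind != "cipher":
            findings.append((profile.findtext("{%s}name" % MAC_NS, "?"), kind))
    return findings


def redact(payload_xml, secret_leaves=("password",)):
    """Return the payload with the text of secret leaves masked, for logging."""
    root = ET.fromstring(payload_xml.strip().encode("utf-8"))
    for elem in root.iter():
        # Match on the local name so the mask applies whatever the namespace prefix is.
        if elem.tag.split("}", 1)[-1] in secret_leaves and elem.text:
            elem.text = "***"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(lint_mac_passwords(SAMPLE_REQUEST))
    print(redact(SAMPLE_REQUEST))
```

A value of 48 to 128 characters is reported as ambiguous because the two ranges in the table overlap there.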
Configuring Fixed User Names for MAC Address Authentication

This section provides a sample of configuring fixed user names for MAC address authentication using the merge method. You can also use the create method to configure fixed user names for MAC address authentication.

Table 2-343  Configuring fixed user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Data Requirement
Table 2-344  Configuring fixed user names for MAC address authentication

Item

Data

Description

name

test

Configure fixed user names for MAC address authentication.

The MAC access profile must exist on the switch.

user-name

huawei

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <user-name>huawei</user-name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/user-name</error-info>
  </rpc-error>
</rpc-reply>
Configuring MAC Addresses as User Names for MAC Address Authentication

This section provides a sample of configuring MAC addresses as user names for MAC address authentication using the merge method. You can also use the create method to configure MAC addresses as user names for MAC address authentication.

Table 2-345  Configuring MAC addresses as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Data Requirement
Table 2-346  Configuring MAC addresses as user names for MAC address authentication

Item

Data

Description

name

test

Configure MAC addresses as user names for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>
Configuring MAC Addresses in the Uppercase Format as User Names for MAC Address Authentication

This section provides a sample of configuring MAC addresses in the uppercase format as user names for MAC address authentication using the merge method. You can also use the create method to configure MAC addresses in the uppercase format as user names for MAC address authentication.

Table 2-347  Configuring MAC addresses in the uppercase format as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Data Requirement
Table 2-348  Configuring MAC addresses in the uppercase format as user names for MAC address authentication

Item

Data

Description

name

test

Configure MAC addresses in the uppercase format as user names for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>

Configuring a Portal Server Template

This section describes the configuration model of the Portal server template and provides examples of XML packets.

Data Model

The configuration model file matching the Portal server template is huawei-aaa-portal.yang.

Table 2-349  Data model

Object

Description

Value

Remarks

/huawei-aaa-portal/portal

Indicates that the request operation (creation or modification) object is a Portal server template. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-aaa-portal/portal/portal-server/name

Indicates the name of the created Portal server template.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Indicates that the IP address for the Portal server is configured.

The value is in dotted decimal notation.

N/A

/huawei-aaa-portal/portal/portal-server/destination-port

Indicates that the destination port number for the switch to send packets to the Portal server is configured.

The value is an integer that ranges from 1 to 65535.

N/A

/huawei-aaa-portal/portal/portal-server/shared-key

Indicates that the shared key for the switch to exchange information with the Portal server is configured.

The value is a string of case-sensitive characters without spaces. It can be a string of 48 characters in cipher text, or a string of 1 to 16 characters in plain text. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal:portal/portal-server/vpn-instance

Indicates that the VPN instance for the switch to communicate with the Portal server is configured.

The value must be an existing VPN instance.

N/A

/huawei-aaa-portal/portal/portal-server/server-url

Indicates that the URL for the Portal server is configured.

The value is a string of 1 to 200 case-sensitive characters without spaces and question marks (?). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/portal-server/url-template/name

Indicates the name of the URL template bound to the Portal server template.

The value must be the name of an existing URL template.

N/A

/huawei-aaa-portal/portal/portal-server/protocol

Indicates that the protocol used in Portal authentication is configured.

Enumerated type:

  • http
  • haca
  • portal
  • http-uam
N/A

/huawei-aaa-portal/portal/portal-server/web-redirection-disable

Indicates that the Portal authentication redirection function is disabled. By default, the Portal authentication redirection function is enabled.

Boolean type:

  • true: enabled
  • false: disabled
N/A

/huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Indicates that the Portal server detection function is enabled.

Boolean type:

  • true: enabled
  • false: disabled
N/A

/huawei-aaa-portal/portal/portal-server/user-sync-function

Indicates that the user information synchronization function is enabled for Portal authentication.

Boolean type:

  • true: enabled
  • false: disabled
N/A

/huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Indicates that the source IP address for the switch to communicate with the Portal server is configured.

The value is in dotted decimal notation.

N/A

/huawei-aaa-portal/portal/listening-port

Indicates that the number of the port through which the switch listens to Portal packets is configured.

The value is an integer that ranges from 1024 to 55535.

N/A

/huawei-aaa-portal/portal/url-template/name

Indicates the name of a created URL template.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa-portal/portal/url-template/url/url

Indicates that the redirection URL or pushed URL for the Portal server is configured.

The value is a string of 1 to 200 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/url-template/url-parameter

Indicates that parameters carried in the URL are configured.

The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

Indicates that the MAC address format in the URL is configured.

  • normal: The MAC address format is set to XX-XX-XX-XX-XX-XX.
  • compact: The MAC address format is set to XXXX-XXXX-XXXX.
  • delimiter: The value is one case-sensitive character without spaces.
N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Configuring the start character in the URL.

The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Configuring the assignment character in the URL.

The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Configuring the delimiter in the URL.

The value is one case-sensitive character without spaces.

N/A

Creating a Portal Server Template

This section provides a sample of creating a Portal server template using the merge method. You can also use the create method to create a Portal server template.

Table 2-350  Creating a Portal server template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/name

Data Requirement
Table 2-351  Portal server template

Item

Data

Description

name

huawei

Create the Portal server template huawei.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="14">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid server name</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="portalserverportalserverportalserver"]/name</error-info>
  </rpc-error>
</rpc-reply>
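The create requests for the 802.1X access profile, the MAC access profile and the Portal server template share one request shape and one name rule, and each failed sample is caused by a name longer than 31 characters. The following is an added example, not code from the original page or from Huawei: it checks the name against the rule in the data model tables before building the edit-config request, and reads the result out of an rpc-reply. The helper names are hypothetical, and only flat string leaves under the list entry are handled.

```python
import uuid
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"

# kind -> (namespace, container element, list element), taken from the request samples.
MODELS = {
    "dot1x": ("urn:huawei:params:xml:ns:yang:huawei-nac-dot1x",
              "dot1x-access", "dot1x-access-profile"),
    "mac": ("urn:huawei:params:xml:ns:yang:huawei-nac-mac",
            "mac-access", "mac-access-profile"),
    "portal": ("urn:huawei:params:xml:ns:yang:huawei-aaa-portal",
               "portal", "portal-server"),
}

FORBIDDEN = set('/\\:*?"<>|@\'%')  # symbols listed in the data model tables


def name_problems(name):
    """Return the reasons a name breaks the rule stated in the data model tables."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("length %d is outside 1..31" % len(name))
    if name in ("-", "--"):
        problems.append("name cannot be - or --")
    bad = sorted({c for c in name if c in FORBIDDEN or c.isspace()})
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    return problems


def build_request(kind, name, leaves=None, message_id=None):
    """Build the edit-config <rpc> in the shape of the samples; refuse an invalid name."""
    problems = name_problems(name)
    if problems:
        raise ValueError("invalid name %r: %s" % (name, "; ".join(problems)))
    ns, container, entry = MODELS[kind]
    rpc = ET.Element("rpc", {"xmlns": NC, "message-id": message_id or str(uuid.uuid4())})
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "running")
    ET.SubElement(edit, "error-option").text = "rollback-on-error"
    top = ET.SubElement(ET.SubElement(edit, "config"), container, {"xmlns": ns})
    item = ET.SubElement(top, entry)
    ET.SubElement(item, "name").text = name
    for leaf, value in (leaves or {}).items():
        # ElementTree escapes &, < and > in text, so a value cannot add sibling elements.
        ET.SubElement(item, leaf).text = value
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(reply_xml, expected_message_id=None):
    """Return (ok, errors); each error maps rpc-error child names to their text."""
    if "<!DOCTYPE" in reply_xml:
        # RFC 6241 section 3 forbids document type declarations in NETCONF content.
        raise ValueError("DOCTYPE is not allowed in a NETCONF message")
    root = ET.fromstring(reply_xml.strip().encode("utf-8"))
    if root.tag != "{%s}rpc-reply" % NC:
        raise ValueError("not an rpc-reply: %s" % root.tag)
    if expected_message_id is not None and root.get("message-id") != expected_message_id:
        raise ValueError("reply message-id %r does not match the request"
                         % root.get("message-id"))
    errors = [{child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in err}
              for err in root.findall("{%s}rpc-error" % NC)]
    return (not errors and root.find("{%s}ok" % NC) is not None), errors


# Failed-response sample copied from the 802.1X access profile section of this page.
FAILED_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3a8e485-35d2-499e-895c-e2d2d5f555a8">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name="testtesttesttesttesttesttesttesttest"]/name</error-info>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_request("dot1x", "test", {"authentication-method": "chap"}))
    print(parse_reply(FAILED_REPLY))
    print(name_problems("test" * 9))  # the name from the failed sample
```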
Configuring an IP Address for the Portal Server

This section provides a sample of configuring an IP address for the Portal server using the merge method. You can also use the create method to configure an IP address for the Portal server.

Table 2-352  Configuring an IP address for the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Data Requirement
Table 2-353  Configuring an IP address for the Portal server

Item

Data

Description

portal-server-ip

10.10.10.10

Configure the IP address 10.10.10.10 for the Portal server.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
      <portal-server-ip>10.10.10.10</portal-server-ip>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Undo/config server-ip failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/portal-server-ip[.="255.255.255.255"]</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Source IP Address for the Switch to Communicate with the Portal Server

This section provides a sample of configuring the source IP address for the switch to communicate with the Portal server using the merge method. You can also use the create method to configure the source IP address for the switch to communicate with the Portal server.

Table 2-354  Configuring the source IP address for the switch to communicate with the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Data Requirement
Table 2-355  Configuring the source IP address for the switch to communicate with the Portal server

Item          Data               Description
ip-address    192.168.255.255    Configure the source IP address 192.168.255.255 for the switch to communicate with the Portal server.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <ip-address xc:operation="merge">192.168.255.255</ip-address>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="16">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Source-ip cmd executing failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/ip-address</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Destination Port Number for the Switch to Send Packets to the Portal Server

This section provides a sample of configuring the destination port number for the switch to send packets to the Portal server using the merge method. You can also use the create method to configure the destination port number for the switch to send packets to the Portal server.

Table 2-356  Configuring the destination port number for the switch to send packets to the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/destination-port/port

Data Requirement
Table 2-357  Configuring the destination port number for the switch to send packets to the Portal server

Item    Data    Description
port    555     Set the destination port number for the switch to send packets to the Portal server to 555.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <destination-port>
      <port>555</port>
      <always>true</always>
     </destination-port>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="17">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Configuring the Shared Key for the Switch to Exchange Information with the Portal Server

This section provides a sample of configuring the shared key for the switch to exchange information with the Portal server using the merge method. You can also use the create method to configure the shared key for the switch to exchange information with the Portal server.

Table 2-358  Configuring the shared key for the switch to exchange information with the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/shared-key

Data Requirement
Table 2-359  Configuring the shared key for the switch to exchange information with the Portal server

Item          Data                Description
shared-key    zLUYANG12#$%()aa    Set the shared key for the switch to exchange information with the Portal server to zLUYANG12#$%()aa.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <shared-key>zLUYANG12#$%()aa</shared-key>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="18">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid shared-key</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/shared-key</error-info>
  </rpc-error>
</rpc-reply>
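
The shared-key request above and the two failed-response shapes this page shows, handled from a NETCONF client. This is an added Python example, not part of the Huawei reference: it builds the request with an XML library so key characters are escaped, masks the key before logging, and checks each reply's message-id against the request. The function names and the constructed key are assumptions; the namespaces, leaf names and reply samples come from this page.

```python
import copy
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"              # from this page
PORTAL = "urn:huawei:params:xml:ns:yang:huawei-aaa-portal"  # from this page
SENSITIVE_LEAVES = {"{%s}shared-key" % PORTAL}              # must never reach a log
NODE_PREFIX = "Error on node "                              # error-info wording on this page

# Prefixed output, the same style as the page's web-redirection-disable request.
ET.register_namespace("nc", NC)
ET.register_namespace("hw-aaa-portal", PORTAL)


def build_portal_server_edit(message_id, server_name, leaves):
    """Build <rpc><edit-config> that merges flat leaves into one portal-server.

    Values are assigned as element text, so the serializer escapes &, < and >
    rather than the caller concatenating them into markup.
    """
    rpc = ET.Element("{%s}rpc" % NC, {"message-id": message_id})
    edit = ET.SubElement(rpc, "{%s}edit-config" % NC)
    target = ET.SubElement(edit, "{%s}target" % NC)
    ET.SubElement(target, "{%s}running" % NC)
    ET.SubElement(edit, "{%s}error-option" % NC).text = "rollback-on-error"
    config = ET.SubElement(edit, "{%s}config" % NC)
    portal = ET.SubElement(config, "{%s}portal" % PORTAL)
    server = ET.SubElement(portal, "{%s}portal-server" % PORTAL)
    ET.SubElement(server, "{%s}name" % PORTAL).text = server_name
    for leaf, value in leaves.items():
        ET.SubElement(server, "{%s}%s" % (PORTAL, leaf)).text = value
    return rpc


def to_wire(rpc):
    """Serialize the request exactly as it is sent to the device."""
    return ET.tostring(rpc, encoding="unicode")


def to_log(rpc):
    """Serialize a copy with sensitive leaves masked; the original is untouched."""
    clone = copy.deepcopy(rpc)
    for elem in clone.iter():
        if elem.tag in SENSITIVE_LEAVES:
            elem.text = "***"
    return ET.tostring(clone, encoding="unicode")


def parse_reply(reply_xml, expected_id):
    """Classify an <rpc-reply> and extract every <rpc-error> it carries."""
    data = reply_xml.strip().encode("utf-8") if isinstance(reply_xml, str) else reply_xml
    root = ET.fromstring(data)
    if root.tag != "{%s}rpc-reply" % NC:
        raise ValueError("not a NETCONF rpc-reply: %s" % root.tag)
    errors = []
    for err in root.iter("{%s}rpc-error" % NC):
        # Works for both shapes on this page: error-app-tag/error-info and
        # error-type/error-tag/error-severity.
        fields = {c.tag.split("}", 1)[-1]: (c.text or "").strip() for c in err}
        info = fields.get("error-info", "")
        fields["node"] = info[len(NODE_PREFIX):] if info.startswith(NODE_PREFIX) else None
        errors.append(fields)
    return {
        "ok": not errors and root.find("{%s}ok" % NC) is not None,
        "id_match": root.get("message-id") == expected_id,  # reply must echo the request id
        "errors": errors,
    }


# Reply samples copied from this page.
OK_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>"""

FAILED_SHARED_KEY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="18">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid shared-key</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/shared-key</error-info>
  </rpc-error>
</rpc-reply>"""

FAILED_PARSE = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="17">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    constructed_key = "k&<1>x"  # constructed sample, chosen only to show escaping
    request = build_portal_server_edit("123", "huawei", {"shared-key": constructed_key})
    print(to_log(request))  # safe to log: key masked
    for sample in (OK_REPLY, FAILED_SHARED_KEY, FAILED_PARSE):
        print(parse_reply(sample, "123"))
```
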
Configuring a VPN Instance for the Switch to Communicate with the Portal Server

This section provides a sample of configuring a VPN instance for the switch to communicate with the Portal server using the merge method. You can also use the create method to configure a VPN instance for the switch to communicate with the Portal server.

Table 2-360  Configuring a VPN instance for the switch to communicate with the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal:portal/portal-server/vpn-instance

Data Requirement
Table 2-361  Configuring a VPN instance for the switch to communicate with the Portal server

Item            Data    Description
vpn-instance    vpna    Configure the VPN instance vpna for the switch to communicate with the Portal server. The VPN instance must exist on the switch.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <hw-l3vpn:vpn-instances xmlns:hw-l3vpn="urn:huawei:params:xml:ns:yang:huawei-l3vpn">
    <hw-l3vpn:vpn-instance>
     <hw-l3vpn:vpn-instance-name>vpna</hw-l3vpn:vpn-instance-name>
    </hw-l3vpn:vpn-instance>
   </hw-l3vpn:vpn-instances>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server>
     <name>webauth1</name>
     <vpn-instance>vpna</vpn-instance>
    </portal-server>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="19">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The vpn-instance does not exist or is invalid.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="webauth1"]/vpn-instance</error-info>
  </rpc-error>
</rpc-reply>
Disabling the Portal Authentication Redirection Function

This section provides a sample of disabling the Portal authentication redirection function using the merge method.

Table 2-362  Disabling the Portal authentication redirection function

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/web-redirection-disable

Data Requirement
Table 2-363  Disabling the Portal authentication redirection function

Item                       Data    Description
web-redirection-disable    true    Disable the Portal authentication redirection function.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <edit-config>
  <target>
   <running/>
  </target>
  <config>
   <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <hw-aaa-portal:portal-server>
     <hw-aaa-portal:name>test</hw-aaa-portal:name>
     <hw-aaa-portal:web-redirection-disable>true</hw-aaa-portal:web-redirection-disable>
    </hw-aaa-portal:portal-server>
   </hw-aaa-portal:portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Configuring a URL for the Portal Server

This section provides a sample of configuring a URL for the Portal server using the merge method. You can also use the create method to configure a URL for the Portal server.

Table 2-364  Configuring a URL for the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/server-url

Data Requirement
Table 2-365  Configuring a URL for the Portal server

Item          Data                  Description
server-url    http://www.abc.com    Configure the URL http://www.abc.com for the Portal server.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <server-url>http://www.abc.com</server-url>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="22">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid url</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/server-url</error-info>
  </rpc-error>
</rpc-reply>
Creating a URL Template

This section provides a sample of creating a URL template using the merge method. You can also use the create method to create a URL template.

Table 2-366  Creating a URL template

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/url-template

Data Requirement
Table 2-367  Creating a URL template

Item    Data    Description
name    test    Create the URL template test.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="23">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc"]/name</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Redirection URL or Pushed URL for the Portal Server

This section provides a sample of configuring the redirection URL or pushed URL for the Portal server using the merge method. You can also use the create method to configure the redirection URL or pushed URL for the Portal server.

Table 2-368  Configuring the redirection URL or pushed URL for the Portal server

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/url-template/url/url

Data Requirement
Table 2-369  Configuring the redirection URL or pushed URL for the Portal server

Item        Data         Description
url         12345        Configure the redirection URL or pushed URL for the Portal server.
url-type    push-only

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="24">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid url</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="huawei"]/url[url-type="push-only"]/url</error-info>
  </rpc-error>
</rpc-reply>
Configuring Parameters Carried in the URL

This section provides a sample of configuring parameters carried in the URL using the merge method. You can also use the create method to configure parameters carried in the URL.

Table 2-370  Configuring parameters carried in the URL

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/url-template/url-parameter

Data Requirement
Table 2-371  Configuring parameters carried in the URL

Item              Data    Description
redirect-url      Rede    Configure parameters carried in the URL.
sysname           Sses
user-ipaddress    User
user-mac          User

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
     <url-parameter>
      <redirect-url>Rede</redirect-url>
      <sysname>Sses</sysname>
      <user-ipaddress>User</user-ipaddress>
      <user-mac>User</user-mac>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="27">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="huawei"]/url-parameter</error-info>
  </rpc-error>
</rpc-reply>
Configuring the MAC Address Format in the URL

This section provides a sample of configuring the MAC address format in the URL using the merge method. You can also use the create method to configure the MAC address format in the URL.

Table 2-372  Configuring the MAC address format in the URL

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

Data Requirement
Table 2-373  Configuring the MAC address format in the URL

Item         Data       Description
delimiter    7          Configure the MAC address format in the URL.
format       compact

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
     <url-parameter>
      <redirect-url>Rede</redirect-url>
      <sysname>Sses</sysname>
      <user-ipaddress>User</user-ipaddress>
      <user-mac>User</user-mac>
      <mac-address-format>
       <delimiter>7</delimiter>
       <format>compact</format>
      </mac-address-format>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="29">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Incomplete information.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="huawei"]/url-parameter</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Start Character in the URL

This section provides a sample of configuring the start character in the URL using the merge method. You can also use the create method to configure the start character in the URL.

Table 2-374  Configuring the start character in the URL

Operation            XPATH
edit-config:merge    /huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Data Requirement
Table 2-375  Configuring the start character in the URL

Item          Data    Description
name          url1    Set the start character in the URL to a.
start-mark    a

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <start-mark>a</start-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="32">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter start-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/start-mark</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Assignment Character in the URL

This section provides a sample of configuring the assignment character in the URL using the merge method. You can also use the create method to configure the assignment character in the URL.

Table 2-376  Configuring the assignment character in the URL

Operation            XPATH
edit-config:merge    /huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Data Requirement
Table 2-377  Configuring the assignment character in the URL

Item               Data    Description
name               url1    Set the assignment character in the URL to an equal sign (=).
assignment-mark    =

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <assignment-mark>=</assignment-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="33">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter assignment-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/assignment-mark</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Delimiter in the URL

This section provides a sample of configuring the delimiter in the URL using the merge method. You can also use the create method to configure the delimiter in the URL.

Table 2-378  Configuring the delimiter in the URL

Operation            XPATH
edit-config:merge    /huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Data Requirement
Table 2-379  Configuring the delimiter in the URL

Item            Data    Description
name            url1    Set the delimiter in the URL to l.
isolate-mark    l

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <isolate-mark>1</isolate-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="34">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter isolate-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/isolate-mark</error-info>
  </rpc-error>
</rpc-reply>
Binding the URL Template to the Portal Server Template

This section provides a sample of binding the URL template to the Portal server template using the merge method. You can also use the create method to bind the URL template to the Portal server template.

Table 2-380  Binding the URL template to the Portal server template

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/url-template/name

Data Requirement
Table 2-381  Binding the URL template to the Portal server template

Item    Data    Description
name    abc     Bind the URL template abc to the Portal server template huawei. The URL template abc and the Portal server template huawei must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <url-template>
     <name>abc</name>
    </url-template>
    <portal-server> 
     <name>huawei</name>
     <url-template xc:operation="merge">
      <name>abc</name>
     </url-template>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="35">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Undo/config url template failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/url-template/name</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Protocol Used in Portal Authentication

This section provides a sample of configuring the protocol used in Portal authentication using the merge method. You can also use the create method to configure the protocol used in Portal authentication.

Table 2-382  Configuring the protocol used in Portal authentication

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/protocol

Data Requirement
Table 2-383  Configuring the protocol used in Portal authentication

Item        Data      Description
protocol    portal    Set the protocol used in Portal authentication to the Portal protocol. The Portal server template huawei must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <protocol>portal</protocol>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>   
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="19">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The vpn-instance does not exist or is invalid.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/vpn-instance</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Number of the Port Through Which the Switch Listens to Portal Packets

This section provides a sample of configuring the number of the port through which the switch listens to Portal packets using the merge method. You can also use the create method to configure the number of the port through which the switch listens to Portal packets.

Table 2-384  Configuring the number of the port through which the switch listens to Portal packets

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/listening-port

Data Requirement
Table 2-385  Configuring the number of the port through which the switch listens to Portal packets

Item              Data    Description
listening-port    3210    Set the number of the port through which the switch listens to Portal packets to 3210.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="37">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Enabling the Portal Server Detection Function

This section provides a sample of enabling the Portal server detection function using the merge method. You can also use the create method to enable the Portal server detection function.

Table 2-386  Enabling the Portal server detection function

Operation            XPATH
edit-config:merge    /huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Data Requirement
Table 2-387  Enabling the Portal server detection function

Item                    Data    Description
server-detect-enable    true    Enable the Portal server detection function.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <server-detect-function>
      <server-detect-enable xc:operation="merge">true</server-detect-enable>
     </server-detect-function>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>  
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="37">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Enabling the User Information Synchronization Function for Portal Authentication

This section provides a sample of enabling the user information synchronization function for Portal authentication using the merge method. You can also use the create method to enable the user information synchronization function for Portal authentication.

Table 2-388  Enabling the user information synchronization function for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/user-sync-function

Data Requirement
Table 2-389  Enabling the user information synchronization function for Portal authentication

Item

Data

Description

user-sync-enable

true

Enable the user information synchronization function for Portal authentication.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <user-sync-function>
      <user-sync-enable>true</user-sync-enable>
     </user-sync-function>    
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Portal Access Profile

This section describes the configuration model of the Portal access profile and provides examples of XML packets.

Data Model

The configuration model file for the Portal access profile is huawei-nac-portal.yang.

Table 2-390  Data model

Object

Description

Value

Remarks

/huawei-nac-portal

Indicates that the request operation (creation, deletion, or modification) object is nac-portal. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile

Indicates that a Portal access profile is created.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/portal-server

Indicates that a Portal server template is bound to the Portal access profile.

The value must be the name of an existing Portal server template.

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/bak-portal-server

Indicates that a backup Portal server template is bound to the Portal access profile.

The value must be the name of an existing Portal server template.

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-mode

Indicates that the Portal authentication mode for the Portal access profile is configured.

Enumerated type:

  • direct: Layer 2 Portal authentication
  • layer3: Layer 3 Portal authentication

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-authentication-timer/offline-detect

Indicates that the offline detection interval for Portal authentication users is configured.

The value is 0 or an integer that ranges from 30 to 7200, in seconds. The default value is 300.

The value 0 indicates that user offline detection is not performed.

N/A

/huawei-nac-portal/portal-access/https-redirect-enable

Indicates whether HTTPS redirection of Portal authentication is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/service-scheme

Indicates that network access rights are configured (using a service scheme) for users when the Portal server is Down.

N/A

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/re-authen-trigger-event

Indicates that the switch is configured to re-authenticate users when the Portal server changes from Down to Up.

N/A

N/A

Creating a Portal Access Profile

This section provides a sample of creating a Portal access profile using the merge method. You can also use the create method to create a Portal access profile.

Table 2-391  Creating a Portal access profile

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/portal-server

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/bak-portal-server

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-mode

Data Requirement
Table 2-392  Portal access profile

Item

Data

Description

name

test

Create the Portal access profile test.

portal-server

webauthserver

Configure the Portal server template webauthserver bound to the Portal access profile test.

bak-portal-server

webauthbakserver

Configure the backup Portal server template webauthbakserver bound to the Portal access profile test.

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>test</name>
        <portal-server ns0:operation="merge">
          <portal-server>webauthserver</portal-server>
          <bak-portal-server>webauthbakserver</bak-portal-server>
        </portal-server>
        <portal-mode>direct</portal-mode>
      </portal-access-profile>
    </portal-access>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>webauthserver</name>
        <portal-server-ip>11.11.11.11</portal-server-ip>
        <destination-port>
          <port>50100</port>
          <always>true</always>
        </destination-port>
      </portal-server>
      <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>webauthbakserver</name>
        <portal-server-ip>10.10.10.22</portal-server-ip>
        <destination-port>
          <port>50100</port>
          <always>true</always>
        </destination-port>
      </portal-server>
    </portal>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="38">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="test"]/name</error-info>
  </rpc-error>
</rpc-reply>
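
The value rules in Table 2-390 can be checked on the management host before a request is sent. The following Python code is an added example, not Huawei code: it validates the name, portal-mode and offline-detect values and builds the request with an XML library, so values are escaped instead of concatenated into the payload. Assumptions: the function names are hypothetical, Portal server template names are assumed to follow the same naming rule as the profile name, and the portal-authentication-timer nesting is inferred from the XPath in the data model because the page shows no request sample for it.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NAC_PORTAL = "urn:huawei:params:xml:ns:yang:huawei-nac-portal"

# Symbols Table 2-390 forbids in a profile name, plus the space character.
FORBIDDEN = set(' /\\:*?"<>|@\'%')
PORTAL_MODES = ("direct", "layer3")


def check_profile_name(name):
    """Enforce the name rule: 1 to 31 characters, not - or --, no forbidden symbols."""
    if not isinstance(name, str) or not 1 <= len(name) <= 31:
        raise ValueError("name must be a string of 1 to 31 characters")
    if name in ("-", "--"):
        raise ValueError("name cannot be - or --")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        raise ValueError("name contains forbidden characters: %r" % bad)
    # Added assumption, stricter than the page: tabs, newlines and other
    # non-printable characters are refused as well.
    if not name.isprintable():
        raise ValueError("name contains non-printable characters")
    return name


def is_valid_name(name):
    """Boolean form of check_profile_name for use in filters and tests."""
    try:
        check_profile_name(name)
        return True
    except ValueError:
        return False


def check_offline_detect(seconds):
    """0 turns offline detection off; any other value must be 30 to 7200 seconds."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError("offline-detect must be an integer")
    if seconds != 0 and not 30 <= seconds <= 7200:
        raise ValueError("offline-detect must be 0 or 30 to 7200")
    return seconds


def _sub(parent, ns, tag, text=None, attrib=None):
    """Append a namespace-qualified child; the serializer escapes the text."""
    node = ET.SubElement(parent, "{%s}%s" % (ns, tag), attrib or {})
    if text is not None:
        node.text = text
    return node


def build_portal_profile_rpc(message_id, name, portal_server, bak_portal_server=None,
                             portal_mode="direct", offline_detect=None):
    """Return the edit-config request as a string, or raise ValueError."""
    if portal_mode not in PORTAL_MODES:
        raise ValueError("portal-mode must be one of %r" % (PORTAL_MODES,))
    rpc = ET.Element("{%s}rpc" % NC, {"message-id": str(message_id)})
    edit = _sub(rpc, NC, "edit-config")
    _sub(_sub(edit, NC, "target"), NC, "running")
    _sub(edit, NC, "error-option", "rollback-on-error")
    access = _sub(_sub(edit, NC, "config"), NAC_PORTAL, "portal-access")
    profile = _sub(access, NAC_PORTAL, "portal-access-profile",
                   attrib={"{%s}operation" % NC: "merge"})
    _sub(profile, NAC_PORTAL, "name", check_profile_name(name))
    servers = _sub(profile, NAC_PORTAL, "portal-server")
    _sub(servers, NAC_PORTAL, "portal-server", check_profile_name(portal_server))
    if bak_portal_server is not None:
        _sub(servers, NAC_PORTAL, "bak-portal-server",
             check_profile_name(bak_portal_server))
    _sub(profile, NAC_PORTAL, "portal-mode", portal_mode)
    if offline_detect is not None:
        # Nesting inferred from the data-model XPath (assumption).
        timer = _sub(profile, NAC_PORTAL, "portal-authentication-timer")
        _sub(timer, NAC_PORTAL, "offline-detect",
             str(check_offline_detect(offline_detect)))
    return ET.tostring(rpc, encoding="unicode")
```

The serializer picks its own namespace prefixes; the resulting document is namespace-equivalent to the request shown above.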
Enabling HTTPS Redirection of Portal Authentication

This section provides a sample of enabling HTTPS redirection of Portal authentication using the merge method. You can also use the create method to enable HTTPS redirection of Portal authentication.

Table 2-393  Enabling HTTPS redirection of Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal/portal-access/https-redirect-enable

Data Requirement
Table 2-394  Enabling HTTPS redirection of Portal authentication

Item

Data

Description

https-redirect-enable

true

Enable HTTPS redirection of Portal authentication.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <https-redirect-enable xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">true</https-redirect-enable>
   </portal-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="39">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Configuring Network Access Rights for Users When the Portal Server is Down (Using a Service Scheme)

This section provides a sample of configuring network access rights for users when the Portal server is Down (using a service scheme) using the merge method. You can also use the create method to configure network access rights for users when the Portal server is Down (using a service scheme).

Table 2-395  Configuring network access rights for users when the Portal server is Down (using a service scheme)

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/service-scheme

Data Requirement
Table 2-396  Configuring network access rights for users when the Portal server is Down (using a service scheme)

Item

Data

Description

service-scheme

serscheme_2

Configure network access rights for users when the Portal server is Down (using the service scheme serscheme_2).

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>portal_1</name>
        <authorize-of-authentication-event>
          <authentication-event>portal-server-down</authentication-event>
          <service-scheme>serscheme_2</service-scheme>
        </authorize-of-authentication-event>
      </portal-access-profile>
    </portal-access>
    <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
      <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>serscheme_2</name>
        <vsys>vsys</vsys>
      </service-scheme>
    </aaa>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="41">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> Service Scheme lsw_ss does not exist.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="portal_1"]/authorize-of-authentication-event[authentication-event="portal-server-down"]/service-scheme</error-info>
  </rpc-error>
</rpc-reply>
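
The failed responses on this page come in two shapes: one with error-type, error-tag and error-severity, and one with error-app-tag plus an error-info string that names the offending node. The following Python code is an added example, not Huawei code: it reads both shapes, extracts the module, leaf and list keys from the "Error on node" path, and checks the reply's message-id against the request. The function names are hypothetical; the sample replies are copied from this page.

```python
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
PREDICATE = re.compile(r'\[([\w.-]+)="([^"]*)"\]')
FIELDS = ("error-type", "error-tag", "error-severity", "error-app-tag", "error-message")

# Replies copied from the response samples on this page.
SAMPLE_SERVICE_SCHEME = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="41">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> Service Scheme lsw_ss does not exist.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="portal_1"]/authorize-of-authentication-event[authentication-event="portal-server-down"]/service-scheme</error-info>
  </rpc-error>
</rpc-reply>"""
SAMPLE_PARSE_ERROR = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="39">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>"""
SAMPLE_OK = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>"""


def split_error_node(info):
    """Split 'Error on node <path>' into path, module, leaf and list keys."""
    if not info or "Error on node" not in info:
        return None
    path = info.split("Error on node", 1)[1].strip()
    keys = PREDICATE.findall(path)            # [(key leaf, value), ...]
    segments = [s for s in PREDICATE.sub("", path).split("/") if s]
    if not segments:
        return None
    module = segments[0].split(":", 1)[0] if ":" in segments[0] else None
    return {"path": path, "module": module,
            "leaf": segments[-1].split(":")[-1], "keys": keys}


def parse_rpc_reply(xml_text, expected_message_id=None):
    """Classify a reply; raise ValueError if it is not an acceptable rpc-reply."""
    # RFC 6241 section 3 forbids document type declarations in NETCONF content,
    # so a reply that carries one is refused before it reaches the XML parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in NETCONF content")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}rpc-reply" % NC:
        raise ValueError("not a NETCONF rpc-reply")
    errors = []
    for err in root.iter("{%s}rpc-error" % NC):
        item = {f: (err.findtext("{%s}%s" % (NC, f)) or "").strip() or None
                for f in FIELDS}
        item["node"] = split_error_node(err.findtext("{%s}error-info" % NC))
        errors.append(item)
    message_id = root.get("message-id")
    return {
        # Success requires <ok/> and no rpc-error at all.
        "ok": root.find("{%s}ok" % NC) is not None and not errors,
        "message_id": message_id,
        "id_matches": expected_message_id is None or message_id == expected_message_id,
        "errors": errors,
    }
```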
Configuring the Switch to Re-authenticate Users When the Portal Server Changes from Down to Up

This section provides a sample of configuring the switch to re-authenticate users when the Portal server changes from Down to Up using the merge method. You can also use the create method to configure the switch to re-authenticate users when the Portal server changes from Down to Up.

Table 2-397  Configuring the switch to re-authenticate users when the Portal server changes from Down to Up

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/re-authen-trigger-event

Data Requirement
Table 2-398  Configuring the switch to re-authenticate users when the Portal server changes from Down to Up

Item

Data

Description

re-authen-trigger-event

portal-server-up

Configure the switch to re-authenticate users when the Portal server changes from Down to Up.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test_name</name>
     <re-authen-trigger-event xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">portal-server-up</re-authen-trigger-event>
    </portal-access-profile>
   </portal-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="44">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Creating an Authentication-Free Rule Profile

This section describes the configuration model of the authentication-free rule profile and provides examples of XML packets.

Data Model

The configuration model file for the authentication-free rule profile is huawei-nac.yang.

Table 2-399  Data model

Object

Description

Value

Remarks

/huawei-nac/nac-access/authentication-free-rule-profile

Indicates that the request operation (creation or modification) object is an authentication-free rule profile. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac/nac-access/authentication-free-rule-profile/name

Indicates the name of the created authentication-free rule profile.

Currently, the switch supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

N/A

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule

Indicates that an authentication-free rule is configured for users.

N/A

N/A

Creating an Authentication-Free Rule Profile

This section provides a sample of creating an authentication-free rule profile using the merge method. You can also use the create method to create an authentication-free rule profile.

Table 2-400  Creating an authentication-free rule profile

Operation

XPATH

edit-config:merge

/huawei-nac/nac-access/authentication-free-rule-profile/name

Data Requirement
Table 2-401  Creating an authentication-free rule profile

Item

Data

Description

name

default_free_rule

Create the authentication-free rule profile default_free_rule.

rule-id

1

Configure a common authentication-free rule.

destination

any

Request Example

# Configure a common authentication-free rule.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-free-rule-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>default_free_rule</name>
     <free-rule>
      <rule-id>1</rule-id>
      <destination>
       <any>any</any>
      </destination>
     </free-rule>
    </authentication-free-rule-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

# Sample of successful response.

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <ok/>
</rpc-reply>

# Sample of failed response.

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="45">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Free-rule-template name cmd executing failed.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-free-rule-profile[name="default_free_rule1"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring an Authentication Profile

This section describes the configuration model of the authentication profile and provides examples of XML packets.

Data Model

The configuration model file for the authentication profile is huawei-nac.yang.

Table 2-402  Data model

Object

Description

Value

Remarks

/huawei-nac:nac-access/configure-mode/unified-mode

Indicates that the request operation (creation or modification) object is nac-access. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Indicates that an authentication profile is configured.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Indicates that an 802.1X access profile is bound to the authentication profile.

The value must be the name of an existing 802.1X access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Indicates that a MAC access profile is bound to the authentication profile.

The value must be the name of an existing MAC access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Indicates that a Portal access profile is bound to the authentication profile.

The value must be the name of an existing Portal access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Indicates that a forcible domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Indicates that the default domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Indicates that a forcible domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Indicates that the default domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/device-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/service-scheme

Indicates that the function of allowing voice terminals to go online without authentication is configured.

The value must be the name of an existing service scheme.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the user access mode is configured.

Enumerated type:

  • single-terminal: The interface allows only one user to go online.
  • single-voice-with-data: The interface allows only one data user and one voice user to go online.
  • multi-share: The interface allows multiple users to go online. In this mode, the switch only authenticates the first access user. If the first user passes authentication, the subsequent users share the same network access rights with the first user. If the first user goes offline, other users also go offline.
  • multi-authen: The interface allows multiple users to go online. In this mode, the switch authenticates each access user. If a user passes authentication, the switch grants independent network access rights to the user. If a user goes offline, other users are not affected.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/max-user-num

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/access-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the maximum numbers of access users in different authentication modes are configured.

The value is an integer that varies depending on the card type.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/response-fail

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/vlan-id

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/service-scheme

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/ucl-group

Indicates that network access rights are configured for users in each phase before authentication.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Indicates that the switch is configured to re-authenticate users when the authentication server changes from Down to Up.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/pre-authen-access

Indicates whether the pre-connection function is disabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Binding the authentication profile to an interface.

The value must be the name of an existing authentication profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/unlimited

Indicates whether users are logged out when an interface link is faulty.

The value is of the Boolean type:

  • true: Users are logged out.
  • false: Users are not logged out.

    The default value is false.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/delay-time

Indicates the user logout delay when an interface link is faulty.

The value is an integer in the range from 0 to 60, in seconds.

The default value is 10.

N/A

Creating an Authentication Profile

This section provides a sample of creating an authentication profile using the merge method. You can also use the create method to create an authentication profile.

Table 2-403  Creating an authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Data Requirement
Table 2-404  Creating an authentication profile

Item

Data

Description

name

authen_pro

Create the authentication profile authen_pro.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="create">
     <name>authen_pro</name>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="46">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>invalid authen profile name</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_proauthen_proauthen_proauthen_pro"]/name</error-info>
  </rpc-error>
</rpc-reply>
Binding an 802.1X Access Profile to the Authentication Profile

This section provides a sample of binding an 802.1X access profile to the authentication profile using the merge method. You can also use the create method to bind an 802.1X access profile to the authentication profile.

Table 2-405  Binding an 802.1X access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Data Requirement
Table 2-406  Binding an 802.1X access profile to the authentication profile

Item

Data

Description

dot1x-access-profile

dot1x_access_profile

Bind the 802.1X access profile dot1x_access_profile to the authentication profile authen_pro.

The 802.1X access profile must exist on the switch.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <dot1x-access-profile>dot1x_access_profile</dot1x-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="47">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/dot1x-access-profile</error-info>
  </rpc-error>
</rpc-reply>
Binding a MAC Access Profile to the Authentication Profile

This section provides a sample of binding a MAC access profile to the authentication profile using the merge method. You can also use the create method to bind a MAC access profile to the authentication profile.

Table 2-407  Binding a MAC access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Data Requirement
Table 2-408  Binding a MAC access profile to the authentication profile

Item

Data

Description

mac-access-profile

mac_access_profile

Bind the MAC access profile mac_access_profile to the authentication profile authen_pro.

The MAC access profile must exist on the switch.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <mac-access-profile>mac_access_profile</mac-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="49">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/mac-access-profile</error-info>
  </rpc-error>
</rpc-reply>
Binding a Portal Access Profile to the Authentication Profile

This section provides a sample of binding a Portal access profile to the authentication profile using the merge method. You can also use the create method to bind a Portal access profile to the authentication profile.

Table 2-409  Binding a Portal access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Data Requirement
Table 2-410  Binding a Portal access profile to the authentication profile

Item

Data

Description

portal-access-profile

portal_access_profile

Bind the Portal access profile portal_access_profile to the authentication profile authen_pro.

The Portal access profile must exist on the switch.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <portal-access-profile>portal_access_profile</portal-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="48">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/portal-access-profile</error-info>
  </rpc-error>
</rpc-reply>
Configuring a Forcible Domain Based on the Access Type

This section provides a sample of configuring a forcible domain based on the access type using the merge method. You can also use the create method to configure a forcible domain based on the access type.

Table 2-411  Configuring a forcible domain based on the access type

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Data Requirement
Table 2-412  Configuring a forcible domain based on the access type

Item

Data

Description

domain-name

domain2

Configure a forcible domain based on the access type.

The domain must exist on the switch.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain2</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <force-domain>
      <access-force-domain>
       <access-type>dot1x</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>mac</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>portal</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="51">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/force-domain/access-force-domain[access-type="dot1x"]/domain-name</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Default Domain Based on the Access Type

This section provides a sample of configuring the default domain based on the access type using the merge method. You can also use the create method to configure the default domain based on the access type.

Table 2-413  Configuring the default domain based on the access type

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type |

Data Requirement
Table 2-414  Configuring the default domain based on the access type

| Item | Data | Description |
| --- | --- | --- |
| domain-name | domain2 | Configure the default domain based on the access type. The domain must exist on the switch. |

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
      <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>domain2</name>
        <vsys>public</vsys>
      </aaa-domain>
    </aaa>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>authen_pro</name>
        <default-domain>
          <access-default-domain>
            <access-type>dot1x</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
          <access-default-domain>
            <access-type>mac</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
          <access-default-domain>
            <access-type>portal</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
        </default-domain>
      </authentication-profile>
    </nac-access>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="52">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/default-domain/access-default-domain[access-type="dot1x"]/domain-name</error-info>
  </rpc-error>
</rpc-reply>
Configuring a Forcible Domain

This section provides a sample of configuring a forcible domain using the remove method.

Table 2-415  Configuring a forcible domain

| Operation | XPATH |
| --- | --- |
| edit-config:remove | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain |

Data Requirement
Table 2-416  Configuring a forcible domain

| Item | Data | Description |
| --- | --- | --- |
| domain-name | domain1 | Configure a forcible domain. The domain must exist on the switch. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <name>authen_pro</name>
     <force-domain>
      <default-force-domain>domain1</default-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="54">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo  access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/force-domain/default-force-domain</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Default Domain

This section provides a sample of configuring the default domain using the merge method. You can also use the create method to configure the default domain.

Table 2-417  Configuring the default domain

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain |

Data Requirement
Table 2-418  Configuring the default domain

| Item | Data | Description |
| --- | --- | --- |
| default-default-domain | domain1 | Configure the default domain. The domain must exist on the switch. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen</name>
     <default-domain>
      <default-default-domain>domain1</default-default-domain>
     </default-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="55">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo  access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/default-domain/default-default-domain</error-info>
  </rpc-error>
</rpc-reply>
Configuring the User Access Mode

This section provides a sample of configuring the user access mode using the merge method. You can also use the create method to configure the user access mode.

Table 2-419  Configuring the user access mode

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode |

Data Requirement
Table 2-420  Configuring the user access mode

| Item | Data | Description |
| --- | --- | --- |
| name | lsw_auth | Set the user access mode to multi-share. The authentication profile must exist on the switch. |
| mode | multi-share | |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>lsw_auth</name>
          <authentication-mode-parameters xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <mode>multi-share</mode>
          </authentication-mode-parameters>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="56">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
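
The failed-response samples above come in two shapes: one carries only error-app-tag, error-message and an error-info text of the form "Error on node <path>", the other carries the standard error-type, error-tag and error-severity fields with no node path. The following is an added example, not part of the Huawei document, of a client-side parser that handles both shapes and reports success only when ok is present, no rpc-error is present and the message-id matches the request; the function name, result fields and sample message-ids are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NC = "{urn:ietf:params:xml:ns:netconf:base:1.0}"
NODE_RE = re.compile(r"Error on node\s+(\S+.*)$")
KEY_RE = re.compile(r'\[([\w-]+)="([^"]*)"\]')

# Constructed replies modelled on the two failed-response shapes shown above.
APP_TAG_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="51">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/force-domain/access-force-domain[access-type="dot1x"]/domain-name</error-info>
  </rpc-error>
</rpc-reply>"""

STANDARD_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="56">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>"""

# Constructed success reply; the message-id value is a placeholder.
OK_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
 <ok/>
</rpc-reply>"""


def _field(err, name):
    """Stripped text of a direct child of <rpc-error>, or None if absent/empty."""
    return (err.findtext(NC + name) or "").strip() or None


def parse_reply(xml_text, expected_id):
    """Classify one rpc-reply. Success requires <ok/>, no error and a matching id."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    if root.tag != NC + "rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    errors = []
    for err in root.iter(NC + "rpc-error"):
        # The samples put the failing node in error-info as plain text.
        match = NODE_RE.search(_field(err, "error-info") or "")
        node = match.group(1).strip() if match else None
        errors.append({
            "tag": _field(err, "error-tag"),          # absent in the app-tag shape
            "app_tag": _field(err, "error-app-tag"),  # absent in the standard shape
            "message": _field(err, "error-message"),
            "node": node,
            # List keys such as name="authen_pro" identify the rejected entry.
            "keys": dict(KEY_RE.findall(node)) if node else {},
        })
    id_match = root.get("message-id") == expected_id
    has_ok = root.find(NC + "ok") is not None
    return {"ok": has_ok and not errors and id_match,
            "id_match": id_match, "errors": errors}


if __name__ == "__main__":
    for text, msg_id in ((APP_TAG_REPLY, "51"), (STANDARD_REPLY, "56"), (OK_REPLY, "101")):
        print(parse_reply(text, msg_id))
```
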
Configuring Network Access Rights for Users in Each Phase Before Authentication

This section provides a sample of configuring network access rights for users in each phase before authentication using the merge method. You can also use the create method to configure network access rights for users in each phase before authentication.

Table 2-421  Configuring network access rights for users in each phase before authentication

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/response-fail |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/vlan-id |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/service-scheme |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/ucl-group |

Data Requirement
Table 2-422  Configuring network access rights for users in each phase before authentication

| Item | Data | Description |
| --- | --- | --- |
| name | authen_pro | Configure network access rights for users in each phase before authentication. |
| authentication-event | pre-authen, authen-fail, authen-server-down | |
| vlan-id 1200 | 1200 | |
| response-fail | true | |
| service-scheme | lsw_service | |
| ucl-group | lsw_ucl | |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>authen_pro</name>
          <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>pre-authen</authentication-event>
            <vlan-id>1200</vlan-id>
          </authorize-of-authentication-event>
          <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>authen-fail</authentication-event>
            <response-fail>true</response-fail>
            <service-scheme>lsw_service</service-scheme>
          </authorize-of-authentication-event>
          <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>authen-server-down</authentication-event>
            <response-fail>true</response-fail>
            <ucl-group>lsw_ucl</ucl-group>
          </authorize-of-authentication-event>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="57">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Authorize event failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/authorize-of-authentication-event[authentication-event="authen-fail"]</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Function of Allowing Voice Terminals to Go Online Without Authentication

This section provides a sample of configuring the function of allowing voice terminals to go online without authentication using the merge method. You can also use the create method to configure the function of allowing voice terminals to go online without authentication.

Table 2-423  Configuring the function of allowing voice terminals to go online without authentication

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/device-type |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/service-scheme |

Data Requirement
Table 2-424  Configuring the function of allowing voice terminals to go online without authentication

| Item | Data | Description |
| --- | --- | --- |
| name | authen_pro | Configure the function of allowing voice terminals to go online without authentication. The service scheme must exist on the switch. |
| device-type | voice | |
| service-scheme | lsw_service | |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>lsw_service</name>
     <vsys>asd</vsys>
    </service-scheme>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <authorize-of-device>
      <device-type>voice</device-type>
      <service-scheme>lsw_service</service-scheme>
     </authorize-of-device>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="58">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>bind authen profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/authorize-of-device[device-type="voice"]</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Maximum Number of Access Users Allowed on the Interface in Multi-Authen Mode

This section provides a sample of configuring the maximum number of access users allowed on the interface in multi-authen mode using the merge method. You can also use the create method to configure the maximum number of access users allowed on the interface in multi-authen mode.

Table 2-425  Configuring the maximum number of access users allowed on the interface in multi-authen mode

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/max-user-num |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/access-type |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/default-max-user-num |

Data Requirement
Table 2-426  Configuring the maximum number of access users allowed on the interface in multi-authen mode

| Item | Data | Description |
| --- | --- | --- |
| name | lsw_auth | Configure the maximum number of access users allowed on the interface in multi-authen mode. |
| mac | 200 | |
| dot1x | 210 | |
| portal | 220 | |
| default-max-user-num | 1000 | |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>lsw_auth</name>
          <authentication-mode-parameters xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <mode>multi-authen</mode>
            <user-num xc:operation="merge">
              <access-type xc:operation="merge">mac</access-type>
              <max-user-num xc:operation="merge">200</max-user-num>
            </user-num>
            <user-num xc:operation="merge">
              <access-type xc:operation="merge">dot1x</access-type>
              <max-user-num xc:operation="merge">210</max-user-num>
            </user-num>
            <user-num xc:operation="merge">
              <access-type xc:operation="merge">portal</access-type>
              <max-user-num xc:operation="merge">220</max-user-num>
            </user-num>
            <default-max-user-num>1000</default-max-user-num>
          </authentication-mode-parameters>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="61">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Authorize mode multi-authen failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="lsw_auth"]/authentication-mode-parameters/user-num[access-type="mac"]/max-user-num</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Switch to Re-authenticate Users When the Authentication Server Changes from Down to Up

This section provides a sample of configuring the switch to re-authenticate users when the authentication server changes from Down to Up using the merge method. You can also use the create method to configure the switch to re-authenticate users when the authentication server changes from Down to Up.

Table 2-427  Configuring the switch to re-authenticate users when the authentication server changes from Down to Up

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event |

Data Requirement
Table 2-428  Configuring the switch to re-authenticate users when the authentication server changes from Down to Up

| Item | Data | Description |
| --- | --- | --- |
| name | lsw_auth | Configure the switch to re-authenticate users when the authentication server changes from Down to Up. |
| re-authen-trigger-event | authen-server-up | |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>lsw_auth</name>
     <re-authen-trigger-event>authen-server-up</re-authen-trigger-event>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Disabling the Pre-connection Function

This section provides a sample of disabling the pre-connection function using the merge method. You can also use the create method to disable the pre-connection function.

Table 2-429  Disabling the pre-connection function

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/pre-authen-access |

Data Requirement
Table 2-430  Disabling the pre-connection function

| Item | Data | Description |
| --- | --- | --- |
| pre-authen-access | false | Disable the pre-connection function. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <pre-authen-access xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">false</pre-authen-access>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>
Binding the Authentication Profile to an Interface

This section provides a sample of binding the authentication profile to an interface using the merge method. You can also use the create method to bind the authentication profile to an interface.

Table 2-431  Binding the authentication profile to an interface

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name |

Data Requirement
Table 2-432  Binding the authentication profile to an interface

| Item | Data | Description |
| --- | --- | --- |
| interface name | GigabitEthernet0/0/1 | Bind the authentication profile lzl to GigabitEthernet0/0/1. |
| authentication-profile-name | lzl | |

Request Example
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>lzl</name>
      </authentication-profile>
    </nac-access>
    <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <if:interface xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
        <if:name>GigabitEthernet0/0/1</if:name>
        <hw-nac:authentication-profile xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
          <hw-nac:authentication-profile-name>lzl</hw-nac:authentication-profile-name>
        </hw-nac:authentication-profile>
      </if:interface>
    </if:interfaces>
  </config>
</edit-config>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  

Sample of failed response

<rpc-reply message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>invalid-value</error-tag>
  <error-severity>error</error-severity>
  <error-message>The request specifies an unacceptable value for one or more parameters.</error-message>
 </rpc-error>
</rpc-reply> 
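
Several request examples in this section change who gets network access without authenticating (authorize-of-authentication-event, authorize-of-device), some omit the rollback-on-error option, and the forcible-domain example places operation="remove" on the authentication-profile element rather than on the leaf. The following is an added example, not part of the Huawei document, of a pre-submission check that flags these points in an edit-config payload. The rule names and function names are assumptions, and the scope check follows RFC 6241, where the operation attribute applies to the element that carries it; the page does not state how the switch handles that case.

```python
import xml.etree.ElementTree as ET

OP = "{urn:ietf:params:xml:ns:netconf:base:1.0}operation"
DESTRUCTIVE = {"remove", "delete", "replace"}
UNAUTH_EVENTS = {"pre-authen", "authen-fail", "authen-server-down"}
GRANTS = ("vlan-id", "service-scheme", "ucl-group")

# Constructed payload: pieces of the request examples on this page combined
# into one edit-config so that every check below has something to find.
SAMPLE = """<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target><running/></target>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <name>authen_pro</name>
     <force-domain>
      <default-force-domain>domain1</default-force-domain>
     </force-domain>
    </authentication-profile>
    <authentication-profile>
     <name>lsw_auth</name>
     <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
      <authentication-event>authen-server-down</authentication-event>
      <response-fail>true</response-fail>
      <ucl-group>lsw_ucl</ucl-group>
     </authorize-of-authentication-event>
     <authorize-of-device>
      <device-type>voice</device-type>
      <service-scheme>lsw_service</service-scheme>
     </authorize-of-device>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>"""


def local(elem):
    """Element name without its namespace."""
    return elem.tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child) == name:
            return (child.text or "").strip()
    return None


def audit_edit_config(xml_text):
    """Return a list of (rule, detail) findings for one edit-config payload."""
    root = ET.fromstring(xml_text)
    edit = next((e for e in root.iter() if local(e) == "edit-config"), None)
    if edit is None:
        return [("not-edit-config", "no <edit-config> element found")]
    findings = []
    # Without rollback-on-error a failure can leave part of the change applied.
    if child_text(edit, "error-option") != "rollback-on-error":
        findings.append(("no-rollback", "error-option is not rollback-on-error"))
    for elem in edit.iter():
        name, op = local(elem), elem.get(OP)
        nested = [c for c in elem if len(c)]  # children that have children
        # A destructive operation on a parent covers everything below it.
        if op in DESTRUCTIVE and nested:
            findings.append(("wide-scope", "%s on <%s name=%s> covers nested <%s>"
                             % (op, name, child_text(elem, "name"), local(nested[0]))))
        if name == "authorize-of-authentication-event":
            event = child_text(elem, "authentication-event")
            granted = [g for g in GRANTS if child_text(elem, g)]
            if event in UNAUTH_EVENTS and granted:
                findings.append(("unauthenticated-rights",
                                 "%s grants %s" % (event, ",".join(granted))))
        if name == "authorize-of-device":
            findings.append(("no-auth-device", "%s devices go online without "
                             "authentication" % child_text(elem, "device-type")))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_edit_config(SAMPLE):
        print(rule, "-", detail)
```
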
Updated: 2019-03-30

Document ID: EDOC1000178028
