Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Policy Association Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

as access controller ip-address

Function

The as access controller ip-address command specifies an IP address for a control device on an access device.

The undo as access controller ip-address command deletes the IP address specified for a control device from an access device.

By default, no IP address is specified for a control device on an access device.

Format

as access controller ip-address ip-address

undo as access controller ip-address

Parameters

Parameter | Description | Value
ip-address | Specifies an IP address for a control device. | The value is in dotted decimal notation.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the policy association solution is deployed, access and control devices establish connections through CAPWAP tunnels. When an access device dynamically obtains an IP address through the DHCP server, Option 43 is used to notify the access device of the IP address for the control device with which the access device establishes a CAPWAP tunnel. When an IP address is statically configured for an access device, the as access controller ip-address ip-address command is used to specify the IP address for the control device with which the access device establishes a CAPWAP tunnel.

Precautions

This command is supported only on access devices.

Example

# Specify an IP address for a control device.
<HUAWEI> system-view
[HUAWEI] as access controller ip-address 10.1.1.1

as access interface

Function

The as access interface command specifies a source interface for establishing CAPWAP tunnels on an access device.

The undo as access interface command deletes the source interface specified for establishing CAPWAP tunnels from an access device.

By default, no source interface is specified for establishing CAPWAP tunnels on an access device.

Format

as access interface vlanif vlan-id

undo as access interface

Parameters

Parameter | Description | Value
vlanif vlan-id | Specifies a source interface for establishing CAPWAP tunnels. | The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the policy association solution is deployed, CAPWAP tunnels are used for connection establishment, user association, message communication, user authorization policy delivery, and user synchronization between control and access devices. On an access device, run the as access interface vlanif vlan-id command to specify a source interface for establishing CAPWAP tunnels.

Precautions

This command is supported only on access devices.

The management VLAN of the CAPWAP tunnel cannot be the same as the management VLAN of the cloud switch.

In policy association, the management VLAN of a CAPWAP tunnel connects access devices to the network. Do not perform service configurations other than basic configurations in the management VLAN and the corresponding VLANIF interface. If such configurations are performed, access devices may fail to connect to the network.

Example

# Specify a source interface for establishing CAPWAP tunnels.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] quit
[HUAWEI] as access interface vlanif 10

authentication access-point

Function

The authentication access-point command enables remote access control on the interface of an access device.

The undo authentication access-point command disables remote access control on the interface of an access device.

By default, remote access control is disabled on the interface of an access device.

Format

authentication access-point [ open ]

undo authentication access-point [ open ]

Parameters

Parameter | Description | Value
open | Disables right control of the access point. | -

Views

Ethernet interface view, MultiGE interface view, 40GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you deploy policy association, configure the interface of each access device as the access point and enable remote access control on the interface.

To configure right control on a control device instead of an access device, you can disable right control of the access point on the access device (by specifying the open parameter).

Precautions

This command is supported only on access devices.

NOTE:

When you run the authentication access-point and undo authentication access-point commands, ensure that no authentication type is enabled on the interface. Otherwise, disable the authentication type before you run the commands.

The authentication access-point open and authentication access-point command must be run together; otherwise, the authentication access-point open command cannot take effect.

The interface types vary according to device models.

If there is a terminal with one MAC address and multiple IP addresses on the live network, you need to configure the function of identifying static users through IP addresses on the control device. However, because the access device cannot generate multiple entries for the terminal, you cannot implement right control on the access device. In this case, you need to disable right control of the access point on the access device. Otherwise, packets of the terminal will not be forwarded.

Example

# Configure GE0/0/1 as the access point.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication access-point

authentication access-point max-user

Function

The authentication access-point max-user command sets the maximum number of access users allowed on an interface of an access device.

The undo authentication access-point max-user command restores the default setting.

By default, an access device does not limit the maximum number of users who are allowed to log in through its interfaces.

Format

authentication access-point max-user max-user-number

undo authentication access-point max-user

Parameters

Parameter | Description | Value
max-user-number | Specifies the maximum number of access users allowed on an interface of an access device. | The value is an integer that ranges from 1 to 128 for S2750EI and S5700S-LI, from 1 to 512 for S5720EI, S6720EI, and S6720S-EI, and from 1 to 256 for other models.

Views

Ethernet interface view, MultiGE interface view, 40GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To limit the maximum number of access users allowed on an interface of an access device, run the authentication access-point max-user command.

Precautions

This command is supported only on access devices.

This command takes effect only for users who attempt to log in for the first time.

The interface types vary according to device models.

Example

# Set the maximum number of access users allowed on GE 0/0/1 to 100.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication access-point max-user 100

authentication associate alarm-restrain enable

Function

The authentication associate alarm-restrain enable command enables an access device to suppress alarms that are generated due to excess associated users.

The undo authentication associate alarm-restrain enable command disables alarm suppression.

By default, an access device is enabled to suppress alarms that are generated due to excess associated users.

Format

authentication associate alarm-restrain enable

undo authentication associate alarm-restrain enable

Parameters

None

Views

System view

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If associated users fail to log in to an access device due to the configured limitation on the access number, the device generates alarms about the login failure event.

These alarms consume device resources and affect system performance. To prevent the device from generating too many repeated alarms in a short period, run the authentication associate alarm-restrain enable command to enable suppression on these alarms. The device then does not generate alarms of the same type within a specified suppression period (set using the authentication associate alarm-restrain period command).

Precautions

This command is supported only on access devices.

Example

# Enable an access device to suppress alarms that are generated due to excess associated users.

<HUAWEI> system-view
[HUAWEI] authentication associate alarm-restrain enable

authentication associate alarm-restrain period

Function

The authentication associate alarm-restrain period command sets a suppression period for alarms that an access device generates due to excess associated users.

The undo authentication associate alarm-restrain period command restores the default setting.

By default, an access device suppresses such alarms for 300 seconds.

Format

authentication associate alarm-restrain period period-value

undo authentication associate alarm-restrain period

Parameters

Parameter | Description | Value
period-value | Specifies a suppression period for alarms that an access device generates due to excess associated users. | The value is an integer that ranges from 60 to 604800, in seconds.

Views

System view

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After an access device is enabled to suppress alarms that are generated due to excess associated users using the authentication associate alarm-restrain enable command, run the authentication associate alarm-restrain period command to set a suppression period for these alarms. The device then does not generate alarms of the same type within the suppression period.
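The following Python model, added here to illustrate the max-user limit together with the alarm-restrain enable and period commands, is not Huawei code: the class and function names are invented, the scenario data is constructed, and keying the suppression table on (interface, alarm type) is an assumption. It shows what an operator sees when a burst of logins exceeds the per-interface limit: one alarm is emitted and the repeats within the period are suppressed, while the suppression table records the last alarm time per interface.

```python
"""Per-interface access-user limits and alarm suppression on a policy
association access device. Added model for illustration, not Huawei code:
names are invented; behaviour follows the command reference for
authentication access-point max-user and authentication associate
alarm-restrain enable / period."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_RESTRAIN_PERIOD = 300  # documented default suppression period, seconds


@dataclass
class AccessPoint:
    """An interface on which authentication access-point is configured."""
    name: str
    max_user: Optional[int] = None  # None models the default: no limit
    users: set = field(default_factory=set)  # MAC addresses currently associated


@dataclass
class AccessDevice:
    alarm_restrain_enabled: bool = True  # enabled by default
    alarm_restrain_period: int = DEFAULT_RESTRAIN_PERIOD
    alarms: list = field(default_factory=list)  # emitted (time, interface, type)
    restrain_table: dict = field(default_factory=dict)  # (interface, type) -> last alarm time

    def associate(self, ap, mac, now):
        """Try to associate a user on `ap` at time `now`; True if admitted.
        A login rejected by max-user raises an ACCESS_USER_LIMIT alarm
        (the alarm name is invented), subject to suppression."""
        if mac in ap.users:
            return True
        if ap.max_user is not None and len(ap.users) >= ap.max_user:
            self.raise_alarm(now, ap.name, "ACCESS_USER_LIMIT")
            return False
        ap.users.add(mac)
        return True

    def raise_alarm(self, now, interface, alarm_type):
        """Emit an alarm unless one of the same type on this interface was
        emitted less than alarm_restrain_period seconds ago. Keying on
        (interface, type) is an assumption about the device's table."""
        key = (interface, alarm_type)
        if self.alarm_restrain_enabled:
            last = self.restrain_table.get(key)
            if last is not None and now - last < self.alarm_restrain_period:
                return False
        self.restrain_table[key] = now
        self.alarms.append((now, interface, alarm_type))
        return True

    def restrain_table_rows(self):
        """Rows in the shape of display authentication associate
        alarm-restrain-table: (interface, last alarm time)."""
        return sorted((iface, t) for (iface, _), t in self.restrain_table.items())


def simulate_burst(max_user=2, period=DEFAULT_RESTRAIN_PERIOD, enabled=True):
    """Constructed scenario: ten distinct MACs try to associate on GE0/0/1 one
    second apart. Returns (users admitted, alarms actually emitted)."""
    dev = AccessDevice(alarm_restrain_enabled=enabled, alarm_restrain_period=period)
    ap = AccessPoint("GigabitEthernet0/0/1", max_user=max_user)
    admitted = sum(dev.associate(ap, f"00e0-4c88-{i:04x}", now=float(i)) for i in range(10))
    return admitted, len(dev.alarms)


if __name__ == "__main__":
    print(simulate_burst())               # (2, 1): one alarm, seven repeats suppressed
    print(simulate_burst(enabled=False))  # (2, 8): one alarm per rejected login
    print(simulate_burst(period=3))       # (2, 3): a new alarm every 3 seconds
```

The third call uses a period below the command's 60-second minimum purely to keep the constructed timeline short; on a device the value must be within 60 to 604800.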

Precautions

This command is supported only on access devices.

Example

# Set the suppression period to 600s for alarms that an access device generates due to excess associated users.

<HUAWEI> system-view
[HUAWEI] authentication associate alarm-restrain period 600

authentication control-point

Function

The authentication control-point command configures an interface as the control point.

The undo authentication control-point command restores the default setting.

By default, an interface does not function as a control point.

Format

authentication control-point [ open ]

undo authentication control-point

Parameters

Parameter | Description | Value
open | Enables the forwarding function of the control point. | -

Views

VLANIF interface view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When policy association is configured, the interface on a control device is configured as the control point. If the open parameter is configured, the control point directly forwards user traffic. If the open parameter is not configured, the control point manages the forwarding rights for user traffic through NAC authentication.

Precautions

  • This command is supported only on control devices.

  • When the VLANIF interface is configured as the NAC authentication interface, the VLANIF interface and its mapping physical interface must be configured as control points. However, NAC authentication cannot be configured on the physical interface. The open parameter cannot be configured for a VLANIF interface.

  • When you run the authentication control-point [ open ] and undo authentication control-point commands, check whether any authentication type is enabled on the interface. If yes, disable the authentication type before you run the commands.

  • When one of the following interfaces functions as the control point, it can only directly forward user traffic; that is, only the authentication control-point open command can be configured on it:
    • An interface on a card other than the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards
    • An Eth-Trunk interface containing interfaces on cards other than the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards
    • An interface on the S6720SI, S6720S-SI, S6720EI, or S6720S-EI
    • An Eth-Trunk interface containing interfaces on the S6720SI, S6720S-SI, S6720EI, or S6720S-EI

Example

# Configure GE0/0/1 as the control point.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication control-point

authentication open ucl-policy enable

Function

The authentication open ucl-policy enable command configures a control point where the authentication control-point open command has been configured to filter user traffic based on a user ACL before forwarding the traffic.

The undo authentication open ucl-policy enable command restores a control point where authentication control-point open has been configured to directly forwarding user traffic without ACL filtering.

By default, a control point where authentication control-point open has been configured directly forwards user traffic.

NOTE:

Only the S5720HI, LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards support this command.

Format

authentication open ucl-policy enable

undo authentication open ucl-policy enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command is applicable to the following scenarios:

A control point directly forwards traffic from wired users who go online on an interface of the access device without authentication and the traffic from wireless users in direct forwarding mode. To enable the control point to filter user traffic based on a user ACL, run the authentication open ucl-policy enable command.

Prerequisites

The control device has been configured to filter packets based on a user ACL using the traffic-filter inbound acl { acl-number | name acl-name } command.

Precautions

This command can be executed only on the control device.

Example

# Configure the control point GE1/0/1 where the authentication control-point open command has been configured to filter user traffic based on a user ACL before forwarding the traffic.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication control-point open
[HUAWEI-GigabitEthernet1/0/1] authentication open ucl-policy enable

authentication speed-limit

Function

The authentication speed-limit command configures the rate limit for an access device to send user association and disassociation request messages.

The undo authentication speed-limit command restores the default rate limit for an access device to send user association and disassociation request messages.

By default, an access device sends a maximum of 60 user association and disassociation request messages within 30 seconds.

Format

authentication speed-limit max-num max-num-value interval interval-value

undo authentication speed-limit

Parameters

Parameter | Description | Value
max-num max-num-value | Specifies the maximum number of user association and disassociation request messages. | The value is an integer that ranges from 1 to 65535. The default value is 60.
interval interval-value | Specifies the interval for an access device to send user association and disassociation request messages. | The value is an integer that ranges from 1 to 65535, in seconds. The default value is 30.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A control device can connect to multiple access devices. If the rate limit for an access device to send user association and disassociation request messages is not specified, there will be a heavy load on the control device. You can run this command to adjust the rate limit.
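An added Python model of the authentication speed-limit behaviour, written for this page and not Huawei code: the class name, the sliding-window bookkeeping and the drop-on-limit policy are assumptions (the reference only states the maximum per interval and that users may fail to go online when the limit is hit). It lets an operator reason about how large a login burst the default of 60 messages per 30 seconds absorbs before requests start being withheld.

```python
"""Sliding-window limit on association/disassociation request messages, as
configured by authentication speed-limit max-num N interval T. Added model
for illustration, not Huawei code; names and the sliding-window choice are
assumptions. Documented defaults: 60 messages per 30 seconds."""
from collections import deque


class AssociationRequestLimiter:
    def __init__(self, max_num=60, interval=30):
        # Both parameters are documented as integers in 1..65535.
        if not (1 <= max_num <= 65535 and 1 <= interval <= 65535):
            raise ValueError("max-num and interval must be in 1..65535")
        self.max_num = max_num
        self.interval = interval
        self._sent = deque()  # send times of requests still inside the window
        self.dropped = 0      # requests withheld because the window was full

    def try_send(self, now):
        """Return True if a request may be sent at time `now`, else False."""
        # Expire send times that have fallen out of the interval.
        while self._sent and now - self._sent[0] >= self.interval:
            self._sent.popleft()
        if len(self._sent) >= self.max_num:
            self.dropped += 1
            return False
        self._sent.append(now)
        return True


def burst_admitted(limiter, n_users, start=0.0, spacing=0.1):
    """Constructed burst: n_users connect `spacing` seconds apart from `start`.
    Returns how many association requests the access device actually sends."""
    return sum(limiter.try_send(start + i * spacing) for i in range(n_users))


if __name__ == "__main__":
    default = AssociationRequestLimiter()
    print(burst_admitted(default, 100))                       # 60 sent, 40 withheld
    print(default.dropped)                                    # 40
    raised = AssociationRequestLimiter(max_num=100, interval=10)
    print(burst_admitted(raised, 100))                        # 100
```

Requests that are withheld in this model are the logins the Precautions describe as failing under a high access rate; raising max-num or shortening interval on the access device (or, in an SVF system, delivering the command from the UC device) widens the window.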

Precautions

This command is supported only on access devices.

In an SVF system, commands cannot be configured on ASs. When the access rate of users is high, they may fail to go online due to a rate limit. To lower the rate limit, run the direct-command command on the UC device to deliver the authentication speed-limit command configuration to the ASs. This requires that the ASs run V200R013C00 or a later version.

Example

# Configure the access device to send a maximum of 100 association and disassociation request messages within 10 seconds.

<HUAWEI> system-view
[HUAWEI] authentication speed-limit max-num 100 interval 10

control-down offline delay (access device)

Function

The control-down offline delay command configures the user logout delay on an access device when a control tunnel is faulty.

The undo control-down offline delay command restores the default user logout delay on an access device when a control tunnel is faulty.

By default, the users on an access device go offline immediately when a control tunnel is faulty.

Format

control-down offline delay { delay-value | unlimited }

undo control-down offline delay

Parameters

Parameter | Description | Value
delay-value | Specifies the user logout delay when a control tunnel is faulty. | The value is an integer that ranges from 1 to 60, in seconds. The default value is 0, indicating that users immediately go offline when a control tunnel is faulty.
unlimited | Specifies the user logout delay as unlimited. That is, users do not go offline when a control tunnel is faulty. | -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the control-down offline delay command to configure the user logout delay on an access device when a control tunnel is faulty. In this way, the users will not directly go offline upon a tunnel fault. If the fault persists after the delay, the users go offline; if the fault is rectified within the delay, the users keep online.

Precautions

This command is supported only on access devices.

You are advised to configure the same user logout delay on control devices and access devices.

Example

# Configure the user logout delay to 10 seconds on an access device after the control tunnel is faulty.

<HUAWEI> system-view
[HUAWEI] control-down offline delay 10

control-down offline delay (control device)

Function

The control-down offline delay command configures the user logout delay on a control device when a control tunnel is faulty.

The undo control-down offline delay command restores the default user logout delay on a control device when a control tunnel is faulty.

By default, users on a control device go offline immediately when a control tunnel is faulty.

Format

control-down offline delay { delay-value | unlimited }

undo control-down offline delay

Parameters

Parameter | Description | Value
delay-value | Specifies the user logout delay when a control tunnel is faulty. | The value is an integer that ranges from 1 to 60, in seconds. The default value is 0, indicating that users immediately go offline when a control tunnel is faulty.
unlimited | Specifies the user logout delay as unlimited. That is, users do not go offline when a control tunnel is faulty. | -

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the control-down offline delay command to configure the user logout delay on a control device when a control tunnel is faulty. In this way, the users will not directly go offline upon a tunnel fault. If the fault persists after the delay, the users go offline; if the fault is rectified within the delay, the users keep online.
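The timer semantics described for control-down offline delay on the access device and on the control device are the same, so one added Python model covers both; it is written for this page, not Huawei code, and the function names and the event list format are invented. It also shows the reason for the advice to configure the same delay on both devices: given the same tunnel fault, two different delays give two different logout times, so one side holds users the other has already logged out.

```python
"""Timer semantics of control-down offline delay { delay-value | unlimited }.
Added model for illustration, not Huawei code; names are invented."""
UNLIMITED = "unlimited"


def users_offline_at(events, delay, until):
    """events: time-sorted (time, "down" | "up") transitions of the control tunnel.
    delay: 0 (the default, immediate logout), 1..60 seconds, or UNLIMITED.
    Returns the time at which users are logged out, or None if they are still
    online at time `until`."""
    if delay != UNLIMITED and not (delay == 0 or 1 <= delay <= 60):
        raise ValueError("delay must be 0, 1..60, or 'unlimited'")
    down_since = None
    for t, state in events:
        if state == "down" and down_since is None:
            down_since = t
            if delay == 0:
                return t  # no delay configured: logout on the fault itself
        elif state == "up" and down_since is not None:
            if delay != UNLIMITED and t - down_since >= delay:
                return down_since + delay  # fault outlived the delay
            down_since = None  # rectified within the delay: users stay online
    if down_since is not None and delay != UNLIMITED and until - down_since >= delay:
        return down_since + delay
    return None


def sides_agree(events, access_delay, control_delay, until):
    """True if the access device and the control device would log users out
    at the same time for the same tunnet fault history."""
    return users_offline_at(events, access_delay, until) == users_offline_at(events, control_delay, until)


if __name__ == "__main__":
    short_fault = [(0, "down"), (5, "up")]     # constructed: 5-second outage
    long_fault = [(0, "down"), (15, "up")]     # constructed: 15-second outage
    print(users_offline_at(short_fault, 10, until=100))   # None, users kept
    print(users_offline_at(long_fault, 10, until=100))    # 10
    print(users_offline_at(long_fault, UNLIMITED, 100))   # None
    print(sides_agree([(0, "down")], 10, 30, until=100))  # False
```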

Precautions

This command is supported only on control devices.

You are advised to configure the same user logout delay on control devices and access devices.

When you configure users not to go offline upon a control tunnel failure, you also need to configure the link-down offline delay unlimited command in the authentication profile view.

Example

# Configure the user logout delay to 10 seconds on GE0/0/1 of the control device after a control tunnel is faulty.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] control-down offline delay 10

display access-user as-name

Function

The display access-user as-name command displays information about online users on a specified access device.

Format

display access-user as-name as-name

Parameters

Parameter | Description | Value
as-name | Specifies the name of an access device. | The value is the name of an existing access device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about online access users on a control device.

The actual name of an access device may differ from the name displayed on the control device (using the display as all command). When an access device goes online, its name is processed as follows:
  • If the access device uses the default name, its name is changed to default name-MAC address of the access device on the control device.
  • If the access device name contains spaces or double quotation marks ("), the spaces are changed to en dashes (-) and the double quotation marks (") are changed to single quotation marks (') on the control device.

Example

# Display information about users on the access device test_as.

<HUAWEI> display access-user as-name test_as 
------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 16019  fdsa@none               192.168.6.5      00e0-4c88-143f Success        
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1 
NOTE:

Only letters, digits, and special characters can be displayed for username.

When the value of username contains special characters or characters in other languages except English, the device displays dots (.) for these characters. If there are more than three such consecutive characters, three dots (.) are displayed. Here, the special characters are the ASCII codes smaller than 32 (space) or larger than 126 (~).
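The two rendering rules above (how the control device rewrites an access device's name, and how it masks non-printable or non-English characters in a username) are captured in the following added Python example; it is not Huawei code, the function names are invented, the factory default name is a placeholder the page does not state, and applying the username rule byte-wise over the UTF-8 encoding is an assumption drawn from the rule being stated in ASCII codes. The practical point for anyone correlating this output with other logs is that the displayed name can differ from the configured one, and that distinct usernames may collapse to the same dotted string.

```python
"""How a control device renders access-device names and usernames in
display access-user as-name output. Added illustration, not Huawei code;
function names are invented."""


def as_name_on_controller(as_name, mac, default_name="DEFAULT-NAME"):
    """Name an access device is listed under on the control device.
    default_name is a placeholder for the factory default sysname (not stated
    on this page); mac is in the xxxx-xxxx-xxxx form the CLI prints."""
    if as_name == default_name:
        return f"{default_name}-{mac}"
    # Spaces become '-' and double quotation marks become single ones.
    return as_name.replace(" ", "-").replace('"', "'")


def displayed_username(username):
    """Replace every byte below 32 (space) or above 126 (~) with '.', and
    collapse a run of more than three such bytes to exactly three dots.
    Byte-wise processing of the UTF-8 encoding is an assumption."""
    out = []
    run = 0
    for b in username.encode("utf-8"):
        if b < 32 or b > 126:
            run += 1
            if run <= 3:
                out.append(".")
        else:
            run = 0
            out.append(chr(b))
    return "".join(out)


def same_when_displayed(a, b):
    """True if two distinct usernames would be indistinguishable in the
    output, which matters when the output is used to identify a user."""
    return a != b and displayed_username(a) == displayed_username(b)


if __name__ == "__main__":
    print(as_name_on_controller("DEFAULT-NAME", "00e0-4c88-143f"))   # DEFAULT-NAME-00e0-4c88-143f
    print(as_name_on_controller('lab "core" sw', "00e0-4c88-143f"))  # lab-'core'-sw
    print(displayed_username("fdsa@none"))                           # fdsa@none
    print(displayed_username("ab\x01\x02\x03\x04c"))                 # ab...c
    print(same_when_displayed("user\x01", "user\x02"))               # True
```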

Table 13-104  Description of the display access-user as-name command output

Item | Description
UserID | ID that is assigned to a user after the user goes online.
Username | Name of a user.
IP address | IP address of a user.
MAC | MAC address of a user.
Status | Status of a user.

display associate-user

Function

The display associate-user command displays associated users on devices.

Format

display associate-user

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run this command to check associated users on access devices and control devices.

Precautions

Users are no longer listed as associated users on control devices after they are successfully authenticated or added to domains. You can run the display access-user (All views) command to check their user information.

Example

# Display the associated users on a control device.

<HUAWEI> display associate-user
 ------------------------------------------------------------------             
 UserID IP address       MAC            SA MAC                                  
 ------------------------------------------------------------------             
 27     192.168.12.1     00e0-4c88-143f dcba-6543-e00a                          
 ------------------------------------------------------------------             
 Total: 1, printed: 1       
Table 13-105  Description of the display associate-user command output

Item | Description
UserID | ID that is assigned to a user after the user is associated.
IP address | IP address of a user.
MAC | MAC address of a user.
SA MAC | MAC address of an access device.

# Display the associated users on an access device.

<HUAWEI> display associate-user
 -------------------------------------------------------------------------------
 UserID IP address       MAC            Status        Trigger type              
 -------------------------------------------------------------------------------
 27     192.168.12.1     00e0-4c88-143f Associated    Arp                       
 -------------------------------------------------------------------------------             
 Total: 1, printed: 1       
Table 13-106  Description of the display associate-user command output

Item | Description
UserID | ID that is assigned to a user after the user is associated.
IP address | IP address of a user.
MAC | MAC address of a user.
Status | Status of a user: Up (the access device has received the authentication success notification from the control device and enabled data forwarding rights for the user); Associated (the access device has received the association success response from the control device and is waiting for the authentication success notification from the control device); Idle (the access device has detected that the user is connected and periodically sends an association request, or is waiting for the association response from the control device); Deleting (the user has been added to the logout queue and is waiting for logout).
Trigger type | Type of packet that triggered creation of the association entry: Arp (ARP packets), Dot1x (dot1x packets), Http (HTTP packets), Dhcp (DHCP packets).
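A parser for the table format shared by the display associate-user and display access-user as-name outputs, added here as an example and not part of Huawei's software: the function names are invented, the first sample is the access-device output shown above, and the three-row sample is constructed. It turns the screen output into records, cross-checks the row count against the Total line, and picks out the users whose Status is not Up, which is the quickest way to see associations still waiting on the control device.

```python
"""Parser for the tabular output of display associate-user / display
access-user as-name. Added code for illustration, not Huawei's; the sample
outputs are the page's example and a constructed variant of it."""
import re
from collections import Counter

# Column names containing a space must be matched before the generic token.
COLUMN_RE = re.compile(r"IP address|SA MAC|Trigger type|\S+")
TOTAL_RE = re.compile(r"Total:\s*(\d+)")

SAMPLE_ACCESS = """\
<HUAWEI> display associate-user
 -------------------------------------------------------------------------------
 UserID IP address       MAC            Status        Trigger type
 -------------------------------------------------------------------------------
 27     192.168.12.1     00e0-4c88-143f Associated    Arp
 -------------------------------------------------------------------------------
 Total: 1, printed: 1
"""

# Constructed sample with one user in each of three states.
SAMPLE_CONSTRUCTED = """\
<HUAWEI> display associate-user
 -------------------------------------------------------------------------------
 UserID IP address       MAC            Status        Trigger type
 -------------------------------------------------------------------------------
 27     192.168.12.1     00e0-4c88-143f Up            Arp
 28     192.168.12.2     00e0-4c88-1440 Idle          Dhcp
 29     192.168.12.3     00e0-4c88-1441 Deleting      Dot1x
 -------------------------------------------------------------------------------
 Total: 3, printed: 3
"""


def parse_table(output):
    """Return one dict per row, keyed by the header's column names.
    Raises ValueError on a row that does not match the header or a Total
    line that disagrees with the number of rows printed."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    seps = [i for i, ln in enumerate(lines) if set(ln) == {"-"}]
    if len(seps) < 2:
        raise ValueError("no table found")
    header = COLUMN_RE.findall(lines[seps[0] + 1])
    end = seps[2] if len(seps) > 2 else len(lines)
    rows = []
    for ln in lines[seps[1] + 1:end]:
        cells = ln.split()
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {ln!r}")
        rows.append(dict(zip(header, cells)))
    m = TOTAL_RE.search(output)
    if m and int(m.group(1)) != len(rows):
        raise ValueError("Total line does not match rows parsed")
    return rows


def status_counts(rows):
    """Number of users per Status value."""
    return dict(Counter(r["Status"] for r in rows))


def users_waiting(rows):
    """Users of an access device not yet granted forwarding rights (Status != Up)."""
    return [r for r in rows if r.get("Status") != "Up"]


if __name__ == "__main__":
    rows = parse_table(SAMPLE_CONSTRUCTED)
    print(status_counts(rows))                     # {'Up': 1, 'Idle': 1, 'Deleting': 1}
    print([r["MAC"] for r in users_waiting(rows)])  # ['00e0-4c88-1440', '00e0-4c88-1441']
```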

display associate-user statistics

Function

The display associate-user statistics command displays statistics about associated users on an interface.

Format

display associate-user statistics [ interface interface-type interface-number ]

Parameters

Parameter | Description | Value
interface interface-type interface-number | Displays statistics about associated users on a specified interface. interface-type specifies the type of the interface; interface-number specifies the number of the interface. | -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check statistics about associated users on an interface, run the display associate-user statistics command.

Precautions

This command is supported only on access devices.

Example

# Display statistics about associated users on an interface.

<HUAWEI> display associate-user statistics
-------------------------------------------------------------------------------
Interface                    number
-------------------------------------------------------------------------------
GigabitEthernet0/0/1         3
TotalNumber                  3
-------------------------------------------------------------------------------
    Total 1
Table 13-107  Description of the display associate-user statistics command output

Item | Description
Interface | Interface that functions as an access point.
number | Number of associated users on the specified access point.
TotalNumber | Total number of associated users on all access points.
Total: m | Total number of associated entries (m).

display authentication associate

Function

The display authentication associate command displays the global configurations of associated users.

Format

display authentication associate

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check the global configurations of associated users, run the display authentication associate command. The command output contains the suppression status of alarms that an access device generates due to excess associated users and the configured alarm suppression period.

Precautions

This command is supported only on access devices.

Example

# Display the global configurations of associated users.

<HUAWEI> display authentication associate
 authentication associate alarm-restrain: Enable
 authentication associate alarm-restrain period: 300
Table 13-108  Description of the display authentication associate command output

Item | Description
authentication associate alarm-restrain | Suppression status (Enable or Disable) of alarms that an access device generates due to excess associated users. To configure the suppression status, run the authentication associate alarm-restrain enable command.
authentication associate alarm-restrain period | Suppression period for alarms that an access device generates due to excess associated users. To configure the suppression period, run the authentication associate alarm-restrain period command.

display authentication associate alarm-restrain-table

Function

The display authentication associate alarm-restrain-table command displays suppression table information of alarms that are generated due to excess associated users.

Format

display authentication associate alarm-restrain-table { all | interface interface-type interface-number }

Parameters

Parameter | Description | Value
all | Displays alarm suppression table information on all interfaces. | -
interface interface-type interface-number | Displays alarm suppression table information on a specified interface. interface-type specifies the type of the interface; interface-number specifies the number of the interface. | -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After an access device is enabled to suppress alarms that are generated due to excess associated users using the authentication associate alarm-restrain enable command, run the display authentication associate alarm-restrain-table command to check the alarm suppression table information.

Precautions

This command is supported only on access devices.

Example

# Display alarm suppression table information on all interfaces.

<HUAWEI> display authentication associate alarm-restrain-table all
-------------------------------------------------------------------------------
Interface                    alarm time
-------------------------------------------------------------------------------
GigabitEthernet0/0/1         --
-------------------------------------------------------------------------------
    Total 1
Table 13-109  Description of the display authentication associate alarm-restrain-table all command output

Item | Description
Interface | Interface that functions as an access point.
alarm time | Date and time when alarms were generated.
Total: m | Total number of suppressed entries (m).

local-authorize

Function

The local-authorize command specifies the user authorization information to be delivered to a control device.

The undo local-authorize command restores the default user authorization information to be delivered to a control device.

By default, all user authorization information can be delivered to a control device.

Format

local-authorize { none | { acl | car | priority | ucl-group | vlan } * }

undo local-authorize

Parameters

Parameter: acl
Description: Delivers ACL authorization information.
Value: -

Parameter: car
Description: Delivers CAR authorization information.
Value: -

Parameter: priority
Description: Delivers priority authorization information.
Value: -

Parameter: ucl-group
Description: Delivers UCL group authorization information.
NOTE: When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on control devices to ensure that the authorization information takes effect on the control devices.
Value: -

Parameter: vlan
Description: Delivers VLAN authorization information.
Value: -

Parameter: none
Description: Delivers no authorization information.
Value: -

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To enable a control device to implement specified user access policies, you can run this command to specify user authorization information to be delivered to the control device. By default, all authorization information is delivered to a control device.

Precautions

This command is supported only on control devices.

This command takes effect for all user authorization types, such as local authorization, remote authorization, and RADIUS dynamic authorization.

For VLAN authorization in a policy association scenario, VLAN authorization information must be delivered. Either run the local-authorize vlan command or leave the local-authorize command unconfigured (that is, keep the default settings), since by default all user authorization information can be delivered to a control device.

Example

# Deliver only UCL group authorization information to the control device.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] local-authorize ucl-group

remote-authorize

Function

The remote-authorize command specifies the user authorization information to be delivered to an access device.

The undo remote-authorize command restores the default user authorization information to be delivered to an access device.

By default, no user authorization information is delivered to access devices.

Format

remote-authorize { acl | car | ucl-group } *

undo remote-authorize

Parameters

Parameter: acl
Description: Delivers ACL authorization information.
Value: -

Parameter: car
Description: Delivers CAR authorization information.
Value: -

Parameter: ucl-group
Description: Delivers UCL group authorization information.
NOTE: When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on access devices to ensure that the authorization information takes effect on the access devices.
Value: -

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To enable an access device to implement specified user access policies, you can run this command to specify user authorization information to be delivered to the access device. By default, no authorization information is delivered to the access device.

Precautions

This command is supported only on access devices.

This command takes effect for all user authorization information, including local authorization, remote authorization, and RADIUS dynamic authorization information.

In SVF centralized configuration mode, access devices do not support ACL-based authorization or UCL groups.

Example

# Deliver only ACL authorization information to the access device.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] remote-authorize acl

user-detect

Function

The user-detect command enables the online user detection function on an access device.

The undo user-detect command disables the online user detection function on an access device.

By default, the online user detection function is enabled on an access device, the detection interval is 15 seconds, and the number of packet retransmission attempts is 3.

Format

user-detect { interval interval-value | retry retry-value } *

undo user-detect

Parameters

Parameter: interval interval-value
Description: Specifies the detection interval.
Value: The value is an integer that ranges from 1 to 65535, in seconds. The default value is 15.

Parameter: retry retry-value
Description: Specifies the number of packet retransmission attempts.
Value: The value is an integer that ranges from 1 to 255. The default value is 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user goes offline due to a power failure or network interruption, the access device and control device may still store information about this user, which results in a heavy load on the control device. In addition, only a limited number of users can access the device: if the device keeps storing information about users who went offline unexpectedly, other users cannot access the network.

After the detection interval is set, the device considers a user to be offline if the user does not respond within the interval. Then the access device and control device delete the saved information about the user, ensuring effective resource usage.

Precautions

This command is supported only on access devices.

You are advised to keep this function enabled on access devices.

This function takes effect only for users who go online after it is configured.

Example

# Enable online user detection in the system view, and set the detection interval to 10 seconds and number of packet retransmission attempts to 5.

<HUAWEI> system-view
[HUAWEI] user-detect interval 10 retry 5

user-sync (access device)

Function

The user-sync command enables the user synchronization function on an access device.

The undo user-sync command disables the user synchronization function on an access device.

By default, user synchronization is enabled on an access device and the synchronization interval is 60 seconds.

Format

user-sync interval interval-value

undo user-sync

Parameters

Parameter: interval interval-value
Description: Specifies the user synchronization interval.
Value: The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user is disconnected from an access device due to online detection or a failure to send a disconnection request message, the user information on the control device and access device cannot be synchronized.

After the user synchronization interval is reached, the access device sends a synchronization message containing MAC addresses of all online users to the control device. After receiving the synchronization message, the control device responds with a synchronization failure message if it finds that some users are offline. The access device forcibly disconnects the corresponding users according to the synchronization failure message.

Precautions

This command is supported only on access devices.

The user synchronization function needs to be enabled on both access devices and control devices to ensure that the function works properly. In addition, the user synchronization interval configured on access devices must be shorter than or equal to that configured on control devices, preventing users from being disconnected due to incorrect synchronization.

The user synchronization function of access devices depends on whether the control tunnel is available. When the control tunnel is faulty, the user synchronization function becomes abnormal.

Example

# Set the user synchronization interval to 100 seconds.

<HUAWEI> system-view
[HUAWEI] user-sync interval 100

user-sync (control device)

Function

The user-sync command enables the user synchronization function on a control device.

The undo user-sync command disables the user synchronization function on a control device.

By default, user synchronization is enabled on a control device, the synchronization interval is 60 seconds, and the number of synchronization attempts is 10.

Format

user-sync { interval interval-value | retry retry-value } *

undo user-sync

Parameters

Parameter: interval interval-value
Description: Specifies the user synchronization interval.
Value: The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.

Parameter: retry retry-value
Description: Specifies the maximum number of synchronization attempts.
Value: The value is an integer that ranges from 5 to 300. The default value is 10.

Views

VLANIF interface view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user is disconnected from an access device due to online detection or a failure to send a disconnection request message, the user information on the control device and access device cannot be synchronized.

Each time the user synchronization interval elapses, the number of synchronization attempts is incremented by 1. If the number of synchronization attempts reaches the maximum, the user is forced offline. If a synchronization message from the access device shows that the user is still online, the number of synchronization attempts is reset to 0.

Precautions

This command is supported only on control devices.

The user synchronization function needs to be enabled on both access devices and control devices to ensure that the function works properly. In addition, the user synchronization interval configured on access devices must be shorter than or equal to that configured on control devices, preventing users from being disconnected due to incorrect synchronization.
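The following is an added model of the exchange described in the user-sync (access device) and user-sync (control device) entries; it is constructed for this page and is not Huawei code. It assumes that the control device increments every user's attempt counter each time its own interval elapses and resets it whenever the access device's synchronization message lists that user, so it also shows why an access-side interval longer than the control-side interval can force an online user offline.

```python
class ControlDevice:
    """Control-device side: attempt counter per online user (constructed model)."""

    def __init__(self, interval, retry):
        self.interval, self.retry = interval, retry
        self.online = {}            # MAC -> synchronization attempt counter
        self.forced_offline = []    # users forced offline in order of occurrence

    def add_user(self, mac):
        self.online[mac] = 0

    def on_timer(self, now):
        # Assumption: each time the control-side interval elapses, every
        # user's counter is incremented; reaching the maximum forces the user offline.
        if now % self.interval:
            return
        for mac in list(self.online):
            self.online[mac] += 1
            if self.online[mac] >= self.retry:
                del self.online[mac]
                self.forced_offline.append(mac)

    def on_sync(self, macs):
        # A listed user is still online, so its counter is reset; users the
        # control device no longer holds are returned as synchronization failures.
        failures = []
        for mac in macs:
            if mac in self.online:
                self.online[mac] = 0
            else:
                failures.append(mac)
        return failures


class AccessDevice:
    """Access-device side: sends all online MACs, disconnects reported failures."""

    def __init__(self, interval, users):
        self.interval, self.online = interval, set(users)
        self.disconnected = []

    def on_timer(self, now, control):
        if now % self.interval:
            return
        for mac in control.on_sync(sorted(self.online)):
            self.online.discard(mac)
            self.disconnected.append(mac)


def simulate(access_interval, control_interval, retry, users, stale, seconds):
    """Drive both timers for `seconds`; `stale` are MACs only the access device still holds."""
    control = ControlDevice(control_interval, retry)
    for mac in users:
        control.add_user(mac)
    access = AccessDevice(access_interval, list(users) + list(stale))
    for now in range(1, seconds + 1):
        control.on_timer(now)
        access.on_timer(now, control)
    return control.forced_offline, access.disconnected
```

With equal intervals only the stale entry is cleaned up; with an access-side interval of 3600 seconds against a control-side interval of 60 seconds and retry 10, the control device forces the still-online user offline after 600 seconds.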

Example

# Set the user synchronization interval to 100 seconds and maximum number of synchronization attempts to 15 on GE0/0/1 of the control device.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] user-sync interval 100 retry 15
Updated: 2019-10-09

Document ID: EDOC1000178165