Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
AAA Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

aaa

Function

The aaa command displays the AAA view.

Format

aaa

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Using the aaa command in the system view, you can enter the AAA view and perform the following security configurations for access users:
  • Creating users
  • Configuring user levels
  • Creating an authentication scheme
  • Creating an authorization scheme
  • Creating a domain

Example

# Access the AAA view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa]

aaa abnormal-offline-record

Function

The aaa abnormal-offline-record command enables the device to record users' abnormal logout information.

The undo aaa abnormal-offline-record command disables the device from recording users' abnormal logout information.

By default, the device records users' abnormal logout information.

Format

aaa abnormal-offline-record

undo aaa abnormal-offline-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If users log out abnormally, run the aaa abnormal-offline-record command to enable the record function so that the abnormal logout records can be used for fault locating.

After the undo aaa abnormal-offline-record command is run, no abnormal logout information is recorded until the aaa abnormal-offline-record command is run again.

Example

# Enable the device to record users' abnormal logout information.

<HUAWEI> system-view
[HUAWEI] aaa abnormal-offline-record

# Disable the device from recording users' abnormal logout information.

<HUAWEI> system-view
[HUAWEI] undo aaa abnormal-offline-record

aaa offline-record

Function

The aaa offline-record command enables the device to record users' normal logout information.

The undo aaa offline-record command disables the device from recording users' normal logout information.

By default, the device is enabled to record user normal logout information.

Format

aaa offline-record

undo aaa offline-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Run the aaa offline-record command to enable the record function so that users' normal logout records are available for fault locating.

After the undo aaa offline-record command is run, no normal logout information is recorded until the aaa offline-record command is run again.

Example

# Enable the device to record users' normal logout information.

<HUAWEI> system-view
[HUAWEI] aaa offline-record

# Disable the device from recording users' normal logout information.

<HUAWEI> system-view
[HUAWEI] undo aaa offline-record

aaa online-fail-record

Function

The aaa online-fail-record command enables the device to record users' online failures.

The undo aaa online-fail-record command disables the device from recording users' online failures.

By default, the device records users' online failures.

Format

aaa online-fail-record

undo aaa online-fail-record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To query login failure records, for example to identify unauthorized login attempts, run the aaa online-fail-record command to enable the device to record users' online failures.

After the undo aaa online-fail-record command is run, no online failures are recorded until the aaa online-fail-record command is run again.

Example

# Enable the device to record users' online failures.

<HUAWEI> system-view
[HUAWEI] aaa online-fail-record

# Disable the device from recording users' online failures.

<HUAWEI> system-view
[HUAWEI] undo aaa online-fail-record

aaa-authen-bypass

Function

The aaa-authen-bypass command sets the bypass authentication timeout interval.

The undo aaa-authen-bypass command cancels the bypass authentication timeout interval.

By default, no bypass authentication timeout interval is set.

Format

aaa-authen-bypass enable time time-value

undo aaa-authen-bypass enable

Parameters

Parameter Description Value
enable Enables remote bypass authentication. -
time time-value Specifies the bypass authentication timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to scenarios that require a fast authentication response. Consider a user domain in which multiple authentication modes (for example, RADIUS authentication and local authentication) are configured, bypass authentication is enabled, and the bypass authentication timeout interval is configured. If the RADIUS server does not respond to a user's authentication request, the user is authenticated using local authentication and the bypass authentication timer is started at the same time. Other users in the same domain who authenticate during the configured bypass authentication timeout interval are authenticated directly using local authentication, without waiting for the RADIUS server to respond to their authentication requests, which accelerates the authentication response.

Precautions

When only one authentication mode is configured in a user domain and the bypass authentication timer is running, other users in the same domain are directly considered to fail authentication during the bypass authentication timeout interval.

While the timer is running, every authentication decision in the domain is made against the local user database alone, so the local accounts in that domain must be maintained to the same password and privilege standards as the accounts on the remote server.

Example

# Set the bypass authentication timeout interval to 3 minutes.

<HUAWEI> system-view
[HUAWEI] aaa-authen-bypass enable time 3

aaa-author-bypass

Function

The aaa-author-bypass command sets the bypass authorization timeout interval.

The undo aaa-author-bypass command cancels the bypass authorization timeout interval.

By default, no bypass authorization timeout interval is set.

Format

aaa-author-bypass enable time time-value

undo aaa-author-bypass enable

Parameters

Parameter Description Value
enable Enables remote bypass authorization. -
time time-value Specifies the bypass authorization timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to scenarios that require a fast authorization response. Consider a user domain in which multiple authorization modes (for example, HWTACACS authorization and local authorization) are configured, bypass authorization is enabled, and the bypass authorization timeout interval is configured. If the HWTACACS server does not respond to a user's authorization request, the user is authorized using local authorization and the bypass authorization timer is started at the same time. Other users in the same domain who are authorized during the configured bypass authorization timeout interval are authorized directly using local authorization, without waiting for the HWTACACS server to respond to their authorization requests, which accelerates the authorization response.

Precautions

When only one authorization mode is configured in a user domain and the bypass authorization timer is running, other users in the same domain are directly considered to fail authorization during the bypass authorization timeout interval.

Example

# Set the bypass authorization timeout interval to 3 minutes.

<HUAWEI> system-view
[HUAWEI] aaa-author-bypass enable time 3

aaa-author-cmd-bypass

Function

The aaa-author-cmd-bypass command sets the command-line bypass authorization timeout interval.

The undo aaa-author-cmd-bypass command cancels the command-line bypass authorization timeout interval.

By default, no command-line bypass authorization timeout interval is set.

Format

aaa-author-cmd-bypass enable time time-value

undo aaa-author-cmd-bypass enable

Parameters

Parameter Description Value
enable Enables remote command-line bypass authorization. -
time time-value Specifies the command-line bypass authorization timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to scenarios that require a fast command-line authorization response. Consider a user domain in which multiple command-line authorization modes (for example, HWTACACS authorization and local authorization) are configured, command-line bypass authorization is enabled, and the command-line bypass authorization timeout interval is configured. If the HWTACACS server does not respond to a user's command-line authorization request, the user is authorized using local authorization and the command-line bypass authorization timer is started at the same time. Other users in the same domain who are authorized during the configured command-line bypass authorization timeout interval are authorized directly using local authorization, without waiting for the HWTACACS server to respond to their authorization requests, which accelerates the authorization response.

Precautions

When only one command-line authorization mode is configured in a user domain and the command-line bypass authorization timer is running, other users in the same domain are directly considered to fail command-line authorization during the command-line bypass authorization timeout interval.

Example

# Set the command-line bypass authorization timeout interval to 3 minutes.

<HUAWEI> system-view
[HUAWEI] aaa-author-cmd-bypass enable time 3

aaa-author session-timeout invalid-value enable

Function

The aaa-author session-timeout invalid-value enable command prevents a device from disconnecting or reauthenticating users when the RADIUS server delivers session-timeout with value 0.

The undo aaa-author session-timeout invalid-value enable command restores the default setting.

By default, when the RADIUS server delivers session-timeout with value 0, this attribute does not take effect.

Format

aaa-author session-timeout invalid-value enable

undo aaa-author session-timeout invalid-value enable

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

When the RADIUS server delivers session-timeout with value 0:

  • If the aaa-author session-timeout invalid-value enable command is not configured, the session-timeout attribute delivered by the server does not take effect and the period for disconnecting or reauthenticating users depends on the device configuration.

  • If the aaa-author session-timeout invalid-value enable command is configured, the session-timeout attribute delivered by the server takes effect and the device does not disconnect or reauthenticate users.

You can run the dot1x timer reauthenticate-period reauthenticate-period-value or mac-authen timer reauthenticate-period reauthenticate-period-value command to configure the period for disconnecting or reauthenticating users on the device.

Example

# Prevent the device from disconnecting or reauthenticating users when the RADIUS server delivers session-timeout with value 0.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] aaa-author session-timeout invalid-value enable

accounting interim-fail

Function

The accounting interim-fail command sets the maximum number of real-time accounting failures and configures a policy used after the number of real-time accounting failures exceeds the maximum.

The undo accounting interim-fail command restores the default maximum number of real-time accounting failures and the default policy.

By default, the maximum number of real-time accounting failures is 3 and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

Format

accounting interim-fail [ max-times times ] { offline | online }

undo accounting interim-fail

Parameters

Parameter Description Value
max-times times Specifies the maximum number of real-time accounting failures. If the maximum number of real-time accounting failures is reached and the next accounting request still has no response, the device considers that accounting fails and applies the configured policy to users. The value is an integer that ranges from 1 to 255. The default value is 3.
offline Disconnects users if real-time accounting fails. -
online Keeps users online if real-time accounting fails. -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the real-time accounting function takes effect, the device sends real-time accounting requests to an accounting server, and the accounting server responds to the accounting requests. If the network is unstable, for example, a jitter occurs, the device may not receive response packets. As a result, accounting is interrupted for a short period of time. To reduce or prevent accounting interruption, run the accounting interim-fail command to set the maximum number of real-time accounting failures. The device considers that real-time accounting fails only after the number of consecutive real-time accounting failures exceeds the maximum.

Choose one of the following policies to be applied after the maximum number of real-time accounting failures is reached:

  • online: To prevent users from being affected by network faults, use the online policy to allow paid users to go online.
  • offline: To stop providing services when accounting fails, use the offline policy to force paid users to go offline.

Prerequisites

The real-time accounting function has been enabled by using the accounting realtime command.

Precautions

The accounting interim-fail command does not take effect for online users, but takes effect for the users who go online after the command is executed.

Example

# In the accounting scheme scheme1, set the maximum number of real-time accounting failures to 5 and use the offline policy.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting realtime 3
[HUAWEI-aaa-accounting-scheme1] accounting interim-fail max-times 5 offline

accounting realtime

Function

The accounting realtime command enables the real-time accounting function and sets the interval for real-time accounting in an accounting scheme.

The undo accounting realtime command disables the real-time accounting function.

By default, the real-time accounting function is disabled; the device performs accounting based on user online duration.

Format

accounting realtime interval

undo accounting realtime

Parameters

Parameter Description Value
interval Specifies the interval for real-time accounting. The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to the users who are charged based on online duration. If a user goes offline unexpectedly, the accounting server cannot receive the accounting-stop packet, so it keeps charging the user while they are not receiving a service. To solve the problem, configure the real-time accounting function on the device. After the real-time accounting function is configured, the device periodically sends real-time accounting packets to the accounting server. After receiving the real-time accounting packets, the accounting server charges the user. If the device detects that the user goes offline, it stops sending real-time accounting packets and the accounting server stops accounting. The result of real-time accounting is precise.

Precautions

  • When the accounting interval is set using both the accounting realtime command and the Acct-Interim-Interval attribute, if the Acct-Interim-Interval value range is 60-3932100, the interval set by Acct-Interim-Interval has a higher priority. Otherwise, the interval set by the accounting realtime command takes effect.

  • If an accounting scheme is applied to a domain, the accounting realtime command does not affect online users, but only takes effect for the users who go online after the command is executed.

  • If interval is set to 0 and the IP address of the client is changed, the device still sends a real-time accounting packet carrying the changed IP address information to the RADIUS server.
  • A short interval for real-time accounting requires high performance of the device and accounting server. If there are more than 1000 users, setting a long interval for real-time accounting is recommended. The following table lists the suggested real-time accounting intervals for different user quantities.

    Table 13-1  Real-time accounting interval for different user quantities

    User Quantity   Interval for Real-Time Accounting (Minutes)
    1-99            3
    100-499         6
    500-999         12
    ≥ 1000          ≥ 15
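The interval precedence in the first precaution above and the failure-counting rule described under accounting interim-fail are both easy to get wrong at the boundaries (the 60-3932100 second window for Acct-Interim-Interval; "max-times reached and the next request still unanswered"). The following Python model walks both rules over a constructed session. It is an added example written for this page, not switch code: effective_interim_interval_s, Session and the sample sessions are invented names, and the numbers come from the two command descriptions.

```python
"""Model of `accounting realtime` and `accounting interim-fail` behaviour.
Added illustration for this page, not device code: all names are invented."""
from dataclasses import dataclass, field
from typing import List, Optional

OFFLINE, ONLINE = "offline", "online"          # accounting interim-fail { offline | online }
MIN_ACCT_INTERIM_S, MAX_ACCT_INTERIM_S = 60, 3932100


def effective_interim_interval_s(scheme_minutes: int,
                                 acct_interim_interval: Optional[int]) -> int:
    """Seconds between real-time accounting packets for one session.

    Page precedence: a RADIUS Acct-Interim-Interval inside 60..3932100 seconds
    wins; otherwise the scheme's `accounting realtime <minutes>` applies, where
    0 means real-time accounting is disabled (returned here as 0)."""
    if (acct_interim_interval is not None
            and MIN_ACCT_INTERIM_S <= acct_interim_interval <= MAX_ACCT_INTERIM_S):
        return acct_interim_interval
    return scheme_minutes * 60


@dataclass
class Session:
    """One online user tracked by the accounting scheme (constructed)."""
    user: str
    max_times: int = 3            # accounting interim-fail max-times (default 3)
    policy: str = ONLINE          # accounting interim-fail policy (default online)
    consecutive_failures: int = 0
    online: bool = True
    history: List[str] = field(default_factory=list)

    def interim_update(self, server_responded: bool) -> bool:
        """Process one real-time accounting request; return whether the user
        is still online afterwards."""
        if not self.online:
            return False
        if server_responded:
            self.consecutive_failures = 0    # only *consecutive* failures count
            self.history.append("ack")
            return True
        self.consecutive_failures += 1
        self.history.append("timeout")
        # Page wording: failure is declared when max-times is reached AND the
        # next request is still unanswered, i.e. on failure number max_times + 1.
        if self.consecutive_failures > self.max_times and self.policy == OFFLINE:
            self.online = False
        return self.online


if __name__ == "__main__":
    # Scheme set to 6 minutes; server sends Acct-Interim-Interval = 30 (too small).
    print(effective_interim_interval_s(6, 30))          # 360: scheme value wins
    s = Session("alice", max_times=3, policy=OFFLINE)
    for answered in (False, False, False, False):
        print(s.user, "online" if s.interim_update(answered) else "offline")
```

With the offline policy and max-times 3, the fourth consecutive unanswered request is what disconnects the user; one acknowledged request in between resets the count, which is why short network jitter rarely drops users.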

Example

# In the accounting scheme scheme1, enable the real-time accounting function and set the interval for real-time accounting to 6 minutes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting realtime 6

accounting start-fail

Function

The accounting start-fail command configures a policy for accounting-start failures.

The undo accounting start-fail command restores the default policy for accounting-start failures.

By default, users cannot go online if accounting-start fails. That is, the offline policy is used.

Format

accounting start-fail { offline | online }

undo accounting start-fail

Parameters

Parameter Description Value
offline Rejects users' online requests if accounting-start fails. -
online Allows users to go online if accounting-start fails. -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user goes online after an accounting scheme is applied, the device sends an accounting-start packet to an accounting server. When the network is working properly, the accounting server responds to the accounting-start packet. If a fault occurs on the network, the device may not receive the response packet from the accounting server. As a result, accounting fails. The device provides the following policies for accounting failures:

  • online: To prevent users from being affected by network faults, use the online policy to allow paid users to go online.
  • offline: To stop providing services when accounting fails, use the offline policy to force paid users to go offline.

Precautions

The command takes effect only when the accounting mode configured using the accounting-mode command is HWTACACS or RADIUS.

Example

# In the accounting scheme scheme1, use the online policy for accounting-start failures.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting start-fail online

accounting-mode

Function

The accounting-mode command configures an accounting mode in an accounting scheme.

The undo accounting-mode command restores the default accounting mode in an accounting scheme.

By default, the accounting mode is none.

Format

accounting-mode { hwtacacs | none | radius }

undo accounting-mode

Parameters

Parameter Description Value
hwtacacs Indicates that accounting is performed by an HWTACACS server. -
none Indicates non-accounting. -
radius Indicates that accounting is performed by a RADIUS server. -

Views

Accounting scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Enterprises or carriers need to generate revenue by charging users who are accessing the Internet.

When a user goes online, accounting starts after the user is authenticated and authorized. When the user goes offline, accounting stops and the device, acting as the accounting client, sends an accounting packet containing the user's online duration to the accounting server.

To charge users, set the accounting mode to RADIUS or HWTACACS. Generally, the accounting mode is consistent with the authentication mode. If you do not need to charge users, set the accounting mode to none.

Precautions

The device does not support local accounting. When the authentication scheme configured using the authentication-mode (authentication scheme view) command defines local authentication, you need to run the accounting-mode none command to configure non-accounting or run the accounting start-fail command to configure a policy for accounting-start failures.

Follow-up Procedure

Apply the accounting scheme to a domain to enable the device to charge the users in the domain using the domain (AAA view) command.

Example

# Set the accounting mode to RADIUS in the accounting scheme scheme1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting-mode radius

accounting-scheme (AAA domain view)

Function

The accounting-scheme command applies an accounting scheme to a domain.

The undo accounting-scheme command restores the default accounting scheme of a domain.

By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Format

accounting-scheme accounting-scheme-name

undo accounting-scheme

Parameters

Parameter Description Value
accounting-scheme-name Specifies the name of an accounting scheme. The accounting scheme must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To charge users in a domain, create an accounting scheme and perform configurations in the accounting scheme, for example, set the accounting mode and policy for accounting-start failures. Run the accounting-scheme command in the AAA domain view to apply the accounting scheme to the domain.

Prerequisites

An accounting scheme has been created and configured using the accounting-scheme (AAA view) command. For example, the accounting mode and policy for accounting-start failures have been configured.

Example

# Apply the accounting scheme account1 to the domain isp1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme account1
[HUAWEI-aaa-accounting-account1] quit
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] accounting-scheme account1

# Restore the default accounting scheme of the domain isp2.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-domain-isp2] undo accounting-scheme

accounting-scheme (AAA view)

Function

The accounting-scheme command creates an accounting scheme and displays the accounting scheme view.

The undo accounting-scheme command deletes an accounting scheme.

By default, there is an accounting scheme named default in the system. This default accounting scheme can be modified but cannot be deleted. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Format

accounting-scheme accounting-scheme-name

undo accounting-scheme accounting-scheme-name

Parameters

Parameter Description Value
accounting-scheme-name Specifies the name of an accounting scheme. The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To charge users in a domain, create and configure an accounting scheme, for example, the accounting mode and policy for accounting-start failures. Run the accounting-scheme command in the AAA domain view to apply the accounting scheme to the domain.

Follow-up Procedure

After an accounting scheme is created:
  • Run the accounting interim-fail command to set the maximum number of real-time accounting failures and configure a policy used after a real-time accounting failure.
  • Run the accounting realtime command to enable the real-time accounting function and set the interval for real-time accounting in an accounting scheme.
  • Run the accounting start-fail command to configure a policy for accounting-start failures.
  • Run the accounting-mode command to configure an accounting mode in an accounting scheme.

After an accounting scheme is configured, run the accounting-scheme (AAA domain view) command in the AAA domain view to apply the accounting scheme to a domain.

Precautions

If the configured accounting scheme does not exist, the accounting-scheme command in the AAA view creates an accounting scheme and displays the accounting scheme view. If the configured accounting scheme already exists, the accounting-scheme command in the AAA view displays the accounting scheme view directly.

To delete an accounting scheme applied to a domain, run the undo accounting-scheme (AAA domain view) command.

Example

# Create an accounting scheme named scheme1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] 

# Enter the default accounting scheme view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme default
[HUAWEI-aaa-accounting-default] 

admin-user privilege level

Function

The admin-user privilege level command configures a user as an administrator to log in to the device and sets the user level.

The undo admin-user privilege level command deletes the configured user level.

By default, no user level is configured in a service scheme.

Format

admin-user privilege level level

undo admin-user privilege level

Parameters

Parameter Description Value
level Specifies the level of a user. A larger value indicates a higher user level. After logging in to the device, a user can run only the commands of the same level or lower levels. The value is an integer that ranges from 0 to 15.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device provides hierarchical management of commands. A command has a level, and a user can run only the commands of the same level or lower levels. By using the admin-user privilege level command to set the user level, the device controls commands used by users.

By default, commands are classified into the following levels:
  • Level 0 (visit level): Commands at level 0 include diagnosis commands such as ping and tracert commands and commands that are used to access a remote device such as the Telnet client. Commands at level 0 cannot be used to save configuration files.
  • Level 1 (monitoring level): Commands at level 1 are used for system maintenance, including display commands. Commands at level 1 cannot be used to save configuration files.
  • Level 2 (configuration level): Commands at level 2 are used for service configuration, including routing commands and commands at each network layer to provide network services for users.
  • Level 3 (management level): Commands at level 3 are used for basic operations of the system to support services, including file system, FTP, Trivial File Transfer Protocol (TFTP), configuration file switching commands, slave board control commands, user management commands, command level configuration commands, and debugging commands.

For finer-grained user management, raise the command levels so that levels 0 to 15 are used. You can run the command-privilege level command to raise the level of individual commands, or the command-privilege level rearrange command to raise command levels in a batch.

  • If non-authentication is used, the administrator level is specified using the user privilege command in the VTY interface view.

  • If local authentication is used, the administrator level is specified using the local-user privilege level command.
  • If remote authentication is used, the administrator level can be set in the following ways, in descending order of priority:
    1. Using the user level sent by an authentication server to the device after authentication has succeeded
    2. Running the admin-user privilege level command to set the administrator level in a service scheme
    3. Running the user privilege command to set the user level in the VTY interface view
  • If remote authentication and local authentication are configured, remote authentication is first used. If remote authentication fails, local authentication is used. The administrator level can be set in the following ways, in descending order of priority:
    1. Using the user level sent by an authentication server to the device after authentication has succeeded
    2. Running the local-user privilege level command to set the local user level

      NOTE:

      The local user level is used only when the remote authentication server is faulty. If the remote authentication server responds to authentication requests but does not deliver user levels, the configured local user level does not take effect.
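The precedence rules in the list above decide which level a login actually gets, and the NOTE describes the case operators most often misjudge: a reachable server that sends no level does not fall back to the local user level. The following Python function encodes those rules as written on this page. It is an added example, not device code: resolve_admin_level and its keyword arguments are invented names, and where the page gives no further fallback the function returns None rather than guessing.

```python
"""Model of how the administrator level is chosen for a login, following the
priority lists on this page.  Added illustration; names are invented."""
from typing import Optional

NONE_AUTH, LOCAL_AUTH, REMOTE_AUTH, REMOTE_THEN_LOCAL = (
    "none", "local", "remote", "remote-then-local")


def _check_level(level: Optional[int]) -> Optional[int]:
    """Levels on this platform are integers 0..15 (admin-user privilege level)."""
    if level is not None and not (isinstance(level, int) and 0 <= level <= 15):
        raise ValueError(f"user level out of range 0-15: {level!r}")
    return level


def resolve_admin_level(auth_mode: str, *,
                        server_reachable: bool = True,
                        server_level: Optional[int] = None,
                        service_scheme_level: Optional[int] = None,
                        local_user_level: Optional[int] = None,
                        vty_level: Optional[int] = None) -> Optional[int]:
    """Return the level the page's precedence rules give to a login, or None
    when no rule on the page supplies one.

    server_level         level delivered by the authentication server
    service_scheme_level admin-user privilege level in the service scheme
    local_user_level     local-user privilege level
    vty_level            user privilege in the VTY user interface view
    """
    for lvl in (server_level, service_scheme_level, local_user_level, vty_level):
        _check_level(lvl)

    if auth_mode == NONE_AUTH:
        return vty_level                      # only the VTY setting applies
    if auth_mode == LOCAL_AUTH:
        return local_user_level               # only the local user setting applies
    if auth_mode == REMOTE_AUTH:
        # Descending priority: server-delivered, service scheme, VTY.
        for lvl in (server_level, service_scheme_level, vty_level):
            if lvl is not None:
                return lvl
        return None
    if auth_mode == REMOTE_THEN_LOCAL:
        if not server_reachable:
            return local_user_level           # local level applies only when the server is faulty
        # NOTE on the page: the server answered, so the local level must not be
        # used even if no level was delivered. The page names no further
        # fallback for this case, so the model reports None.
        return server_level
    raise ValueError(f"unknown authentication mode: {auth_mode!r}")


if __name__ == "__main__":
    print(resolve_admin_level(REMOTE_AUTH, service_scheme_level=15, vty_level=1))   # 15
    print(resolve_admin_level(REMOTE_THEN_LOCAL, local_user_level=15))             # None
```

The last call is the trap the NOTE warns about: a local-user privilege level 15 configured "for when RADIUS is down" grants nothing while RADIUS is up and silent about levels, so administrators who rely on it should verify with display service-scheme and the server's attribute configuration rather than assume.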

The device updates the configuration in a domain dynamically. After a service scheme is applied to a domain, you can modify the user level in the service scheme directly, but you cannot delete the service scheme while it is bound to the domain. To unbind it, run the undo service-scheme (AAA domain view) command.

Follow-up Procedure

Run the display service-scheme command to view the user level in a service scheme.

Example

# Configure a user as an administrator to log in to the device and set the administrator level to 15.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] admin-user privilege level 15

authentication ipv6-statistics enable

Function

The authentication ipv6-statistics enable command enables IPv6 traffic statistics collection.

The undo authentication ipv6-statistics enable command disables IPv6 traffic statistics collection.

By default, IPv6 traffic statistics collection is disabled.

NOTE:

This function is only supported by the S5720HI.

You can configure this command on the S5720EI, S6720EI, and S6720S-EI, but the function does not take effect.

Format

authentication ipv6-statistics enable

undo authentication ipv6-statistics enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the statistic enable (AAA domain view) command is run to collect user traffic statistics, the switch does not collect statistics on IPv6 traffic by default. To enable IPv6 traffic statistics collection, run the authentication ipv6-statistics enable command.

Precautions
  • The switch does not support IPv6 traffic statistics collection for Layer 2 Portal authentication users and user terminals with one MAC address and multiple IP addresses.
  • The switch does not support IPv6 traffic statistics collection for Layer 3 Portal authentication users.

Example

# Enable IPv6 traffic statistics collection.

<HUAWEI> system-view
[HUAWEI] authentication ipv6-statistics enable

authentication-mode (authentication scheme view)

Function

The authentication-mode command configures an authentication mode for an authentication scheme.

The undo authentication-mode command restores the default authentication mode in an authentication scheme.

By default, local authentication is used.

Format

authentication-mode { hwtacacs | local | radius } * [ none ]

authentication-mode none

undo authentication-mode

Parameters

Parameter Description Value
hwtacacs Authenticates users using an HWTACACS server. To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. -
local Authenticates users locally. -
radius Authenticates users using a RADIUS server. To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. -
none Indicates non-authentication. That is, users access the network without being authenticated. -

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users, configure an authentication mode in an authentication scheme.

If multiple authentication modes are configured in an authentication scheme, the authentication modes are used according to the sequence in which they were configured.

  • In the sequence of local authentication followed by remote authentication:

    If a login account is not created locally but exists on the remote server, the authentication mode is changed from local authentication to remote authentication.

    If a login account is created locally and on the remote server, and local authentication fails because the password is incorrect, remote authentication will not be performed.

  • In the sequence of remote authentication followed by local authentication:

    If a login account is created locally but not on the remote server, remote authentication fails and local authentication will not be performed.

    A user is authenticated using the local authentication mode only when the remote server is Down or does not respond to the user's authentication request.

You can configure multiple authentication modes in an authentication scheme to reduce authentication failure possibilities.
  • After the authentication-mode radius local command is used, the device cannot complete RADIUS authentication if it fails to connect to the RADIUS authentication server. In this case, the device starts local authentication.

  • After the authentication-mode local radius command is used, if the entered user name exists on the device but the entered password is incorrect, the user fails the authentication; if the entered user name does not exist on the device, the user is redirected to the RADIUS authentication mode and is authenticated based on user information on the RADIUS server.

NOTE:
  • When both RADIUS authentication and non-authentication are configured, if the user fails the RADIUS authentication, non-authentication cannot be used. As a result, a user fails to log in.
  • If you run the authentication-mode command to configure non-authentication and run the authentication-mode (user interface view) command to configure AAA authentication, the device does not allow administrators to log in from the user interface view.

Precautions

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. Therefore, to protect the device and improve network security, you are advised to enable authentication, allowing only authenticated users to access the device or network.
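The fallback order described above, worked through as an added illustration that is not Huawei's code: each configured mode returns ACCEPT, REJECT or "no verdict", and the chain moves on only on "no verdict" (the local database does not know the account, or the remote server is Down or silent). This is the same "switch only when there is no response" rule that the authentication-super and authorization-mode commands describe; the account databases are constructed sample data.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"            # user authenticated, chain stops
    REJECT = "reject"            # user failed, chain stops (no further mode is tried)
    NO_VERDICT = "no-verdict"    # this mode could not judge; try the next configured mode


# Constructed sample account databases (not real credentials).
LOCAL_USERS: Dict[str, str] = {"netadmin": "Local#123"}
RADIUS_USERS: Dict[str, str] = {"alice": "Remote#456"}


def local_auth(user: str, password: str) -> Verdict:
    # A login account that is not created locally hands over to the next mode;
    # a wrong password for an existing local account is a hard failure.
    if user not in LOCAL_USERS:
        return Verdict.NO_VERDICT
    return Verdict.ACCEPT if LOCAL_USERS[user] == password else Verdict.REJECT


def remote_auth(user: str, password: str, server_up: bool) -> Verdict:
    # Modelled RADIUS server: the device falls back only when the server is Down
    # or does not respond. An Access-Reject (unknown user or wrong password)
    # is a hard failure and stops the chain.
    if not server_up:
        return Verdict.NO_VERDICT
    if RADIUS_USERS.get(user) == password:
        return Verdict.ACCEPT
    return Verdict.REJECT


def authenticate(modes: List[str], user: str, password: str,
                 radius_up: bool = True) -> Tuple[bool, List[str]]:
    """Walk the configured modes in order. Returns (authenticated, modes consulted),
    so the caller can see which modes were actually tried."""
    consulted: List[str] = []
    for mode in modes:
        consulted.append(mode)
        if mode == "local":
            verdict = local_auth(user, password)
        elif mode == "radius":
            verdict = remote_auth(user, password, radius_up)
        elif mode == "none":
            verdict = Verdict.ACCEPT      # non-authentication: anyone passes
        else:
            raise ValueError(f"unsupported mode: {mode}")
        if verdict is Verdict.ACCEPT:
            return True, consulted
        if verdict is Verdict.REJECT:
            return False, consulted
        # NO_VERDICT: fall through to the next configured mode
    return False, consulted   # every mode exhausted without a verdict


if __name__ == "__main__":
    # authentication-mode radius none: a RADIUS reject is final, so "none" is
    # reached only when the server does not answer.
    print(authenticate(["radius", "none"], "alice", "wrong"))
    print(authenticate(["radius", "none"], "anyone", "x", radius_up=False))
```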

Example

# Configure the authentication scheme named scheme1 to use RADIUS authentication.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-mode radius

authentication-scheme (AAA domain view)

Function

The authentication-scheme command applies an authentication scheme to a domain.

The undo authentication-scheme command restores the default configuration of the authentication scheme in a domain.

By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named radius is applied to other domains.

Format

authentication-scheme scheme-name

undo authentication-scheme

Parameters

Parameter Description Value
scheme-name Specifies the name of an authentication scheme. The value must be an existing authentication scheme name.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users in a domain, run the authentication-scheme (AAA domain view) command to apply an authentication scheme to a domain.

Prerequisites

An authentication scheme has been created and configured with the required parameters, for example, the authentication mode and the authentication mode for upgrading user levels.

Example

# Apply the authentication scheme named scheme1 to a domain named domain1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1] authentication-scheme scheme1

authentication-scheme (AAA view)

Function

The authentication-scheme command creates an authentication scheme and displays its view.

The undo authentication-scheme command deletes an authentication scheme.

By default, the default authentication scheme is used. This default authentication scheme can be modified but cannot be deleted. In the default authentication scheme:
  • Local authentication is used.
  • The offline policy is used for authentication failures.
By default, the system also provides the authentication scheme radius. The radius authentication scheme can be modified, but cannot be deleted. In the radius authentication scheme:
  • Local authentication is used.
  • The offline policy is used for authentication failures.

Format

authentication-scheme scheme-name

undo authentication-scheme scheme-name

Parameters

Parameter Description Value
scheme-name Specifies the name of an authentication scheme. The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users, run the authentication-scheme command to create an authentication scheme. Creating an authentication scheme is necessary before performing authentication-relevant configurations.

Follow-up Procedure

After an authentication scheme is created, run the authentication-mode (authentication scheme view) command to configure an authentication mode in an authentication scheme.

After an authentication scheme is configured, run the authentication-scheme (AAA domain view) command to apply the authentication scheme to a domain.

Precautions

If the configured authentication scheme does not exist, the authentication-scheme command creates an authentication scheme and displays the authentication scheme view. If the configured authentication scheme already exists, the authentication-scheme command directly displays the authentication scheme view.

To delete an authentication scheme applied to a domain, run the undo authentication-scheme (AAA domain view) command.

Example

# Create an authentication scheme named newscheme.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme newscheme
[HUAWEI-aaa-authen-newscheme]

# Access the default authentication scheme view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme default
[HUAWEI-aaa-authen-default]

authentication-super

Function

The authentication-super command configures an authentication mode for upgrading user levels in an authentication scheme.

The undo authentication-super command restores the default authentication mode for upgrading user levels in an authentication scheme.

By default, the super mode is used. That is, local authentication is used.

Format

authentication-super { hwtacacs | radius | super } * [ none ]

authentication-super none

undo authentication-super

Parameters

Parameter Description Value
hwtacacs Uses HWTACACS authentication to upgrade user levels. -
radius Uses RADIUS authentication to upgrade user levels. -
super Uses local authentication to upgrade user levels. -
none Indicates that user levels can be upgraded without authentication. -

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a user in a domain needs to upgrade the user level, the device prompts for a password to authenticate the user. If AAA authentication has been configured using the authentication-mode (user interface view) command, run the authentication-super command to configure the authentication mode used for upgrading user levels.

When you use the super command to switch a user level to a lower level or the same level, no authentication is required. When you use the super command to switch a user level to a higher level, authentication is required. The user can be granted rights only after being authenticated.

  • If super (local authentication) is specified, run the local-user command in the AAA view to create a local user and set the parameters of the local user.
  • If hwtacacs (HWTACACS authentication) is specified, perform the configurations relevant to HWTACACS authentication.
  • If radius (RADIUS authentication) is specified, perform the configurations relevant to RADIUS authentication.
  • If none is specified, no authentication is required.

Precautions

If multiple authentication modes are configured in an authentication scheme, these authentication modes are used in the sequence in which they were configured. The device uses another authentication mode only when it does not receive any response in the current authentication. The device does not switch to another authentication mode if the user fails to pass one authentication mode.

Example

# Set the authentication mode to HWTACACS authentication in the authentication scheme scheme1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-super hwtacacs

authentication-type radius chap access-type admin

Function

The authentication-type radius chap access-type admin command replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators.

The undo authentication-type radius chap access-type admin command restores PAP authentication when RADIUS authentication is performed on administrators.

By default, PAP authentication is used when RADIUS authentication is performed on administrators.

Format

authentication-type radius chap access-type admin [ ftp | ssh | telnet | terminal | http ] *

undo authentication-type radius chap access-type admin

Parameters

Parameter Description Value
ftp Replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using FTP. -
ssh Replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using SSH. -
telnet Replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using Telnet. -
terminal Replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using a terminal. -
http Replaces PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using a web management system. -

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

CHAP is a ciphertext authentication protocol. During CHAP authentication, the NAS sends the user name, the encrypted password, and a 16-byte random code to the RADIUS server. The RADIUS server looks up the user name in its database and obtains the password corresponding to the encrypted password sent from the user side. The RADIUS server then encrypts the received 16-byte random code with that password and compares the result with the encrypted password it received. If they are the same, the user is authenticated; if they differ, the user fails to be authenticated. In addition, if the user is authenticated, the RADIUS server generates a 16-byte random code to challenge the user. CHAP is more secure and reliable than PAP.

If no parameter is specified when you run the authentication-type radius chap access-type admin command, the configuration takes effect on the administrators who access the device using FTP, SSH, Telnet, Terminal, and HTTP.

When the device is connected to the RADIUS server that supports CHAP authentication, this function needs to be configured.
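The CHAP exchange described above, next to the PAP alternative it replaces, as an added example modelled on RFC 1994 and RFC 2865 (this is constructed illustration code, not the switch's or any RADIUS server's implementation; the shared secret, password and challenge values are constructed samples). With PAP, the password crosses the wire hidden only by the RADIUS shared secret and is recoverable by anyone who holds that secret; with CHAP, only a digest over a fresh 16-byte random code is sent.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """User side (RFC 1994): CHAP-Password = Ident || MD5(Ident || password || challenge).
    The NAS forwards this together with the user name and the 16-byte challenge."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """RADIUS server side: look up the user's password, recompute the digest over
    the same challenge and compare. The password itself never crosses the wire."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP: RADIUS User-Password hiding (RFC 2865 section 5.2). The password is
    padded to 16-byte blocks and XORed with MD5(secret || previous block), the
    first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_encode: whoever holds the shared secret recovers the
    plaintext password. This reversibility is what CHAP avoids.
    (Trailing NUL padding is stripped, so a password ending in 0x00 is ambiguous.)"""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_admin_login(password_entered: bytes, stored_password: bytes) -> bool:
    """One CHAP round trip: the NAS issues a fresh 16-byte challenge, the user
    answers, the server verifies against its stored password."""
    challenge = os.urandom(16)
    ident = 1
    response = chap_response(ident, password_entered, challenge)
    return chap_verify(response, challenge, stored_password)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    authenticator = os.urandom(16)
    hidden = pap_encode(b"Admin#Pass2024", secret, authenticator)
    print("PAP recovers:", pap_decode(hidden, secret, authenticator))
    print("CHAP login ok:", chap_admin_login(b"Admin#Pass2024", b"Admin#Pass2024"))
```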

Example

# Replace PAP authentication with CHAP authentication when RADIUS authentication is performed on administrators who access the device using FTP.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-type radius chap access-type admin ftp

authorization-cmd

Function

The authorization-cmd command configures command-specific authorization for an administrator of a specific level. After command-specific authorization is enabled and an administrator of a specific level logs in to the device, the commands that the administrator enters can be executed only after being authorized by the HWTACACS server.

The undo authorization-cmd command disables command-specific authorization for an administrator of a specific level.

By default, the command-specific authorization is disabled. That is, an administrator of any level can execute only commands of or below its level after logging in to the device.

Format

authorization-cmd privilege-level hwtacacs [ local ] [ none ]

undo authorization-cmd privilege-level

Parameters

Parameter Description Value
privilege-level Specifies the administrator level. The value is an integer that ranges from 0 to 15.
hwtacacs Indicates HWTACACS authorization. -
local Indicates local authorization. -
none Indicates that a command is authorized directly, without a command line authorization check, if the HWTACACS server does not respond to the user's authorization request. -

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After being authorized, users at a certain level can run the commands of the same or lower levels. Command line authorization can be configured to enforce least-privilege control over user rights: when it is enabled, each command entered by a user can be executed only after it is authorized. After command line authorization is enabled for users at a certain level, the commands run by users at that level must be authorized by an HWTACACS server.

Precautions

You are advised to configure local authorization as a backup of command line authorization. If command line authorization cannot be performed because of a failure on an HWTACACS server, the device starts local authorization.

After the authorization-cmd command is executed, command line authorization does not take effect immediately. Command line authorization takes effect only when an authorization scheme containing command line authorization is applied to administrator view correctly.

After an authorization scheme containing command line authorization is applied to administrator view, if you run the undo authorization-cmd command, an online administrator at a certain level cannot run any commands except for the quit command. The administrator needs to log in again.

Example

# Configure command line authorization for administrators at level 2.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme1
[HUAWEI-aaa-author-scheme1] authorization-cmd 2 hwtacacs

authorization-info check-fail policy

Function

The authorization-info check-fail policy command determines whether the device allows users to go online after the authorization information check fails.

The undo authorization-info check-fail policy command restores the default configuration.

By default, the device allows users to go online after the authorization information check fails.

Format

authorization-info check-fail policy { online | offline }

undo authorization-info check-fail policy

Parameters

Parameter Description Value
online Indicates that the device allows users to go online after the authorization information check fails. -
offline Indicates that the device prohibits users from going online after the authorization information check fails. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device supports user authorization through the ACL, UCL Group, User Group and VLAN delivered from the RADIUS server. If the ACL, UCL Group, User Group and VLAN delivered from the RADIUS server are not configured on the device, the authorization information check fails on the device.

You can use this command to allow such users to go online; in that case, the authorization information delivered by the RADIUS server does not take effect.

Example

# Configure the device to allow users to go online after the authorization information check fails.

<HUAWEI> system-view
[HUAWEI] authorization-info check-fail policy online

authorization-mode

Function

The authorization-mode command configures an authorization mode for an authorization scheme.

The undo authorization-mode command restores the default authorization mode in an authorization scheme.

By default, local authorization is used.

Format

authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

authorization-mode none

undo authorization-mode

Parameters

Parameter Description Value
hwtacacs Indicates that the user is authorized by an HWTACACS server. -
if-authenticated Indicates that only a user who succeeds in authentication (authentication exemption excluded) is authorized. The configuration of if-authenticated authorization does not take effect in RADIUS authentication. -
local Indicates that the user is authorized locally. -
none Indicates non-authorization. -

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authorize users, configure an authorization mode in an authorization scheme.

You can configure multiple authorization modes in an authorization scheme to reduce the chance of authorization failures.

After the authorization-mode hwtacacs local command is used, if the device fails to connect to the HWTACACS server and HWTACACS authorization cannot be performed, the device starts local authorization.

Precautions

  • If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or none mode must be used as the last authorization mode.

  • When the authorization mode is if-authenticated or none, the user privilege level is inherited from the user domain or is the same as that set in the VTY user view.
  • If multiple authorization modes are configured in an authorization scheme, the authorization modes are used according to the sequence in which they were configured. The device uses another authorization mode only when it does not receive any response in the current authorization.

Example

# Configure the authorization scheme named scheme1 to apply HWTACACS authorization.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme1
[HUAWEI-aaa-author-scheme1] authorization-mode hwtacacs

authorization-modify mode

Function

The authorization-modify mode command configures the update mode for user authorization information delivered by the authorization server.

The undo authorization-modify mode command restores the default update mode for user authorization information delivered by the authorization server.

By default, the update mode of user authorization information delivered by the authorization server is overlay. That is, the new user authorization information overwrites all existing user authorization information.

Format

authorization-modify mode { modify | overlay }

undo authorization-modify mode

Parameters

Parameter Description Value
modify Indicates the modify mode. -
overlay Indicates the overlay mode. -

Views

AAA view

Default Level

3: Management level

Usage Guidelines

The authorization server can deliver all or part of user authorization information, such as the ACL rule and dynamic VLAN.

You can run the authorization-modify mode command to configure one of the following update modes for user authorization information delivered by the authorization server:
  • modify: modification mode indicating that new user authorization information overwrites only existing user authorization information of the same type.
  • overlay: overwriting mode indicating that new user authorization information overwrites all existing user authorization information.
If the authorization server has delivered ACL 3001 to a user, and the administrator needs to deliver new authorization information:
  • In the modify mode, if the new authorization information is ACL 3002, the authorization information of the user is ACL 3002. If the new authorization information is VLAN 100, the authorization information of the user is ACL 3001 and VLAN 100.
  • In the overlay mode, no matter whether the new authorization information is ACL 3002 or VLAN 100, the authorization information of the user is the new ACL or VLAN.

This command takes effect for only the authorization information delivered by the RADIUS server.

After a user group or service scheme is authorized to a user on the device and a certain attribute configured in the user group or service scheme is modified on the server, if other configured attributes need to be modified, the authorization information on the server must contain the previously modified attribute. Otherwise, the original attribute value in the user group or service scheme will be restored. For example, to modify an attribute in a user group:
  1. The device authorizes the user group configured with the VLAN and ACL attributes to a user.
  2. To modify the VLAN attribute, authorize the new VLAN attribute to the user through the RADIUS server.
  3. To modify the ACL attribute after the VLAN attribute is modified, you must authorize the modified VLAN attribute and new ACL attribute through the RADIUS server. Otherwise, the original VLAN attribute in the user group will be restored.
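The modify and overlay update modes above, and the user group restore case in steps 1 to 3, worked through as an added model that is not the switch's own code. The ACL 3001, ACL 3002 and VLAN 100 values are the page's; VLAN 10 and VLAN 20 in the group walk-through are constructed sample values.

```python
from typing import Dict, List

Authorization = Dict[str, int]   # attribute type -> value, e.g. {"acl": 3001}


def apply_delivery(current: Authorization, delivered: Authorization, mode: str) -> Authorization:
    """Apply newly delivered authorization information to a user's current
    authorization information under the configured authorization-modify mode."""
    if mode == "overlay":
        # New information replaces everything the user had before.
        return dict(delivered)
    if mode == "modify":
        # Only attributes of the same type as the delivered ones are replaced;
        # existing attributes of other types are kept.
        merged = dict(current)
        merged.update(delivered)
        return merged
    raise ValueError(f"unknown update mode: {mode}")


def effective_group_attributes(group: Authorization, delivered: Authorization) -> Authorization:
    """Attributes of an authorized user group after a server delivery. Only the
    attributes present in the latest delivery override the group's configured
    values; any attribute left out of the delivery reverts to the group's value."""
    return {**group, **delivered}


def page_cases() -> Dict[str, Authorization]:
    """The page's walk-through: the user already holds ACL 3001."""
    start: Authorization = {"acl": 3001}
    return {
        "modify, acl 3002": apply_delivery(start, {"acl": 3002}, "modify"),
        "modify, vlan 100": apply_delivery(start, {"vlan": 100}, "modify"),
        "overlay, acl 3002": apply_delivery(start, {"acl": 3002}, "overlay"),
        "overlay, vlan 100": apply_delivery(start, {"vlan": 100}, "overlay"),
    }


def group_restore_walkthrough() -> List[Authorization]:
    """Steps 1 to 3 from the page. Step 3 is shown twice: once with the modified
    VLAN omitted from the delivery (the VLAN reverts to the group's value) and
    once with it repeated (the modified VLAN survives)."""
    group: Authorization = {"vlan": 10, "acl": 3001}          # constructed group config
    step1 = effective_group_attributes(group, {})              # group authorized as configured
    step2 = effective_group_attributes(group, {"vlan": 20})    # VLAN modified via RADIUS
    step3_omitted = effective_group_attributes(group, {"acl": 3002})
    step3_repeated = effective_group_attributes(group, {"vlan": 20, "acl": 3002})
    return [step1, step2, step3_omitted, step3_repeated]


if __name__ == "__main__":
    for name, result in page_cases().items():
        print(f"{name}: {result}")
    for step in group_restore_walkthrough():
        print(step)
```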

Example

# Set the update mode of user authorization information delivered by the authorization server to modify.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-modify mode modify

authorization-scheme (AAA domain view)

Function

The authorization-scheme command applies an authorization scheme to a domain.

The undo authorization-scheme command unbinds an authorization scheme from a domain.

By default, no authorization scheme is applied to a domain.

Format

authorization-scheme authorization-scheme-name

undo authorization-scheme

Parameters

Parameter Description Value
authorization-scheme-name Specifies the name of an authorization scheme. The authorization scheme must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

RADIUS integrates authentication and authorization; therefore, RADIUS authorization and authentication must be used together. HWTACACS separates authentication from authorization; therefore, you can configure another authorization type even if HWTACACS authentication, local authentication, or non-authentication is used.

To authorize users in a domain, run the authorization-scheme (AAA domain view) command.

Prerequisites

An authorization scheme has been created and configured with required parameters, for example, the authorization mode and command line authorization.

Example

# Apply the authorization scheme author1 to the domain isp1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme author1
[HUAWEI-aaa-author-author1] quit
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authorization-scheme author1

authorization-scheme (AAA view)

Function

The authorization-scheme command creates an authorization scheme and enters the authorization scheme view, or directly enters an existing authorization scheme view.

The undo authorization-scheme command deletes an authorization scheme.

By default, the default authorization scheme is used. This default authorization scheme can be modified but cannot be deleted. In the default authorization scheme, local authorization is used and command line authorization is disabled.

Format

authorization-scheme authorization-scheme-name

undo authorization-scheme authorization-scheme-name

Parameters

Parameter Description Value
authorization-scheme-name Specifies the name of an authorization scheme. The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

RADIUS integrates authentication and authorization; therefore, RADIUS authorization and authentication must be used together. HWTACACS separates authentication from authorization; therefore, you can configure another authorization type even if HWTACACS authentication, local authentication, or non-authentication is used. You must run the authorization-scheme command to create an authorization scheme before performing authorization-relevant configurations, for example, setting the authorization mode and command line authorization function.

Follow-up Procedure

After an authorization scheme is created:

  • Run the authorization-mode command to configure an authorization mode in an authorization scheme.
  • Run the authorization-cmd command to configure command line authorization for users at a certain level.

After an authorization scheme is configured, run the authorization-scheme (AAA domain view) command to apply the authorization scheme to a domain.

Precautions

  • If the configured authorization scheme does not exist, the authorization-scheme (AAA view) command creates an authorization scheme and displays the authorization scheme view.
  • If the configured authorization scheme already exists, the authorization-scheme (AAA view) command directly displays the authorization scheme view.

To delete the authorization scheme applied to a domain, run the undo authorization-scheme (AAA domain view) command.

Example

# Create an authorization scheme named scheme0.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme0
[HUAWEI-aaa-author-scheme0]

# Enter the default authorization scheme view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme default
[HUAWEI-aaa-author-default]

cmd recording-scheme

Function

The cmd recording-scheme command applies a policy in a recording scheme to record the commands executed on the device.

The undo cmd recording-scheme command deletes a policy from a recording scheme.

By default, the commands that are used on the device are not recorded.

Format

cmd recording-scheme recording-scheme-name

undo cmd recording-scheme

Parameters

Parameter Description Value
recording-scheme-name Specifies the name of a recording scheme. The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

During the device configuration, incorrect operations may result in network faults. After the cmd recording-scheme command is executed, you can view records of the commands executed on the device to locate the network faults.

Prerequisites

A recording scheme has been created by using the recording-scheme command and a recording mode has been configured by using the recording-mode hwtacacs command.

Example

# Configure a policy in the recording scheme scheme0 to record the commands executed on the device.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme0] quit
[HUAWEI-aaa] cmd recording-scheme scheme0

cut access-user

Function

The cut access-user command terminates one or more access user connections, forcibly logging the affected online users out.

Format

cut access-user { domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | service-scheme service-scheme-name | access-slot slot-id | user-id begin-number [ end-number ] | username user-name }

cut access-user ssid ssid-name (This command is only supported by the S5720HI.)

cut access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] | ppp } [ username user-name ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter Description Value
domain domain-name Disconnects sessions in a specified domain. The value must be the name of an existing domain.
interface interface-type interface-number Disconnects sessions on a specified interface. interface-type specifies the interface type; interface-number specifies the interface number. -
vlan vlan-id [ qinq qinq-vlan-id ] Disconnects sessions in a specified VLAN. vlan-id specifies the VLAN ID (in QinQ applications, the inner VLAN ID); qinq-vlan-id specifies the outer VLAN ID. The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.
ip-address ip-address Disconnects sessions initiated by a specified IP address. The value is in dotted decimal notation.
vpn-instance vpn-instance-name Indicates the name of the VPN instance that the specified IP address belongs to. The value must be an existing VPN instance name.
mac-address mac-address Disconnects sessions initiated by a specified MAC address. The value is in H-H-H format. An H contains 4 hexadecimal digits.
service-scheme service-scheme-name Terminates connections based on the service scheme. The value must be the name of an existing service scheme.
access-slot slot-id Disconnects sessions on a specified device. NOTE: This parameter is valid only for users that go online through physical interfaces of the device, and is invalid for users that go online through Eth-Trunks. The value range depends on the model of the device.
ssid ssid-name Disconnects sessions initiated by a service set identifier (SSID) for a service set. NOTE: SSID is supported only in the NAC unified mode. The SSID must already exist.
user-id begin-number [ end-number ] Disconnects sessions of a specified user. The user-id must exist on the device.
username user-name Disconnects sessions of a user with a specified user name. The value must be the name of an existing user.
access-type Disconnects the users that use the specified access type. -
admin [ ftp | ssh | telnet | terminal | web ] Disconnects the administrators that use the specified access type: ftp (FTP user), ssh (SSH user), telnet (Telnet user), terminal (terminal user), web (web user). -
ppp Disconnects online users that use PPP authentication. -

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Performing some configurations on the device, such as AAA configuration, requires that no users be online. You can run the cut access-user command to disconnect the sessions first.

Precautions

The cut access-user command interrupts all services of the user whose session is torn down.

If the character string of the user name contains spaces (for example, a b), you can run the display access-user username "a b" command to view online users.

If the character string of the user name contains spaces and quotation marks ("") simultaneously, you cannot use the user name to view online users. In this case, you can run the display access-user | include username command to view the user ID of the online user, and then run the display access-user user-id user-id command to view the user. Alternatively, you can run the cut access-user user-id user-id command to force the user to go offline.

Example

# Tear down the session initiated by the IP address 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user ip-address 10.1.1.1

display aaa

Function

The display aaa command displays information about normal logout, abnormal logout, and login failures.

Format

display aaa { offline-record | abnormal-offline-record | online-fail-record } { all | reverse-order | domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | access-slot slot-number | time start-time end-time [ date start-date end-date ] | username user-name [ time start-time end-time [ date start-date end-date ] ] } [ brief ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

offline-record

Displays normal logout records.

-

abnormal-offline-record

Displays abnormal logout records.

-

online-fail-record

Displays login failure records.

-

all

Displays all login and logout records.

-

reverse-order

Displays the records in a sequence reverse to the sequence in which they were generated. That is, the latest records are displayed first.

-

domain domain-name

Specifies the name of a domain.

The value is a string of 1 to 64 case-insensitive characters, excluding spaces, *, ?, and ".

interface interface-type interface-number

Specifies the type and number of an interface.

-

ip-address ip-address

Specifies an IP address.

The value is in dotted decimal notation.

vlan vlan-id

Specifies the inner VLAN ID.

The value is an integer that ranges from 1 to 4094.

qinq qinq-vlan-id

Specifies the outer VLAN ID.

The value is an integer that ranges from 1 to 4094.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

The value must be an existing VPN instance name.

mac-address mac-address

Specifies a MAC address.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

access-slot slot-number

Specifies the slot ID.

The value is an integer. The value range depends on the model of the device.

username user-name

Specifies a user.

The value must be an existing user.

time start-time end-time

Specifies a time range.

The format is HH:MM:SS, indicating hour:minute:second.

date start-date end-date

Specifies a date.

The format is YYYY/MM/DD. YYYY is the year, MM is the month, and DD is the day.

brief

Displays brief login and logout information.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command allows you to view information about user normal logouts, abnormal logouts, and login failures based on the domain name, interface, IP address, VPN instance, MAC address, or slot ID.

Precautions

Only letters, digits, and special characters can be displayed for username.

When the value of username contains special characters or characters in languages other than English, the device displays a dot (.) for each such character. If more than three such characters appear consecutively, only three dots (.) are displayed. Here, special characters are characters whose ASCII codes are lower than 32 (the code of the space character) or higher than 126 (the code of ~).

When the value of username is longer than 20 characters, the device displays the first 19 characters and replaces the characters after the 19th with up to three dots (.); that is, at most 22 characters are displayed.

Example

# View information about user normal logouts in domain rds.
<HUAWEI> display aaa offline-record domain rds
 -------------------------------------------------------------------
  User name             : test@rds
  Domain name           : rds
  User MAC              : 0021-9746-b67c
  User access type      : 802.1x
  User access interface : GigabitEthernet10/0/2
  Qinq vlan/User vlan   : 0/1
  User IP address       : 192.168.2.2
  User IPV6 address     : -
  User ID               : 19
  User login time       : 2008/10/01 04:49:39
  User offline time     : 2008/10/01 04:59:43
  User offline reason   : EAPOL user request
  -------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
Table 13-2  Description of the display aaa offline-record domain command output

Item

Description

User name

User name.

Domain name

Domain of a user.

User MAC

MAC address of a user.

User access type

Access type of a user.
  • 802.1x indicates that the user accesses the network through 802.1X.
  • API indicates that the user accesses the network through the API.
  • FTP indicates that the user accesses the network through FTP.
  • Telnet indicates that the user accesses the network through Telnet.
  • Terminal indicates that the user accesses the network through terminal.
  • SSH indicates that the user accesses the network through SSH.
  • x25-pad indicates that the user accesses the network through x25-pad.
  • HTTP indicates that the user accesses the network through HTTP.
  • Web indicates that the user accesses the network through web.
For the related command, see local-user service-type.

User access interface

Access interface of a user.

Qinq vlan/User vlan

VLAN that a user belongs to.
  • In QinQ application, QinQvlan indicates the outer VLAN ID and Uservlan indicates the inner VLAN ID.
  • For a common VLAN, Uservlan indicates the VLAN ID, and QinQvlan is 0.

User IP address

IP address of a user.

User IPV6 address

IPv6 address of a user.

User ID

Index of a user.

User login time

Time when a user goes online.

User offline time

Time when a user goes offline.

User offline reason

Reason why a user goes offline or fails to go online. The common reasons are as follows:
  • The value "EAPOL user request" indicates that an 802.1X user requests to go offline.
  • The value "PPP user request" indicates that a PPP user requests to go offline.
  • The value "Web user request" indicates that a web user requests to go offline.
  • The value "AAA cut command" indicates that a user was disconnected from the command line using the cut access-user command.
  • The value "Session time out" indicates that a session times out.
  • The value "Idle cut" indicates that a user is disconnected because the user does not perform any operation within a specified period.
  • The value "PPP authentication fail" indicates a PPP authentication failure.
  • The value "STA disassociation" indicates that an STA is disassociated.
  • The value "console reset or disable port" indicates that the management interface is down.
  • The value "Interface net down" indicates that an interface is down.
  • The value "No authentication server configured" indicates that no authentication server is configured.
  • The value "No radius-server template bound" indicates that no RADIUS server template is bound.
  • The value "No tacacs-server template bound" indicates that no TACACS server template is bound.
  • The value "No accounting server configured" indicates that no accounting server is configured.
  • The value "Accounting server no response" indicates that the accounting server does not respond.
  • The value "Local Authentication user block" indicates that the local user is locked.
  • The value "Authorize vlan error" indicates that VLAN authorization fails.

display aaa configuration

Function

The display aaa configuration command displays the AAA configurations, for example, the domain, authentication scheme, authorization scheme, and accounting scheme.

Format

display aaa configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

AAA configurations are limited by system specifications. Before performing AAA configurations, run the display aaa configuration command to check whether there are sufficient resources.

Example

# Display the AAA summary.

<HUAWEI> display aaa configuration
                                                                                
  Domain Name Delimiter            : @                                          
  Domainname parse direction       : Left to right                              
  Domainname location              : After-delimiter                            
  Administrator user default domain: default_admin                              
  Normal user default domain       : default                                    
  Domain                           : total: 32      used: 3                     
  Authentication-scheme            : total: 17      used: 3                     
  Accounting-scheme                : total: 16      used: 2                     
  Authorization-scheme             : total: 16      used: 2                     
  Service-scheme                   : total: 16      used: 0                     
  Recording-scheme                 : total: 3       used: 1                     
  Local-user                       : total: 1000    used: 3                     
  Local-user block retry-interval  : 5 Min(s)
  Local-user block retry-time      : 3
  Local-user block time            : 5 Min(s)
  Remote-user block retry-interval : 30 Min(s)
  Remote-user block retry-time     : 30
  Remote-user block time           : 30 Min(s)
Table 13-3  Description of the display aaa configuration command output

Item

Description

Domain Name Delimiter

Domain name delimiter, which can be any of the following characters: \ / : < > | @ ' %. The default domain name delimiter is @.

To configure a domain name delimiter, run the domain-name-delimiter command.

Domain

Number of domains.
  • total: indicates the total number of domains that can be created.
  • used: indicates the number of domains that have been created.

Domainname parse direction

Parsing direction of the domain name.

  • Left to right
  • Right to left

To configure this parameter, run the domainname-parse-direction command.

Domainname location

Domain name location.

  • After-delimiter: The domain name is placed after the domain name delimiter.
  • Before-delimiter: The domain name is placed before the domain name delimiter.

To configure this parameter, run the domain-location command.

Administrator user default domain

Domain name of administrator users.

Normal user default domain

Domain name of normal users.

Authentication-scheme

Number of authentication schemes.
  • total: indicates the total number of authentication schemes that can be created.
  • used: indicates the number of authentication schemes that have been created.

Accounting-scheme

Number of accounting schemes.
  • total: indicates the total number of accounting schemes that can be created.
  • used: indicates the number of accounting schemes that have been created.

Authorization-scheme

Number of authorization schemes.
  • total: indicates the total number of authorization schemes that can be created.
  • used: indicates the number of authorization schemes that have been created.

Service-scheme

Number of service schemes.
  • total: indicates the total number of service schemes that can be created.
  • used: indicates the number of service schemes that have been created.

Recording-scheme

Number of recording schemes.
  • total: indicates the total number of recording schemes that can be created.
  • used: indicates the number of recording schemes that have been created.

Local-user

Number of local users.
  • total: indicates the total number of local users that can be created.
  • used: indicates the number of local users that have been created.

Local-user block retry-interval

Authentication retry interval of a local account.

To configure this parameter, run the local-aaa-user wrong-password command.

Local-user block retry-time

Maximum number of consecutive authentication failures for a local account.

To configure this parameter, run the local-aaa-user wrong-password command.

Local-user block time

Locking time of a local account.

To configure this parameter, run the local-aaa-user wrong-password command.

Remote-user block retry-interval

Authentication retry interval of a remote AAA authentication user.

To configure this parameter, run the remote-aaa-user authen-fail command.

Remote-user block retry-time

Maximum number of consecutive authentication failures for a remote AAA authentication user.

To configure this parameter, run the remote-aaa-user authen-fail command.

Remote-user block time

Locking time of a remote AAA authentication user.

To configure this parameter, run the remote-aaa-user authen-fail command.

Session timeout invalid enable
  • Yes: The device will not disconnect or reauthenticate users when the RADIUS server delivers session-timeout with value 0.
  • No: The device will disconnect or reauthenticate users when the RADIUS server delivers session-timeout with value 0.

To configure this parameter, run the aaa-author session-timeout invalid-value enable command.

display aaa statistics offline-reason

Function

The display aaa statistics offline-reason command displays the reasons why users go offline.

Format

display aaa statistics offline-reason

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display aaa statistics offline-reason command helps you determine why users went offline. You can locate network faults based on the command output.

Example

# Display reasons why users go offline.

<HUAWEI> display aaa statistics offline-reason
19  User request to offline       :2 
87  AAA cut command               :1       
Table 13-4  Description of the display aaa statistics offline-reason command output

Item

Description

19/87

Reason code.

User request to offline

A user requested to go offline.

2/1

Number of times users go offline.

AAA cut command

A user is disconnected by the cut access-user command.

display access-user (All views)

Function

The display access-user command displays information about online users (including access users and administrators).

Format

display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | ipv6-address ipv6-address | access-slot slot-id ] [ detail ]

display access-user username user-name [ detail ]

display access-user ssid ssid-name (Only the S5720HI supports this command.)

display access-user [ mac-address mac-address | service-scheme service-scheme-name | user-id user-id ]

display access-user statistics (Only the S5720HI supports this command.)

display access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] | ppp } [ username user-name ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

domain domain-name

Displays information about users in a specified domain.

The domain name must already exist.

interface interface-type interface-number

Displays information about users on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

vlan vlan-id [ qinq qinq-vlan-id ]

Displays information about users in a VLAN.

  • vlan-id specifies the ID of a VLAN. In QinQ applications, this parameter specifies the inner VLAN ID.
  • qinq-vlan-id specifies the outer VLAN ID.

In the authorized ISP VLAN scenario, you can view the user information only when the specified VLAN ID is the ISP VLAN ID.

The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.

ip-address ip-address

Displays information about the user with a specified IP address.

NOTE:

When the user type is NAC or static, detailed information about the user is displayed. When the user is of another type, brief information about the user is displayed.

The value of ip-address is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value must be an existing VPN instance name.

ipv6-address ipv6-address

Displays information about the user with a specified IPv6 address.

The value is a 128-bit address written as 8 groups of 4 hexadecimal digits, in the format X:X:X:X:X:X:X:X.

mac-address mac-address

Displays information about the user with a specified MAC address.

The value is in H-H-H format. An H contains four hexadecimal digits.

service-scheme service-scheme-name

Displays information about the user with a specified service scheme.

The service scheme must already exist.

access-slot slot-id

Displays information about users connecting to a specified device.

The value range depends on the model of the device.

ssid ssid-name

Specifies the SSID for a service set.

The SSID must already exist.

NOTE:
SSID is supported only in the NAC unified mode.

username user-name

Displays information about the user with a user name.

The user name must already exist.

statistics

Displays user statistics on the device.
  • Historical user statistics: displays historical wireless user statistics on the device.
  • Current online user statistics: displays current user statistics on the device.

The keyword statistics is supported only in the NAC unified mode.

user-id user-id

Displays information about sessions of a specified user. If this parameter is specified, detailed information about the user is displayed.

The user-id must exist on the device.

detail

Displays detailed information about users.

-

access-type

Displays information about the users using the specified authentication mode.

-

admin [ ftp | ssh | telnet | terminal | web ]

Displays information about the administrators using the specified authentication mode.

  • ftp: FTP user
  • ssh: SSH user
  • telnet: Telnet user
  • terminal: Terminal user
  • web: Web user

-

ppp

Displays information about online users using PPP authentication.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays information about user sessions on the device.

Precautions

If the character string of the user name contains spaces (for example, a b), you can run the display access-user username "a b" command to view online users.

If the character string of the user name contains spaces and quotation marks ("") simultaneously, you cannot use the user name to view online users. In this case, you can run the display access-user | include username command to view the user ID of the online user, and then run the display access-user user-id user-id command to view the user. Alternatively, you can run the cut access-user user-id user-id command to force the user to go offline.

When displaying VPN user entries based on user IP address, you must set the vpn-instance vpn-instance-name parameter to specify the VPN instance to which the IP address belongs.

If user-id is specified, detailed information about the specified user is displayed. If user-id is not specified, brief information about all online users is displayed, including the user ID, user name, IP address, and MAC address of each user.

Only letters, digits, and special characters can be displayed for username.

When the value of username contains special characters or characters in languages other than English, the device displays a dot (.) for each such character. If more than three such characters appear consecutively, only three dots (.) are displayed. Here, special characters are characters whose ASCII codes are lower than 32 (the code of the space character) or higher than 126 (the code of ~).

When the value of username is longer than 20 characters, the device displays the first 19 characters and replaces the characters after the 19th with up to three dots (.); that is, at most 22 characters are displayed.

When interface is specified, the device displays the connection information of online wired users on the interface.

When querying user information based on interfaces, MAC addresses, or VLANs, the device only displays information about 802.1X, MAC address, or Portal authentication users.
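The masking and truncation rules above (the same rules are stated under display aaa) mean that two distinct user names can be displayed identically, which is why the precautions point you to user-id. The following Python model of those rules is an added example, not Huawei code; how the 20-character rule interacts with the masking is my reading of the text and is marked as an assumption in the code.

```python
"""Model of how the device renders 'username' in display aaa / display
access-user output, plus a check for user names that render identically.

Added example, not Huawei code.  Assumptions (my reading of the text):
- masking is applied per Unicode code point (a byte-wise device may show two
  dots for one non-ASCII character);
- the 20-character rule is evaluated on the masked string, and the characters
  after the 19th are replaced by one dot each, capped at three dots.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

KEEP = 19      # characters shown before the dots
LIMIT = 20     # names longer than this are shortened
MAX_DOTS = 3   # cap for both a masked run and the truncation marker


def is_masked(ch: str) -> bool:
    """ASCII code below 32 (space) or above 126 (~) is shown as a dot."""
    return ord(ch) < 32 or ord(ch) > 126


def mask_specials(name: str) -> str:
    """Replace each masked character with '.', at most three dots per run."""
    out: List[str] = []
    run = 0
    for ch in name:
        if is_masked(ch):
            run += 1
            if run <= MAX_DOTS:
                out.append(".")
        else:
            run = 0
            out.append(ch)
    return "".join(out)


def render_username(name: str) -> str:
    """Return the string the device would print for this user name."""
    shown = mask_specials(name)
    if len(shown) > LIMIT:
        hidden = len(shown) - KEEP
        shown = shown[:KEEP] + "." * min(MAX_DOTS, hidden)
    return shown


def display_collisions(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each rendered string to the distinct user names that produce it,
    keeping only the ambiguous ones.  Such users can only be told apart by
    user ID (display access-user user-id / cut access-user user-id)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in dict.fromkeys(names):   # de-duplicate, keep order
        groups[render_username(name)].append(name)
    return {shown: src for shown, src in groups.items() if len(src) > 1}


# Constructed sample: control characters, a non-ASCII letter and long names.
SAMPLE_USERNAMES = [
    "test@rds",
    "alice\t@rds",              # tab (ASCII 9) is masked
    "alice\x01@rds",            # SOH (ASCII 1) is masked the same way
    "jos\u00e9",                # e-acute is above 126
    "administrator_backup_01",  # 23 characters
    "administrator_backup_02",  # differs only after the 19th character
]

if __name__ == "__main__":
    for n in SAMPLE_USERNAMES:
        print(repr(n), "->", render_username(n))
    for shown, src in display_collisions(SAMPLE_USERNAMES).items():
        print("ambiguous:", shown, "<-", src)
```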

Example

# Display information about user sessions on the device.

<HUAWEI> display access-user
  ----------------------------------------------------------------------------------------------- 
  UserID Username                       IP address                   MAC            Status
  -----------------------------------------------------------------------------------------------
  1      normal@local                   -                         001b-21c4-3b56    Success
  62     005500000001                   192.168.1.121             0055-0000-0001    Open 
  32675  fztest                         -                         4611-97a4-0000    Success
  16019  b002404                        192.168.1.2               0000-c055-0102    Success
  -----------------------------------------------------------------------------------------------
 Total: 4, printed: 4
NOTE:

If you specify the include or exclude parameter in the command, the values of Total and printed are still the total number of users.
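Parsing the brief listing is the first step in spotting sessions that are online without a completed authentication (Status values other than Success, as described in the output table below). The following Python parser is an added example, not Huawei code; the sample text is constructed from the layout above, and the regular expression is my assumption about the column format (it is anchored on the H-H-H MAC field so that a user name containing spaces still parses).

```python
"""Parse the brief 'display access-user' listing and list the sessions that
are online without a completed authentication.

Added example, not Huawei code.  The regular expression is an assumption
about how the columns are laid out; the sample output is constructed from
the layout shown in the command output above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
<HUAWEI> display access-user
  -----------------------------------------------------------------------------------------------
  UserID Username                       IP address                   MAC            Status
  -----------------------------------------------------------------------------------------------
  1      normal@local                   -                         001b-21c4-3b56    Success
  62     005500000001                   192.168.1.121             0055-0000-0001    Open
  32675  fztest                         -                         4611-97a4-0000    Success
  16019  b002404                        192.168.1.2               0000-c055-0102    Success
  7      a b@rds                        192.168.1.9               00e0-fc12-3456    Fail-authorized
  -----------------------------------------------------------------------------------------------
 Total: 5, printed: 5
"""

# Row layout (assumed): UserID, Username (may contain spaces), IP or '-',
# MAC in H-H-H form, Status.  Anchoring on the MAC keeps the name unambiguous.
ROW_RE = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<name>.*?)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(?P<status>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^\s*Total:\s*(\d+),\s*printed:\s*(\d+)")

# Only Success means authentication completed; Open, Pre-authen,
# Client-no-resp, Fail-authorized, Web-server-down and Aaa-server-down do not.
AUTHENTICATED = {"Success"}


@dataclass
class AccessUser:
    user_id: int
    username: str
    ip: str
    mac: str
    status: str


@dataclass
class BriefListing:
    users: List[AccessUser]
    total: Optional[int] = None    # "Total:" trailer, if present
    printed: Optional[int] = None  # "printed:" trailer, if present


def parse_access_user_brief(text: str) -> BriefListing:
    """Turn the brief listing into records; the command echo, header and
    rule lines are skipped because they never match ROW_RE."""
    listing = BriefListing(users=[])
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            listing.users.append(AccessUser(
                int(row["uid"]), row["name"], row["ip"], row["mac"], row["status"]))
            continue
        trailer = TOTAL_RE.match(line)
        if trailer:
            listing.total, listing.printed = int(trailer[1]), int(trailer[2])
    return listing


def sessions_needing_review(listing: BriefListing) -> List[AccessUser]:
    """Sessions whose Status is not Success, e.g. Open (online through the
    open function after an authentication failure, or an unauthenticated
    wireless user).  Inspect each with 'display access-user user-id <id>'."""
    return [u for u in listing.users if u.status not in AUTHENTICATED]


def listing_is_complete(listing: BriefListing) -> bool:
    """True when every session counted in the Total trailer was parsed.
    After '| include' or '| exclude' the device still reports the unfiltered
    Total (see the NOTE above), so a mismatch there is expected."""
    return listing.total is not None and listing.total == len(listing.users)


if __name__ == "__main__":
    parsed = parse_access_user_brief(SAMPLE_OUTPUT)
    print("complete listing:", listing_is_complete(parsed))
    for u in sessions_needing_review(parsed):
        print(f"review user-id {u.user_id}: {u.username!r} {u.mac} status={u.status}")
```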

# Display the user with the user ID being 1.

<HUAWEI> display access-user user-id 1
Basic:                                                                          
  User ID                         : 1                                      
  User name                       : normal                                      
  Domain-name                     : rds                                         
  User MAC                        : 3039-26e0-e5a6                              
  User IP address                 : 10.124.1.253
  User vpn-instance               : -   
  User IPv6 address               : -       
  User access Interface           : GigabitEthernet0/0/1                                
  User vlan event                 : Success                                     
  QinQVlan/UserVlan               : 0/20                                       
  User access time                : 2014/03/31 15:38:55                         
  User accounting session ID      : esap_lm000000000001245e5878016032            
  Option82 information            : -                                           
  User access type                : MAC 
  Redirect ACL ID(Effective)      : 3001  
  User Privilege                  : 15  
  Terminal Device Type            : Data Terminal
  Dynamic ACL number(Effective)   : 3100
  Dynamic group index(Effective)  : 10
  Dynamic group name(Effective)   : group10
  Session Timeout                 : 1800(s)
  Termination Action              : RE-AUTHENTICATION
                                                                                
AAA:                                                                            
  User authentication type        : MAC authentication                       
  Current authentication method   : RADIUS                                      
  Current authorization method    : -                                           
  Current accounting method       : RADIUS      

# Display the user with the user ID being 62.

<HUAWEI> display access-user user-id 62
Basic:                                                
  User ID                         : 62                    
  User name                       : 005500000001          
  Domain-name                     : -                     
  User MAC                        : 0055-0000-0001        
  User IP address                 : 192.168.1.121
  User vpn-instance               : -   
  User IPv6 address               : -       
  User access Interface           : Wlan-Dbss3:152           
  User vlan event                 : Open                  
  QinQVlan/UserVlan               : 0/125                        
  User access time                : 2015/07/10 11:27:12           
  User accounting session ID      : esap_lm000000000001245e5878016032  
  Option82 information            : -                       
  User access type                : None              
  Redirect ACL ID(Effective)      : 3001  
  User Privilege                  : 15  
  AP ID                           : 152               
  AP name                         : ap-152            
  Radio ID                        : 0                 
  AP MAC                          : 0000-0000-0002        
  SSID                            : 57-open             
  Online time                     : 23(s)                
                                                      
AAA:                                                  
  User authentication type        : None             
  Current authentication method   : None              
  Current authorization method    : Local            
  Current accounting method       : None 

# Display the user with the user ID being 32675.

<HUAWEI> display access-user user-id 32675
Basic:                                                                          
  User ID                         : 32675                                       
  User name                       : fztest                                      
  Domain-name                     : fz                                          
  User MAC                        : 4611-97a4-0000                              
  User IP address                 : - 
  User IPv6 address               : -       
  User access Interface           : Eth-Trunk1                                  
  User vlan event                 : Success                                     
  QinQVlan/UserVlan               : 0/18                                        
  User access time                : 2015/02/11 21:51:58                         
  User accounting session ID      : esap_lm000000000001245e5878016032           
  Option82 information            : -                                           
  User access type                : 802.1x                                      
  Redirect ACL ID(Effective)      : 3001  
  User Privilege                  : 15  
  AS ID                           : 1                                           
  AS name                         : test                                 
  AS IP                           : 192.168.1.11                                
  AS MAC                          : 0012-0016-4578                              
  AS Interface                    : GigabitEthernet0/0/1
  Terminal Device Type            : Data Terminal                               
                                                                                
AAA:                                                                            
  User authentication type        : 802.1x authentication                       
  Current authentication method   : RADIUS                                      
  Current authorization method    : -                                           
  Current accounting method       : RADIUS  

# Display the user with the user ID being 16019.

<HUAWEI> display access-user user-id 16019
Basic:
  User ID                         : 16019
  User name                       : b002404
  Domain-name                     : abc
  User MAC                        : 0000-c055-0102
  User IP address                 : 192.168.1.2
  User vpn-instance               : -       
  User IPv6 address               : FC00:3::5689:98FF:FE01:583D                 
  User IPv6 link local address    : FE80::5689:98FF:FE01:583D                   
  User access Interface           : GigabitEthernet0/0/1
  User vlan event                 : Success
  QinQVlan/UserVlan               : 20/21
  User vlan source                : user request          
  User access time                : 2016/08/16 18:32:16
  User accounting session ID      : esap_lm000000000001245e5878016032
  Option82 information            : -
  User PIR(Kbps)                  : 5000
  User flow mapping name          : zt       
  User flow queue name            : zt      
  User access type                : MAC
  Redirect ACL ID(Effective)      : 3001  
  Terminal Device Type            : Data Terminal
  User inbound data flow(Packet)  : -
  User inbound data flow(Byte)    : -
  User outbound data flow(Packet) : -
  User outbound data flow(Byte)   : -
  DAA Inbound data flow(Packet/Byte)
    Tariff level 1                : -/-
  DAA Outbound data flow(Packet/Byte)
    Tariff level 1                : -/-
  User Lease                      : 600(s)                                      
  ISP   VLAN                      : 1000                                        
  ISP Interface                   : GigabitEthernet0/1/17      

AAA:
  User authentication type        : MAC authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : None
Table 13-5  Description of the display access-user command output

Item

Description

Basic

Basic information about a user.

UserID/User ID

Index of a user.

Username/User name

User name.

Domain-name

Authentication domain of a user.

MAC/User MAC

MAC address of a user.

IP address/User IP address

IP address of a user.

User vpn-instance

User VPN instance.

User IPv6 address

IPv6 address of a user.

User IPv6 link local address

IPv6 link-local address.

User access Interface

Access interface of a user.

Status/User vlan event

Whether a user joins a VLAN.

  • Open: A wired user goes online through the open function after authentication fails; a wireless user is not authenticated.
  • Success: Authentication succeeded.
  • Pre-authen: Pre-authentication.
  • Client-no-resp: The client does not respond.
  • Fail-authorized: Authorization upon authentication failure.
  • Web-server-down: The web server is down.
  • Aaa-server-down: The AAA server is down.

QinQVlan/UserVlan

VLAN that a user belongs to.
  • In QinQ applications, QinQVlan indicates the outer VLAN ID and UserVlan indicates the inner VLAN ID.
  • For a common VLAN, UserVlan indicates the VLAN ID, and QinQVlan is 0.

User vlan source

Source of a user VLAN.

  • server vlan: The VLAN is delivered by the remote server.
  • user group vlan: The VLAN is bound to a user group.
  • service scheme vlan: The VLAN is configured in the service scheme view.
  • local event vlan: The authorized VLAN (visitor or survival VLAN) is configured locally.
  • user request: The VLAN is carried in the user's authentication request.

User access time

Time when a user goes online.

If a time zone is configured and daylight saving time is in effect, the time is displayed in the format YYYY/MM/DD HH:MM:SS UTC±HH:MM DST.

User accounting session ID

ID of an accounting session.

Option82 information

Option 82 of a user.

User PIR(Kbps)

Peak Information Rate (PIR) in kbit/s.

User flow mapping name

Name of the user flow mapping template.

User flow queue name

Name of the user flow queue.

User access type

Access type of a user. For the related command, see local-user service-type.

Redirect ACL ID(Effective)

User Redirect ACL ID:
  • Effective: The redirection ACL has taken effect.
  • Ineffective: The redirection ACL does not take effect. The possible reason is that the ACL is not configured on the device.

User Privilege

Level of a user.

Terminal Device Type

Terminal device type of a user.

Dynamic ACL number(Effective)

ACL number:
  • Effective: The dynamic ACL has taken effect.
  • Ineffective: The dynamic ACL does not take effect. The possible causes are as follows: Dynamic RADIUS authorization fails; the ACL does not exist on the device; the wired user fails to obtain an IP address.
NOTE:

This field is displayed only when ACL is dynamically delivered by the RADIUS server.

Dynamic group index(Effective)

Index of a UCL group. This option is available only in NAC unified mode.

Dynamic group name(Effective)

Name of a UCL group. This option is available only in NAC unified mode.

Session Timeout

Timeout interval of sessions.

Termination Action

Action taken when a session times out.
  • RE-AUTHENTICATION: authentication is performed again.
  • OFFLINE: the user is disconnected.

AP ID

ID of the AP connected to users.

AP name

Name of the AP connected to users.

Radio ID

ID of the radio.

AP MAC

MAC address of the AP connected to users.

SSID

SSID of a STA.

Online time

STA online time.

AAA

AAA information about a user.

User authentication type

Authentication type of a user, which depends on the access type of the user.

Current authentication method

Authentication method used for a user.

Current authorization method

Current authorization method.

Current accounting method

Current accounting method.

AS ID

ID of the access device (AS) in a policy association network.

AS name

Name of the access device (AS) in a policy association network.

AS IP

IP address of the access device (AS) in a policy association network.

AS MAC

MAC address of the access device (AS) in a policy association network.

AS Interface

Interface of the access device (AS) in a policy association network.

User inbound data flow(Packet)

Data traffic (number of packets) from users to the device.

User inbound data flow(Byte)

Data traffic (number of bytes) from users to the device.

User outbound data flow(Packet)

Data traffic (number of packets) from the device to users.

User outbound data flow(Byte)

Data traffic (number of bytes) from the device to users.

DAA Inbound data flow(Packet/Byte)(The Eth-Trunk contains a card that does not support this function)

DAA incoming traffic (number of packets or bytes)(The Eth-Trunk contains a card that does not support this function).

NOTE:

The device does not support this item.

Tariff level 1

Tariff level.

NOTE:

The device does not support this item.

DAA Outbound data flow(Packet/Byte)

DAA outgoing traffic (number of packets or bytes).

NOTE:

The device does not support this item.

User Lease

User lease.

ISP VLAN

Authorized outbound interface VLAN.

ISP Interface

Authorized outbound interface.

display accounting-scheme

Function

The display accounting-scheme command displays the configuration of accounting schemes, including accounting scheme names and accounting modes.

Format

display accounting-scheme [ accounting-scheme-name ]

Parameters

Parameter

Description

Value

accounting-scheme-name

Specifies the name of an accounting scheme.

The accounting scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the accounting scheme configuration is complete, run the display accounting-scheme command to view the configuration of accounting schemes.

Before applying an accounting scheme to a domain, run the display accounting-scheme command to check whether configuration of the accounting scheme is correct.

Precautions

The display accounting-scheme command displays the detailed configuration if the name of an accounting scheme is specified. Otherwise, this command displays only the summary of accounting schemes.

Example

# Display the summary of all accounting schemes.

<HUAWEI> display accounting-scheme
  -------------------------------------------------------------------
  Accounting-scheme-name              Accounting-method
  -------------------------------------------------------------------
  default                             None
  radius-1                            RADIUS
  tacas-1                             HWTACACS

  -------------------------------------------------------------------
  Total of accounting-scheme: 3 

# Display the detailed configuration of the default accounting scheme.

<HUAWEI> display accounting-scheme default

  Accounting-scheme-name                : default
  Accounting-method                     : None
  Realtime-accounting-switch            : Disabled
  Realtime-accounting-interval(min)     : -
  Start-accounting-fail-policy          : Offline
  Realtime-accounting-fail-policy       : Online
  Realtime-accounting-failure-retries   : 3 
Table 13-6  Description of the display accounting-scheme command output

Item

Description

Accounting-scheme-name

Name of an accounting scheme. To create an accounting scheme, run the accounting-scheme (AAA view) command.

Accounting-method

Accounting mode in the accounting scheme. The accounting modes are as follows:

  • HWTACACS: indicates that an HWTACACS server performs accounting.
  • None: indicates non-accounting.
  • RADIUS: indicates that a RADIUS server performs accounting.

To configure an accounting mode, run the accounting-mode command.

Realtime-accounting-switch

Whether the real-time accounting function is enabled:

  • Disabled: indicates that the real-time accounting function is disabled.
  • Enabled: indicates that the real-time accounting function is enabled.

To set the interval for real-time accounting, run the accounting realtime command.

Realtime-accounting-interval(min)

Interval for real-time accounting. To set the interval for real-time accounting, run the accounting realtime command.

Start-accounting-fail-policy

Policy used for accounting-start failures.
  • Offline: disconnects users.
  • Online: keeps users online.

To configure a policy for accounting-start failures, run the accounting start-fail command.

Realtime-accounting-fail-policy

Policy used for real-time accounting failures.
  • Offline: disconnects users.
  • Online: keeps users online.

To configure the policy used for real-time accounting failures, run the accounting interim-fail command.

Realtime-accounting-failure-retries

Number of retries before a real-time accounting failure is confirmed.

To set the number of retries before a real-time accounting failure is confirmed, run the accounting interim-fail command.

display authentication ipv6-statistics status

Function

The display authentication ipv6-statistics status command displays whether IPv6 statistics collection takes effect.

NOTE:

Only S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.

Format

display authentication ipv6-statistics status

Parameters

None

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

After IPv6 traffic statistics collection is globally enabled using the authentication ipv6-statistics enable command, you can run this command to check whether the function takes effect.

Example

# Check whether IPv6 traffic statistics collection takes effect.

<HUAWEI> display authentication ipv6-statistics status
------------------------------------------------------------------------------- 
  Slot-id                        State                                          
------------------------------------------------------------------------------- 
  6                              success                                        
  8                              not support                                    
------------------------------------------------------------------------------- 
  Total: 2  
Table 13-7  Description of the display authentication ipv6-statistics status command output

Item

Description

Slot-id

Slot ID.

State

Whether IPv6 traffic statistics collection takes effect:

  • success: The function takes effect.
  • failure: The function does not take effect.
  • not support: The device does not support the function.
  • unknown: Unknown error.

To configure the IPv6 traffic statistics collection function, run the authentication ipv6-statistics enable command.

display authentication-scheme

Function

The display authentication-scheme command displays the configuration of authentication schemes.

Format

display authentication-scheme [ authentication-scheme-name ]

Parameters

Parameter

Description

Value

authentication-scheme-name

Specifies the name of an authentication scheme.

The authentication scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the authentication scheme configuration is complete, run the display authentication-scheme command to view the configuration of authentication schemes.

Precautions

The display authentication-scheme command displays the detailed configuration if the command is executed in the authentication scheme view or the name of an authentication scheme is specified. Otherwise, this command displays only the summary of authentication schemes.

Example

# Display the summary of all authentication schemes.

<HUAWEI> display authentication-scheme
  -------------------------------------------------------------------
  Authentication-scheme-name          Authentication-method
  -------------------------------------------------------------------
  default                             Local
  radius                              RADIUS
  -------------------------------------------------------------------
  Total of authentication scheme: 2

# Display the detailed configuration of the default authentication scheme.

<HUAWEI> display authentication-scheme default
                                                                                
  Authentication-scheme-name          : default                                 
  Authentication-method               : Local  
  Radius authentication-type of admin : PAP(all) 
Table 13-8  Description of the display authentication-scheme command output

Item

Description

Authentication-scheme-name

Name of an authentication scheme. To create an authentication scheme, run the authentication-scheme (AAA view) command.

Authentication-method

Authentication mode in an authentication scheme. To configure an authentication mode in an authentication scheme, run the authentication-mode (authentication scheme view) command.

Radius authentication-type of admin

Access type of administrators on whom CHAP authentication is performed. The value can be:

  • PAP(all): PAP authentication is performed on the administrators of all access types when they are authenticated using RADIUS.
  • CHAP(ftp) PAP(other): CHAP authentication is performed on the administrators whose access type is shown in brackets (here FTP) when they are authenticated using RADIUS, and PAP authentication is performed on the administrators of all other access types.

To configure the access type, run the authentication-type radius chap access-type admin command.

display authorization-scheme

Function

The display authorization-scheme command displays the configuration of authorization schemes.

Format

display authorization-scheme [ authorization-scheme-name ]

Parameters

Parameter

Description

Value

authorization-scheme-name

Specifies the name of an authorization scheme.

The authorization scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the authorization scheme configuration is complete, run the display authorization-scheme command to view the configuration of authorization schemes.

Before applying an authorization scheme to a domain, run the display authorization-scheme command to check whether configuration of the authorization scheme is correct.

Precautions

The display authorization-scheme command displays the detailed configuration if the name of an authorization scheme is specified. Otherwise, this command displays only the summary of authorization schemes.

Example

# Display the summary of all authorization schemes.

<HUAWEI> display authorization-scheme
  -------------------------------------------------------------------
  Authorization-scheme-name          Authorization-method
  -------------------------------------------------------------------
  default                             Local
  scheme0                             Local
  -------------------------------------------------------------------
   Total of authorization-scheme: 2

# Display the detailed configuration of the authorization scheme scheme0.

<HUAWEI> display authorization-scheme scheme0
---------------------------------------------------------------------------
 Authorization-scheme-name   : scheme0
 Authorization-method        : Local
 Authorization-cmd level  0   : Disabled
 Authorization-cmd level  1   : Disabled 
 Authorization-cmd level  2   : Disabled
 Authorization-cmd level  3   : Disabled
 Authorization-cmd level  4   : Disabled
 Authorization-cmd level  5   : Disabled
 Authorization-cmd level  6   : Disabled
 Authorization-cmd level  7   : Disabled
 Authorization-cmd level  8   : Disabled
 Authorization-cmd level  9   : Disabled
 Authorization-cmd level 10   : Disabled
 Authorization-cmd level 11   : Disabled
 Authorization-cmd level 12   : Disabled
 Authorization-cmd level 13   : Disabled
 Authorization-cmd level 14   : Disabled
 Authorization-cmd level 15   : Disabled
 Authorization-cmd no-response-policy    : Online
---------------------------------------------------------------------------
Table 13-9  Description of the display authorization-scheme command output

Item

Description

Authorization-scheme-name

Name of the authorization scheme. To create an authorization scheme, run the authorization-scheme (AAA view) command.

Authorization-method

Authorization mode set for the authorization scheme. To configure an authorization mode, run the authorization-mode command.

Authorization-cmd level

Whether the command line authorization function is enabled for a user with a specified level:
  • Disabled: indicates that the command line authorization function is disabled.
  • Enabled: indicates that the command line authorization function is enabled.
To set the command line authorization function, run the authorization-cmd command.

Authorization-cmd no-response-policy

Policy applied when command line authorization gets no response from the server. Online indicates that users are allowed to go online in this case.
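Checking scheme output programmatically, as an added example that is not part of this Huawei reference: the script below parses the detailed output of display accounting-scheme and display authorization-scheme (the two key/value listings shown in the examples above) and reports the settings an auditor would want to review, such as an accounting method of None, a real-time accounting failure policy of Online, management levels without command line authorization, and a no-response-policy of Online. The sample text is constructed and modelled on the examples in this section, not captured from a device; the assumed authorization scheme uses HWTACACS with command line authorization enabled only at levels 3 and 15. The function names and the choice of level 3 as the first management level are assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed sample outputs, modelled on the display accounting-scheme and
# display authorization-scheme examples in this reference (not from a real device).
ACCOUNTING_OUTPUT = """\
  Accounting-scheme-name                : default
  Accounting-method                     : None
  Realtime-accounting-switch            : Disabled
  Realtime-accounting-interval(min)     : -
  Start-accounting-fail-policy          : Offline
  Realtime-accounting-fail-policy       : Online
  Realtime-accounting-failure-retries   : 3
"""

AUTHORIZATION_OUTPUT = """\
---------------------------------------------------------------------------
 Authorization-scheme-name   : scheme0
 Authorization-method        : HWTACACS
 Authorization-cmd level  0   : Disabled
 Authorization-cmd level  1   : Disabled
 Authorization-cmd level  2   : Disabled
 Authorization-cmd level  3   : Enabled
 Authorization-cmd level  4   : Disabled
 Authorization-cmd level  5   : Disabled
 Authorization-cmd level  6   : Disabled
 Authorization-cmd level  7   : Disabled
 Authorization-cmd level  8   : Disabled
 Authorization-cmd level  9   : Disabled
 Authorization-cmd level 10   : Disabled
 Authorization-cmd level 11   : Disabled
 Authorization-cmd level 12   : Disabled
 Authorization-cmd level 13   : Disabled
 Authorization-cmd level 14   : Disabled
 Authorization-cmd level 15   : Enabled
 Authorization-cmd no-response-policy    : Online
---------------------------------------------------------------------------
"""

# One "Item : Value" line; separator lines made of dashes do not match.
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*?)\s*$")
LEVEL_RE = re.compile(r"Authorization-cmd level\s+(\d+)")


def parse_scheme(output: str) -> Dict[str, str]:
    """Turn the key/value listing of a display ...-scheme command into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def cmd_authorization_levels(fields: Dict[str, str]) -> Dict[int, bool]:
    """Map each user level to True when command line authorization is Enabled."""
    levels: Dict[int, bool] = {}
    for key, val in fields.items():
        m = LEVEL_RE.fullmatch(key)
        if m:
            levels[int(m.group(1))] = (val == "Enabled")
    return levels


def audit_authorization(fields: Dict[str, str]) -> List[str]:
    """Findings for an authorization scheme; level 3+ is treated as management level (assumption)."""
    findings: List[str] = []
    missing = sorted(lvl for lvl, on in cmd_authorization_levels(fields).items()
                     if lvl >= 3 and not on)
    if missing:
        findings.append(f"command line authorization disabled for management levels {missing}")
    if fields.get("Authorization-cmd no-response-policy") == "Online":
        findings.append("no-response-policy Online: users are allowed to go online "
                        "when command line authorization gets no response")
    return findings


def audit_accounting(fields: Dict[str, str]) -> List[str]:
    """Findings for an accounting scheme."""
    findings: List[str] = []
    if fields.get("Accounting-method") == "None":
        findings.append("Accounting-method None: no accounting is performed for this scheme")
    if fields.get("Realtime-accounting-switch") == "Disabled":
        findings.append("real-time (interim) accounting is disabled")
    if fields.get("Realtime-accounting-fail-policy") == "Online":
        findings.append("users stay online when real-time accounting fails")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("accounting", ACCOUNTING_OUTPUT, audit_accounting),
                              ("authorization", AUTHORIZATION_OUTPUT, audit_authorization)):
        for finding in audit(parse_scheme(text)):
            print(f"[{name}] {finding}")
```

The same parse_scheme function works on the output of display domain name, whose lines follow the same Item : Value layout; only the audit rules differ.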

display domain

Function

The display domain command displays the domain configuration.

Format

display domain [ name domain-name ]

Parameters

Parameter

Description

Value

name domain-name

Specifies the name of a domain.

If this parameter is not specified, brief information about all domains is displayed.

The domain name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a domain is created by the domain command with required parameters specified, you can run the display domain command to view the domain configuration.

Example

# Display brief information about all domains.

<HUAWEI> display domain
  -------------------------------------------------------------------------
  index    DomainName
  -------------------------------------------------------------------------
  0        default
  1        default_admin
  -------------------------------------------------------------------------
  Total: 2
Table 13-10  Description of the display domain command output

Item

Description

index

Index of a domain.

To configure this parameter, run the domain (AAA view) command.

DomainName

Name of a domain.

To configure this parameter, run the domain (AAA view) command.

# Display the configuration of the domain default.

<HUAWEI> display domain name default

  Domain-name                     : default
  Domain-index                    : 0
  Domain-state                    : Active
  Authentication-scheme-name      : default
  Accounting-scheme-name          : default
  Authorization-scheme-name       : -
  Service-scheme-name             : -
  RADIUS-server-template          : -
  HWTACACS-server-template        : -
  User-group                      : -
  Push-url-address                : -
Table 13-11  Description of the display domain name command output

Item

Description

Domain-name

Name of a domain.

To configure this parameter, run the domain (AAA view) command.

Domain-index

Index of a domain.

To configure this parameter, run the domain (AAA view) command.

Domain-state

Status of a domain.
  • Active: indicates that the domain is activated.
  • Block: indicates that the domain is blocked.

To configure this parameter, run the state (AAA domain view) command.

Authentication-scheme-name

Name of the authentication scheme used in a domain.

To configure this parameter, run the authentication-scheme (AAA domain view) command.

Accounting-scheme-name

Name of the accounting scheme used in a domain.

To configure this parameter, run the accounting-scheme (AAA domain view) command.

Authorization-scheme-name

Name of the authorization scheme used in a domain.

To configure this parameter, run the authorization-scheme (AAA domain view) command.

Service-scheme-name

Name of the service scheme used in a domain.

To configure this parameter, run the service-scheme (AAA domain view) command.

RADIUS-server-template

Name of the RADIUS server template used in a domain.

To configure this parameter, run the radius-server (AAA domain view) command.

HWTACACS-server-template

Name of the HWTACACS server template used in a domain.

To configure this parameter, run the hwtacacs-server command.

User-group

Name of the user group for the users in a domain.

To configure this parameter, run the user-group (AAA domain view) command.

Push-url-address

URL pushed to users in the domain.

To configure this parameter, run the force-push command.

display local-user

Function

The display local-user command displays information about local users.

Format

display local-user [ domain domain-name | state { active | block } | username user-name ] *

Parameters

Parameter

Description

Value

domain domain-name

Displays information about local users in a specified domain.

The domain name must already exist.

state { active | block }

Displays the attributes of local users in the specified state.
  • active: indicates the active state.
  • block: indicates the blocking state.

-

username user-name

Displays information about a specified local user name.

The user name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The display local-user command output helps you check the configuration of local users and isolate faults related to the local users.

Precautions

If no parameter is specified, brief information about all local users is displayed. If a parameter is specified, detailed information about the specified local user is displayed.

Low-level users cannot view information about high-level users.

Example

# Display brief information about local users.

<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  user-a                         A      A         0
  user-c                         A      A         0
  ----------------------------------------------------------------------------
  Total 2 user(s)

# Display detailed information about the local user user-a.

<HUAWEI> display local-user username user-a
  The contents of local user(s):
  Password             : ****************
  State                : active
  Service-type-mask    : A
  Privilege level      : -
  Ftp-directory        : -
  HTTP-directory       : -
  Access-limit         : Yes
  Access-limit-max     : 4294967295
  Accessed-num         : 0
  Idle-timeout         : -
  User-group           : -
  Original-password    : No
  Password-set-time    : 2019-12-01 18:42:57+01:00 DST
  Password-expired     : No
  Password-expire-time : -
  Account-expire-time  : -
NOTE:

For a local user who fails to log in to the device but is not locked, Retry-time-left is displayed. For a local user whose initial password is changed, Change password retry-count-left is displayed. When the number of continuous login failures or the number of initial password change failures reaches the limit specified using the local-aaa-user wrong-password command, the user is locked.

# Display information about local user user1 who fails to log in to the device.

<HUAWEI> display local-user username user1
  The contents of local user(s):
  Password             : ****************
  State                : active
  Service-type-mask    : T
  Privilege level      : 0
  Ftp-directory        : -
  HTTP-directory       : -
  Access-limit         : -
  Accessed-num         : 0
  Idle-timeout         : -
  Retry-interval       : 4 Min(s)
  Retry-time-left      : 1
  Original-password    : Yes
  Password-set-time    : 2019-01-27 13:26:55+08:00
  Password-expired     : No
  Password-expire-time : -
  Account-expire-time  : -

# Display information about local user user1 whose initial password fails to be changed.

<HUAWEI> display local-user username user1
  The contents of local user(s):
  Password             : ****************
  State                : active
  Service-type-mask    : T
  Privilege level      : 0
  Ftp-directory        : -
  HTTP-directory       : -
  Access-limit         : -
  Accessed-num         : 1
  Idle-timeout         : -
  Change password retry-interval  : 4 Min(s)
  Change password retry-count-left: 3
  Original-password    : Yes
  Password-set-time    : 2019-01-27 13:26:55+08:00
  Password-expired     : No
  Password-expire-time : -
  Account-expire-time  : -

# Display information about local users in blocking state.

<HUAWEI> display local-user state block
  -----------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  -----------------------------------------------------------
  test2                          B      T         0
  -----------------------------------------------------------

# Display information about local user test2 in blocking state.

<HUAWEI> display local-user state block username test2
  The contents of local user(s):
  Password             : ****************
  State                : block
  Service-type-mask    : T
  Privilege level      : 0
  Ftp-directory        : -
  HTTP-directory       : -
  Access-limit         : -
  Accessed-num         : 0
  Idle-timeout         : -
  Block-time-left      : 8 Min(s)
  Original-password    : Yes
  Password-set-time    : 2019-01-27 13:26:55+08:00
  Password-expired     : No
  Password-expire-time : -
  Account-expire-time  : -
Table 13-12  Description of the display local-user command output

Item

Description

User-name

Name of the local user.

To configure this parameter, run the local-user command.

State

State of the local user:

  • A: Active
  • B: Block

To configure this parameter, run the local-user command.

AuthMask

Access type of the local user.

  • T: indicates the Telnet users.
  • M: indicates the terminal users, which usually refer to the console users.
  • S: indicates the SSH users.
  • F: indicates the FTP users.
  • W: indicates the web users.
  • X: indicates the 802.1X users.
  • A: indicates all access types.
  • H: indicates the HTTP users.
  • D: indicates the X25-PAD users.
  • P: indicates the PPP users.
  • Combination: For example, MH indicates either a terminal user or an HTTP user.

To configure this parameter, run the local-user service-type command.

AdminLevel

Local user level.

To configure this parameter, run the local-user command.

Password

Password of the local user.

To configure this parameter, run the local-user command.

Service-type-mask

Service type of the local user. Same as the AuthMask type.

To configure this parameter, run the local-user service-type command.

Privilege level

Local user level.

To configure this parameter, run the local-user command.

Ftp-directory

FTP directory of the local user.

To configure this parameter, run the local-user command.

HTTP-directory

HTTP directory of the local user.

To configure this parameter, run the local-user command.

Access-limit

Whether the maximum number of sessions of the local user is configured.

To configure this parameter, run the local-user command.

Access-limit-max

Maximum number of sessions of the local user.

To configure this parameter, run the local-user command.

Accessed-num

Number of established sessions.

Idle-timeout

Idle timeout interval.

To configure this parameter, run the local-user command.

User-group

Authorization information of the user group to which the local user is bound.

To configure this parameter, run the local-user command.

Original-password

Whether the password of a local user is the initial password:
  • Yes
  • No

To configure this parameter, run the password alert original command.

Password-set-time

Time when the local user's password was created. The value is in the format local time + DST offset.

Password-expired

Whether a local user's password has expired:
  • Yes
  • No

Password-expire-time

Time when the local user's password expires. The value is in the format local time + DST offset.

To configure this parameter, run the password expire command.

Account-expire-time

Expiry time of a local user account. The value is in the format local time + DST offset.

To configure this parameter, run the local-user expire-date command.

Retry-interval

Login retry interval before a local user is locked.

To configure this parameter, run the local-aaa-user wrong-password command.

Retry-time-left

Remaining number of login retries before a local user is locked.

To configure this parameter, run the local-aaa-user wrong-password command.

Change password retry-interval

Retry interval for changing the initial password of a local user before the user is locked.

To configure this parameter, run the local-aaa-user wrong-password command.

Change password retry-count-left

Remaining number of initial password change retries before a local user is locked.

To configure this parameter, run the local-aaa-user wrong-password command.

display local-user expire-time

Function

The display local-user expire-time command displays the time when local accounts expire.

Format

display local-user expire-time

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The command output helps you diagnose and rectify the faults related to local user passwords.

Example

# Display the time when local accounts expire.

<HUAWEI> display local-user expire-time
 -------------------------------------------------------------------------------    
 Username                Password-expire       Account-expire            Expired
 -------------------------------------------------------------------------------
 zsh                     2014-12-01 21:25:44    -                        NO
 mm001                   2014-12-01 21:29:58    -                        NO
 -------------------------------------------------------------------------------
 Total: 2, printed: 2  
Table 13-13  Description of the display local-user expire-time command output

Item

Description

Username

Local account name.

To configure this parameter, run the local-user command.

Password-expire

Number of days after which the password expires.

To configure this parameter, run the password expire command.

Account-expire

Account expiration time.

To configure this parameter, run the local-user expire-date command.

Expired

Whether the local account has expired:
  • YES
  • NO
NOTE:

The displayed value and actual value may have a difference within one minute; there is a possibility that the password has expired, but the displayed value is NO.

When the local user account or password has expired, the local user becomes invalid.

display local-aaa-user password policy

Function

The display local-aaa-user password policy command displays the password policy of local users.

Format

display local-aaa-user password policy { access-user | administrator }

Parameters

Parameter

Description

Value

access-user

Indicates the password policy of local access users.

-

administrator

Indicates the password policy of local administrators.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

After configuring the password policy for local users, you can run the display local-aaa-user password policy command to check whether the configuration is correct.

Example

# Display the password policy of local access users.

<HUAWEI> display local-aaa-user password policy access-user
  Password control                 : Enable 
  Password history                 : Enable (history records:5) 
Table 13-14  Description of the display local-aaa-user password policy access-user command output

Item

Description

Password control

Whether the password control function is enabled:
  • Enable
  • Disable

To configure this function, run the local-aaa-user password policy access-user command.

Password history

Whether the historical password recording function is enabled and the maximum number of historical passwords of each user.

To configure this function, run the password history record number command.

# Display the password policy of local administrator.

<HUAWEI> display local-aaa-user password policy administrator
  Password control                 : Enable                                     
  Password expiration              : Enable (180 days)                          
  Password history                 : Enable (history records:5)                 
  Password alert before expiration : 30 days                                    
  Password alert original          : Enable 
Table 13-15  Description of the display local-aaa-user password policy administrator command output

Item

Description

Password control

Whether the password control function is enabled:
  • Enable
  • Disable

To configure this function, run the local-aaa-user password policy administrator command.

Password expiration

Whether the password expiration function is enabled and password expiration time.

To configure this function, run the password expire command.

Password history

Whether the historical password recording function is enabled and the maximum number of historical passwords of each user.

To configure this function, run the password history record number command.

Password alert before expiration

Password expiration prompt days.

To configure this function, run the password alert before-expire command.

Password alert original

Whether the device prompts users to change their initial passwords:
  • Enable
  • Disable

To configure this function, run the password alert original command.
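
The items in the two tables above (password expiration, alert before expiration, history records, alert on the initial password) describe a policy the device applies at login and at password change. The following added example, which is not Huawei device code, models that policy in Python so the interplay of Password-set-time, Password-expire-time, Password-expired and the alert window can be traced on constructed timestamps. The names PasswordPolicy, expiry_status, login_prompts and PasswordHistory are this example's own, and the salted PBKDF2 storage used for the history is a constructed choice; the page does not describe how the device stores historical passwords.

```python
"""Local-user password policy checks modelled on the items shown by
display local-aaa-user password policy: expiration (180 days), alert before
expiration (30 days), history records (5) and alert on the initial password.
Added illustration, not Huawei code; dates, iteration count and the hashing
scheme are constructed for the example."""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    expire_days: int = 180         # password expire <days>
    alert_before_days: int = 30    # password alert before-expire <days>
    history_records: int = 5       # password history record number <n>; 0 disables history
    alert_original: bool = True    # password alert original


def expiry_status(policy: PasswordPolicy, set_time: datetime, now: datetime) -> Dict[str, object]:
    """Derive Password-expire-time, Password-expired and the expiry alert
    from the time the password was set (Password-set-time)."""
    expire_time = set_time + timedelta(days=policy.expire_days)
    expired = now >= expire_time
    remaining = expire_time - now
    alert = (not expired) and remaining <= timedelta(days=policy.alert_before_days)
    return {"expire_time": expire_time, "expired": expired, "alert": alert}


def login_prompts(policy: PasswordPolicy, status: Dict[str, object], is_original: bool) -> List[str]:
    """Messages a login would surface under this policy."""
    prompts = []
    if policy.alert_original and is_original:
        prompts.append("initial password in use: change it")
    if status["expired"]:
        prompts.append("password expired: account invalid until the password is changed")
    elif status["alert"]:
        prompts.append("password expires on %s" % status["expire_time"].isoformat(sep=" "))
    return prompts


class PasswordHistory:
    """Keeps the newest history_records password digests so that a reused
    password can be rejected. Salted PBKDF2 is a constructed choice for the
    example; the device's own storage format is not described on this page."""

    ITERATIONS = 20_000   # kept low so the example runs quickly

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self._records: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def was_used(self, password: str) -> bool:
        return any(self._digest(password, salt) == digest for salt, digest in self._records)

    def record(self, password: str) -> None:
        """Accept a new password and trim the history to the configured depth."""
        if self.was_used(password):
            raise ValueError("password matches one of the last %d passwords" % self.policy.history_records)
        salt = os.urandom(16)
        self._records.append((salt, self._digest(password, salt)))
        keep = self.policy.history_records
        self._records = self._records[-keep:] if keep > 0 else []


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed timestamps: a password set in June 2014 expires 180 days later.
    set_time = datetime(2014, 6, 4, 21, 25, 44)
    for now in (datetime(2014, 9, 1), datetime(2014, 11, 15), datetime(2014, 12, 2)):
        status = expiry_status(policy, set_time, now)
        print(now.date(), status["expired"], status["alert"], login_prompts(policy, status, False))
```

The alert window starts alert_before_days before the expiry time and ends at expiry, after which the account is reported as expired; the history keeps exactly history_records digests, so the sixth password set under a depth of 5 lets the first one be reused again.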

display recording-scheme

Function

The display recording-scheme command displays the configuration of recording schemes.

Format

display recording-scheme [ recording-scheme-name ]

Parameters

Parameter

Description

Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display recording-scheme command displays the configuration of recording schemes.

Example

# Display the configuration of the recording scheme scheme0.

<HUAWEI> display recording-scheme scheme0
-----------------------------------------------------------------
 Recording-scheme-name           : scheme0
 HWTACACS-template-name          : tacas-1
---------------------------------------------------------------- 
Table 13-16  Description of the display recording-scheme command output

Item

Description

Recording-scheme-name

Name of the recording scheme. To create a recording scheme, run the recording-scheme command.

HWTACACS-template-name

Name of the HWTACACS server template associated with the recording scheme. To associate an HWTACACS server template with a recording scheme, run the recording-mode hwtacacs command.

display remote-user authen-fail

Function

The display remote-user authen-fail command displays the accounts that fail in remote AAA authentication.

Format

display remote-user authen-fail [ blocked | username username ]

Parameters

Parameter

Description

Value

blocked

Displays all the remote AAA authentication accounts that have been locked.

-

username username

Displays details about the accounts that fail in remote AAA authentication.

If the username parameter is not specified, basic information about all accounts that fail in remote AAA authentication is displayed.

It is a string of 1 to 253 case-insensitive characters without spaces.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the account locking function is enabled for the users who fail in AAA remote authentication, the device records all failed accounts, including:
  • The accounts that failed in authentication and are locked, for example, when the user entered the wrong account name or password too many times.
  • The accounts that failed in authentication, but are not locked, for example, when the number of times the account name or password was entered incorrectly did not exceed the limit.

Prerequisites

The remote-aaa-user authen-fail command has been enabled to lock the accounts that fail in remote AAA authentication.

Precautions

The device cannot back up a recorded account that fails the AAA authentication. If an active/standby switchover policy has been configured on the device, all user entries are cleared when the device completes an active/standby switchover.

Example

# Display all accounts that have failed in remote AAA authentication.

<HUAWEI> display remote-user authen-fail
  ----------------------------------------------------------------------------
  Username                   RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)
  ----------------------------------------------------------------------------
  test@rds                   5                   2             0
  t@rds                      0                   0             5
  ----------------------------------------------------------------------------
  Total 2, 2 printed 

# Display all locked accounts.

<HUAWEI> display remote-user authen-fail blocked
  ----------------------------------------------------------------------------
  Username                   RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)
  ----------------------------------------------------------------------------
  t@rds                      0                   0             4
  ----------------------------------------------------------------------------
  Total 1, 1 printed   

# Display details about the account test that failed in remote AAA authentication.

<HUAWEI> display remote-user authen-fail username test
  The contents of the user:
  Retry-interval    : 0 Min(s)
  Retry-time-left   : 0
  Block-time-left   : 4 Min(s)
  User-state        : Block
Table 13-17  Description of the display remote-user authen-fail command output

Item

Description

Username

User name.

RetryInterval(Mins)

Authentication retry interval, in minutes.

To configure this parameter, run the remote-aaa-user authen-fail command.

Retry-interval

Authentication retry interval.

To configure this parameter, run the remote-aaa-user authen-fail command.

RetryTimeLeft

Remaining number of consecutive authentication failures.

To configure this parameter, run the remote-aaa-user authen-fail command.

Retry-time-left

Remaining number of consecutive authentication failures.

To configure this parameter, run the remote-aaa-user authen-fail command.

BlockTime(Mins)

Remaining locking time of an account.

To configure this parameter, run the remote-aaa-user authen-fail command.

Block-time-left

Remaining locking time of an account.

To configure this parameter, run the remote-aaa-user authen-fail command.

User-state

User status:
  • Block
  • Active

display service-scheme

Function

The display service-scheme command displays the configuration of service schemes.

Format

display service-scheme [ name name ]

Parameters

Parameter

Description

Value

name name

Specifies the name of a service scheme.

The service scheme must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display service-scheme command displays the configuration of service schemes.

Before applying a service scheme to a domain, run the display service-scheme command to check whether the service scheme is correct.

Precautions

The display service-scheme command displays the detailed configuration if the command is executed in the service scheme view or the name of a service scheme is specified. Otherwise, this command displays only the summary of service schemes.

Example

# Display information about all service schemes.

<HUAWEI> display service-scheme
  -------------------------------------------------------------------
  service-scheme-name                    scheme-index
  -------------------------------------------------------------------
  svcscheme1                               0
  svcscheme2                               1
  -------------------------------------------------------------------
  Total of service scheme: 2

# Display the configuration of the service scheme svcscheme1.

<HUAWEI> display service-scheme name svcscheme1
                                                                                
  service-scheme-name           : svcscheme1                                     
  service-scheme-primary-dns    : -                                              
  service-scheme-secondary-dns  : -                                              
  service-scheme-adminlevel     : 15
  service-scheme-uclgroup-ID    : 10
  service-scheme-uclgroup-name  : u1
  service-scheme-acl-id         : 3001 
  service-scheme-redirect-acl-id: 3001 
  service-scheme-vlan           : 10
  service-scheme-voicevlan      : enable
Table 13-18  Description of the display service-scheme command output

Item

Description

service-scheme-name

Name of a service scheme.

To create a service scheme, run the service-scheme (AAA view) command.

scheme-index

Index of a service scheme.

service-scheme-primary-dns

Address of the primary DNS server.

To configure this item, run the dns (service scheme view) command.

service-scheme-secondary-dns

Address of the secondary DNS server.

To configure this item, run the dns (service scheme view) command.

service-scheme-adminlevel

Level of an administrator.

To configure this item, run the admin-user privilege level command.

service-scheme-uclgroup-ID

Index of the bound UCL group.

To configure this item, run the ucl-group (service scheme view) command.

service-scheme-uclgroup-name

Name of the bound UCL group.

To configure this item, run the ucl-group (service scheme view) command.

service-scheme-acl-id

Bound ACL number.

To configure this item, run the acl-id (service scheme view) command.

service-scheme-redirect-acl-id

Number of the ACL used for redirection in the service scheme.

To configure this item, run the redirect-acl command.

service-scheme-vlan

User VLAN ID.

To configure this item, run the user-vlan (service scheme view) command.

service-scheme-voicevlan

Whether voice VLAN is enabled.

To configure this item, run the voice-vlan (service scheme view) command.

dns (service scheme view)

Function

The dns command configures the primary or secondary DNS server in a service scheme.

The undo dns command cancels the configuration of the primary or secondary DNS server in a service scheme.

By default, no primary or secondary DNS server is configured in a service scheme.

Format

dns ip-address [ secondary ]

undo dns [ ip-address ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of a DNS server.

The value is in dotted decimal notation.

secondary

Specifies the secondary DNS server.

-

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

If no DNS server is specified when a local address pool, DHCP server, or RADIUS server assigns IP addresses to users, the DNS server configured in the service scheme view is used.

Example

# Set the IP address of the primary DNS server in the service scheme svcscheme1 to 10.10.10.1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] dns 10.10.10.1

# Set the IP address of the secondary DNS server in the service scheme svcscheme1 to 10.10.20.1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] dns 10.10.20.1 secondary

domain (AAA view)

Function

The domain command creates a domain and displays its view.

The undo domain command deletes a domain.

By default, the device has two domains: default and default_admin. The two domains can be modified but cannot be deleted.

Format

domain domain-name [ domain-index domain-index ]

undo domain domain-name

Parameters

Parameter

Description

Value

domain-name

Specifies the name of a domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces or the following symbols: * ? ". The value cannot be - or --.

domain-index domain-index

Specifies the index of a domain.

The value is an integer that ranges from 0 to 31.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device can manage users through domains. A domain is the minimum user management unit. A domain name can be an ISP name or the name of a service provided by an ISP. A domain can use the default authorization attribute, and be configured with a RADIUS template and authentication and accounting schemes.

If the domain to be configured already exists, the domain command displays the domain view.

If a user that belongs to this domain is online, you cannot run the undo domain command to delete the domain.

Prerequisites

To perform AAA for access users, you need to apply the authentication schemes, authorization schemes, and accounting schemes in the domain view. Therefore, authentication, authorization, and accounting schemes must be configured in the AAA view in advance.

Precautions

  • The domain default is a global default common domain for user access, for example, NAC. By default, the domain is activated, and is bound to the authentication scheme radius and accounting scheme default, but is not bound to any authorization scheme.
  • The domain default_admin is a global default management domain for users who log in to the device through HTTPS, SSH, Telnet, and the Web system, namely, administrators. By default, the domain is activated, and is bound to the authentication scheme default and accounting scheme default, but is not bound to any authorization scheme.

Example

# Specify the domain named domain1 and access the domain view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1]

domain (system view)

Function

The domain command configures a global default domain.

The undo domain command restores the default setting.

By default, there are two global default domains: the common domain default and the administrative domain default_admin. The former is used as the global default domain of access users, while the latter is used as the global default domain of administrators.

Format

Common domain default:

domain domain-name

undo domain

Administrative domain default_admin:

domain domain-name admin

undo domain admin

Parameters

Parameter

Description

Value

domain-name

Specifies the name of a global default domain.

The domain must already exist.

admin

Configures a domain for administrators.

If this parameter is not specified, the domain for common access users is configured.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the global default domain is configured, a user whose domain cannot be identified is managed by the global default domain.

Precautions

You must create a domain before configuring the domain as the global default domain.

Example

# Create domain abc and configure it as the global default common domain.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain abc
[HUAWEI-aaa-domain-abc] quit
[HUAWEI-aaa] quit
[HUAWEI] domain abc

domain-location

Function

The domain-location command configures the position of a domain name.

The undo domain-location command restores the default position of a domain name.

By default, the domain name in the AAA view is placed behind the domain name delimiter, and no position is configured in the authentication profile view.

Format

domain-location { after-delimiter | before-delimiter }

undo domain-location

Parameters

Parameter

Description

Value

after-delimiter

Indicates that the domain name is placed behind the domain name delimiter.

-

before-delimiter

Indicates that the domain name is placed before the domain name delimiter.

-

Views

AAA view, authentication profile view

Default Level

In the AAA view, the default level is management level.

In the authentication profile view, the default level is configuration level.

Usage Guidelines

Usage Scenario

By default, a user name has the format user name@domain name. If before-delimiter is specified, the format domain name@user name is used.

You can use the domain-location command only when there is no online user.

Precautions

If you run the domain-location command in the AAA view, the position of a domain is configured globally and the configuration takes effect for all users.

When this command is executed in the authentication profile, the configuration takes effect only after the authentication profile is bound to a VAP profile.

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the authentication profile, the configuration takes effect for only the users connected to this authentication profile.

Example

# Configure the domain name before the domain name delimiter.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain-location before-delimiter

domain-name-delimiter

Function

The domain-name-delimiter command configures a domain name delimiter.

The undo domain-name-delimiter command restores the default domain name delimiter.

By default, the domain name delimiter in the AAA view is @, and no delimiter is available in the authentication profile view.

Format

domain-name-delimiter delimiter

undo domain-name-delimiter

Parameters

Parameter

Description

Value

delimiter

Specifies a domain name delimiter. The delimiter is a single character.

The value can only be one of the following characters: \ / : < > | @ ' %.

Views

AAA view, authentication profile view

Default Level

In the AAA view, the default level is management level.

In the authentication profile view, the default level is configuration level.

Usage Guidelines

Usage Scenario

Different AAA servers may use different domain name delimiters. To ensure that an AAA server obtains the correct user name and domain name, configure the same domain name delimiter on the device and the AAA server.

For example, if the domain name delimiter is %, the user name of user1 in the domain dom1 is user1%dom1 or dom1%user1.

Precautions

Before using the domain-name-delimiter command, ensure that no local user exists.

If you run the domain-name-delimiter command in the AAA view, the domain name delimiter is configured globally and the configuration takes effect for all users.

When this command is executed in the authentication profile, the configuration takes effect only after the authentication profile is bound to a VAP profile.

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the authentication profile, the configuration takes effect for only the users connected to this authentication profile.

Example

# Configure the domain name delimiter as / in the AAA view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain-name-delimiter /

domainname-parse-direction

Function

The domainname-parse-direction command configures the direction in which a domain name is parsed.

The undo domainname-parse-direction command restores the default direction in which a domain name is parsed.

By default, the domain name is parsed from left to right in the AAA view, and no parsing direction is configured in the authentication profile view.

Format

domainname-parse-direction { left-to-right | right-to-left }

undo domainname-parse-direction

Parameters

Parameter

Description

Value

left-to-right

Parses a domain name from left to right.

-

right-to-left

Parses a domain name from right to left.

-

Views

AAA view, authentication profile view

Default Level

In the AAA view, the default level is management level.

In the authentication profile view, the default level is configuration level.

Usage Guidelines

Usage Scenario

In AAA implementations, users belong to different domains. A network access server (NAS) centrally manages users in a domain. During a user's login, the NAS parses the entered user name. A user is authenticated only when the user has the correct user name and domain name. When configuring an AAA scheme, run the domainname-parse-direction { left-to-right | right-to-left } command to configure the direction in which a domain name is parsed.

Assume that the user name is username@dom1@dom2.
  • If the domain-location command configures the domain name behind the domain name delimiter:
    • When left-to-right is specified, the user name is username and the domain name is dom1@dom2.
    • When right-to-left is specified, the user name is username@dom1 and the domain name is dom2.
  • If the domain-location command configures the domain name before the domain name delimiter:
    • When left-to-right is specified, the user name is dom1@dom2 and the domain name is username.
    • When right-to-left is specified, the user name is dom2 and the domain name is username@dom1.
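
The four cases listed above are the result of three settings acting together: domain-name-delimiter chooses the character to cut on, domainname-parse-direction chooses whether the first or the last occurrence of that character is the cut point, and domain-location chooses which side of the cut is the domain name. The following added example, which is not Huawei code, implements exactly that splitting in Python and then applies the rule from the domain (system view) command, under which a user whose domain cannot be identified falls under the global default domain (default for access users, default_admin for administrators). DomainParseConfig, split_login_name and effective_domain are this example's own names; the set of accepted delimiters is the one listed under domain-name-delimiter.

```python
"""Split a login string into user name and domain name following the three
AAA settings described on this page (domain-name-delimiter, domain-location,
domainname-parse-direction), then fall back to the global default domain
when the login string carries no domain. Added illustration, not Huawei
code; the class and function names are this example's own."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Delimiters the domain-name-delimiter command accepts: \ / : < > | @ ' %
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainParseConfig:
    delimiter: str = "@"        # domain-name-delimiter (default @)
    domain_after: bool = True   # domain-location after-delimiter (default)
    left_to_right: bool = True  # domainname-parse-direction left-to-right (default)

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError("delimiter must be one of %s" % "".join(sorted(ALLOWED_DELIMITERS)))


def split_login_name(login: str, cfg: DomainParseConfig = DomainParseConfig()) -> Tuple[str, Optional[str]]:
    """Return (user_name, domain_name); domain_name is None when the login
    string carries no delimiter at all."""
    if cfg.delimiter not in login:
        return login, None
    # left-to-right cuts at the first delimiter, right-to-left at the last one
    if cfg.left_to_right:
        left, right = login.split(cfg.delimiter, 1)
    else:
        left, right = login.rsplit(cfg.delimiter, 1)
    # domain-location decides which side of the cut is the domain name
    return (left, right) if cfg.domain_after else (right, left)


def effective_domain(domain_name: Optional[str], admin: bool = False,
                     default_domain: str = "default",
                     default_admin_domain: str = "default_admin") -> str:
    """Users whose domain cannot be identified are managed by the global
    default domain: default for access users, default_admin for
    administrators (see the domain (system view) command)."""
    if domain_name:
        return domain_name
    return default_admin_domain if admin else default_domain


if __name__ == "__main__":
    login = "username@dom1@dom2"   # the login string used in the text above
    for after in (True, False):
        for l2r in (True, False):
            cfg = DomainParseConfig(domain_after=after, left_to_right=l2r)
            print("after=%s left_to_right=%s -> %s" % (after, l2r, split_login_name(login, cfg)))
```

Running the module prints the four user name and domain name pairs given in the list above; with the delimiter set to %, the same function yields user1 and dom1 for both user1%dom1 and, under before-delimiter, dom1%user1, as the domain-name-delimiter section states.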

Precautions

If you run the domainname-parse-direction command in the AAA view, the direction in which a domain name is parsed is configured globally and the configuration takes effect for all users.

When this command is executed in the authentication profile, the configuration takes effect only after the authentication profile is bound to a VAP profile.

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the authentication profile, the configuration takes effect for only the users connected to this authentication profile.

Example

# Configure the device to parse a domain name from right to left in the AAA view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domainname-parse-direction right-to-left

idle-cut (service scheme view)

Function

The idle-cut command enables the idle-cut function for domain users and sets the idle-cut parameters.

The undo idle-cut command disables the idle-cut function.

By default, the idle-cut function is disabled for domain users.

Format

idle-cut idle-time flow-value [ inbound | outbound ]

undo idle-cut

Parameters

Parameter

Description

Value

idle-time

Specifies the period for which an idle user can stay online.

The value is an integer that ranges from 1 to 1440, in minutes.

flow-value

Specifies the traffic threshold for the idle-cut function. When the traffic of a user stays below this threshold for the idle time, the device considers that the user is in the idle state.

The value is an integer that ranges from 0 to 4294967295, in kbytes.

inbound

Indicates that the idle-cut function takes effect for only upstream traffic of users.

-

outbound

Indicates that the idle-cut function takes effect for only downstream traffic of users.

NOTE:

If neither inbound nor outbound is specified, the idle-cut function takes effect for both upstream and downstream traffic.

-

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A user who generates little or no network traffic for a long time still occupies bandwidth, which reduces the access rate of other users. The idle-cut function disconnects users whose traffic volume stays below the traffic threshold for the idle time, to save resources and improve the service experience of other users.

Precautions

  • The idle-cut command configured in the service scheme view takes effect only for administrators.

Example

# Enable the idle-cut function for the domain, and set the idle time to 1 minute and the traffic threshold to 10 kbytes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei 
[HUAWEI-aaa-service-huawei] idle-cut 1 10

local-aaa-user wrong-password

Function

The local-aaa-user wrong-password command enables the local account locking function and sets the retry interval, the maximum number of consecutive incorrect password attempts, and the locking duration.

The undo local-aaa-user wrong-password command disables the local account locking function.

By default, the local account locking function is enabled, the retry interval is 5 minutes, the maximum number of consecutive incorrect password attempts is 3, and the account locking period is 5 minutes.

Format

local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

undo local-aaa-user wrong-password

Parameters

Parameter

Description

Value

retry-interval retry-interval

Specifies the retry interval of a local account.

The value is an integer that ranges from 5 to 65535, in minutes.

retry-time retry-time

Specifies the consecutive incorrect password attempts.

The value is an integer that ranges from 3 to 65535.

block-time block-time

Specifies the local account locking duration.

In practice, the actual locking time may differ from the configured value by up to one minute.

The value is an integer that ranges from 5 to 65535, in minutes.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to the following scenarios:
  • The command locks a local account to improve password security of the local user. If the password is entered incorrectly more than a certain number of times within the given retry period, the account is locked. The device does not authenticate the user when the account is locked.
  • The command locks a local account so that the password cannot be cracked by a brute-force attack from a malicious user. When a user attempts to change the password and enters the original password incorrectly more than a certain number of times within the given retry period, the account is locked. The user cannot modify the password while the account is locked.

Follow-up Procedure

After a local account is locked, you can run the local-user user-name state active command to unlock the local account.

Precautions

Only entering the incorrect password can lock the account. Other local authentication failures will not lock the account.
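
The three parameters retry-interval, retry-time and block-time define a small state machine per account, and the display local-user and display remote-user authen-fail outputs earlier on this page expose its state as Retry-time-left and Block-time-left. The following added example, which is not Huawei code, models that behaviour in Python over constructed login attempts: wrong passwords are counted inside a retry interval that starts at the first wrong password, reaching retry-time wrong passwords inside one interval locks the account for block-time minutes, a locked account is not authenticated at all, other authentication failures do not count, and an administrative unlock corresponds to local-user user-name state active. The exact counting rule (the retry-time-th wrong password inside one interval locks the account) and the minute-based clock are assumptions of this example, and LockoutPolicy, AccountState and LocalAccountLocker are its own names.

```python
"""Model of the local account locking behaviour configured with
local-aaa-user wrong-password. Added illustration, not Huawei code; the
counting rule and the integer minute clock are assumptions of the example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    retry_interval: int = 5   # minutes, 5..65535
    retry_time: int = 3       # consecutive wrong passwords, 3..65535
    block_time: int = 5       # minutes, 5..65535

    def __post_init__(self) -> None:
        # Value ranges as given in the parameter table of the command
        for name, low in (("retry_interval", 5), ("retry_time", 3), ("block_time", 5)):
            value = getattr(self, name)
            if not low <= value <= 65535:
                raise ValueError("%s must be in %d..65535" % (name, low))


@dataclass
class AccountState:
    failures: int = 0                      # wrong passwords in the current window
    window_start: Optional[int] = None     # minute of the first failure in the window
    blocked_until: Optional[int] = None    # minute at which the lock expires


class LocalAccountLocker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def _window_expired(self, st: AccountState, now: int) -> bool:
        return st.window_start is None or now - st.window_start >= self.policy.retry_interval

    def is_blocked(self, user: str, now: int) -> bool:
        st = self._state(user)
        return st.blocked_until is not None and now < st.blocked_until

    def block_time_left(self, user: str, now: int) -> int:
        """Counterpart of the Block-time-left / BlockTime(Mins) output items."""
        st = self._state(user)
        return max(st.blocked_until - now, 0) if st.blocked_until is not None else 0

    def retry_time_left(self, user: str, now: int) -> int:
        """Counterpart of the Retry-time-left / RetryTimeLeft output items."""
        st = self._state(user)
        if self._window_expired(st, now):
            return self.policy.retry_time
        return self.policy.retry_time - st.failures

    def wrong_password(self, user: str, now: int) -> bool:
        """Record a wrong password; returns True when the account is (now) locked."""
        st = self._state(user)
        if self.is_blocked(user, now):
            return True   # a locked account is not authenticated at all
        if self._window_expired(st, now):
            st.window_start, st.failures = now, 0   # start a fresh retry interval
        st.failures += 1
        if st.failures >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.window_start, st.failures = None, 0
            return True
        return False

    def other_failure(self, user: str) -> None:
        """Failures other than a wrong password (e.g. unknown user) never lock the account."""
        self._state(user)

    def success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._accounts[user] = AccountState()

    def unlock(self, user: str) -> None:
        """Administrative unlock, the equivalent of local-user <user> state active."""
        self._accounts[user] = AccountState()


if __name__ == "__main__":
    locker = LocalAccountLocker(LockoutPolicy())
    # Constructed sequence: three wrong passwords within two minutes lock the account.
    for minute in (0, 1, 2):
        print("minute %d: locked=%s retry-time-left=%d" % (
            minute, locker.wrong_password("zsh", minute), locker.retry_time_left("zsh", minute)))
    print("minute 4: block-time-left=%d" % locker.block_time_left("zsh", 4))
```

Two consequences of the model are worth checking against a real device: wrong passwords spaced further apart than the retry interval never accumulate, so a slow guessing pattern is not caught by this mechanism alone, and a wrong password entered while the account is locked does not extend the lock.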

Example

# Enable local account locking, and set the authentication retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking period to 5 minutes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

local-user

Function

The local-user command creates a local user and sets parameters of the local user.

The undo local-user command deletes a local user.

By default, the local user admin exists in the system. The password of the user is admin@huawei.com, the irreversible encryption algorithm is used, the level is 15, and the service types are http and terminal.

Format

local-user user-name { password { cipher | irreversible-cipher } password | access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | privilege level level | state { block | active } | user-group group-name } *

local-user user-name http-directory directory

undo local-user user-name [ access-limit | ftp-directory | http-directory | idle-timeout | privilege level | user-group group-name ]

Parameters

Parameter

Description

Value

user-name

Specifies the user name. If the user name contains the delimiter "@", the characters before "@" form the user name and the characters after "@" form the domain name. If the value does not contain "@", the entire character string is the user name and the domain name is the default one.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks (*), double quotation marks (") or question marks (?).

password { cipher | irreversible-cipher } password

Specifies the password of a local user.

  • The cipher parameter indicates that the user password is stored using a reversible encryption algorithm. Unauthorized users who obtain the cipher text can recover the plain text with the corresponding decryption algorithm, so security is low.

  • The irreversible-cipher parameter indicates that the user password is stored using an irreversible encryption algorithm. Unauthorized users cannot recover the plain text from the stored value, so user security is ensured.

If a local user's password is stored using the irreversible encryption algorithm, the device cannot perform CHAP authentication for that user, because CHAP requires the plain-text password.

NOTICE:

It is recommended that you set the user password when creating a user. Setting the password interactively with the local-user password command is recommended.

The value is a case-sensitive string without question marks (?) or spaces.
  • If the cipher parameter is specified, the value of password can be a plain text of 8 to 128 characters or a cipher-text password of 48, 68, 88, 108, 128, 148, 168, or 188 characters.
  • If the irreversible-cipher parameter is specified, the value of password can be a plain text of 8 to 128 characters or a cipher-text password of 68 characters.

A simple local user password brings security risks. The user password must contain at least two of the following character types: uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or the user name in reverse order.

access-limit max-number

Specifies the number of connections that can be created with a specified user name.

If this parameter is not specified, a user can establish a maximum of 4294967295 connections by default.

The value is an integer that ranges from 1 to 4294967295.

The actual number of connections is the smaller value between max-number and the maximum number of users of a type on different models.

ftp-directory directory

Specifies the directory that FTP users can access.

If this parameter is not specified, the FTP directory of the local user is empty. The device will check whether the default FTP directory has been set using the set default ftp-directory command. If no FTP directory exists, FTP users cannot log in to the device.

NOTE:
Ensure that the configured FTP directory is an absolute path; otherwise, the configuration does not take effect.

The value is a string of 1 to 64 case-sensitive characters without spaces.

http-directory directory

Specifies the directory that HTTP users can access.

If this parameter is not specified, the HTTP directory of the local user is empty.

The value is a string of 1 to 64 case-sensitive characters without spaces.

idle-timeout minutes [ seconds ]

Specifies the timeout period for disconnection of the user.

  • minutes specifies the idle time, in minutes, after which the user interface is disconnected.
  • seconds specifies the additional idle time, in seconds, after which the user interface is disconnected.

If this parameter is not specified, the device uses the idle timeout interval configured by the idle-timeout command in the user view.

If minutes [ seconds ] is set to 0 0, the idle disconnection function is disabled.

NOTICE:

If the idle timeout interval is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. You are advised to run the lock command to lock the current connection.

  • minutes: the value is an integer ranging from 0 to 35791 minutes.
  • seconds: the value is an integer ranging from 0 to 59 seconds.

privilege level level

Specifies the level of a local user. After logging in to the device, a user can run only the commands of the same level or lower levels.

NOTE:

If this parameter is not specified, the user level is 0.

The permission of API users is not controlled by this parameter. Therefore, you do not need to configure this parameter.

The value is an integer that ranges from 0 to 15. The greater the value, the higher the level of a user.

state { active | block }

Specifies the status of a local user.

  • active indicates that the local user is in the active state: the device accepts and processes authentication requests from the user and allows the user to change the password.
  • block indicates that the local user is in the blocking state: the device rejects authentication requests from the user and does not allow the user to change the password.

If a user has already established a connection when the user is set to the blocking state, that connection remains in effect, but the device rejects subsequent authentication requests from the user.

If this parameter is not specified, the status of a local user is active.

-

user-group group-name

Specifies the name of a user group.

NOTE:

This parameter is supported only by the switches in the NAC common mode.

The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To facilitate device maintenance, run the local-user command on the device to create a local user and set parameters such as the password, user level, and FTP directory.

Prerequisites

Before adding a local user to a user group, ensure that the user group has been created using the user-group command.

Precautions

  • For device security purposes, change the password periodically.
  • Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially authorized digital certificate.

  • After a local administrator logs in to the device, the administrator can create, modify, or delete attributes of other local users of the same or a lower level. The attributes include password, user level, maximum number of access users, and account validity period.

    After you change the rights (for example, the password, level, FTP directory, idle timeout interval, or status) of a local account, the rights of users already online do not change. The change takes effect when the user next goes online.

  • Online users cannot be deleted. Delete a user only after the user goes offline or after you run the cut access-user username user-name command in the AAA view to disconnect the user.
  • The user name function may be invalid due to improper configuration of the domain name delimiter.
  • One user group can be used by multiple local users. However, a local user belongs to only one user group. If the user groups have been configured for the local user and in the service template, only the user group configured for the local user takes effect. The user groups that are used by a local user or an online user cannot be deleted.

  • The idle-cut command configured in the service scheme view takes effect only for administrators.

Example

# Create a local user user1, and set the domain name to vipdomain, the password to admin@12345 in cipher text, the maximum number of connections to 100, and the idle timeout interval to 10 minutes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain password irreversible-cipher admin@12345 access-limit 100 idle-timeout 10

local-user change-password

Function

The local-user change-password command enables local users to change their passwords.

Format

local-user change-password

Parameters

None

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

If you are a low-level administrator, you can run the local-user change-password command in the user view to change your own password after passing authentication, which helps keep the password secure.

Precautions

  • To modify the password, a local user must enter the old password.
  • After the user that passes local authentication changes the password, the user must type the new password to pass local authentication.
  • The local-user change-password command is used to change the password of a local user. It does not save the configuration itself; the changed password is saved through the local-user password command. If the server does not receive the old password, the new password, or the password confirmation from the user within 30 seconds, it terminates the password change process. When the user presses Ctrl+C to cancel the password change, the password change process is also terminated.
  • A simple password of a local user may bring security risks. When a local user changes the password, the new password must be a string of 8 to 128 characters and must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters. In addition, the new password cannot be the same as the user name or the user name in a reverse order.
  • For device security purposes, change the password periodically.

Example

# The local user changes the password.

<HUAWEI> local-user change-password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numer
als and special characters. 
Please enter old password: 
Please enter new password: 
Please confirm new password: 
Info: The password is changed successfully.

local-user device-type

Function

The local-user device-type command configures the type of terminals allowed to access the network.

The undo local-user device-type command deletes the type of terminals allowed to access the network.

By default, the type of terminals allowed to access the network is not configured.

NOTE:

This function is supported only by S5720HI.

Format

local-user user-name device-type device-type &<1-8>

undo local-user user-name device-type

Parameters

Parameter Description Value
user-name Specifies the name of a local user.

When querying and modifying the user account, you can use the wildcard *, for example, *@isp, user@*, and *@*.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

device-type Specifies a terminal type.

The value is a string of 1 to 31 case-insensitive characters without spaces.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

You can run the local-user device-type command to configure the type of terminals allowed to access the network. In local authentication and authorization, the device checks whether a terminal is allowed to access the network. If so, the device checks the user name and password of the terminal.

Example

# Set the type of the terminal that local user hello uses to access the network to iphone.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user hello device-type iphone

local-user expire-date

Function

The local-user expire-date command sets the expiration date of a local account.

The undo local-user expire-date command restores the default expiration date of a local account.

By default, a local account is permanently valid.

Format

local-user user-name expire-date expire-date

undo local-user user-name expire-date

Parameters

Parameter Description Value
user-name

Specifies a local account.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

expire-date

Specifies the expiration date of the local account.

The value is in YYYY/MM/DD format. YYYY specifies the year, MM specifies the month, and DD specifies the day. The value ranges from 2000/1/1 to 2099/12/31.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local account is created, the account has no expiration date by default. You can run the local-user expire-date command to set the expiration date of a local account. When the expiration date is reached, the account expires. This configuration enhances network security.

Precautions

  • For example, if the expiration date of the local account is set to 2013-10-1, the account becomes invalid at 00:00 on 2013-10-1.
  • This function takes effect only for users who go online after this function is successfully configured.

Example

# Set the expiration date of local account hello@163.net to 2013/10/1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user hello@163.net expire-date 2013/10/1

local-user password

Function

The local-user password command configures a password for a local account.

By default, the password of a local account is empty.

Format

local-user user-name password

NOTE:

This command is an interactive command. After you enter local-user user-name password and press Enter, you can set the password as prompted. The local user password is a string of 8 to 128 case-sensitive characters.

Parameters

Parameter Description Value
user-name

Specifies the local user name.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

If no password is configured when a local user is created, the password is empty, and the local user cannot log in to the device.

A simple local user password may bring security risks. The user password must consist of at least two of the following character types: uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or the user name in reverse order.
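
The password rules stated here, in the local-user password parameter description, and in the local-user change-password precautions can be checked before a password is pushed to a device. The following validator is an added example, not Huawei code; which characters count as "special" and whether the user name is compared with or without its domain part are assumptions, since the page does not say.

```python
# Added example (not Huawei code): checks a candidate local user password against the
# rules this reference states. Which characters count as "special" is an assumption,
# as the page does not enumerate them.

MIN_LEN, MAX_LEN = 8, 128


def _char_classes(password: str) -> set:
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # assumption: anything else is a special character
    return classes


def check_local_user_password(user_name: str, password: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.

    Rules taken from the page: plain-text length 8 to 128; no question marks or spaces;
    at least two of uppercase, lowercase, numerals, special characters; not equal to the
    user name or to the user name reversed.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(password)}")
    if "?" in password or " " in password:
        problems.append("password must not contain '?' or spaces")
    if len(_char_classes(password)) < 2:
        problems.append("password must mix at least two character types")
    # Assumption: the comparison covers both the full name (user@domain) and the part
    # before the domain delimiter, and is made exactly as entered.
    bare = user_name.split("@", 1)[0]
    if password in (user_name, user_name[::-1], bare, bare[::-1]):
        problems.append("password must not equal the user name or its reverse")
    return problems
```

The function returns every violated rule rather than stopping at the first, so a provisioning script can report all problems with a generated password at once.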

Example

# Set the password to abc@#123456 for the local account hello@163.net.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user hello@163.net password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters. 
Please enter password:              //Enter the password abc@#123456                                                          
Please confirm password:              //Confirm the password abc@#123456
Info: Add a new user.

local-aaa-user password policy access-user

Function

The local-aaa-user password policy access-user command enables the password policy for local access users and enters the local access user password policy view.

The undo local-aaa-user password policy access-user command disables the password policy of local access users.

By default, the password policy of local access users is disabled.

Format

local-aaa-user password policy access-user

undo local-aaa-user password policy access-user

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

After a local user is created using the local-user command, only the minimum length and complexity of the password are enforced. To improve password security further, run this command to enter the local access user password policy view and configure a password policy. With the policy enabled, a new password cannot be the same as any previously used password stored on the device.

Example

# Enable the local access user password policy and enter the local access user password policy view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy access-user
[HUAWEI-aaa-lupp-acc]

local-aaa-user password policy administrator

Function

The local-aaa-user password policy administrator command enables the password policy for local administrators and enters the local administrator password policy view.

The undo local-aaa-user password policy administrator command disables the password policy of local administrators.

By default, the password policy of local administrators is disabled.

Format

local-aaa-user password policy administrator

undo local-aaa-user password policy administrator

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local user is created using the local-user command, only the minimum length and complexity of the password are enforced. To improve password security further, run this command to enter the local administrator password policy view and configure the password policy for local administrators there.

Precautions

After the undo local-aaa-user password policy administrator command is executed, the administrator password policy will be disabled, causing a security risk.

In V200R010C00 and later versions, when the device starts with the default configurations, it automatically performs the following configurations and saves the configurations to the configuration file:
  • Run the local-aaa-user password policy administrator command to enable the password policy for local administrators.
  • Run the password expire 0 command to configure the passwords of local administrators to be permanently valid.
  • Run the password history record number 0 command to configure the device not to check whether a changed password of a local administrator is the same as any historical password.

Example

# Enable the local administrator password policy and enter the local administrator password policy view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin]

local-user service-type

Function

The local-user service-type command sets the access type for a local user.

The undo local-user service-type command restores the default access type for a local user.

By default, a local user cannot use any access type.

Format

local-user user-name service-type { 8021x | api | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *

undo local-user user-name service-type

NOTE:

Only the S2720EI, S5720EI, S5720HI, S5720I-SI, S5720LI, S5720S-LI, S5720S-SI, S5720SI, S5730HI, S5730S-EI, S5730SI, S6720EI, S6720HI, S6720LI, S6720S-EI, S6720S-LI, S6720S-SI, and S6720SI support the api parameter.

Parameters

Parameter Description Value

user-name

Specifies a user name.

If the user name contains a domain name delimiter such as @, the string before @ is the user name and the string after @ is the domain name. If the value does not contain @, the entire string is the user name and the domain name is the default one.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

8021x

Indicates an 802.1X user.

-

api

Indicates an API user, which is typically used for NETCONF access.

NOTE:

If the access type of a user is API, the user name cannot be set to root.

-

ftp

Indicates an FTP user.

-

http

Indicates an HTTP user, which is usually used for web system login.

-

ppp

Indicates a PPP user.

-

ssh

Indicates an SSH user.

-

telnet

Indicates a Telnet user, which is usually a network administrator.

-

terminal

Indicates a terminal user, which is usually a user connected using a console port.

-

web

Indicates a Portal authentication user.

-

x25-pad

Indicates an X25-PAD user.

NOTE:

Currently, the device does not support X25-PAD.

-

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device can manage access types of local users. After you specify the access type of a user, the user can successfully log in only when the configured access type is the same as the actual access type of the user.

Local users have the following access types:
  • Administrative: api, ftp, http, ssh, telnet, terminal, and x25-pad
  • Common: 8021x, ppp, and web

Precautions

  • When MAC authentication users use AAA local authentication, the device does not match or check the access type of local users. However, the access type must be configured; otherwise, local authentication for MAC address authentication users fails.

  • Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially authorized digital certificate.

  • Common access types cannot be configured together with administrative access types.

    The API access type cannot be configured together with other access types.

    If a user has been created and the password uses an irreversible encryption algorithm, the access type can only be set to an administrative one.

    If a user has been created and the password uses a reversible encryption algorithm, the access type can be set to an administrative or common one. When the access type is set to an administrative one, the encryption algorithm of the password is automatically converted into an irreversible encryption algorithm.
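
The combination rules in the precautions above are easy to get wrong in bulk provisioning. The following checker is an added example, not Huawei code: it takes the access types requested in one local-user service-type command and the account's current password storage mode, reports the first violated constraint, returns the storage mode the account ends up with (cipher is converted to irreversible-cipher when an administrative type is set), and flags the Telnet and FTP login modes the page advises against. Comparing only the part of the user name before @ for the root check is an assumption.

```python
# Added example (not Huawei code): validates the local-user service-type constraints
# listed in the precautions and reports the resulting password storage mode.

ADMIN_TYPES = frozenset({"api", "ftp", "http", "ssh", "telnet", "terminal", "x25-pad"})
COMMON_TYPES = frozenset({"8021x", "ppp", "web"})
# Login modes the page advises against, with the recommended replacement.
RISKY_TYPES = {"telnet": "prefer STelnet (access type ssh)", "ftp": "prefer SFTP (access type ssh)"}


def check_service_type(user_name: str, types, password_mode):
    """Check one service-type change.

    types: the access types given in a single command.
    password_mode: 'cipher', 'irreversible-cipher', or None when no password is set yet.
    Returns (error, resulting_mode, warnings); error is None when the change is allowed.
    """
    requested = set(types)
    warnings = [f"{t}: {RISKY_TYPES[t]}" for t in sorted(requested & set(RISKY_TYPES))]

    unknown = requested - ADMIN_TYPES - COMMON_TYPES
    if unknown:
        return f"unknown access type(s): {sorted(unknown)}", password_mode, warnings
    if requested & ADMIN_TYPES and requested & COMMON_TYPES:
        return "common access types cannot be combined with administrative ones", password_mode, warnings
    if "api" in requested and len(requested) > 1:
        return "api cannot be combined with other access types", password_mode, warnings
    # Assumption: the root restriction applies to the name before the domain delimiter.
    if "api" in requested and user_name.split("@", 1)[0] == "root":
        return "an API user cannot be named root", password_mode, warnings
    if password_mode == "irreversible-cipher" and requested & COMMON_TYPES:
        return "irreversible-cipher passwords allow administrative access types only", password_mode, warnings
    if password_mode == "cipher" and requested & ADMIN_TYPES:
        # The device converts the stored password to the irreversible algorithm.
        password_mode = "irreversible-cipher"
    return None, password_mode, warnings
```

Running the example from this section through the checker, local-user user1@vipdomain service-type ssh on an account created with password cipher is allowed and leaves the account with an irreversible-cipher password.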

Example

# Set the access type of the local user user1@vipdomain to SSH.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain service-type ssh

local-user time-range

Function

The local-user time-range command sets the access permission time range for a local user.

The undo local-user time-range command deletes the access permission time range for a local user.

By default, a local account can access the network anytime.

Format

local-user user-name time-range time-name

undo local-user user-name time-range

Parameters

Parameter Description Value
user-name

Indicates the local account.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

time-name

Indicates the access permission time range of the local account. time-name specifies the name of the access permission time range.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter. In addition, the word all cannot be specified as a time range name.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a local account is created, it can access the network at any time by default. To restrict the network access time of a local account, run the local-user time-range command. After the command is executed, the account can access network resources only in the specified time range.

Prerequisite

The time range has been created using the time-range command.

Precautions

If you run the local-user time-range and local-user expire-date commands in the AAA view multiple times, only the latest configuration takes effect.

After the access permission time range of an online local user is changed, the access permission time range of the user will take effect only when the user goes online next time.
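
The expire-date rule (the account becomes invalid at 00:00 on the given day) and the time-range rule (access only inside the window on the listed days) can be evaluated together when auditing which accounts are usable at a given moment. The following is an added example, not Huawei code. It models only the time-range form used in the example above (HH:MM to HH:MM working-day, with working-day taken as Monday to Friday) and assumes the window includes its start instant and excludes its end instant; timestamps may be datetime objects or ISO-8601 strings.

```python
# Added example (not Huawei code): combines the local-user expire-date and
# local-user time-range rules into one "may this account connect now?" check.
from datetime import datetime, time

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday; assumed meaning of working-day


def parse_expire_date(value: str) -> datetime:
    """Parse the YYYY/MM/DD value accepted by local-user expire-date (2000/1/1 to 2099/12/31).

    The account becomes invalid at 00:00 on that day, so the returned datetime is the
    first instant at which access is refused.
    """
    year, month, day = (int(part) for part in value.split("/"))
    if not 2000 <= year <= 2099:
        raise ValueError(f"expire-date outside 2000/1/1-2099/12/31: {value}")
    return datetime(year, month, day)


def parse_time_range(spec: str):
    """Parse 'HH:MM to HH:MM working-day' into (start, end, weekdays).

    Only the working-day keyword is modelled (an assumption; the real time-range
    command accepts other day specifications).
    """
    start, to, end, days = spec.split()
    if to != "to" or days != "working-day":
        raise ValueError(f"unsupported time-range specification: {spec}")
    h1, m1 = (int(p) for p in start.split(":"))
    h2, m2 = (int(p) for p in end.split(":"))
    return time(h1, m1), time(h2, m2), WORKING_DAYS


def account_permitted(now, expire_date=None, time_range=None) -> bool:
    """True if the account may access the network at `now`.

    expire_date: optional 'YYYY/MM/DD'; time_range: optional 'HH:MM to HH:MM working-day'.
    With neither set the account is permanently valid and may connect at any time,
    which is the default the page describes.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if expire_date is not None and now >= parse_expire_date(expire_date):
        return False
    if time_range is not None:
        start, end, days = parse_time_range(time_range)
        # Assumption: the window includes its start and excludes its end instant.
        return now.weekday() in days and start <= now.time() < end
    return True
```

The check applies the expiry rule first, so an expired account is refused even inside its time range, which matches the two commands being independent restrictions.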

Example

# Set the access permission time segment of local account hello@163.net to 9:00-18:00 from Monday to Friday.

<HUAWEI> system-view
[HUAWEI] time-range huawei 9:00 to 18:00 working-day
[HUAWEI] aaa
[HUAWEI-aaa] local-user hello@163.net time-range huawei

local-user user-type netmanager

Function

The local-user user-type netmanager command configures a local user as the NMS user.

The undo local-user user-type netmanager command cancels the configuration of a local user as the NMS user.

By default, no local user is configured as the NMS user.

Format

local-user user-name user-type netmanager

undo local-user user-name user-type netmanager

Parameters

Parameter Description Value
user-name

Specifies a user name.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a VTY user logging in to the device is an NMS user, you need to run this command to set the user type. When the number of login VTY users has reached the maximum, an NMS user can log in using the reserved VTY numbers 16-20. The NMS user is allowed to log in to the device only after passing the AAA local authentication.

Prerequisite

The local user has been created using the local-user command. This user must pass the AAA local authentication.

Example

# Configure the local user user1@vipdomain as the NMS user.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain password cipher Huawei@1234
[HUAWEI-aaa] local-user user1@vipdomain user-type netmanager

outbound recording-scheme

Function

The outbound recording-scheme command applies a policy to a recording scheme to record the connection information.

The undo outbound recording-scheme command deletes a policy from a recording scheme. Connection information is not recorded then.

By default, connection information is not recorded.

Format

outbound recording-scheme recording-scheme-name

undo outbound recording-scheme

Parameters

Parameter Description Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Incorrect connections may result in network faults, for example, loops. The connection information recorded on a server helps you monitor devices. When network faults occur, you can locate faults based on the connection information recorded on the server.

Prerequisites

A recording scheme has been created using the recording-scheme command in the AAA view and an HWTACACS server template has been associated with a recording scheme using the recording-mode hwtacacs command in the recording scheme view.

Example

# Apply a policy to the recording scheme scheme to record the connection information.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme
[HUAWEI-aaa-recording-scheme] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme] quit
[HUAWEI-aaa] outbound recording-scheme scheme

password alert before-expire

Function

The password alert before-expire command sets the number of days before password expiration from which the device prompts users that their password is about to expire.

The undo password alert before-expire command restores the default password expiration prompt days.

By default, the number of password expiration prompt days is 30 days.

Format

password alert before-expire day

undo password alert before-expire

Parameters

Parameter Description Value
day

Indicates how long the system displays a prompt before the password expires.

If the value is set to 0, the device does not prompt users that the passwords will expire.

The value is an integer that ranges from 0 to 999, in days. The default value is 30.

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

When a user logs in to the device, the device checks how many more days the password is valid for. If the number of days is less than the prompt days set in this command, the device notifies the user in how many days the password will expire and asks the user whether they want to change the password.
  • If the user changes the password, the device records the new password and modification time.
  • If the user does not change the password or fails to change the password, the user can still log in as long as the password has not expired.

Example

# Set the number of password expiration prompt days to 90.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password alert before-expire 90

password alert original

Function

The password alert original command enables the device to prompt users to change initial passwords.

The undo password alert original command disables the device from prompting users to change initial passwords.

By default, the device prompts users to change initial passwords.

Format

password alert original

undo password alert original

Parameters

None

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve device security, use this command to enable the initial password change prompt function. When a user logs in to the device:
  • If the user enters the initial password, the device displays a message to ask whether to change the initial password. The user can select Y or N:
    • If the user selects Y to change the password, the user needs to enter the old password, new password, and confirm password. The password can be successfully changed only when the old password is correct and the new password and confirm password are the same and meet requirements (password length and complexity). After the password is changed, the user can log in to the device successfully.
    • If the user selects N or fails to change the password, and the initial password is the default password, the device does not allow the user to log in. If the initial password is not the default password, the device allows the user to log in.
  • If the entered password is not the initial password, the device does not display any message and the user can successfully log in.

After the undo password alert original command is executed, the initial password alert will be disabled, causing a security risk.

NOTE:

The initial password may be the default password, the password created by a local user in the first login, or the password changed by another user (for example, user B changes user A's password, and user A uses the changed password to log in. The device displays a prompt message in this situation).

Precautions

This function is only valid for Telnet users.

Example

# Enable the device to prompt users to change initial passwords.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password alert original

password expire

Function

The password expire command sets the password validity period.

The undo password expire command restores the default password validity period.

By default, the password validity period is 90 days.

Format

password expire day

undo password expire

Parameters

Parameter Description Value
day

Indicates the password validity period.

If the value is 0, the password is permanently valid.

The value is an integer that ranges from 0 to 999, in days. The default value is 90.

Views

Local administrator password policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve password security, the administrator can use this command to set the validity period for local users' passwords. When the validity period expires, the password becomes invalid.

If the local user still uses this password to log in to the device, the device allows the user to log in, prompts the user that the password has expired, and asks the user whether to change the password:
  • If the user selects Y, the user needs to enter the old password, new password, and confirm password. The password can be successfully changed only when the old password is correct and the new password and confirm password are the same and meet requirements (password length and complexity). After the password is changed, the user can log in to the device successfully.
  • If the user selects N or fails to change the password, the user cannot log in.

Precautions

Changing the system time will affect the password validity status.

After this command is executed, the device checks whether the password expires every minute; therefore, there may be a time difference within 1 minute.

In V200R010C00 and later versions, when the device starts with the default configurations, it automatically performs the following configurations and saves the configurations to the configuration file:
  • Run the local-aaa-user password policy administrator command to enable the password policy for local administrators.
  • Run the password expire 0 command to configure the passwords of local administrators to be permanently valid.
  • Run the password history record number 0 command to configure the device not to check whether a changed password of a local administrator is the same as any historical password.

Example

# Set the password validity period to 120 days.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password expire 120

password history record number

Function

The password history record number command sets the maximum number of historical passwords recorded for each user.

The undo password history record number command restores the default maximum number of historical passwords recorded for each user.

By default, five historical passwords are recorded for each user.

Format

password history record number number

undo password history record number

Parameters

Parameter Description Value
number

Indicates the maximum number of historical passwords recorded for each user.

If the value is set to 0, the device will not check whether a changed password is the same as any historical password.

The value is an integer that ranges from 0 to 12. The default value is 5.

Views

Local administrator password policy view, local access user password policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve password security, it is not recommended that you use a previously used password. You can set the maximum number of historical passwords recorded for each user. When a user changes the password, the device compares the new password against the historical passwords stored on the device. If the new password is the same as a stored password, the device displays an error message to prompt the user that password change fails.

Precautions

When the number of recorded historical passwords reaches the maximum value, the newest password overwrites the oldest recorded password on the device.

After the historical password recording function is disabled, the device does not record historical passwords; however, the passwords that have been stored are not deleted.

In V200R010C00 and later versions, when the device starts with the default configurations, it automatically performs the following configurations and saves the configurations to the configuration file:
  • Run the local-aaa-user password policy administrator command to enable the password policy for local administrators.
  • Run the password expire 0 command to configure the passwords of local administrators to be permanently valid.
  • Run the password history record number 0 command to configure the device not to check whether a changed password of a local administrator is the same as any historical password.

Example

# Set the maximum number of historical passwords recorded for each administrator to 10.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password history record number 10
# Set the maximum number of historical passwords recorded for each local access user to 10.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy access-user
[HUAWEI-aaa-lupp-acc] password history record number 10
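The history check described above, as an added Python model that is not the switch's own code. The class and method names, the salted PBKDF2 hashing, and the moment at which surplus old entries are dropped after the record number is lowered are assumptions; the 0 setting, the overwrite of the oldest entry, and the clearing done by reset local-user password history record follow the text.

```python
import hashlib
import os
from collections import deque


class PasswordHistory:
    """Ring of the last `record_number` passwords of one local user.

    record_number 0 models `password history record number 0`: a changed
    password is neither checked nor recorded, but entries already stored
    are kept, as the precautions above state.
    """

    ITERATIONS = 10_000  # assumption; kept low so the example runs quickly

    def __init__(self, record_number=5):
        self.set_record_number(record_number)
        self._entries = deque()  # oldest on the left, (salt, digest) pairs

    def set_record_number(self, record_number):
        """Apply `password history record number <number>` (0 to 12)."""
        if not 0 <= record_number <= 12:
            raise ValueError("record number must be between 0 and 12")
        self.record_number = record_number
        # Assumption: surplus old entries are dropped only when the next
        # password is recorded; the page does not say when they go.

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, cls.ITERATIONS)

    def _seen_before(self, password):
        return any(self._digest(password, salt) == digest
                   for salt, digest in self._entries)

    def change_password(self, new_password):
        """Return True if the change is accepted and recorded, False if the
        new password equals one of the recorded historical passwords."""
        if self.record_number == 0:
            return True  # recording disabled: no check, nothing stored
        if self._seen_before(new_password):
            return False  # device reports that the password change failed
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(new_password, salt)))
        while len(self._entries) > self.record_number:
            self._entries.popleft()  # newest overwrites the oldest
        return True

    def reset(self):
        """Model `reset local-user password history record` for this user."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)
```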

permit-domain

Function

The permit-domain command specifies permitted domains for WLAN users.

The undo permit-domain command deletes the permitted domains of WLAN users.

By default, no permitted domain is specified for WLAN users.

NOTE:

This function is supported only by S5720HI.

Format

permit-domain name domain-name &<1-4>

undo permit-domain { name domain-name | all }

Parameters

Parameter Description Value

name domain-name

Specifies the name of a permitted domain for WLAN users.

The domain must already exist.

all

Deletes the permitted domain for all WLAN users.

-

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a permitted domain is specified on an authentication profile, only the WLAN users in the permitted domain can be authenticated, authorized, or charged.

Prerequisites

Permitted domains have been created using the domain command.

Precautions

This command applies only to wireless users.

When this command is executed in the authentication profile, the configuration takes effect only after the authentication profile is bound to a VAP profile.

This command is only available in the NAC unified mode.

Example

# Specify permitted domain dom for WLAN users to the authentication profile john.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain dom
[HUAWEI-aaa-domain-dom] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name john
[HUAWEI-authen-profile-john] permit-domain name dom

recording-mode hwtacacs

Function

The recording-mode hwtacacs command associates an HWTACACS server template with a recording scheme.

The undo recording-mode command unbinds an HWTACACS server template from a recording scheme.

By default, no HWTACACS server template is associated with a recording scheme.

Format

recording-mode hwtacacs template-name

undo recording-mode

Parameters

Parameter Description Value

template-name

Specifies the name of an HWTACACS server template.

The HWTACACS server template must already exist.

Views

Recording scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device needs to send the records such as the executed commands, connection information, and system events to the specified HWTACACS accounting server; therefore, an HWTACACS server template needs to be associated with a recording scheme.

Prerequisites

The HWTACACS server template has been created by using the hwtacacs-server template command.

Example

# Associate the recording scheme scheme0 with the HWTACACS server template tacacs1.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template tacacs1
[HUAWEI-hwtacacs-tacacs1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0] recording-mode hwtacacs tacacs1

recording-scheme

Function

The recording-scheme command creates a recording scheme and displays the recording scheme view.

The undo recording-scheme command deletes a recording scheme.

By default, no recording scheme is configured on the device.

Format

recording-scheme recording-scheme-name

undo recording-scheme recording-scheme-name

Parameters

Parameter Description Value

recording-scheme-name

Specifies the name of a recording scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a recording scheme takes effect, you can view the records such as the executed commands, connection information, and system-level events on the recording server. The records help you locate network faults. Because a recording scheme needs to be associated with an HWTACACS server template, the recording scheme is configured only when HWTACACS authentication or authorization is performed.

Creating a recording scheme using the recording-scheme command is a mandatory step of the configuration.

Follow-up Procedure

Run the recording-mode hwtacacs command to associate an HWTACACS server template with the recording scheme.

After a recording scheme is created and associated with an HWTACACS server template, perform the following configurations in the AAA view:
  • Run the cmd recording-scheme command to apply a policy in a recording scheme to record the commands executed on the device.
  • Run the outbound recording-scheme command to apply a policy in a recording scheme to record the connection information.
  • Run the system recording-scheme command to apply a policy in a recording scheme to record the system events.

Precautions

If the recording scheme to be configured does not exist, the recording-scheme command creates a recording scheme and displays the recording scheme view. If the recording scheme to be configured already exists, the recording-scheme command displays the recording scheme view.

Before deleting a recording scheme, ensure that the scheme has not been referenced by the cmd recording-scheme or outbound recording-scheme or system recording-scheme command.

Example

# Create a recording scheme scheme0.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0]

redirect-acl

Function

The redirect-acl command configures the ACL used for redirection in a service scheme.

The undo redirect-acl command deletes the ACL used for redirection in a service scheme.

By default, no ACL for redirection is configured in the service scheme.

Format

redirect-acl { acl-number | name acl-name }

undo redirect-acl

Parameters

Parameter Description Value
acl-number

Specifies the number of the ACL used for redirection.

The value ranges from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users, and the ACL must already exist.

name acl-name

Specifies the name of the ACL used for redirection.

The ACL must already exist. The name is a string of 1 to 64 characters.

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

In some authentication scenarios, after users succeed in authentication, the administrator needs to redirect HTTP/HTTPS traffic matching ACL permit rules to the Portal authentication page where users are authenticated again.

Precautions

Before running this command, you are advised to run the acl (system view) or acl name command to create an ACL.

If the ACL has not been created, either before or after this command is run, the redirection ACL cannot be delivered.

To redirect HTTPS traffic, run the portal https-redirect enable command to configure the HTTPS redirection function.

Example

# Configure ACL 3001 for redirection in the service scheme svcscheme1.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] redirect-acl 3001

remote-aaa-user authen-fail

Function

The remote-aaa-user authen-fail command enables the remote AAA authentication account locking function, and sets the authentication retry interval, maximum number of consecutive authentication failures, and account locking period.

The undo remote-aaa-user authen-fail command disables the remote AAA authentication account locking function.

By default, the remote AAA account locking function is enabled, authentication retry interval is 30 minutes, maximum number of consecutive authentication failures is 30, and account locking period is 30 minutes.

Format

remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

undo remote-aaa-user authen-fail

Parameters

Parameter Description Value

retry-interval retry-interval

Specifies the authentication retry interval.

The value is an integer that ranges from 5 to 65535, in minutes.

retry-time retry-time

Specifies the maximum number of consecutive authentication failures.

The value is an integer that ranges from 3 to 65535.

block-time block-time

Specifies the account locking period.

The value is an integer that ranges from 5 to 65535, in minutes.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To ensure account security, you can enable the device to lock accounts that fail remote AAA authentication. If a user enters an incorrect account name or password more times than the maximum number of consecutive authentication failures within the retry interval, the account is locked. After the locking period expires, the account is unlocked.

Precautions

  • This command is valid only for remote AAA authentication and is invalid for local authentication.

  • In scenarios where an active/standby switchover is performed, the originally locked account is automatically unlocked.

  • After the remote AAA authentication account locking function is disabled using the undo remote-aaa-user authen-fail command, the originally locked account is automatically unlocked.

Example

# Enable the remote AAA account locking function, and set the authentication retry interval to 5 minutes, maximum number of consecutive authentication failures to 3, and account locking period to 5 minutes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 5

remote-user authen-fail unblock

Function

The remote-user authen-fail unblock command unlocks remote AAA authentication accounts.

Format

remote-user authen-fail unblock { all | username username }

Parameters

Parameter Description Value

all

Unlocks all accounts that fail the remote AAA authentication.

-

username username

Unlocks a specified account that fails the remote AAA authentication.

The value is a string of 1 to 253 case-insensitive characters without spaces.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

You may need to unlock remote AAA authentication accounts in the following situations:
  • When a user has entered an incorrect user name or password fewer times than the maximum permitted, run the remote-user authen-fail unblock command to unlock the user and delete the user's failure records from the device.
  • When a user is incorrectly locked or needs to be unlocked due to special reasons, run the remote-user authen-fail unblock command to unlock the user.

Example

# Unlock the remote AAA authentication account test.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] remote-user authen-fail unblock username test
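The locking behaviour described for remote-aaa-user authen-fail and remote-user authen-fail unblock above, as an added Python model that is not the switch's implementation. The class and method names, the injectable clock, locking when the failure count reaches retry-time, a successful login clearing earlier failures, and treating retry-interval as the window in which consecutive failures are counted are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0           # consecutive failures in the current window
    window_start: float = 0.0   # time of the first failure in that window
    blocked_until: float = 0.0  # 0.0 when the account is not locked


class RemoteAuthFailPolicy:
    """remote-aaa-user authen-fail retry-interval X retry-time Y block-time Z.

    Intervals are given in minutes, as on the CLI; `clock` returns seconds
    and is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, retry_interval=30, retry_time=30, block_time=30,
                 clock=time.time):
        if not 5 <= retry_interval <= 65535:
            raise ValueError("retry-interval must be 5..65535 minutes")
        if not 3 <= retry_time <= 65535:
            raise ValueError("retry-time must be 3..65535")
        if not 5 <= block_time <= 65535:
            raise ValueError("block-time must be 5..65535 minutes")
        self.retry_interval = retry_interval * 60
        self.retry_time = retry_time
        self.block_time = block_time * 60
        self._clock = clock
        self._accounts = {}

    def is_blocked(self, username):
        state = self._accounts.get(username)
        return state is not None and state.blocked_until > self._clock()

    def record_attempt(self, username, succeeded):
        """Feed one remote authentication result; returns 'ok', 'failed'
        or 'blocked' (the attempt is rejected without being counted)."""
        now = self._clock()
        state = self._accounts.setdefault(username, _AccountState())
        if state.blocked_until > now:
            return "blocked"
        if succeeded:
            # Assumption: a successful login clears the failure record.
            self._accounts.pop(username, None)
            return "ok"
        # Failures older than retry-interval no longer count: open a new window.
        if state.failures == 0 or now - state.window_start > self.retry_interval:
            state.failures, state.window_start = 0, now
        state.failures += 1
        if state.failures >= self.retry_time:  # assumption: lock on reaching retry-time
            state.blocked_until = now + self.block_time
            state.failures = 0
            return "blocked"
        return "failed"

    def unblock(self, username=None):
        """remote-user authen-fail unblock { all | username <name> }: removes
        the lock and the stored failure record. Called with no name it also
        models the unlock-everything effect of an active/standby switchover."""
        if username is None:
            self._accounts.clear()
        else:
            self._accounts.pop(username, None)
```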

reset aaa

Function

Using the reset aaa command, you can clear the records of abnormal user offline, user offline, and user online failure events.

Format

reset aaa { abnormal-offline-record | offline-record | online-fail-record }

Parameters

Parameter Description Value
abnormal-offline-record

Clears records of user abnormal offline.

-

offline-record

Clears records of user offline.

-

online-fail-record

Clears records of user failure to get online.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

This command allows you to clear records of user offline, abnormal offline, and failure to get online. After the records are cleared, the function of recording information is enabled.

Example

# Clear user offline records.

<HUAWEI> system-view
[HUAWEI] reset aaa offline-record

reset aaa statistics offline-reason

Function

Using the reset aaa statistics offline-reason command, you can clear the statistics about reasons why users go offline.

Format

reset aaa statistics offline-reason

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the reset aaa statistics offline-reason command to delete the statistics about reasons why users go offline, and then collect new statistics.

Example

# Clear the statistics about reasons why users go offline.

<HUAWEI> reset aaa statistics offline-reason

reset access-user statistics

Function

The reset access-user statistics command deletes the statistics on access user authentication.

Format

reset access-user statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

When diagnosing and locating faults related to access user authentication, you need to collect statistics on user login and logout information within a period of time. Before the statistics collection, you can run the reset access-user statistics command to clear the historical statistics, and then run the display access-user statistics command to view the current statistics.

Example

# Delete the statistics on access user authentication.

<HUAWEI> reset access-user statistics

reset local-user password history record

Function

The reset local-user password history record command clears historical passwords stored for the local user.

Format

reset local-user [ user-name ] password history record

Parameters

Parameter Description Value
user-name

Clears the historical passwords of the specified user.

If this parameter is not specified, the historical passwords of all local users are cleared.

The local user must exist on the device.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the administrator wants to record historical passwords of local users again, this command can be used to clear existing historical passwords.

Precautions

After this command is used, all historical passwords on the device are deleted and cannot be restored. This operation has security risks, so exercise caution when using it.

Example

# Clear historical passwords of all local users.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] reset local-user password history record

security-name enable

Function

The security-name enable command enables the security string function.

The undo security-name enable command disables the security string function.

By default, the security string function is enabled.

NOTE:

This function is supported only by S5720HI.

Format

security-name enable

undo security-name enable

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Some special clients use user names in the format of username@domain*securitystring in which a security string and a security string delimiter (*) are added to the user name. To ensure that the AAA server can identify such user names, run the security-name enable command to enable the security string function on the device. When sending a user name to the AAA server, the device deletes *securitystring and only uses username@domain for authentication.

You can run the security-name-delimiter command to modify the security string delimiter.

Example

# Enable the security string function.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] security-name enable

security-name-delimiter

Function

The security-name-delimiter command configures a delimiter for a security string.

The undo security-name-delimiter command restores the default delimiter for a security string.

By default, the delimiter for a security string in the AAA view is *, and no delimiter is available in the authentication profile view.

NOTE:

This command only applies to 802.1X users. If the CHAP or PAP authentication is configured for 802.1X users, the device removes the security string, but does not encapsulate it into the HW-SecurityStr attribute. If the EAP authentication is configured for 802.1X users, the device removes the security string and encapsulates it into the HW-SecurityStr attribute.

This function is supported only by S5720HI.

Format

security-name-delimiter delimiter

undo security-name-delimiter

Parameters

Parameter Description Value

delimiter

Specifies a delimiter for a security string.

The value is \ / : < > | @ ' % or *.

Views

AAA view, authentication profile view

Default Level

In the AAA view, the default level is management level.

In the authentication profile view, the default level is configuration level.

Usage Guidelines

Usage Scenario

Some STAs may use the user name in the format of username@domain*securitystring. * is the security string delimiter. To enable the AAA server to identify this type of user name, you need to configure a delimiter for a security string on the device. In this way, when sending the user name to the AAA server, the device deletes the *securitystring and only uses username@domain for authentication.

Precautions

When the command is executed in the AAA view, the configuration takes effect for all users. When the command is executed in the authentication profile, the configuration takes effect for only the users connected to this authentication profile.

The delimiter for a security string cannot be the same as the domain name delimiter.

If you run the security-name-delimiter command in the AAA view, the delimiter for a security string is configured globally.

When this command is executed in the authentication profile, the configuration takes effect only after the authentication profile is bound to a VAP profile.

Example

# Configure the delimiter for a security string as / in the AAA view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] security-name-delimiter /
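The security string handling described under security-name enable and security-name-delimiter above, as an added Python model that is not the switch's code. The function names, splitting at the first occurrence of the delimiter, the attribute names in the returned dictionary, and the profile-over-global precedence are assumptions; the allowed delimiter set, the clash rule with the domain delimiter, and the EAP-only HW-SecurityStr rule follow the text.

```python
# Value range of the delimiter parameter from the command reference above.
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%*")


def is_valid_delimiter(delimiter, domain_delimiter="@"):
    """True if `delimiter` is in the allowed set and differs from the
    domain name delimiter (the precaution stated for the command)."""
    return delimiter in ALLOWED_DELIMITERS and delimiter != domain_delimiter


def effective_delimiter(global_delimiter="*", profile_delimiter=None,
                        domain_delimiter="@"):
    """Delimiter that applies to a user: the authentication profile's own
    setting when it has one, otherwise the global AAA-view setting."""
    delimiter = profile_delimiter if profile_delimiter is not None else global_delimiter
    if not is_valid_delimiter(delimiter, domain_delimiter):
        raise ValueError(f"invalid security string delimiter {delimiter!r}")
    return delimiter


def split_security_string(username, delimiter):
    """Split username@domain<delim>securitystring at the first delimiter.
    Returns (name for the AAA server, security string or None)."""
    head, sep, tail = username.partition(delimiter)
    return (head, tail) if sep else (username, None)


def build_server_identity(username, auth_method, enabled=True,
                          global_delimiter="*", profile_delimiter=None):
    """Identity attributes the device would send for an 802.1X user.
    User-Name always loses the security string; HW-SecurityStr is filled
    only for EAP, as the note on security-name-delimiter states."""
    if not enabled:  # undo security-name enable: name forwarded unchanged
        return {"User-Name": username}
    delimiter = effective_delimiter(global_delimiter, profile_delimiter)
    name, security_string = split_security_string(username, delimiter)
    attributes = {"User-Name": name}
    if security_string is not None and auth_method.upper() == "EAP":
        attributes["HW-SecurityStr"] = security_string
    return attributes
```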

service-scheme (aaa domain view)

Function

The service-scheme command applies a service scheme to a domain.

The undo service-scheme command unbinds a service scheme from a domain.

By default, no service scheme is bound to a domain.

Format

service-scheme service-scheme-name

undo service-scheme

Parameters

Parameter Description Value

service-scheme-name

Specifies the name of a service scheme.

The value must be an existing service scheme name.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The authorization configuration in a service scheme takes effect only when the service scheme is applied to a domain.

Prerequisites

A service scheme has been created and configured with required parameters.

Example

# Apply the service scheme srvscheme1 to the domain huawei.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme srvscheme1
[HUAWEI-aaa-service-srvscheme1] quit
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] service-scheme srvscheme1

service-scheme (AAA view)

Function

The service-scheme command creates a service scheme and displays the service scheme view.

The undo service-scheme command deletes a service scheme.

By default, no service scheme is configured.

Format

service-scheme service-scheme-name

undo service-scheme service-scheme-name

Parameters

Parameter Description Value

service-scheme-name

Specifies the name of a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces or the following symbols: /, \, :, *, ?, ", <, >, |, @, ', and %. The value cannot be - or --.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The service scheme is used to assign IP address pool and DNS server parameters to users.

Follow-up Procedure

Run the service-scheme (AAA domain view) command to apply the service scheme to a domain.

Precautions

In traditional NAC mode, the authorization scheme is not supported.

If the service scheme to be configured does not exist, the service-scheme (AAA view) command creates a service scheme and displays the service scheme view. If the service scheme to be configured already exists, the service-scheme (AAA view) command displays the service scheme view.

To delete or modify the service scheme applied to a domain, run the undo service-scheme (AAA domain view) command to unbind the service scheme from the domain.

Example

# Create a service scheme srvscheme1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme srvscheme1
[HUAWEI-aaa-service-srvscheme1]

state (AAA domain view)

Function

The state command configures the state of a domain.

The undo state command restores the state of a domain.

By default, a domain is in active state after being created.

Format

state { active | block [ time-range time-name &<1-4> ] }

undo state [ block time-range [ time-name &<1-4> ] ]

Parameters

Parameter Description Value

active

Sets the domain state to active.

-

block

Sets the domain state to blocking.

-

time-range time-name

Indicates the block time range of the domain.

time-name specifies the name of the block time range. If this parameter is not specified, the domain is always blocked.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter. In addition, the word all cannot be specified as a time range name.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If exceptions occur during service configuration, set the domain to the blocking state to block access by new users. After the service configuration is complete, set the domain to the active state.

Prerequisite

Before specifying the time-name parameter, ensure that the time range has been created using the time-range command.

Precautions

After the state block command is run to set the domain state to block, online users in the domain are not affected.

After the state block time-range command is run to set the state of a domain including online users to block, the domain state turns from active to block within the specified time range, and online users are forced to go offline.

Example

# Set the state of the domain vipdomain to blocking.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain vipdomain
[HUAWEI-aaa-domain-vipdomain] state block

# Set the name of the time range in which the vipdomain domain state turns to block to tim.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain vipdomain
[HUAWEI-aaa-domain-vipdomain] state block time-range tim
Warning: This operation may cause online users to go offline. Continue? [Y/N]Y

statistic enable (AAA domain view)

Function

The statistic enable command enables traffic statistics collection for domain users.

The undo statistic enable command disables traffic statistics collection for domain users.

By default, traffic statistics collection is disabled for domain users.

NOTE:

Only the S5720EI, S1720GF, S1720GFR-P, S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S5700-10P-LI, S5700LI, S5700S-LI, S5720HI, S5720LI, S5720S-LI, S6720EI, and S6720S-EI support this command.

Format

statistic enable

undo statistic enable

Parameters

None

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To implement traffic-based accounting, you can use this command to enable traffic statistics collection for a domain. Then the device collects traffic statistics for the users in the domain. If an accounting server is configured, the device sends traffic statistics to the accounting server through accounting packets so that the server performs accounting for the users based on traffic statistics.

Follow-up Procedure

Run the display access-user (All views) command to view traffic statistics of users.

Precautions

This command collects service statistics for domain users. The device sends the statistics to the accounting server.

On the S5700LI, S5700S-LI, S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S5720LI, and S5720S-LI:

  • This statistics collection function is only available for 802.1X authentication users.
  • Traffic statistics are collected based on interfaces.
  • The traffic statistics collection is valid for domain users only when interfaces are physical interface and each interface connects to only one domain user.
  • The interface traffic statistics for the first 15s when a user goes online are not collected.
  • When users are online, you cannot run the reset counters interface command to clear interface traffic statistics. Otherwise, the user traffic statistics are inaccurate.

After this command is run, the device does not collect IPv6 traffic statistics for users. To enable IPv6 statistics collection, run the authentication ipv6-statistics enable command.

Example

# Enable traffic statistics collection for domain users.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] statistic enable

system recording-scheme

Function

The system recording-scheme command applies a policy in a recording scheme to record the system events.

The undo system recording-scheme command deletes a policy from a recording scheme. System events are not recorded then.

By default, system events are not recorded.

Format

system recording-scheme recording-scheme-name

undo system recording-scheme

Parameters

Parameter Description Value

recording-scheme-name

Specifies the name of a recording scheme.

The recording scheme must already exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The system events recorded on an HWTACACS server help you monitor devices. When network faults occur, you can isolate them based on the system events recorded on the HWTACACS server.

Prerequisites

A recording scheme has been created using the recording-scheme command in the AAA view and an HWTACACS server template has been associated with a recording scheme using the recording-mode hwtacacs command in the recording scheme view.

Precautions

Currently, the device can record only the events caused by the reboot command.

Example

# Apply a policy in the recording scheme scheme to record the system events.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme
[HUAWEI-aaa-recording-scheme] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme] quit
[HUAWEI-aaa] system recording-scheme scheme

user-group (AAA domain view)

Function

The user-group command binds the users in a domain to the authorization information of a user group.

The undo user-group command unbinds the users in a domain from the authorization information of a user group.

By default, no authorization information of a user group is bound to the users in a domain.

NOTE:

This command is supported only in the NAC common mode.

Format

user-group group-name

undo user-group

Parameters

Parameter Description Value
group-name Specifies the name of a user group. The user group name must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the user-group command in the AAA domain to bind the users in a domain to the authorization information of a user group.

Precautions

  • The user group to be specified using the local-user user-group command must have been created using the user-group command.

  • A user group cannot be deleted after being referenced to a domain using this command.

  • Huawei proprietary attribute 82 delivered by RADIUS cannot be used together with the function of binding authentication information of a user group to a domain.

  • The priority of the authorization information delivered using this command is lower than that of the authorization information delivered using the portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name command.

Example

# Bind the user group group1 to the domain test.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain test
[HUAWEI-aaa-domain-test] user-group group1

user-password complexity-check

Function

The user-password complexity-check command enables password complexity check.

The undo user-password complexity-check command disables password complexity check.

By default, a device checks password complexity.

Format

user-password complexity-check

undo user-password complexity-check

Parameters

None

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

In the versions earlier than V200R003, the device uses simple user name and password rules, so the user names and passwords are easy to manage and remember; however, weak passwords have security risks. In V200R003 and later versions, the device poses stricter requirements on user names and passwords. After you create a local user by using the local-user command, the password must pass a complexity check performed by the device.

In V200R005 and later versions, you can choose whether to enable password complexity check.

Precautions

To ensure device security, do not disable password complexity check, and change the password periodically.

Example

# Disable password complexity check.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] undo user-password complexity-check
Updated: 2019-10-09

Document ID: EDOC1000178165

Views: 48037

Downloads: 1163

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next