User Access and Authentication Compatible Commands
- AAA Compatible Commands
- adminuser-priority(upgrade-compatible command)
- authentication-super(upgrade-compatible command)
- hwtacacs-server shared-key(upgrade-compatible command)
- local-user(upgrade-compatible command)
- local-user level(upgrade-compatible command)
- radius-server accounting(upgrade-compatible command)
- radius-server authentication(upgrade-compatible command)
- radius-server authorization(upgrade-compatible command)
- radius-server shared-key(upgrade-compatible command)
- radius-server testuser(upgrade-compatible command)
- radius-server test-user(upgrade-compatible command)
- radius-server test-user detect interval(upgrade-compatible command)
- radius-server user-name domain-included force(upgrade-compatible command)
- NAC Compatible Commands
- authentication arp handshake (upgrade-compatible command)
- authentication handshake (upgrade-compatible command)
- authentication event action authorize (upgrade-compatible command)
- authentication event authen-server-up action re-authen (upgrade-compatible command)
- authentication event client-no-response action authorize (upgrade-compatible command)
- authentication event portal-server-down action authorize (upgrade-compatible command)
- authentication event portal-server-up action re-authen (upgrade-compatible command)
- authentication timer arp handshake-period(upgrade-compatible command)
- authentication timer handshake-period (upgrade-compatible command)
- authentication timer authen-fail-user-aging (upgrade-compatible command)
- authentication timer pre-authen-user-aging (upgrade-compatible command)
- authentication timer re-authen (upgrade-compatible command)
- authentication device-type voice authorize (upgrade-compatible command)
- authentication free-rule (upgrade-compatible command)
- authentication max-user(upgrade-compatible command)
- authentication mode (upgrade-compatible command)
- authentication (upgrade-compatible command)
- authentication single-access (upgrade-compatible command)
- authentication trigger-condition dhcp dhcp-option (upgrade-compatible command)
- authentication trigger-condition (802.1X authentication) (upgrade-compatible command)
- authentication trigger-condition (MAC address authentication) (upgrade-compatible command)
- domain (upgrade-compatible command)
- dot1x authentication-method (upgrade-compatible command)
- dot1x eap-notify-packet (upgrade-compatible command)
- dot1x guest-vlan(upgrade-compatible command)
- dot1x handshake (upgrade-compatible command)
- dot1x(upgrade-compatible command)
- dot1x reauthenticate (upgrade-compatible command)
- dot1x restrict-vlan(upgrade-compatible command)
- dot1x retry (upgrade-compatible command)
- dot1x timer reauthenticate-period (upgrade-compatible command)
- dot1x timer (upgrade-compatible command)
- dot1x trigger dhcp-binding (upgrade-compatible command)
- dot1x unicast-trigger (upgrade-compatible command)
- mac-authen guest-vlan(upgrade-compatible command)
- mac-authen offline dhcp-release (upgrade-compatible command)
- mac-authen password(upgrade-compatible command)
- mac-authen permit mac-address (upgrade-compatible command)
- mac-authen reauthenticate dhcp-renew (upgrade-compatible command)
- mac-authen reauthenticate (upgrade-compatible command)
- mac-authen timer reauthenticate-period (upgrade-compatible command)
- mac-authen username fixed password(upgrade-compatible command)
- mac-authen username (upgrade-compatible command)
- portal auth-network (upgrade-compatible command)
- portal timer offline-detect (upgrade-compatible command)
- shared-key simple(upgrade-compatible command)
- url (URL template view)(upgrade-compatible command)
- ucl-group(upgrade-compatible command)
- voice-vlan (service scheme view)(upgrade-compatible command)
- web-auth-server (interface view) (upgrade-compatible command)
- web-auth-server (system view)(upgrade-compatible command)
AAA Compatible Commands
adminuser-priority (upgrade-compatible command)
Function
The adminuser-priority command configures a user as an administrator to log in to the device and sets the administrator level during login.
Parameters
Parameter | Description | Value |
---|---|---|
level | Specifies the level of an administrator. | The value is an integer ranging from 0 to 15. After logging in to the device, a user can run only the commands of the same level or lower levels. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the admin-user privilege level level command.
authentication-super (upgrade-compatible command)
Function
The authentication-super command configures an authentication mode for upgrading user levels in an authentication scheme.
The undo authentication-super command restores the default authentication mode for upgrading user levels in an authentication scheme.
By default, the super mode is used. That is, local authentication is used.
Format
authentication-super { hwtacacs | radius | super } * [ none ]
authentication-super none
undo authentication-super
local-user (upgrade-compatible command)
Function
The local-user command creates a local user and sets parameters of the local user.
By default, the local user admin exists in the system. The password of the user is admin@huawei.com, priority is 15, and service type is http.
Format
local-user user-name password { key-string [ old-password password ] | simple simple-string } [ access-limit max-number | idle-timeout minutes [ seconds ] | state { block | active } ] *
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the user name. If the user name contains a delimiter "@", the characters before "@" are the user name and the characters after "@" are the domain name. If the value does not contain "@", the entire character string represents the user name and the domain name is the default one. | The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks. |
password key-string | Specifies the password of a local user. It is recommended that you set the user password when creating a user. | The value is a string of 1 to 256 case-sensitive characters without spaces. |
old-password password | Specifies the old password of a local user. NOTE: This parameter cannot be automatically displayed through the question mark help function and must be entered completely. It should be configured by the network administrator on the NMS and delivered to the device. It is not recommended that you directly specify this parameter on the device. | The value is the password used by the local user for the current login. |
password simple simple-string | Specifies the password of a local user. It is recommended that you set the user password when creating a user. | The value is a string of 1 to 256 case-sensitive characters without spaces. |
access-limit max-number | Specifies the number of connections that can be created with a specified user name. If this parameter is not specified, the number of connections that can be established by a specified user is not limited. | The value is an integer that varies according to the types and number of cards. |
idle-timeout minutes [ seconds ] | Specifies the timeout period for disconnection of the user. If this parameter is not specified, the device uses the user level configured by the idle-timeout command in the user view. If minutes [ seconds ] is set to 0 0, the idle disconnection function is disabled. | |
state { active \| block } | Specifies the status of a local user. If a user has established a connection with the device, when the user is set in blocking state, the connection still takes effect but the device rejects subsequent authentication requests from the user. If this parameter is not specified, the status of a local user is active. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the local-user user-name { password { cipher | irreversible-cipher } password | access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | privilege level level | state { block | active } } * command.
local-user level (upgrade-compatible command)
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. |
level | Specifies the user level. | The value is an integer that ranges from 0 to 15. A greater value indicates a higher level of a user. After logging in to the device, a user can run only the commands of the same level or lower levels. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the local-user user-name privilege level level command.
radius-server accounting (upgrade-compatible command)
Function
The radius-server accounting command configures the RADIUS accounting server.
The undo radius-server accounting command deletes the configuration.
By default, no RADIUS accounting server is configured.
Format
radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] * secondary
radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] * secondary
undo radius-server accounting secondary
undo radius-server accounting ip-address port source { loopback | ip-address ip-address } secondary
undo radius-server accounting ipv6-address port source { loopback | ip-address ipv6-address } secondary
Parameters
Parameter | Description | Value |
---|---|---|
ipv4-address | Specifies the IPv4 address of a RADIUS accounting server. | The value is a valid unicast address in dotted decimal notation. |
ipv6-address | Specifies the IPv6 address of a RADIUS accounting server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
port | Specifies the port number of a RADIUS accounting server. | The value is an integer that ranges from 1 to 65535. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS accounting server is bound to. | The vpn-instance must already exist. |
source loopback interface-number | Specifies the number of a loopback interface. | The loopback interface must already exist. |
source ip-address ipv4-address | Specifies the source IPv4 address of a RADIUS accounting server. | The value is a valid unicast address in dotted decimal notation. |
source ip-address ipv6-address | Specifies the source IPv6 address of a RADIUS accounting server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
weight weight-value | Specifies the weight of a RADIUS accounting server. | The value is an integer that ranges from 0 to 100. |
secondary | Specifies the configured accounting server as the secondary accounting server. If you do not configure this parameter, it indicates that you configure the primary accounting server. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] * or radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] * command.
radius-server authentication (upgrade-compatible command)
Function
The radius-server authentication command configures a RADIUS authentication server.
The undo radius-server authentication command deletes the configured RADIUS authentication server.
By default, no RADIUS authentication server is specified.
Format
radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] * secondary
radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] * secondary
undo radius-server authentication secondary
undo radius-server authentication ipv4-address port source { loopback | ip-address ipv4-address } secondary
undo radius-server authentication ipv6-address port source { loopback | ip-address ipv6-address } secondary
Parameters
Parameter | Description | Value |
---|---|---|
ipv4-address | Specifies the IPv4 address of a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation. |
ipv6-address | Specifies the IPv6 address of a RADIUS authentication server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
port | Specifies the port number of a RADIUS authentication server. | The value is an integer that ranges from 1 to 65535. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authentication server is bound to. | The value is a string of 1 to 31 case-sensitive characters without spaces. |
source loopback interface-number | Specifies the IP address of the loopback interface taken as the source IP address. interface-number specifies the number of a loopback interface. | The value is an integer that ranges from 0 to 1023. |
source ip-address ipv4-address | Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation. |
source ip-address ipv6-address | Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
weight weight-value | Specifies the weight of a RADIUS authentication server. | The value is an integer that ranges from 0 to 100. |
secondary | Specifies the configured authentication server as the secondary authentication server. If you do not configure this parameter, it indicates that you configure the primary authentication server. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] * or radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] * command.
radius-server authorization (upgrade-compatible command)
Function
The radius-server authorization command configures the RADIUS authorization server.
The undo radius-server authorization command deletes the configured RADIUS authorization server.
By default, no RADIUS authorization server is configured.
Format
radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name | shared-key { key-string | simple simple-string } } * [ ack-reserved-interval interval ]
undo radius-server authorization ip-address [ vpn-instance vpn-instance-name ]
Parameters
Parameter | Description | Value |
---|---|---|
ip-address | Specifies the IP address of a RADIUS authorization server. | The value is a valid unicast address in dotted decimal notation. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authorization server is bound to. | The value is a string of 1 to 31 case-sensitive characters without spaces. |
server-group group-name | Specifies the name of a RADIUS group corresponding to a RADIUS server template. | The value is a string of 1 to 32 case-sensitive characters without spaces. |
shared-key key-string | Specifies the shared key in cipher text. | The value is a string of 32 characters in cipher text, for example, %$%$m^NF$L^SO%2@^y$T`^1'\|lcZ%$%$, or a string of 1 to 16 characters in plain text, for example, 1234567. |
shared-key simple simple-string | Specifies the shared key in plain text. | The value is a string of 1 to 16 case-sensitive characters, without spaces. By default, the key is converted to cipher text. |
ack-reserved-interval interval | Specifies the duration for retaining a RADIUS authorization response packet. | The value is an integer that ranges from 0 to 300, in seconds. By default, the value is 0s. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server authorization command.
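An added example, not part of the original command reference: a Python check over a restored configuration that uses the local-user and radius-server authorization formats above to find secrets entered in plain text (the simple keyword, or a shared-key key-string of 1 to 16 characters) and any password equal to the default admin@huawei.com. The sample configuration, its addresses and user names are constructed, and the function and finding names are hypothetical.

```python
import re

# Default local-user password stated on this page.
DEFAULT_ADMIN_PASSWORD = "admin@huawei.com"

# local-user user-name password { key-string | simple simple-string } ...
# The replacement form (password cipher / irreversible-cipher) is skipped.
LOCAL_USER = re.compile(
    r"^local-user\s+(?P<subject>\S+)\s+password\s+"
    r"(?!(?:cipher|irreversible-cipher)\s)"
    r"(?:(?P<simple>simple)\s+)?(?P<secret>\S+)"
)

# radius-server authorization ip-address [ ... ]
#     shared-key { key-string | simple simple-string }
RADIUS_AUTHZ = re.compile(
    r"^radius-server\s+authorization\s+(?P<subject>\S+)\s.*?\bshared-key\s+"
    r"(?:(?P<simple>simple)\s+)?(?P<secret>\S+)"
)

ADVICE = {
    "plaintext-password": "re-enter as: local-user <user-name> password "
                          "{ cipher | irreversible-cipher } <password>",
    "default-password": "password equals the documented default; change it",
    "plaintext-shared-key": "rotate the key and keep only the cipher-text form",
}


def _finding(lineno, kind, subject, secret):
    # Never echo the secret itself; report only its length.
    return {
        "line": lineno,
        "kind": kind,
        "subject": subject,
        "secret": f"<redacted, {len(secret)} chars>",
        "advice": ADVICE[kind],
    }


def audit_config(text):
    """Return findings for plain-text secrets in upgrade-compatible commands."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # commands inside views are indented

        m = LOCAL_USER.match(line)
        if m:
            if m["simple"]:
                findings.append(
                    _finding(lineno, "plaintext-password", m["subject"], m["secret"]))
            if m["secret"] == DEFAULT_ADMIN_PASSWORD:
                findings.append(
                    _finding(lineno, "default-password", m["subject"], m["secret"]))
            continue

        m = RADIUS_AUTHZ.match(line)
        if m:
            # Per the parameter table: a key-string is either 32 characters of
            # cipher text or 1 to 16 characters of plain text.
            if m["simple"] or 1 <= len(m["secret"]) <= 16:
                findings.append(
                    _finding(lineno, "plaintext-shared-key", m["subject"], m["secret"]))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """local-user admin password simple admin@huawei.com
local-user ops@corp password simple Ops-Pass-01 idle-timeout 10 0 state active
local-user audit password cipher %$%$m^NF$L^SO%2@^y$T`^1'|lcZ%$%$
radius-server authorization 10.1.1.1 shared-key simple Radius123
radius-server authorization 10.1.1.2 vpn-instance mgmt shared-key %$%$m^NF$L^SO%2@^y$T`^1'|lcZ%$%$
radius-server authorization 10.1.1.3 server-group g1 shared-key 1234567 ack-reserved-interval 5
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} ({f['subject']}) "
              f"{f['secret']} -> {f['advice']}")
```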
radius-server testuser (upgrade-compatible command)
Function
Using the radius-server testuser command, you can create a user account for automatic detection in the RADIUS server template.
Using the undo radius-server testuser command, you can delete a user account for automatic detection.
By default, a user account for automatic detection in the RADIUS server template is not created.
Parameters
Parameter | Description | Value |
---|---|---|
username username | Specifies a user name used for automatic detection. | The value is a string of 1 to 64 characters without spaces. It is case insensitive. |
password password | Specifies the user password for automatic detection. | The value is a character string of 1 to 16 characters without spaces, single quotation marks and question marks. It is case sensitive. If it is in cipher text, the password is a string of 32 characters. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server testuser username username password cipher password command.
radius-server test-user (upgrade-compatible command)
Function
Using the radius-server test-user command, you can create a user account for automatic detection in the RADIUS server template.
Using the undo radius-server test-user command, you can delete a user account for automatic detection.
By default, a user account for automatic detection in the RADIUS server template is not created.
Parameters
Parameter | Description | Value |
---|---|---|
username | Specifies a user name used for automatic detection. | The value is a string of 1 to 64 characters without spaces. It is case insensitive. |
password | Specifies the user password for automatic detection. | The value is a character string of 1 to 16 characters without spaces, single quotation marks and question marks. It is case sensitive. If it is in cipher text, the password is a string of 32 characters. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server testuser username username password cipher password command.
radius-server test-user detect interval (upgrade-compatible command)
Function
The radius-server test-user detect interval command sets the interval for automatic user status detection.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server detect-server interval interval command.
radius-server user-name domain-included force (upgrade-compatible command)
Function
The radius-server user-name domain-included force command configures the device to encapsulate the domain name in the user name in RADIUS packets sent to a RADIUS server.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
Its function is the same as that of the radius-server user-name domain-included command.
NAC Compatible Commands
authentication arp handshake (upgrade-compatible command)
Function
The authentication arp handshake command enables the handshake with pre-connection users and authorized users.
The undo authentication arp handshake command disables the handshake with pre-connection users and authorized users.
By default, the handshake with pre-connection users and authorized users is enabled.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the undo authentication handshake command in the authentication profile view.
authentication handshake (upgrade-compatible command)
Function
The authentication handshake command enables the handshake with pre-connection users and authorized users.
The undo authentication handshake command disables the handshake with pre-connection users and authorized users.
By default, the handshake with pre-connection users and authorized users is enabled.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication handshake command in the authentication profile view.
authentication event action authorize (upgrade-compatible command)
Function
The authentication event action authorize command configures the device to assign network access policies to users before the users are authenticated.
The undo authentication event action authorize command deletes the configured network access policies.
By default, no network access right is granted to users before the users are authenticated.
Format
authentication event pre-authen action authorize service-scheme service-scheme
undo authentication event pre-authen action authorize
authentication event { authen-fail | authen-server-down } action authorize service-scheme service-scheme [ response-fail ]
undo authentication event { authen-fail | authen-server-down } action authorize
Parameters
Parameter | Description | Value |
---|---|---|
pre-authen | Configures the device to assign network access policies to users when the users establish pre-connections with the device. | - |
authen-fail | Configures the device to assign network access policies to users when the authentication server sends authentication failure packets to the device. | - |
authen-server-down | Configures the device to assign network access policies to users when the authentication server is Down and thereby the users fail to be authenticated. | - |
response-fail | Configures the device to send authentication failure packets to users after assigning network access policies to the users. If this parameter is not specified, the device by default sends authentication success packets to users and therefore the users cannot know the fact that they fail to be authenticated. To solve this problem, specify this parameter so that the device will send authentication failure packets for the users to know their authentication results. | - |
service-scheme service-scheme |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication event pre-authen action authorize service-scheme scheme-name and authentication event { authen-fail | authen-server-down } action authorize service-scheme service-scheme [ response-fail ] commands in the authentication profile view.
authentication event authen-server-up action re-authen (upgrade-compatible command)
Function
The authentication event authen-server-up action re-authen command enables the device to re-authenticate users when the authentication server changes from Down to Up.
The undo authentication event authen-server-up action re-authen command restores the default setting.
By default, the device does not re-authenticate users when the authentication server changes from Down to Up.
Format
authentication event authen-server-up action re-authen
undo authentication event authen-server-up action re-authen
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication event authen-server-up action re-authen command in the authentication profile view.
authentication event client-no-response action authorize (upgrade-compatible command)
Function
The authentication event client-no-response action authorize command configures the device to assign network access policies to users before the users are authenticated.
The undo authentication event client-no-response action authorize command deletes the configured network access policies.
By default, no network access right is granted to users before the users are authenticated.
Format
authentication event client-no-response action authorize service-scheme service-scheme
undo authentication event client-no-response action authorize
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication event client-no-response action authorize service-scheme service-scheme command in the 802.1X access profile view.
authentication event portal-server-down action authorize (upgrade-compatible command)
Function
The authentication event portal-server-down action authorize command configures network access policies for users when the Portal server is Down.
The undo authentication event portal-server-down action authorize command deletes the configured network access policies.
By default, no network access policy is configured for users when the Portal server is Down.
Format
authentication event portal-server-down action authorize service-scheme service-scheme
undo authentication event portal-server-down action authorize
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication event portal-server-down action authorize service-scheme service-scheme command in the portal access profile view.
authentication event portal-server-up action re-authen (upgrade-compatible command)
Function
The authentication event portal-server-up action re-authen command enables the device to re-authenticate users when the Portal server changes from Down to Up.
The undo authentication event portal-server-up action re-authen command restores the default setting.
By default, the device does not re-authenticate users when the Portal server changes from Down to Up.
Format
authentication event portal-server-up action re-authen
undo authentication event portal-server-up action re-authen
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication event portal-server-up action re-authen command in the portal access profile view.
authentication timer arp handshake-period (upgrade-compatible command)
Function
The authentication timer arp handshake-period command sets the handshake interval of the device with pre-connection users and authorized users.
The undo authentication timer arp command restores the default setting.
The default handshake interval of the device with pre-connection users and authorized users is 300 seconds.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication timer handshake-period handshake-period command in the authentication profile view.
authentication timer handshake-period (upgrade-compatible command)
Function
The authentication timer handshake-period command sets the handshake interval of the device with pre-connection users and authorized users.
The undo authentication timer handshake-period command restores the default setting.
The default handshake interval of the device with pre-connection users and authorized users is 300 seconds.
Format
authentication timer handshake-period handshake-period
undo authentication timer handshake-period
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication timer handshake-period handshake-period command in the authentication profile view.
authentication timer authen-fail-user-aging (upgrade-compatible command)
Function
The authentication timer authen-fail-user-aging command configures the aging time for entries of the users who fail to be authenticated.
The undo authentication timer authen-fail-user-aging command restores the default aging time for entries of the users who fail to be authenticated.
By default, the aging time for entries of the users who fail to be authenticated is 23 hours.
Format
authentication timer authen-fail-user-aging aging-time
undo authentication timer authen-fail-user-aging
Parameters
Parameter | Description | Value |
---|---|---|
aging-time | Specifies the aging time. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted. | The value is an integer that ranges from 0 or 60 to 4294860, in seconds. The value 0 indicates that the entry does not age. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication timer authen-fail-aging aging-time command in the authentication profile view.
authentication timer pre-authen-user-aging (upgrade-compatible command)
Function
The authentication timer pre-authen-user-aging command configures the aging time for pre-connection user entries.
The undo authentication timer pre-authen-user-aging command restores the default aging time for pre-connection user entries.
By default, the aging time for pre-connection user entries is 23 hours.
Format
authentication timer pre-authen-user-aging aging-time
undo authentication timer pre-authen-user-aging
Parameters
Parameter | Description | Value |
---|---|---|
aging-time | Specifies the aging time. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted. | The value is an integer that ranges from 0 or 60 to 4294860, in seconds. The value 0 indicates that the entry does not age. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication timer pre-authen-aging aging-time command in the authentication profile view.
authentication timer re-authen (upgrade-compatible command)
Function
The authentication timer re-authen command configures the interval for re-authenticating pre-connection users or users who fail to be authenticated.
The undo authentication timer re-authen command restores the default setting.
By default, pre-connection users and users who fail to be authenticated are re-authenticated at an interval of 60 seconds.
Format
authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }
undo authentication timer re-authen { pre-authen | authen-fail }
Parameters
Parameter | Description | Value |
---|---|---|
pre-authen re-authen-time | Specifies the interval for re-authenticating pre-connection users. | The value is an integer that is 0 or ranges from 30 to 7200, in seconds. The value 0 indicates that the re-authentication function is disabled for pre-connection users. |
authen-fail re-authen-time | Specifies the interval for re-authenticating users who fail to be authenticated. | The value is an integer that ranges from 30 to 7200, in seconds. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time } command in the authentication profile view.
authentication device-type voice authorize (upgrade-compatible command)
Function
The authentication device-type voice authorize command enables voice terminals to go online without authentication.
The undo authentication device-type voice authorize command disables voice terminals from going online without authentication.
By default, voice terminals are disabled from going online without authentication.
Format
authentication device-type voice authorize [ service-scheme scheme-name ]
undo authentication device-type voice authorize [ service-scheme ]
Parameters
Parameter | Description | Value |
---|---|---|
service-scheme | Assigns network access rights to voice terminals based on a specified service scheme. | - |
scheme-name | Specifies the name of the service scheme based on which network access rights are assigned to voice terminals. | The value must be an existing service scheme name. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication device-type voice authorize service-scheme scheme-name command in the authentication profile view.
authentication free-rule (upgrade-compatible command)
Function
The authentication free-rule command configures the NAC authentication-free rule for users.
The undo authentication free-rule command restores the default configuration.
By default, no NAC authentication-free rule is configured.
Format
authentication free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *
undo authentication free-rule { rule-id | all }
Parameters
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } * command in the authentication-free rule profile view.
authentication max-user (upgrade-compatible command)
authentication mode (upgrade-compatible command)
Function
The authentication mode command configures the user access mode.
The undo authentication mode command restores the default user access mode.
By default, the user access mode is multi-authen.
Format
authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number ] }
undo authentication mode [ multi-authen max-user ]
Parameters
Parameter | Description | Value |
---|---|---|
single-terminal | Specifies the interface to allow only one user to go online. | - |
single-voice-with-data | Specifies the interface to allow only one data user and one voice user to go online. This mode applies to the scenario in which a data user connects to a network through a voice terminal. | - |
multi-share | Specifies the interface to allow multiple users to go online. In this mode, the device only authenticates the first user. If the first user can be authenticated, the subsequent users share the same network access rights with the first user. If the first user goes offline, other users are also offline. | - |
multi-authen | Specifies the interface to allow multiple users to go online. In this mode, the device authenticates each access user. If users can be authenticated, the users have their individual network access rights. If a user goes offline, other users are not affected. | - |
max-user max-user-number | Specifies the maximum number of access users on the interface in multi-authen mode. | The value is an integer that depends on device types. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number ] } command in the authentication profile view.
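The replacement rules and value ranges in the five entries above (the two aging timers, the re-authentication timer, voice-terminal authorization and the access mode) can be checked mechanically before an upgrade. The following Python script is an added example, not part of the original reference or of any vendor tooling; the function names, the `Finding` fields and the sample lines are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

PROFILE_VIEW = "authentication profile view"


@dataclass
class Finding:
    legacy: str
    replacement: str
    view: str = PROFILE_VIEW
    problems: list = field(default_factory=list)  # values outside the documented range
    notes: list = field(default_factory=list)     # behaviour worth reviewing


def _check_range(name, value, low, high, zero_ok):
    """Return a one-item list describing the violation, or an empty list."""
    if (zero_ok and value == 0) or low <= value <= high:
        return []
    allowed = f"{'0 or ' if zero_ok else ''}{low}-{high}"
    return [f"{name} {value} is outside {allowed} seconds"]


def _aging(m):
    # Keyword renames stated in the Usage Guidelines of both aging commands.
    new_kw = {"authen-fail-user-aging": "authen-fail-aging",
              "pre-authen-user-aging": "pre-authen-aging"}[m["kind"]]
    value = int(m["value"])
    f = Finding(m[0], f"authentication timer {new_kw} {value}")
    f.problems = _check_range("aging-time", value, 60, 4294860, zero_ok=True)
    if value == 0:
        f.notes.append("0 means the entry does not age")
    return f


def _reauth(m):
    value = int(m["value"])
    zero_ok = m["kind"] == "pre-authen"  # only pre-authen accepts 0
    f = Finding(m[0], m[0])
    f.problems = _check_range("re-authen-time", value, 30, 7200, zero_ok)
    if zero_ok and value == 0:
        f.notes.append("0 disables re-authentication for pre-connection users")
    return f


def _voice(m):
    scheme = m["scheme"]
    f = Finding(m[0], "authentication device-type voice authorize service-scheme "
                + (scheme or "<scheme-name>"))
    f.notes.append("voice terminals go online without authentication")
    if scheme is None:
        f.notes.append("no service-scheme in the legacy line; the replacement "
                       "form shown on the page includes one")
    return f


def _mode(m):
    f = Finding(m[0], m[0])
    if m["mode"] == "multi-share":
        f.notes.append("only the first user is authenticated; "
                       "later users share its access rights")
    return f


RULES = [
    (re.compile(r"authentication timer (?P<kind>authen-fail-user-aging|"
                r"pre-authen-user-aging) (?P<value>\d+)"), _aging),
    (re.compile(r"authentication timer re-authen (?P<kind>pre-authen|authen-fail) "
                r"(?P<value>\d+)"), _reauth),
    (re.compile(r"authentication device-type voice authorize"
                r"(?: service-scheme (?P<scheme>\S+))?"), _voice),
    (re.compile(r"authentication mode (?P<mode>single-terminal|single-voice-with-data|"
                r"multi-share|multi-authen(?: max-user \d+)?)"), _mode),
]


def audit(config_text):
    """Return one Finding per legacy command recognised in config_text."""
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line or line.startswith("undo "):
            continue
        for pattern, handler in RULES:
            m = pattern.fullmatch(line)
            if m:
                findings.append(handler(m))
                break
    return findings


# Constructed sample lines, not taken from a real device.
SAMPLE = """\
 authentication timer authen-fail-user-aging 30
 authentication timer pre-authen-user-aging 0
 authentication timer re-authen pre-authen 0
 authentication timer re-authen authen-fail 0
 authentication device-type voice authorize
 authentication mode multi-share
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.legacy}\n  -> {f.replacement}  [{f.view}]")
        for p in f.problems:
            print(f"  out of range: {p}")
        for n in f.notes:
            print(f"  review: {n}")
```

Lines reported under `review` are valid configuration; they mark settings that relax authentication (no aging, no re-authentication, unauthenticated voice terminals, shared access rights) and are worth confirming as intentional when the configuration is moved into the authentication profile.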
authentication (upgrade-compatible command)
Function
The authentication command enables NAC authentication.
The undo authentication command disables NAC authentication.
By default, NAC authentication is disabled.
Format
Layer 2 interface view:
authentication { { dot1x | mac-authen } * [ portal ] | portal }
undo authentication { dot1x | mac-authen | portal } *
VLANIF interface view:
authentication { mac-authen [ portal ] | portal }
undo authentication { mac-authen | portal } *
Layer 3 interface view:
authentication portal
undo authentication portal
Parameters
Parameter | Description | Value |
---|---|---|
dot1x | Enables 802.1X authentication. | - |
mac-authen | Enables MAC address authentication. | - |
portal | Enables Portal authentication. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x-access-profile access-profile-name, mac-access-profile access-profile-name, and portal-access-profile access-profile-name commands in the authentication profile view.
authentication single-access (upgrade-compatible command)
Function
The authentication single-access command enables the device to allow users to access in only one authentication mode.
The undo authentication single-access command restores the default setting.
By default, the device allows users to access in different authentication modes.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication single-access command in the authentication profile view.
authentication trigger-condition dhcp dhcp-option (upgrade-compatible command)
Function
The authentication trigger-condition dhcp dhcp-option command enables the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.
The undo authentication trigger-condition dhcp dhcp-option command restores the default configuration.
By default, the device does not send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.
Format
authentication trigger-condition dhcp dhcp-option option-code
undo authentication trigger-condition dhcp dhcp-option option-code
Parameters
Parameter | Description | Value |
---|---|---|
option-code | Specifies the option that the device sends to the authentication server. | The value is fixed as 82. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication trigger-condition dhcp dhcp-option option-code command in the mac access profile view.
authentication trigger-condition (802.1X authentication) (upgrade-compatible command)
Function
The authentication trigger-condition command configures the packet types that can trigger 802.1X authentication.
The undo authentication trigger-condition command restores the default configuration.
By default, DHCP/ARP packets can trigger 802.1X authentication.
Format
authentication trigger-condition { dhcp | arp } *
undo authentication trigger-condition [ dhcp | arp ] *
Parameters
Parameter | Description | Value |
---|---|---|
dhcp | Triggers 802.1X authentication through DHCP packets. | - |
arp | Triggers 802.1X authentication through ARP packets. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication trigger-condition { dhcp | arp } * command in the 802.1X access profile view.
authentication trigger-condition (MAC address authentication) (upgrade-compatible command)
Function
The authentication trigger-condition command configures the packet types that can trigger MAC address authentication.
The undo authentication trigger-condition command restores the default configuration.
By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.
Format
authentication trigger-condition { dhcp | arp | dhcpv6 | nd } *
undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd ] *
Parameters
Parameter | Description | Value |
---|---|---|
dhcp | Triggers MAC address authentication through DHCP packets. | - |
arp | Triggers MAC address authentication through ARP packets. | - |
dhcpv6 | Triggers MAC address authentication through DHCPv6 packets. | - |
nd | Triggers MAC address authentication through ND packets. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the authentication trigger-condition { dhcp | arp | dhcpv6 | nd } * command in the mac access profile view.
domain (upgrade-compatible command)
Function
The domain command configures the default domain or force domain for users.
The undo domain command deletes the configured default domain or force domain.
By default, no default domain or force domain is configured for users.
Format
Layer 2 interface view:
domain name domain-name [ dot1x | mac-authen | portal ] [ force ]
undo domain name domain-name [ dot1x | mac-authen | portal ] [ force ]
VLANIF interface view:
domain name domain-name [ mac-authen | portal ] [ force ]
undo domain name domain-name [ mac-authen | portal ] [ force ]
Layer 3 interface view:
domain name domain-name [ portal ] [ force ]
undo domain name domain-name [ portal ] [ force ]
System view (for all access authentication users):
domain domain-name force [ mac-address mac-address mask mask ]
undo domain domain-name force [ mac-address mac-address ]
System view (only for MAC address authentication users):
domain domain-name mac-authen force
undo domain domain-name mac-authen force
domain name domain-name mac-authen force [ mac-address mac-address mask mask ]
undo domain name domain-name mac-authen force [ mac-address mac-address ]
Parameters
Parameter | Description | Value |
---|---|---|
name domain-name | Specifies the name of the default domain or force domain. If no user authentication mode is specified, the default domain or force domain takes effect for all access authentication users. | The value must be an existing domain name on the device. |
mac-address mac-address mask mask | Specifies the MAC address range within which the MAC address authentication users use the forcible domain. NOTE: You can specify a maximum of 16 MAC address ranges. | The MAC address and mask are both in the format of H-H-H, in which H is a 4-digit hexadecimal number. |
dot1x | Specifies 802.1X authentication as the user authentication mode. | - |
mac-authen | Specifies MAC address authentication as the user authentication mode. | - |
portal | Specifies Portal authentication as the user authentication mode. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the access-domain domain-name [ dot1x | mac-authen | portal ]* [ force ] command in the authentication profile view.
dot1x authentication-method (upgrade-compatible command)
Function
The dot1x authentication-method command sets the authentication mode for 802.1X users.
The undo dot1x authentication-method command restores the default authentication mode for 802.1X users.
By default, the global 802.1X user authentication mode is CHAP authentication and the 802.1X user authentication mode on interfaces is the same as the mode globally configured.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x authentication-method { chap | pap | eap } command in the 802.1X access profile view.
dot1x eap-notify-packet (upgrade-compatible command)
Function
The dot1x eap-notify-packet command enables the device to send an EAP packet code number to users.
The undo dot1x eap-notify-packet command disables the device from sending an EAP packet code number to users.
By default, the device is disabled from sending an EAP packet code number to users.
Format
dot1x eap-notify-packet eap-code code-number data-type type-number
undo dot1x eap-notify-packet [ eap-code code-number data-type type-number ]
Parameters
Parameter | Description | Value |
---|---|---|
eap-code code-number | Specifies an EAP packet code number sent to users. | The value is an integer that ranges from 5 to 255. The default value is 255. |
data-type type-number | Specifies the data type in EAP packets sent to users. | The value is an integer that ranges from 1 to 255. The default value is 255. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x eap-notify-packet eap-code code-number data-type type-number command in the 802.1X access profile view.
dot1x guest-vlan (upgrade-compatible command)
Function
The dot1x guest-vlan command configures a guest VLAN on an interface.
By default, no guest VLAN is configured on an interface.
dot1x handshake (upgrade-compatible command)
dot1x (upgrade-compatible command)
Function
The dot1x command enables dot1x authentication globally or on an interface.
By default, dot1x authentication is disabled globally or on an interface.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view
dot1x reauthenticate (upgrade-compatible command)
dot1x restrict-vlan (upgrade-compatible command)
Function
Using the dot1x restrict-vlan command, you can configure the device to add 802.1X users that fail to be authenticated to a restrict VLAN.
Using the undo dot1x restrict-vlan command, you can cancel the setting.
By default, 802.1X users do not join any VLAN after they fail to be authenticated.
Usage Guidelines
If a user that fails to be authenticated wants to access some resources, configure a restrict VLAN to allow the user to access limited resources. Users in the restrict VLAN can access resources in the restrict VLAN without being authenticated but must be authenticated when they access resources outside the restrict VLAN.
dot1x retry (upgrade-compatible command)
Function
The dot1x retry command sets the maximum number of times an authentication request is sent to an 802.1X user.
The undo dot1x retry command restores the default setting.
By default, the device sends an authentication request to an 802.1X user twice.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x retry max-retry-value command in the 802.1X access profile view.
dot1x timer reauthenticate-period (upgrade-compatible command)
Function
The dot1x timer reauthenticate-period command sets the re-authentication interval for 802.1X authentication users.
The undo dot1x timer reauthenticate-period command restores the default re-authentication interval.
By default, the re-authentication interval is 3600 seconds.
Format
dot1x timer reauthenticate-period reauthenticate-period-value
undo dot1x timer reauthenticate-period
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x timer reauthenticate-period reauthenticate-period-value command in the 802.1X access profile view.
dot1x timer (upgrade-compatible command)
Function
The dot1x timer command sets values of timers used in 802.1X authentication.
The undo dot1x timer command restores the default settings of timers used in 802.1X authentication.
By default, the values of timers used in 802.1X authentication are not set.
Format
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value }
undo dot1x timer { client-timeout | handshake-period | eth-trunk-access handshake-period }
Parameters
Parameter | Description | Value |
---|---|---|
client-timeout client-timeout-value | Specifies the timeout interval of the authentication response from the client. For details, see dot1x retry (upgrade-compatible command). | The value is an integer that ranges from 1 to 120, in seconds. By default, the timeout interval of the authentication response from the client is 5 seconds. |
handshake-period handshake-period-value | Specifies the handshake interval between the device and 802.1X authentication client connected to a non-Eth-Trunk interface. For details, see dot1x handshake (upgrade-compatible command). | The value is an integer that ranges from 5 to 7200, in seconds. By default, the interval for sending handshake packets is 15 seconds. |
eth-trunk-access handshake-period handshake-period-value | Specifies the handshake interval between the device and 802.1X authentication client connected to an Eth-Trunk. For details, see dot1x handshake (upgrade-compatible command). | The value is an integer that ranges from 30 to 7200, in seconds. By default, the interval for sending handshake packets is 120 seconds. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value } command in the 802.1X access profile view.
dot1x trigger dhcp-binding (upgrade-compatible command)
Function
The dot1x trigger dhcp-binding command enables the device to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication or when the users are at the pre-connection phase.
The undo dot1x trigger dhcp-binding command restores the default setting.
By default, the device does not automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication or when the users are at the pre-authentication phase.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the dot1x trigger dhcp-binding command in the dot1x access profile view.
dot1x unicast-trigger (upgrade-compatible command)
mac-authen guest-vlan (upgrade-compatible command)
Function
The mac-authen guest-vlan command configures a guest VLAN on an interface.
By default, no guest VLAN is configured on an interface.
mac-authen offline dhcp-release (upgrade-compatible command)
Function
The mac-authen offline dhcp-release command enables the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.
The undo mac-authen offline dhcp-release command restores the default configuration.
By default, the device does not clear user entries when receiving DHCP Release packets from MAC address authentication users.
Format
In the system view:
mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
mac-authen offline dhcp-release
undo mac-authen offline dhcp-release
Parameters
Parameter | Description | Value |
---|---|---|
interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | Specifies the type and number of an interface. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the mac-authen offline dhcp-release command in the mac access profile view.
mac-authen password (upgrade-compatible command)
mac-authen permit mac-address (upgrade-compatible command)
Function
The mac-authen permit mac-address command specifies the MAC address range allowed for MAC address authentication.
The undo mac-authen permit mac-address command deletes the MAC address range allowed for MAC address authentication.
By default, no MAC address range is specified for MAC address authentication.
Format
mac-authen permit mac-address mac-address mask { mask | mask-length }
undo mac-authen permit mac-address mac-address mask { mask | mask-length }
Parameters
Parameter | Description | Value |
---|---|---|
mac-address | Specifies a MAC address for MAC address authentication. | The value is in H-H-H format. H contains 1 to 4 hexadecimal digits. |
mask mask | Specifies the MAC address mask. | The value is in H-H-H format. H contains 1 to 4 hexadecimal digits. |
mask mask-length | Specifies the MAC address mask length. | The value is an integer that ranges from 1 to 48. |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the mac-authen permit mac-address mac-address mask { mask | mask-length } command in the mac access profile view.
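To see which client addresses a given permit range covers, the H-H-H address and the mask (or mask length) can be expanded into 48-bit integers and compared. The following Python code is an added example, not the device's implementation: it assumes the mask is applied bitwise as with an IP netmask and that an H with fewer than four digits has implied leading zeros, and the names `parse_hhh`, `parse_mask` and `PermitRange` are hypothetical.

```python
import re

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")
_COMMAND = re.compile(r"mac-authen permit mac-address (\S+) mask (\S+)")


def parse_hhh(text):
    """Parse an H-H-H value (each H is 1 to 4 hex digits) into a 48-bit integer."""
    groups = text.split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    value = 0
    for g in groups:
        value = (value << 16) | int(g, 16)  # assumption: missing digits are leading zeros
    return value


def format_hhh(value):
    """Render a 48-bit integer as a zero-padded H-H-H string."""
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


def parse_mask(text):
    """Accept a mask length (1 to 48) or an H-H-H mask; return the 48-bit mask."""
    if re.fullmatch(r"[0-9]+", text):
        length = int(text)
        if not 1 <= length <= 48:
            raise ValueError(f"mask length {length} is outside 1-48")
        return ((1 << length) - 1) << (48 - length)
    return parse_hhh(text)


class PermitRange:
    """One 'mac-authen permit mac-address' range."""

    def __init__(self, mac, mask):
        self.mask = parse_mask(mask)
        self.base = parse_hhh(mac) & self.mask

    def matches(self, client_mac):
        # Assumption: a client is inside the range when its masked bits equal the base.
        return (parse_hhh(client_mac) & self.mask) == self.base

    def size(self):
        """Number of MAC addresses covered by the range."""
        return 1 << (48 - bin(self.mask).count("1"))


def from_command(line):
    """Build a PermitRange from a configuration line."""
    m = _COMMAND.fullmatch(" ".join(line.split()))
    if m is None:
        raise ValueError(f"not a mac-authen permit command: {line!r}")
    return PermitRange(m.group(1), m.group(2))


if __name__ == "__main__":
    # Constructed sample line; the client address is the example MAC used on this page.
    rng = from_command("mac-authen permit mac-address 0005-e01c-0000 mask 32")
    print(format_hhh(rng.base), format_hhh(rng.mask), rng.size())
    for client in ("0005-e01c-02e3", "0005-e01d-02e3"):
        print(client, "in range" if rng.matches(client) else "outside range")
```

The `size()` result makes the breadth of a range explicit: a mask length of 32 covers 65536 addresses, and each bit removed from the mask doubles that number.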
mac-authen reauthenticate dhcp-renew (upgrade-compatible command)
Function
The mac-authen reauthenticate dhcp-renew command enables the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.
The undo mac-authen reauthenticate dhcp-renew command restores the default setting.
By default, the device does not re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the mac-authen reauthenticate dhcp-renew command in the mac access profile view.
mac-authen reauthenticate (upgrade-compatible command)
Function
The mac-authen reauthenticate command enables periodic MAC address re-authentication on a specified interface.
The undo mac-authen reauthenticate command disables periodic MAC address re-authentication on a specified interface.
By default, periodic MAC address re-authentication is enabled on a specified interface.
mac-authen timer reauthenticate-period (upgrade-compatible command)
Function
The mac-authen timer reauthenticate-period command sets the re-authentication interval for MAC address authentication users.
The undo mac-authen timer reauthenticate-period command restores the default re-authentication interval.
By default, the re-authentication interval is 1800 seconds.
Format
mac-authen timer reauthenticate-period reauthenticate-period-value
undo mac-authen timer reauthenticate-period
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the mac-authen timer reauthenticate-period reauthenticate-period-value command in the mac access profile view.
mac-authen username fixed password (upgrade-compatible command)
Function
The mac-authen username fixed password command configures the fixed user name and password for MAC address authentication.
The undo mac-authen username fixed password command deletes the fixed user name and password for MAC address authentication.
By default, no fixed user name and password is configured for MAC address authentication.
Format
mac-authen username fixed username password [ simple ] password
undo mac-authen username fixed username password simple password
Parameters
Parameter | Description | Value |
---|---|---|
fixed username | Specifies the fixed user name for MAC address authentication. | The value is a string of 1 to 64 characters. |
simple | Indicates the password in plain text. | - |
password | Specifies the password for MAC address authentication. | The value is a string of 1 to 16 characters. |
mac-authen username (upgrade-compatible command)
Function
The mac-authen username command configures the user name format for MAC address authentication.
The undo mac-authen username command restores the default user name format.
By default, the MAC address without hyphens (-) is used as the user name and password for MAC address authentication.
Format
mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ] | dhcp-option option-code { circuit-id | remote-id } password cipher password }
undo mac-authen username [ fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ] | dhcp-option option-code [ password cipher password ] ]
Parameters
Parameter | Description | Value |
---|---|---|
fixed username | Specifies the fixed user name for MAC address authentication. | The value is a string of 1 to 64 case-sensitive characters that do not contain spaces or question marks (?). |
password cipher password | Specifies the password displayed in cipher text for MAC address authentication. NOTE: If fixed user names are configured in the VLANIF interface view, Eth-Trunk interface view or Port group view, the password must be set. If a MAC address is configured as the user name in the Port group view, the password cannot be set. | The value is a case-sensitive string without question marks (?) or spaces. The password contains 1 to 128 characters in plain text or 48 to 188 characters in cipher text. NOTE: To improve security, it is recommended that the password contains at least two types of lower-case letters, upper-case letters, numerals, and special characters, and contains at least 6 characters. |
macaddress | Specifies that the user name in MAC address authentication is the MAC address. | - |
format | Specifies the format of the MAC address. | - |
with-hyphen | Specifies that the MAC address with hyphens is used as the user name, for example, 0005-e01c-02e3. | - |
without-hyphen | Specifies that the MAC address without hyphens is used as the user name, for example, 0005e01c02e3. | - |
dhcp-option option-code | Sets the user name of the MAC address authentication user to a specified DHCP option. NOTE: This parameter is not supported in the VLANIF interface view. | The value is an integer. In the current version, the value is fixed as 82. |
portal auth-network (upgrade-compatible command)
Function
The portal auth-network command configures a source subnet for Portal authentication.
The undo portal auth-network command restores the default source subnet for Portal authentication.
By default, the source subnet for Portal authentication is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.
Format
portal auth-network network-address { mask-length | mask-address }
undo portal auth-network { network-address { mask-length | mask-address } | all }
Parameters
Parameter | Description | Value |
---|---|---|
network-address | Specifies the IP address of the source subnet for Portal authentication. | The value is in dotted decimal notation. |
mask-length | Specifies the mask length. | The value is an integer that ranges from 1 to 32. |
mask-address | Specifies the mask of the source subnet for Portal authentication. | The value is in dotted decimal notation. |
all | Deletes all Portal authentication subnets. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the portal auth-network network-address { mask-length | mask-address } command in the portal access profile view.
portal timer offline-detect (upgrade-compatible command)
Function
The portal timer offline-detect command sets the Portal user offline detection interval.
The undo portal timer offline-detect command restores the default Portal user offline detection interval.
By default, the Portal user offline detection interval is 300 seconds.
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the portal timer offline-detect time-length command in the portal access profile view.
url (URL template view) (upgrade-compatible command)
Function
The url command configures the redirection URL or pushed URL.
The undo url command cancels the redirection URL or pushed URL.
By default, no redirection URL or pushed URL is configured.
Parameters
Parameter |
Description |
Value |
---|---|---|
url-string | Specifies the redirection URL of the Portal server or pushed URL. | It is a string of 1 to 200 case-sensitive characters that do not contain spaces or question marks (?). |
ssid ssid | Specifies the SSID that users associate with. | The SSID must already exist. |
push-only | Specifies the URL as a pushed URL. | - |
redirect-only | Specifies the URL as a redirection URL. | - |
ucl-group (upgrade-compatible command)
Parameters
Parameter | Description | Value |
---|---|---|
name group-name | Specifies the name of a UCL group. | The value is a string of 1 to 31 case-sensitive characters without spaces. |
extend | Extends the maximum number of UCL groups. | - |
voice-vlan (service scheme view) (upgrade-compatible command)
Function
The voice-vlan command configures a voice VLAN in a service scheme.
The undo voice-vlan command deletes the voice VLAN configured in the service scheme.
By default, no voice VLAN is configured in the service scheme.
web-auth-server (interface view) (upgrade-compatible command)
Function
The web-auth-server command binds a Portal server template to an interface.
The undo web-auth-server command unbinds a Portal server template from an interface.
By default, no Portal server template is bound to an interface.
Format
Layer 2 interface view
web-auth-server server-name [ bak-server-name ] direct
undo web-auth-server [ server-name [ bak-server-name ] direct ]
VLANIF interface view
web-auth-server server-name [ bak-server-name ] { direct | layer3 }
undo web-auth-server [ server-name [ bak-server-name ] { direct | layer3 } ]
Routed main interface view
web-auth-server server-name [ bak-server-name ] layer3
undo web-auth-server [ server-name [ bak-server-name ] layer3 ]
Parameters
Parameter | Description | Value |
---|---|---|
server-name | Specifies the name of the Portal server template. | The value must be an existing Portal server template name. |
bak-server-name | Specifies the name of the secondary Portal server template. NOTE: The name of the secondary Portal server template cannot be set to the command-line keywords direct or layer3. | The value must be an existing Portal server template name. |
direct | Specifies Layer 2 authentication as the Portal authentication mode. When there is no Layer 3 forwarding device between the device and users, configure the Layer 2 authentication mode. | - |
layer3 | Specifies Layer 3 authentication as the Portal authentication mode. When there is a Layer 3 forwarding device between the device and users, configure the Layer 3 authentication mode. | - |
Usage Guidelines
This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
After the upgrade, this command is no longer supported, and it is replaced by the web-auth-server server-name [ bak-server-name ] { direct | layer3 } command in the portal access profile view.
web-auth-server (system view) (upgrade-compatible command)
Function
The web-auth-server command configures a web authentication server in the system view.
By default, no web authentication server is configured in the system view.
Format
web-auth-server server-name ip-address [ port port [ all ] ] [ key password | shared-key { simple password | cipher password } ] [ url url-string ]
Parameters
Parameter | Description | Value |
---|---|---|
server-name | Specifies the name of a web authentication server template. | The value is a string of 1 to 31 case-insensitive characters. |
ip-address | Specifies the IP address of a web authentication server. | The value is in dotted decimal notation. |
port port | Specifies the port number that the Portal server uses to receive and encapsulate UDP packets from the device. | The value is an integer that ranges from 1 to 65535. |
all | Indicates that the device always uses the destination port number specified by port-number to encapsulate UDP packets. | - |
key password | Specifies the shared key that the device uses to exchange information with a Portal server. | The value is a string of 1 to 16 characters. |
shared-key | Specifies the shared key that the device uses to exchange information with a Portal server. | - |
simple password | Displays a shared key in plain text. NOTICE: If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text. | The value is a string of 1 to 16 characters. |
cipher password | Displays a shared key in cipher text. | The value is a string of 1 to 256 characters. |
url url-string | Specifies the URL of a portal server. Portal authentication users can visit this URL to access the Portal server. | The value is a string of 1 to 200 characters. |
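The following is an added example, not part of the vendor documentation: a Python audit that parses saved system-view web-auth-server lines according to the Format above and flags shared keys stored with simple, keys longer than documented, and ports outside the documented range. The function names, finding messages and sample configuration are constructed for illustration, and the parser assumes that keys and URLs contain no whitespace.

```python
import re
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # dotted-decimal ip-address
KEY_MAX = {"key": 16, "simple": 16, "cipher": 256}  # lengths from the Value column

def parse_web_auth_server(line):
    """Parse a system-view web-auth-server line; return None for other lines."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "web-auth-server" or not IPV4.fullmatch(tok[2]):
        return None  # e.g. interface-view form: server-name [bak] direct|layer3
    rec = {"name": tok[1], "ip": tok[2], "port": None, "all": False,
           "mode": None, "key": None, "url": None}
    rest = tok[3:]
    try:
        if rest[:1] == ["port"]:
            rec["port"], rest = int(rest[1]), rest[2:]
            if rest[:1] == ["all"]:
                rec["all"], rest = True, rest[1:]
        if rest[:1] == ["key"]:
            rec["mode"], rec["key"], rest = "key", rest[1], rest[2:]
        elif rest[:1] == ["shared-key"]:
            rec["mode"], rec["key"], rest = rest[1], rest[2], rest[3:]
        if rest[:1] == ["url"]:
            rec["url"], rest = rest[1], rest[2:]
    except IndexError:
        raise ValueError("truncated web-auth-server line") from None
    if rest or rec["mode"] not in (None, *KEY_MAX):
        raise ValueError("tokens do not match the documented format")
    return rec

def audit(config_text):
    """Return (line_no, server_name, issue) tuples; key values are never echoed."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        rec = parse_web_auth_server(line)
        if rec is None:
            continue
        if rec["mode"] == "simple":
            findings.append((no, rec["name"], "shared key saved in plain text"))
        if rec["mode"] and len(rec["key"]) > KEY_MAX[rec["mode"]]:
            findings.append((no, rec["name"], "shared key longer than documented"))
        if rec["port"] is not None and not 1 <= rec["port"] <= 65535:
            findings.append((no, rec["name"], "port outside 1-65535"))
    return findings

# Constructed sample configuration (names, addresses and keys are made up).
SAMPLE = """web-auth-server portal1 192.0.2.10 port 50100 all shared-key simple Example-Key-1
web-auth-server portal2 192.0.2.11 port 50100 shared-key cipher CONSTRUCTED-CIPHERTEXT
web-auth-server portal3 192.0.2.12 port 70000 key Example-Key-3 url http://192.0.2.12/portal
 web-auth-server portal1 portal2 direct"""
```

Running audit(SAMPLE) reports the simple key on line 1 and the out-of-range port on line 3; the interface-view binding on the last line is skipped because its second argument is not an IP address.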