NETCONF YANG API Reference

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

AAA Management

Data Model

The configuration model files for AAA management are huawei-user-management.yang, huawei-aaa.yang, and huawei-aaa-radius.yang.

Table 3-1176 Local user

Object

Description

Value

Remarks

/huawei-user-management/user-management/local-user/user-name

Indicates the name of a local user.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks (*), double quotation marks ("), or question marks (?).

N/A

/huawei-user-management/user-management/local-user/password

Indicates the password of a local user.

The value is a case-sensitive string without question marks (?) or spaces.

N/A

/huawei-user-management/user-management/local-user/privilege-level

Indicates the level of a local user.

The value is an integer ranging from 0 to 15. A larger value indicates a higher level of a user.

N/A

/huawei-user-management/user-management/local-user/service-type

Indicates the access type of a local user.

The value can be:

  • 8021X: Indicates an 802.1X user.
  • ftp: Indicates an FTP user.
  • http: Indicates an HTTP user, which is usually used for web system login.
  • ppp: Indicates a PPP user.
  • ssh: Indicates an SSH user.
  • telnet: Indicates a Telnet user, which is usually a network administrator.
  • terminal: Indicates a terminal user, which is usually a user connected using a console port.
  • web: Indicates a Portal authentication user.
  • x25-pad: Indicates an X25-PAD user.

N/A

/huawei-user-management/user-management/local-user/ftp-directory

Indicates the directory that FTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management/user-management/local-user/http-directory

Indicates the directory that HTTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/expire-date

Indicates the expiration time of a local account.

The value is a date ranging from 2000-01-01 to 2099-12-31.

N/A

/huawei-user-management:user-management/local-user/time-range

Indicates the access permission time range of the local account.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter.

N/A

/huawei-user-management:user-management/local-user/device-type-group/device-type

Indicates the type of terminals allowed to access the network.

The value is a string of 1 to 31 case-insensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/user-type

Indicates that a local user is an NMS user.

The value is of the enumerated type and can be netmanager.

N/A

/huawei-user-management/user-management/local-user/access-limit

Indicates the maximum number of connections that can be created with a specified user name.

The value is an integer ranging from 1 to 4294967295.

N/A

/huawei-user-management/user-management/local-user/idle-time

Indicates the idle timeout period of the user account.

The value is an integer ranging from 1 to 2147519, in seconds.

N/A

/huawei-user-management/user-management/local-user/state

Indicates the status of a local user.

The value is of the enumerated type:

  • active: Indicates that a local user is in active state. The device accepts and processes the authentication request from the user, and allows the user to change the password.
  • block: Indicates that a local user is in blocking state. The device rejects the authentication request from the user and does not allow the user to change the password.

N/A

/huawei-user-management:user-management/administrator-password-police

Indicates the password policy for local administrators. The object includes:

  • enable: Indicates whether the password policy is enabled for local administrators.
  • expire-day: Indicates the password validity period.
  • alert-expire-day: Indicates whether the password expiration prompt function is enabled.
  • alert-original: Indicates whether the initial password change prompt function is enabled.
  • history-record-number: Indicates the maximum number of historical passwords recorded for each user.

  • enable: The value is of the Boolean type. The default value is false.
    • true: The password policy is enabled for local administrators.
    • false: The password policy is disabled for local administrators.
  • expire-day: The value is an integer ranging from 0 to 999, in days. The default value is 90.
  • alert-expire-day: The value is an integer ranging from 0 to 999, in days. The default value is 30.
  • alert-original: The value is of the Boolean type. The default value is true.
    • true: The initial password change prompt function is enabled.
    • false: The initial password change prompt function is disabled.
  • history-record-number: The value is an integer ranging from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/user-password-police

Indicates the password policy for local access users. The object includes:

  • enable: Indicates whether the password policy is enabled for local access users.
  • history-record-number: Indicates the maximum number of historical passwords recorded for each user.

  • enable: The value is of the Boolean type. The default value is false.
    • true: The password policy is enabled for local access users.
    • false: The password policy is disabled for local access users.
  • expire-day: The value is an integer ranging from 0 to 999, in days. The default value is 90.
  • alert-expire-day: The value is an integer ranging from 0 to 999, in days. The default value is 30.
  • alert-original: The value is of the Boolean type. The default value is false.
    • true: The initial password change prompt function is enabled.
    • false: The initial password change prompt function is disabled.
  • history-record-number: The value is an integer ranging from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/wrong-password-police

Indicates the local account locking function. The object includes:

  • retry-interval: Indicates the retry interval of a local account.
  • retry-times: Indicates the maximum number of consecutive incorrect password attempts of a local account.
  • block-time: Indicates the local account locking time.

  • retry-interval: The value is an integer ranging from 5 to 65535, in minutes.
  • retry-times: The value is an integer ranging from 3 to 65535.
  • block-time: The value is an integer ranging from 5 to 65535, in minutes.

N/A

/huawei-user-management:user-management/password-option/complexity-check

Indicates whether the password complexity check function is enabled for local accounts.

The value is of the Boolean type:

  • true: The password complexity check function is enabled for local accounts.
  • false: The password complexity check function is disabled for local accounts.

The default value is true.

N/A

/huawei-user-management:user-management/online-user

Obtains online user information.

N/A

N/A
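
As an added example (not Huawei's code and not part of this document), a pre-flight validator that checks a proposed local-user entry against the constraints in Table 3-1176 before it is sent, and serialises the accepted entry as a NETCONF <edit-config> body. The huawei-user-management namespace URI is not given on the page, so the NS_USER_MGMT value is a placeholder, and treating user-name and password as mandatory is an assumption.

```python
"""Pre-flight validator and <edit-config> builder for a local user.

Added example, not Huawei's code. The value constraints come from
Table 3-1176; the XML namespace URI of huawei-user-management is not
given on the page, so NS_USER_MGMT below is a placeholder (assumption).
"""
import re
from datetime import date
from typing import Optional
from xml.etree import ElementTree as ET

NS_NETCONF = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_USER_MGMT = "urn:example:placeholder:huawei-user-management"  # placeholder, not the real URI

SERVICE_TYPES = {"8021X", "ftp", "http", "ppp", "ssh", "telnet", "terminal", "web", "x25-pad"}
STATES = {"active", "block"}
INT_RANGES = {  # leaf -> (min, max) as documented in Table 3-1176
    "privilege-level": (0, 15),
    "access-limit": (1, 4294967295),
    "idle-time": (1, 2147519),
}


class LocalUserError(ValueError):
    """A proposed local-user entry violates a documented constraint."""


def validate_local_user(user: dict) -> dict:
    """Check a local-user dict (keys are the leaf names) and return a copy.

    user-name and password are treated as mandatory here (assumption);
    every other leaf is optional and only checked when present.
    """
    errors = []
    name = str(user.get("user-name", ""))
    if not 1 <= len(name) <= 64:
        errors.append("user-name must be 1 to 64 characters")
    if re.search(r'[ *"?]', name):          # spaces, *, " and ? are forbidden
        errors.append('user-name cannot contain spaces, *, " or ?')
    pwd = str(user.get("password", ""))
    if not pwd or re.search(r"[ ?]", pwd):  # complexity rules are not defined on the page
        errors.append("password cannot be empty or contain spaces or ?")
    for leaf, (lo, hi) in INT_RANGES.items():
        v = user.get(leaf)
        if v is not None and not (isinstance(v, int) and lo <= v <= hi):
            errors.append(f"{leaf} must be an integer from {lo} to {hi}")
    st = user.get("service-type")
    if st is not None and st not in SERVICE_TYPES:
        errors.append(f"service-type must be one of {sorted(SERVICE_TYPES)}")
    state = user.get("state")
    if state is not None and state not in STATES:
        errors.append("state must be active or block")
    exp = user.get("expire-date")
    if exp is not None:
        try:
            d = date.fromisoformat(str(exp))
        except ValueError:
            errors.append("expire-date must be a YYYY-MM-DD date")
        else:
            if not date(2000, 1, 1) <= d <= date(2099, 12, 31):
                errors.append("expire-date must lie between 2000-01-01 and 2099-12-31")
    if errors:
        raise LocalUserError("; ".join(errors))
    return dict(user)


def build_edit_config(user: dict, message_id: str = "1") -> str:
    """Serialise a validated local-user entry as a NETCONF <edit-config> on <running>."""
    user = validate_local_user(user)
    ET.register_namespace("", NS_NETCONF)       # default namespace for the RPC envelope
    ET.register_namespace("um", NS_USER_MGMT)   # prefix for the user-management subtree
    rpc = ET.Element(f"{{{NS_NETCONF}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NS_NETCONF}}}edit-config")
    target = ET.SubElement(edit, f"{{{NS_NETCONF}}}target")
    ET.SubElement(target, f"{{{NS_NETCONF}}}running")
    config = ET.SubElement(edit, f"{{{NS_NETCONF}}}config")
    um = ET.SubElement(config, f"{{{NS_USER_MGMT}}}user-management")
    lu = ET.SubElement(um, f"{{{NS_USER_MGMT}}}local-user")
    for leaf, value in user.items():        # one element per leaf; ET escapes the text
        ET.SubElement(lu, f"{{{NS_USER_MGMT}}}{leaf}").text = str(value)
    return ET.tostring(rpc, encoding="unicode")


def leaf_value(rpc_xml: str, leaf: str) -> Optional[str]:
    """Read back one local-user leaf from a serialised RPC (self-check helper)."""
    node = ET.fromstring(rpc_xml).find(f".//{{{NS_USER_MGMT}}}local-user/{{{NS_USER_MGMT}}}{leaf}")
    return None if node is None else node.text


if __name__ == "__main__":
    # Constructed sample: an SSH operator account that expires at the end of 2030.
    sample = {"user-name": "netops", "password": "Str0ng#pass", "privilege-level": 3,
              "service-type": "ssh", "idle-time": 300, "expire-date": "2030-12-31", "state": "active"}
    print(build_edit_config(sample))
```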

Table 3-1177 AAA

Object

Description

Value

Remarks

/huawei-aaa:aaa/authentication-scheme/name

Indicates the name of an authentication scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or --, and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authentication-scheme/authentication-mode

Indicates the authentication mode in an authentication scheme.

The value can be:

  • hwtacacs: Authenticates users using an HWTACACS server.
  • local: Authenticates users locally.
  • radius: Authenticates users using a RADIUS server.
  • none: Indicates non-authentication. That is, users access the network without being authenticated.

N/A

/huawei-aaa:aaa/authorization-scheme/name

Indicates the name of an authorization scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or --, and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-mode

Indicates the authorization mode in an authorization scheme.

The value can be:

  • hwtacacs: Indicates that the user is authorized by an HWTACACS server.
  • if-authenticated: Indicates that only the user who succeeds in authentication (authentication exemption excluded) is authorized.
  • local: Indicates that the user is authorized locally.
  • none: Indicates non-authorization.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-cmd/authorization-cmd-item

Configures the administrator of a specific level to run only commands that are authorized by the HWTACACS server. The object includes:

  • privilege-level: Indicates the level of the administrator.
  • authorization-cmd-mode: Configures the backup mode for the HWTACACS server-based command line authorization.

  • privilege-level: The value is an integer ranging from 0 to 15.
  • authorization-cmd-mode: The value can be local or none.

N/A

/huawei-aaa:aaa/aaa-domain/accounting-scheme/name

Indicates the name of an accounting scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or --, and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/accounting-scheme/accounting-mode

Indicates the accounting mode in an accounting scheme.

The value can be:

  • hwtacacs: Indicates that accounting is performed by an HWTACACS server.
  • radius: Indicates that accounting is performed by a RADIUS server.
  • none: Indicates non-accounting.

N/A

/huawei-aaa:aaa/accounting-scheme/start-accounting-fail/fail-policy

Indicates the policy for accounting-start failures.

The value is of the enumerated type:

  • offline: Rejects users' online requests if accounting-start fails.
  • online: Allows users to go online if accounting-start fails.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-interval

Indicates the interval for real-time accounting.

The value is an integer ranging from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-max-times

Indicates the maximum number of real-time accounting failures.

The value is an integer ranging from 1 to 255. The default value is 3.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-policy

Indicates the policy for real-time accounting failures.

The value is of the enumerated type:

  • offline: Disconnects users if real-time accounting fails.
  • online: Keeps users online if real-time accounting fails.

N/A

/huawei-aaa:aaa/service-scheme/name

Indicates the name of a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or --, and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/service-scheme/admin-user-privilege-level

Indicates the level of a user who logs in to the device as an administrator.

The value is an integer ranging from 0 to 15.

N/A

/huawei-aaa:aaa/service-scheme/acl

Indicates the number of an ACL bound to a service scheme.

The value is an integer ranging from 3000 to 3999.

N/A

/huawei-aaa:aaa/service-scheme/qos-profile

Indicates the QoS profile bound to a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or --, and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-time

Indicates the period in which an idle user can stay online.

The value is an integer ranging from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-value

Indicates the traffic threshold for the idle-cut function.

The value is an integer that ranges from 0 to 4294967295, in Kbytes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-direction

Indicates the direction of traffic on which the idle-cut function takes effect.

The value is of the enumerated type:

  • inbound: Indicates that the idle-cut function takes effect only on upstream traffic of users.
  • outbound: Indicates that the idle-cut function takes effect only on downstream traffic of users.

N/A

/huawei-aaa:aaa/service-scheme/dns

Indicates the DNS information configured in the service scheme. The object includes:

  • primary-ip-address: IP address of the primary DNS server.
  • secondary-ip-address: IP address of the secondary DNS server.
  • dns-name: Domain name.

  • primary-ip-address: The value is in dotted decimal notation.
  • secondary-ip-address: The value is in dotted decimal notation.
  • dns-name: The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? ".

N/A

/huawei-aaa:aaa/service-scheme/wins

Indicates the WINS server information configured in the service scheme. The object includes:

  • primary-ip-address: IP address of the primary WINS server.
  • secondary-ip-address: IP address of the secondary WINS server.

  • primary-ip-address: The value is in dotted decimal notation.
  • secondary-ip-address: The value is in dotted decimal notation.

N/A

/huawei-aaa:aaa/service-scheme/dhcp-group

Indicates the DHCP server group configured in the service scheme.

The value is a string of 1 to 32 case-sensitive characters without spaces.

N/A

/huawei-aaa:aaa/service-scheme/ip-pool

Indicates the IP address pool configured in the service scheme.

The value is a string of 1 to 64 characters. It can contain letters, digits (0-9), dots (.), hyphens (-), and underscores (_).

N/A

/huawei-aaa:aaa/service-scheme/daa

Indicates the destination address accounting function. The object includes:

  • traffic-level: Indicates the tariff level.
  • accounting-on: Enables the accounting function for the tariff level.
  • qos-profile: Indicates the name of the QoS profile corresponding to the tariff level.

  • traffic-level: The value is an integer ranging from 1 to 2.
  • accounting-on: The value is of the Boolean type and can be true or false.
  • qos-profile: The value must be the name of an existing QoS profile.

N/A

/huawei-aaa:aaa/aaa-domain

Indicates the name of an authentication domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? ".

N/A

/huawei-aaa:aaa/aaa-domain/authentication-scheme

Indicates the name of an authentication scheme bound to a domain.

The value must be the name of an existing authentication scheme.

N/A

/huawei-aaa:aaa/aaa-domain/authorization-scheme

Indicates the name of an authorization scheme bound to a domain.

The value must be the name of an existing authorization scheme.

N/A

/huawei-aaa:aaa/aaa-domain/accounting-scheme

Indicates the name of an accounting scheme bound to a domain.

The value must be the name of an existing accounting scheme.

N/A

/huawei-aaa:aaa/aaa-domain/service-scheme

Indicates the name of a service scheme bound to a domain.

The value must be the name of an existing service scheme.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Indicates the name of a RADIUS server template bound to a domain.

The value must be the name of an existing RADIUS server template.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Indicates the name of an HWTACACS server template bound to a domain.

The value must be the name of an existing HWTACACS server template.

N/A

/huawei-aaa:aaa/aaa-domain/statistics-enable

Indicates whether traffic statistics collection is enabled for users in a domain.

The value is of the Boolean type:

  • true
  • false

N/A

/huawei-aaa:aaa/aaa-domain/domain-block/state

Configures the domain state.

  • active: The domain is in active state.
  • block: The domain is in blocking state.

N/A

/huawei-aaa:aaa/aaa-domain/force-push-function/url-template

Configures the name of a pushed URL template.

The URL template must already exist.

N/A

/huawei-aaa:aaa/domain-name-parameters

Configures the domain name resolution method.

The object includes:

  • security-name-delimiter-enable: Indicates whether the security string function is enabled.
  • security-name-delimiter: Specifies the delimiter for a security string.
  • domain-name-delimiter: Specifies the domain name delimiter.
  • domain-name-direction: Specifies the domain name resolution direction.
  • domain-name-location: Specifies the domain name location.

  • security-name-delimiter-enable: The value is of the Boolean type:
    • true
    • false
  • security-name-delimiter: The value can only be one of the following characters: \ / : < > | @ ' % *.
  • domain-name-delimiter: The value can only be one of the following characters: \ / : < > | @ ' %.
  • domain-name-direction:
    • left-to-right: Left to right.
    • right-to-left: Right to left.
  • domain-name-location:
    • after-delimiter: The domain name is placed behind the delimiter.
    • before-delimiter: The domain name is placed before the delimiter.

By default, the security string function is enabled.

In the AAA view, WLAN-ESS interface view, and WLAN-BSS interface view, the security string delimiter is *, the domain name delimiter is @, the domain name resolution direction is from left to right, and the domain name is placed behind the delimiter.

The security string delimiter, domain name delimiter, domain name resolution direction, and domain name location are not configured in the authentication profile view.

N/A

/huawei-aaa:aaa/invalid-session-timeout-enable

Indicates whether the device is prevented from disconnecting or reauthenticating users when the RADIUS server delivers the session-timeout attribute with a value of 0.

The value is of the Boolean type:

  • true
  • false

N/A

/huawei-aaa:aaa/authorization-modify-mode

Indicates the update mode of user authorization information delivered by the authorization server.

  • modify: Modification mode.
  • overlay: Overlay mode.

By default, the update mode of user authorization information delivered by the authorization server is overlay. That is, the new user authorization information overwrites all existing user authorization information.

N/A

/huawei-aaa:aaa/remote-user-policy

Indicates that the remote AAA authentication account locking function is enabled. The object includes:

  • retry-interval: Specifies the authentication retry interval.
  • retry-times: Specifies the maximum number of consecutive authentication failures.
  • block-time: Specifies the account locking period.

  • retry-interval: The value is an integer that ranges from 5 to 65535, in minutes.
  • retry-times: The value is an integer that ranges from 3 to 65535.
  • block-time: The value is an integer that ranges from 5 to 65535, in minutes.

N/A

/huawei-aaa:aaa/global/authentication-bypass

Configures the bypass authentication function. The object includes:

  • bypass-enable: Indicates whether the bypass authentication function is enabled.
  • bypass-time: Specifies the bypass authentication timeout interval.

  • bypass-enable: The value is of the Boolean type. The default value is false.
    • true: Indicates that the bypass authentication function is enabled.
    • false: Indicates that the bypass authentication function is disabled.
  • bypass-time: The value is an integer ranging from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-bypass

Indicates whether the bypass authorization function is configured. The object includes:

  • bypass-enable: Indicates whether the bypass authorization function is enabled.
  • bypass-time: Specifies the bypass authorization timeout interval.

  • bypass-enable: The value is of the Boolean type. The default value is false.
    • true: Indicates that the bypass authorization function is enabled.
    • false: Indicates that the bypass authorization function is disabled.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-cmd-bypass

Indicates whether the command-line bypass authorization function is configured. The object includes:

  • bypass-enable: Indicates whether the command-line bypass authorization function is enabled.
  • bypass-time: Specifies the command-line bypass authorization timeout interval.

  • bypass-enable: The value is of the Boolean type. The default value is false.
    • true: Indicates that the command-line bypass authorization function is enabled.
    • false: Indicates that the command-line bypass authorization function is disabled.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/domain/default-domain

Indicates the global default domain.

The domain must already exist.

N/A
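
As an added example (not Huawei's implementation and not part of this document), the domain-name resolution described by /huawei-aaa:aaa/domain-name-parameters, carried through for the delimiter, direction and location settings with the fallback to /huawei-aaa:aaa/global/domain/default-domain; it matters operationally because the resolved domain selects the authentication, authorization and accounting schemes, so a name that contains the delimiter more than once lands in different domains depending on domain-name-direction. The security-name-delimiter is not modelled because the page does not define what the device does with the security string, and the DomainNameParameters class and the function names are assumptions.

```python
"""Domain-name resolution for an AAA user name.

Added example, not Huawei's implementation. It models the documented knobs
of /huawei-aaa:aaa/domain-name-parameters (delimiter, direction, location)
and the fallback to /huawei-aaa:aaa/global/domain/default-domain. The
security-string function (security-name-delimiter) is deliberately not
modelled: the page does not define what the device does with that string.
"""
from dataclasses import dataclass
from typing import Tuple

DOMAIN_DELIMITERS = set("\\/:<>|@'%")  # documented domain-name-delimiter values


@dataclass(frozen=True)
class DomainNameParameters:
    # Defaults are the documented AAA-view defaults (@, left to right, after delimiter).
    delimiter: str = "@"
    direction: str = "left-to-right"    # or "right-to-left"
    location: str = "after-delimiter"   # or "before-delimiter"

    def __post_init__(self):
        if self.delimiter not in DOMAIN_DELIMITERS:
            raise ValueError("domain-name-delimiter must be one of " + "".join(sorted(DOMAIN_DELIMITERS)))
        if self.direction not in ("left-to-right", "right-to-left"):
            raise ValueError("domain-name-direction must be left-to-right or right-to-left")
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError("domain-name-location must be after-delimiter or before-delimiter")


def resolve_domain(raw_name: str, params: DomainNameParameters, default_domain: str) -> Tuple[str, str]:
    """Split raw_name into (user, domain).

    The direction decides which occurrence of the delimiter is used when the
    name contains several: the first one found scanning left to right, or the
    first one found scanning right to left. The location decides which side of
    that delimiter is the domain. A name without the delimiter belongs to the
    global default domain.
    """
    if params.direction == "left-to-right":
        idx = raw_name.find(params.delimiter)
    else:
        idx = raw_name.rfind(params.delimiter)
    if idx < 0:
        return raw_name, default_domain
    left, right = raw_name[:idx], raw_name[idx + 1:]
    if params.location == "after-delimiter":
        return left, right
    return right, left


def is_valid_domain_name(domain: str) -> bool:
    """Check a resolved domain against the documented /huawei-aaa:aaa/aaa-domain
    constraints: 1 to 64 characters, not - or --, no spaces and none of * ? "."""
    if not 1 <= len(domain) <= 64 or domain in ("-", "--"):
        return False
    return not any(c in domain for c in ' *?"')


if __name__ == "__main__":
    # Constructed names showing how the same input lands in different domains.
    for name in ("alice@corp", "alice", "alice@guest@corp"):
        for params in (DomainNameParameters(), DomainNameParameters(direction="right-to-left")):
            user, domain = resolve_domain(name, params, "default")
            print(f"{name!r:20} {params.direction:14} -> user={user!r} domain={domain!r}")
```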

Table 3-1178 RADIUS

Object

Description

Value

Remarks

/huawei-aaa-radius:radius/radius-server/name

Indicates the name of a RADIUS server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server

Configures a RADIUS authentication server. The object includes:

  • server-ip-address: Indicates the IPv4 or IPv6 address of a RADIUS authentication server.
  • port: Indicates the port number of a RADIUS authentication server.
  • vpn-instance: Indicates the name of a VPN instance to which a RADIUS authentication server is bound. This parameter can be configured only when the RADIUS authentication server uses an IPv4 address.
  • weight: Indicates the weight value of a RADIUS authentication server.
  • loopback-interface: Indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-digit hexadecimal number).
  • port: The value is an integer ranging from 1 to 65535.
  • vpn-instance: The VPN instance must already exist.
  • weight: The value is an integer ranging from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server

Configures a RADIUS accounting server. The object includes:

  • server-ip-address: Indicates the IPv4 or IPv6 address of a RADIUS accounting server.
  • port: Indicates the port number of a RADIUS accounting server.
  • vpn-instance: Indicates the name of a VPN instance to which a RADIUS accounting server is bound. This parameter can be configured only when the RADIUS accounting server uses an IPv4 address.
  • weight: Indicates the weight value of a RADIUS accounting server.
  • loopback-interface: Indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-digit hexadecimal number).
  • port: The value is an integer ranging from 1 to 65535.
  • vpn-instance: The VPN instance must already exist.
  • weight: The value is an integer ranging from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server/shared-key

Indicates the shared key of a RADIUS authentication server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server/shared-key

Indicates the shared key of a RADIUS accounting server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

The shared key of the RADIUS accounting server must be the same as that of the RADIUS authentication server.

/huawei-aaa-radius:radius/dynamic-authorization-server

Configures a RADIUS authorization server. The object includes:

  • server-ip-address: Indicates the IP address of a RADIUS authorization server.
  • shared-key: Indicates the shared key of a RADIUS authorization server.
  • ack-reserved-interval: Indicates the duration for retaining a RADIUS authorization response packet.
  • server-group: Indicates the name of a RADIUS template corresponding to a RADIUS authorization server.

  • server-ip-address: The value must be a unicast address in dotted decimal notation.
  • shared-key: The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • vpn-instance: The VPN instance must already exist.
  • ack-reserved-interval: The value is an integer ranging from 0 to 300, in seconds. The default value is 0.
  • server-group: The value is a string of 1 to 32 characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/enable

Indicates whether the RADIUS attribute translation function is enabled.

The value is of the Boolean type and can be:

  • true
  • false

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-normal

Configures standard RADIUS attribute translation. The object includes:

  • source-attribute-name: Indicates the name of a source attribute.
  • destination-attribute-name: Indicates the name of a destination attribute.
  • packet-type: Indicates the type of packets for RADIUS attribute translation.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type.
    • receive: Translates RADIUS attributes for received packets.
    • send: Translates RADIUS attributes for sent packets.
    • access-request: Translates RADIUS attributes for Authentication Request packets.
    • account-request: Translates RADIUS attributes for Accounting Request packets.
    • access-accept: Translates RADIUS attributes for Authentication Accept packets.
    • account-response: Translates RADIUS attributes for Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend

Translates extended RADIUS attributes (Huawei default attributes that non-Huawei devices do not support are translated into attributes those devices support). The object includes:

  • source-attribute-name: Indicates the name of a source attribute.
  • destination-vendor-id: Indicates the vendor ID in the extended RADIUS attribute to be translated.
  • destination-sub-vendor-id: Indicates the sub ID in the extended RADIUS attribute to be translated.
  • packet-type: Indicates the type of packets for RADIUS attribute translation.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-vendor-id: The value is an integer ranging from 1 to 4294967295.
  • destination-sub-vendor-id: The value is an integer ranging from 1 to 255.
  • packet-type: The value is of the enumerated type.
    • access-request: Translates RADIUS attributes for Authentication Request packets.
    • account-request: Translates RADIUS attributes for Accounting Request packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend-vendor

Translates extended RADIUS attributes (attributes supported by non-Huawei devices are translated into the Huawei default attributes that those devices do not support). The object includes:

  • source-vendor-id: Indicates the vendor ID in the extended RADIUS attribute to be translated.
  • source-sub-vendor-id: Indicates the sub ID in the extended RADIUS attribute to be translated.
  • destination-attribute-name: Indicates the name of a destination attribute.
  • packet-type: Indicates the type of packets for RADIUS attribute translation.

  • source-vendor-id: The value is an integer ranging from 1 to 4294967295.
  • source-sub-vendor-id: The value is an integer ranging from 1 to 255.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type.
    • access-accept: Translates RADIUS attributes for Authentication Accept packets.
    • account-response: Translates RADIUS attributes for Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/disable-attribute

Disables a RADIUS attribute. The object includes:

  • attribute-name: Indicates the name of a RADIUS attribute to be disabled.
  • option: Indicates the packet type of a RADIUS attribute to be disabled.

  • attribute-name: The value is a string of 1 to 64 characters.
  • option: The value is of the enumerated type.
    • receive: Disables the RADIUS attributes for received packets.
    • send: Disables the RADIUS attributes for sent packets.

N/A

/huawei-aaa-radius:radius/radius-server/set-attribute

Modifies the RADIUS attribute. The object includes:

  • attribute-name: Specifies the name of the attribute whose value needs to be modified.
  • attribute-value: Specifies the value of the attribute to be modified.
  • set-option: Specifies the packet type of the attribute whose value needs to be modified.

  • attribute-name: The value is a string of 1 to 64 characters.
  • attribute-value: The value is automatically displayed.
  • set-option: The value is of the enumerated type.
    • auth-type mac: Sets the user authentication mode to MAC address authentication. Only the Service-Type attribute supports this parameter.
    • user-type ipsession: Specifies an IP session user. Only the Service-Type attribute supports this parameter.

N/A

/huawei-aaa-radius:radius/radius-server/options/user-name/format

Indicates the user name format in the packet sent from a device to the RADIUS server.

The value is of the enumerated type:

  • original: The device does not modify the user name entered by the user.
  • domain-include: The user name includes the domain name.
  • domain-exclude: The user name does not include the domain name.
  • domain-exclude-except-eap: The user name does not include the domain name (for authentication modes excluding the EAP authentication).

N/A

/huawei-aaa-radius:radius/radius-server/options/traffic-unit

Indicates the traffic unit used by a RADIUS server.

The value is of the enumerated type:

  • byte: The traffic unit is byte.
  • kbyte: The traffic unit is kilobyte.
  • mbyte: The traffic unit is megabyte.
  • gbyte: The traffic unit is gigabyte.

N/A

/huawei-aaa-radius:radius/radius-server/options/dead-time

Indicates the interval for the server to return to the active state.

The value is an integer ranging from 1 to 65535, in minutes.

N/A

/huawei-aaa-radius:radius/radius-server/options/timeout-timer

Indicates the timeout interval of RADIUS request packets.

The value is an integer ranging from 1 to 10, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/options/retransmit-time

Indicates the number of times RADIUS request packets can be retransmitted.

The value is an integer ranging from 1 to 5.

N/A

/huawei-aaa-radius:radius/radius-server/options/account-stop-packet-resend-times

Enables retransmission of accounting-stop packets.

The value is an integer ranging from 0 to 300. The default value is 3.

N/A

/huawei-aaa-radius:radius/radius-server/service-type

Indicates the reauthentication mode.

The value is of the enumerated type and can be with-authenonly-reauthen.

N/A

/huawei-aaa-radius:radius/radius-server/message-authenticator

Indicates the type of packets carrying the Message-Authenticator attribute.

The value is of the enumerated type and can be access-request.

N/A

/huawei-aaa-radius:radius/radius-server/hw-dhcp-option-format

Indicates the format of Huawei extended attribute HW-DHCP-Option.

The value is of the enumerated type and can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id

Configures the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. The object includes:

  • mac-address-format: Indicates the separator in a MAC address.
  • mode: Indicates the format of a MAC address.
  • letter: Indicates the style of letters in a MAC address.
  • mac-address-format: The value is of the enumerated type.
    • dot-split: Sets the separator in a MAC address to dot (.).
    • hyphen-split: Sets the separator in a MAC address to hyphen (-).
    • unformatted: Sets no separator in a MAC address.
  • mode: The value is of the enumerated type.
    • mode1: Indicates that the MAC address in the called-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: Indicates that the MAC address in the called-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is of the enumerated type.
    • lowercase: Indicates that the MAC address in the called-station-id attribute uses the lowercase.
    • uppercase: Indicates that the MAC address in the called-station-id attribute uses the uppercase.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Configures the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets. The object includes:

  • mac-address-format: Indicates the separator in a MAC address.
  • mode: Indicates the format of a MAC address.
  • letter: Indicates the style of letters in a MAC address.
  • mac-address-format: The value is of the enumerated type.
    • dot-split: Sets the separator in a MAC address to dot (.).
    • hyphen-split: Sets the separator in a MAC address to hyphen (-).
    • unformatted: Sets no separator in a MAC address.
  • mode: The value is of the enumerated type.
    • mode1: Indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: Indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is of the enumerated type.
    • lowercase: Indicates that the MAC address in the calling-station-id attribute uses the lowercase.
    • uppercase: Indicates that the MAC address in the calling-station-id attribute uses the uppercase.
    • bin: Indicates that the MAC address in the calling-station-id attribute is in binary notation.

N/A

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id

Configures the format of the MAC address that can be parsed by a device in the calling-station-id (Type 31) attribute carried in RADIUS dynamic authorization packets. The object includes:

  • mac-address-format: Indicates the separator in a MAC address.
  • mode: Indicates the format of a MAC address.
  • mac-address-format: The value is of the enumerated type.
    • dot-split: Sets the separator in a MAC address to dot (.).
    • hyphen-split: Sets the separator in a MAC address to hyphen (-).
    • unformatted: Sets no separator in a MAC address.
  • mode: The value is of the enumerated type.
    • common: Indicates that the MAC address in the calling-station-id attribute uses the xx-xx-xx-xx-xx-xx or xx.xx.xx.xx.xx.xx format.
    • compress: Indicates that the MAC address in the calling-station-id attribute uses xxxx-xxxx-xxxx or xxxx.xxxx.xxxx format.

N/A
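The two station-id encoding objects above and the dynamic-authorization decoding object share one small format space (separator, grouping, letter case). As an added example that is not part of this reference, the following Python renders a MAC address in each documented encoding (mac-address-format dot-split/hyphen-split/unformatted, mode1/mode2, lowercase/uppercase) and parses a Calling-Station-Id from a dynamic authorization packet strictly against the configured decode format (common/compress), returning None when the formats disagree, which is the failure mode an operator hits when the RADIUS server and the device are configured with different formats. The `bin` letter option is not covered, and accepting ':' as an input separator in `canonical_mac` is a convenience of this example, not a device option.

```python
import re

# Separator and grouping options as documented for called-station-id /
# calling-station-id encoding (mode1 = XXXX-XXXX-XXXX, mode2 = XX-XX-XX-XX-XX-XX)
# and for dynamic-authorization decoding (compress = xxxx-xxxx-xxxx, common = xx-xx-...).
SEPARATORS = {"dot-split": ".", "hyphen-split": "-", "unformatted": ""}
ENCODE_GROUP = {"mode1": 4, "mode2": 2}
DECODE_GROUP = {"compress": 4, "common": 2}
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(mac):
    """Return the 12 lowercase hex digits of `mac`, accepting '.', '-' or ':'
    separators on input (':' is accepted here for convenience only; it is not
    one of the device's configurable separators). Raises ValueError otherwise."""
    raw = re.sub(r"[.:-]", "", mac).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def encode_station_id(mac, mac_address_format="hyphen-split", mode="mode1", letter="lowercase"):
    """Render `mac` the way the device would place it into Called/Calling-Station-Id."""
    raw = canonical_mac(mac)
    size = ENCODE_GROUP[mode]
    groups = [raw[i:i + size] for i in range(0, 12, size)]
    text = SEPARATORS[mac_address_format].join(groups)
    return text.upper() if letter == "uppercase" else text


def decode_station_id(value, mac_address_format="hyphen-split", mode="compress"):
    """Parse Calling-Station-Id from a dynamic authorization (CoA/DM) request,
    accepting only the configured format. Returns the canonical MAC, or None
    when the format does not match (the device would then not find the session)."""
    sep = SEPARATORS[mac_address_format]
    size = DECODE_GROUP[mode]
    if sep:
        group = r"[0-9A-Fa-f]{%d}" % size
        pattern = "^" + re.escape(sep).join([group] * (12 // size)) + "$"
    else:
        pattern = r"^[0-9A-Fa-f]{12}$"
    if not re.match(pattern, value):
        return None
    return canonical_mac(value)


if __name__ == "__main__":
    sample = "00e0-fc12-3456"  # constructed sample MAC
    for fmt in SEPARATORS:
        for mode in ENCODE_GROUP:
            print(fmt, mode, encode_station_id(sample, fmt, mode, "uppercase"))
    print(decode_station_id("00-e0-fc-12-34-56", "hyphen-split", "compress"))  # None: format mismatch
```

The decode side deliberately does not "guess" the format: the device option exists precisely because the RADIUS server's CoA request must match what the device expects, and a lenient parser would hide that misconfiguration instead of surfacing it.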

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-attribute-sameastemplate

Indicates whether the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configuration in the system view.

The value is of the Boolean type:

  • true: Indicates that the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configuration in the system view.
  • false: Indicates that the device is disabled from parsing attributes in the RADIUS dynamic authorization packet based on the configuration in the system view.

The default value is true.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/any/any-enable

Indicates whether the session management function is enabled.

The value is of the Boolean type:

  • true: Indicates that the session management function is enabled.
  • false: Indicates that the session management function is disabled.

The default value is false.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/ip/client-item

Indicates the session management server. The object includes:

  • ip-address: Specifies the IP address of the session management server.
  • vpn-instance: Specifies the VPN instance bound to the session management server.
  • shared-key: Specifies the shared key of the session management server.
  • ip-address: The value is in dotted decimal notation.
  • vpn-instance: The value is a string of 1 to 31 case-sensitive characters without spaces.
  • shared-key: The value is a case-sensitive character string without spaces or question marks (?).

N/A

/huawei-aaa-radius:radius/radius-server/hw-ap-info-format

Configures the AP's IP address carried in Huawei extended HW-AP-Information attribute.

The value is include-ap-ip.

N/A

/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Checks whether a RADIUS Access-Accept packet carries a specified attribute.

The value is a string of 1 to 64 characters.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ip-address

Sets the NAS-IP-Address attribute in RADIUS packets sent by the device.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ipv6-address

Sets the NAS-IPv6-Address attribute in RADIUS packets sent by the device.

The value is a 32-bit hexadecimal number in the format of X:X:X:X:X:X:X:X.

N/A

/huawei-aaa-radius:radius/radius-server/server-detect-function

Configures automatic RADIUS server detection. The object includes:

  • server-detect-enable: Indicates whether automatic RADIUS server detection is enabled.
  • test-user-name: Indicates the user name for automatic detection.
  • test-user-password: Indicates the user password for automatic detection.
  • interval: Indicates the interval for automatic RADIUS server detection.
  • server-detect-enable: The value is of the Boolean type and can be true or false.
  • test-user-name: The value is a string of 1 to 253 case-sensitive characters without spaces.
  • test-user-password: The value is a string of 1 to 128 case-sensitive characters without spaces or question marks (?). The value can be a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • interval: The value is an integer ranging from 5 to 3600, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/shared-key

Indicates the shared key of the RADIUS server in a RADIUS server template.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

If shared keys are configured for the RADIUS authentication server, the RADIUS accounting server, and the RADIUS server template, the server-level configurations take precedence. If no shared key is configured for the RADIUS authentication and accounting servers, the shared key configured in the RADIUS server template is used.
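The shared key configured here is also the HMAC-MD5 key for the Message-Authenticator attribute whose packet type is selected by the message-authenticator object earlier in this table. As an added example that is not part of this reference, the following Python builds a minimal RADIUS Access-Request carrying a Message-Authenticator (RFC 2869, section 5.14: HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed) and verifies one, rejecting packets whose attribute is missing, duplicated, or computed under a different secret. Attribute values and the shared secret are constructed sample data; `strip_message_authenticator` exists only to show the rejection of a packet without the attribute.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def _attr(attr_type, value):
    """Encode one type-length-value attribute (length counts the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator.

    HMAC-MD5 is keyed with the shared secret and computed over the packet with
    the Message-Authenticator value set to 16 zero bytes, then filled in."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # fresh random Request Authenticator
    body = b"".join(_attr(t, v) for t, v in attrs)
    zeroed_ma = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body) + len(zeroed_ma)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    digest = hmac.new(secret, header + body + zeroed_ma, hashlib.md5).digest()
    return header + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, digest)


def verify_message_authenticator(secret, packet):
    """True only if the packet is well-formed, carries exactly one
    Message-Authenticator, and its HMAC-MD5 matches under `secret`."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, ma_value_offset = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or ma_value_offset is not None:
                return False
            ma_value_offset = pos + 2
        pos += attr_len
    if ma_value_offset is None:
        return False  # absent: reject, as the access-request option requires it
    zeroed = packet[:ma_value_offset] + bytes(16) + packet[ma_value_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[ma_value_offset:ma_value_offset + 16])


def strip_message_authenticator(packet):
    """Remove the trailing Message-Authenticator and fix the length field,
    producing the kind of packet a verifier must reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return struct.pack("!BBH", code, ident, length - 18) + packet[4:-18]


if __name__ == "__main__":
    secret = b"s3cret"  # constructed sample shared key
    pkt = build_access_request(secret, 7, [(ATTR_USER_NAME, b"alice"),
                                           (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 1]))])
    print(len(pkt), verify_message_authenticator(secret, pkt))
    print(verify_message_authenticator(b"wrong-key", pkt))
```

Requiring the attribute on every Access-Request (rather than only on EAP requests) means a server can reject requests that were forged or modified in transit without the shared key, which is why the option is worth enabling when the RADIUS server supports it.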

/huawei-aaa-radius:radius/server-shared-key/server-item

Configures the shared key of the RADIUS server globally. The object includes:

  • shared-key: Specifies the shared key.
  • ip-address: Specifies the IP address of the RADIUS server.
  • shared-key: The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • ip-address: The value is in the format of the IPv4 or IPv6 address.

N/A

/huawei-aaa-radius:radius/radius-server/server-algorithm

Indicates the algorithm for selecting RADIUS servers.

The value is of the enumerated type:

  • loading-share: Sets the algorithm for selecting RADIUS servers to load balancing.
  • master-backup: Sets the algorithm for selecting RADIUS servers to primary/secondary.

N/A

/huawei-aaa-radius:radius/global/options

Configures keepalive detection for the RADIUS server. The object includes:

  • dead-interval: Indicates the detection interval of the RADIUS server.
  • dead-count: Indicates the maximum number of consecutive packets that are not acknowledged by the RADIUS server.
  • dead-detect-condition: Indicates the RADIUS server detection mode.
  • dead-interval: The value is an integer ranging from 1 to 300, in seconds.
  • dead-count: The value is an integer ranging from 1 to 65535.
  • dead-detect-condition: The value is of the enumerated type and can be by-server-ip.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format

Indicates the encapsulation format of the NAS-Port attribute. The object includes:

  • self-designed-format: Indicates the self-defined format of the NAS-Port attribute.
  • format: Indicates the format of the NAS-Port attribute.
  • self-designed-format: The value is a string of 1 to 32 characters.
  • format: The value is of the enumerated type and can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-identifier-format

Indicates the encapsulated content of the NAS-Identifier attribute.

The value is of the enumerated type and can be hostname or vlan-id.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-id-format

Indicates the encapsulation format of the NAS-Port-Id attribute.

The value is of the enumerated type and can be new or old.

N/A

Table 3-1179 HACA

Object

Description

/huawei-aaa-haca:aca

Indicates that the operation request (creating and modifying) object is nac-access. It is a root object, which is only used to contain sub-objects, but does not have any data meaning.

/huawei-aaa-haca:aca/haca-server/name

Indicates the name of an HACA server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, digits, periods (.), hyphens (-), underscores (_), and a combination of the above characters. The value cannot be - or --.

/huawei-aaa-haca:aca/haca-server/enable

Indicates whether the HACA function is enabled. The value is of the Boolean type and can be true or false.

/huawei-aaa-haca:aca/haca-server/server/server-ip

Indicates the IP address of an HACA server.

The value is a valid unicast IP address in dotted decimal notation.

/huawei-aaa-haca:aca/haca-server/server/port

Indicates the port number of an HACA server.

The value is an integer that ranges from 1 to 65535. The default value is 49.

/huawei-aaa-haca:aca/haca-server/pki-domain

Indicates a PKI realm name.

The PKI realm name must already exist.

/huawei-aaa-haca:aca/haca-server/heart-beat

Indicates the interval at which HACA heartbeat packets are sent.

The value is an integer that ranges from 1 to 1440, in minutes.

/huawei-aaa-haca:aca/haca-server/detection-function/reconnect-interval

Indicates the interval for reconnecting to an HACA server.

The value is an integer that ranges from 1 to 255, in minutes.

/huawei-aaa-haca:aca/haca-server/timeout

Indicates the response timeout interval of an HACA server.

The value is an integer that ranges from 1 to 300, in seconds.

/huawei-aaa-haca:aca/haca-server/accounting-stop-packet-resend-times

Indicates the number of accounting-stop packets that can be retransmitted.

The value is an integer that ranges from 0 to 300.

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-haca:haca-server/huawei-aaa-haca:haca-server

Indicates the name of an HACA server template for a domain.

The value must be an existing HACA server template name.

Configuring a Local User

Creating and Configuring a Local User

This section provides a sample of configuring a local user using the merge method.

Table 3-1180 Configuring a local user

Operation

XPATH

edit-config:merge

/huawei-user-management/user-management/local-user

Data Requirements
Table 3-1181 Configuring a local user

Item

Data

Description

Name of the local user

huawei123

Set the name of the local user to huawei123.

Password of the local user

huawei@123

Set the password of the local user to huawei@123.

Level of the local user

15

Set the level of the local user to 15.

Access type of the local user

ftp

Set the access type of the local user to FTP.

Directory that local FTP users can access

flash:

Set the directory that local FTP users can access to flash:.

Maximum number of connections that the user can establish

4294967295

Set the maximum number of connections that the user can establish to 4294967295.

Timeout period of the user account

110

Set the timeout period of the user account to 110 seconds.

State of the local user

active

Set the state of the local user to active.

Expiration date of the local user account

2019-09-21T16:10:21.52Z

Set the expiration date of the local user account to 2019-09-21T16:10:21.52Z.

Time segment in which the local user account is allowed to access the device

time1

Set the time segment in which the local user account is allowed to access the device to time1.

Type of terminals allowed to access the device using the local user account

ipphone

Set the type of terminals allowed to access the device using the local user account to ipphone.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management"> 
        <hw-user-management:local-user> 
          <hw-user-management:user-name>huawei123</hw-user-management:user-name> 
          <hw-user-management:privilege-level>15</hw-user-management:privilege-level> 
          <hw-user-management:service-type>ftp</hw-user-management:service-type> 
          <hw-user-management:password>huawei@123</hw-user-management:password> 
          <hw-user-management:ftp-directory>flash:</hw-user-management:ftp-directory> 
          <hw-user-management:access-limit>4294967295</hw-user-management:access-limit> 
          <hw-user-management:idle-time>110</hw-user-management:idle-time> 
          <hw-user-management:state>active</hw-user-management:state> 
          <hw-user-management:expire-date>2019-09-21T16:10:21.52Z</hw-user-management:expire-date> 
          <hw-user-management:time-range>time1</hw-user-management:time-range> 
          <hw-user-management:device-type-group> 
           <hw-user-management:device-type>ipphone</hw-user-management:device-type> 
          </hw-user-management:device-type-group> 
        </hw-user-management:local-user> 
      </hw-user-management:user-management> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
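
The request above is a plain edit-config merge of a namespaced YANG container, and the password-security, AAA-scheme and service-scheme requests later in this section have the same shape. As an added example that is not part of this reference or the device software, the following Python builds that local-user request from a nested dict with ElementTree and parses the rpc-reply for `<ok/>` versus `<rpc-error>`. It emits the NETCONF namespace with an explicit `nc:` prefix (ElementTree cannot combine a default namespace with the unqualified `message-id` attribute), which is semantically the same XML as the page's default-namespace form. The error reply is a constructed sample; `build_edit_config` and `reply_status` are names chosen here.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
UM_NS = "urn:huawei:params:xml:ns:yang:huawei-user-management"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("hw-user-management", UM_NS)


def _nc(tag):
    return f"{{{NC_NS}}}{tag}"


def _append(parent, ns, name, value):
    """Add a leaf (str/int/bool) or a container (dict) under `parent`."""
    node = ET.SubElement(parent, f"{{{ns}}}{name}")
    if isinstance(value, dict):
        for child_name, child_value in value.items():
            _append(node, ns, child_name, child_value)
    else:
        node.text = str(value).lower() if isinstance(value, bool) else str(value)
    return node


def build_edit_config(module_ns, top_name, payload, message_id="1", target="running"):
    """Serialize <rpc><edit-config> whose <config> holds the YANG top-level
    container `top_name` (in `module_ns`) filled from the nested dict `payload`."""
    rpc = ET.Element(_nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc(target))
    config = ET.SubElement(edit, _nc("config"))
    _append(config, module_ns, top_name, payload)
    return ET.tostring(rpc, encoding="unicode")


def local_user_request(user, message_id="1"):
    """The local-user request of this section, from a dict of leaves."""
    return build_edit_config(UM_NS, "user-management", {"local-user": user}, message_id)


def leaf_text(rpc_xml, ns, leaf):
    """Read back one leaf from a serialized request (None if absent)."""
    node = ET.fromstring(rpc_xml).find(f".//{{{ns}}}{leaf}")
    return None if node is None else node.text


def reply_status(reply_xml):
    """Parse an <rpc-reply>: (True, None) for <ok/>, (False, message) otherwise."""
    root = ET.fromstring(reply_xml)
    if root.find(_nc("ok")) is not None:
        return True, None
    err = root.find(_nc("rpc-error"))
    if err is None:
        return False, "reply carries neither <ok/> nor <rpc-error>"
    message = (err.findtext(_nc("error-message")) or "").strip()
    return False, message or err.findtext(_nc("error-tag"))


# The page's success reply, and a constructed error reply in the RFC 6241 shape.
OK_REPLY = '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><ok/></rpc-reply>'
ERROR_REPLY = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">'
    '<rpc-error><error-type>application</error-type><error-tag>invalid-value</error-tag>'
    '<error-severity>error</error-severity>'
    '<error-message>constructed sample: privilege-level out of range</error-message>'
    '</rpc-error></rpc-reply>'
)

# The data requirements of Table 3-1181 as a dict (values from the page).
SAMPLE_USER = {
    "user-name": "huawei123",
    "privilege-level": 15,
    "service-type": "ftp",
    "password": "huawei@123",
    "ftp-directory": "flash:",
    "access-limit": 4294967295,
    "idle-time": 110,
    "state": "active",
    "expire-date": "2019-09-21T16:10:21.52Z",
    "time-range": "time1",
    "device-type-group": {"device-type": "ipphone"},
}

if __name__ == "__main__":
    print(local_user_request(SAMPLE_USER))
    print(reply_status(OK_REPLY), reply_status(ERROR_REPLY))
```

Sending the serialized string over an SSH NETCONF session (for example with ncclient's `edit-config`) and feeding the reply to `reply_status` gives a script a definite success/failure signal instead of relying on a human reading `<ok/>`; note that the password travels in the request body, so the transport must be the encrypted NETCONF session, never a log file.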
Configuring Password Security for a Local User

This section provides a sample of configuring password security for a local user using the merge method.

Table 3-1182 Configuring password security for a local user

Operation

XPATH

edit-config:merge

  • /huawei-user-management:user-management/administrator-password-police
  • /huawei-user-management:user-management/user-password-police
  • /huawei-user-management:user-management/wrong-password-police
  • /huawei-user-management:user-management/password-option/complexity-check
Data Requirements
Table 3-1183 Configuring password security for a local user

Item

Data

Description

Password policy for local administrators

  • Enable the password policy for local administrators: true
  • Password validity period: 90
  • Number of password expiration prompt days: 5
  • Enable the system to prompt users to change the initial password: true
  • Maximum number of historical passwords recorded for each user: 5

Enable the password policy for local administrators, set the password validity period to 90 days, remind users five days before the password expires, enable the system to prompt users to change the initial password, and set the maximum number of historical passwords recorded for each user to 5.

Password policy for local access users

  • Enable the password policy for local access users: true
  • Maximum number of historical passwords recorded for each user: 5

Enable the password policy for local access users and set the maximum number of historical passwords recorded for each user to 5.

Local account locking

  • Enable local account locking: true
  • Authentication retry interval: 5
  • Maximum number of consecutive incorrect password attempts: 3
  • Account locking duration: 10

Enable local account locking, and set the authentication retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking period to 10 minutes.

Password complexity check

true

Enable password complexity check.

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management"> 
        <hw-user-management:administrator-password-police> 
          <hw-user-management:enable>true</hw-user-management:enable> 
          <hw-user-management:expire-day>90</hw-user-management:expire-day> 
          <hw-user-management:alert-expire-day>5</hw-user-management:alert-expire-day> 
          <hw-user-management:alert-original>true</hw-user-management:alert-original> 
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number> 
        </hw-user-management:administrator-password-police> 
        <hw-user-management:user-password-police> 
          <hw-user-management:enable>true</hw-user-management:enable> 
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number> 
        </hw-user-management:user-password-police> 
        <hw-user-management:wrong-password-police> 
          <hw-user-management:retry-interval>5</hw-user-management:retry-interval> 
          <hw-user-management:retry-times>3</hw-user-management:retry-times> 
          <hw-user-management:block-time>10</hw-user-management:block-time> 
        </hw-user-management:wrong-password-police> 
        <hw-user-management:password-option> 
          <hw-user-management:complexity-check>true</hw-user-management:complexity-check> 
        </hw-user-management:password-option> 
      </hw-user-management:user-management> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>
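The wrong-password-police values above (retry-interval 5, retry-times 3, block-time 10) are easiest to reason about as a small state machine. As an added example that is not part of this reference, the following Python models the lockout semantics assumed here, namely that retry-times consecutive failures within retry-interval minutes lock the account for block-time minutes, during which even a correct password is refused, and that failures older than the interval no longer count. Timestamps are plain minute counters so the model runs offline; the class and method names are chosen for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    """wrong-password-police parameters (all in minutes, as on the page)."""
    retry_interval: int = 5  # window in which consecutive failures are counted
    retry_times: int = 3     # failures inside the window that trigger a lock
    block_time: int = 10     # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # minute timestamps of recent failures
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def is_locked(self, user, now):
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt(self, user, password_ok, now):
        """Record one login attempt at minute `now`; returns 'locked', 'ok' or 'failed'."""
        p = self.policy
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"  # refused outright, regardless of the password
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None  # block expired: start with a clean slate
            st.failures.clear()
        if password_ok:
            st.failures.clear()  # a success ends the run of consecutive failures
            return "ok"
        # keep only failures still inside the retry window, then add this one
        st.failures = [t for t in st.failures if now - t < p.retry_interval] + [now]
        if len(st.failures) >= p.retry_times:
            st.locked_until = now + p.block_time
            st.failures.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(retry_interval=5, retry_times=3, block_time=10))
    # constructed sequence: three quick failures, then a correct password during the block
    for minute, ok in [(0, False), (1, False), (2, False), (5, True), (12, True)]:
        print(minute, tracker.attempt("alice", ok, minute))
```

Two consequences worth checking on a real deployment follow from the model: a slow guessing attempt spaced wider than retry-interval never trips the lock, so the interval and the retry count have to be read together, and a locked account refuses the legitimate owner too, which is the denial-of-service trade-off that makes the block-time value a policy decision rather than a purely technical one.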

Configuring an AAA Scheme

This section provides a sample of configuring an AAA scheme using the merge method.

Table 3-1184 Configuring an AAA scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa

Data Requirements
Table 3-1185 Configuring an AAA scheme

Item

Data

Description

Name of an authentication scheme

authen1

Set the name of an authentication scheme to authen1.

Authentication mode of an authentication scheme

hwtacacs

Set the authentication mode of an authentication scheme to HWTACACS.

Name of an authorization scheme

author1

Set the name of an authorization scheme to author1.

Authorization mode of an authorization scheme

hwtacacs

Set the authorization mode of an authorization scheme to HWTACACS.

HWTACACS server-based command line authorization

Authorization level: 15; Backup authorization mode: local

Configure the HWTACACS server-based command line authorization function for level-15 administrators, and change the command line authorization mode to the local authorization mode if the HWTACACS server does not respond to the command line authorization.

Name of an accounting scheme

acct1

Set the name of an accounting scheme to acct1.

Accounting mode of an accounting scheme

hwtacacs

Set the accounting mode of an accounting scheme to HWTACACS.

Policy for accounting-start failures

online

Set the policy for accounting-start failures to online, that is, allow users to go online if accounting-start fails.

Interval between two real-time accounting attempts

15

Set the interval between two real-time accounting attempts to 15 minutes.

Maximum number of non-responses to real-time accounting requests

5

Set the maximum number of non-responses to real-time accounting requests to 5.

Policy used upon a real-time accounting failure

offline

Set the policy used upon a real-time accounting failure to offline, that is, disconnect users if real-time accounting fails.

Bypass authentication

true

Enable the bypass authentication function and set the bypass authentication timeout interval to 13 minutes.

Bypass authentication timeout interval

13

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:authentication-scheme> 
          <hw-aaa:name>authen1</hw-aaa:name> 
          <hw-aaa:vsys>ads</hw-aaa:vsys> 
          <hw-aaa:authentication-mode>hwtacacs</hw-aaa:authentication-mode> 
        </hw-aaa:authentication-scheme> 
        <hw-aaa:authorization-scheme> 
          <hw-aaa:name>author1</hw-aaa:name> 
          <hw-aaa:vsys>ads</hw-aaa:vsys> 
          <hw-aaa:authorization-mode>hwtacacs</hw-aaa:authorization-mode> 
          <hw-aaa:authorization-cmd> 
            <hw-aaa:authorization-cmd-item> 
              <hw-aaa:privilege-level>15</hw-aaa:privilege-level> 
              <hw-aaa:authorization-cmd-mode>local</hw-aaa:authorization-cmd-mode> 
            </hw-aaa:authorization-cmd-item> 
          </hw-aaa:authorization-cmd> 
        </hw-aaa:authorization-scheme> 
        <hw-aaa:accounting-scheme> 
          <hw-aaa:name>acct1</hw-aaa:name> 
          <hw-aaa:vsys>ads</hw-aaa:vsys> 
          <hw-aaa:accounting-mode>hwtacacs</hw-aaa:accounting-mode> 
          <hw-aaa:start-accounting-fail> 
            <hw-aaa:fail-policy>online</hw-aaa:fail-policy> 
          </hw-aaa:start-accounting-fail> 
          <hw-aaa:realtime-accounting> 
            <hw-aaa:realtime-interval>15</hw-aaa:realtime-interval> 
            <hw-aaa:realtime-fail> 
              <hw-aaa:fail-policy>offline</hw-aaa:fail-policy> 
              <hw-aaa:fail-max-times>5</hw-aaa:fail-max-times> 
            </hw-aaa:realtime-fail> 
          </hw-aaa:realtime-accounting> 
        </hw-aaa:accounting-scheme> 
        <hw-aaa:global> 
          <hw-aaa:authentication-bypass> 
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable> 
            <hw-aaa:bypass-time>13</hw-aaa:bypass-time> 
          </hw-aaa:authentication-bypass> 
        </hw-aaa:global> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Configuring a Service Scheme

Creating a Service Scheme

This section provides a sample of creating a service scheme using the merge method.

Table 3-1186 Creating a service scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/service-scheme

Data Requirements
Table 3-1187 Creating a service scheme

Item

Data

Description

Name of a service scheme

lsw_serv

Set the name of the service scheme to lsw_serv.

User level when a user logs in to the device as an administrator

2

Set the user level when a user logs in to the device as an administrator to 2.

Voice VLAN in the service scheme

true

Enable voice VLAN in the service scheme.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>lsw_serv</name> 
    <vsys>vsys</vsys> 
    <admin-user-privilege-level>2</admin-user-privilege-level> 
    <voice-vlan-enable>true</voice-vlan-enable> 
   </service-scheme> 
  </aaa> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply>
Binding an ACL to a Service Scheme

This section provides a sample of binding an access control list (ACL) to a service scheme using the rpc method.

Table 3-1188 Binding an ACL to a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirements
Table 3-1189 Binding an ACL to a service scheme

Item

Data

Description

Number of an ACL bound to a service scheme

3101

Bind ACL 3101 to a service scheme.

Request Example
NOTE:

Before binding an ACL to a service scheme, create the ACL first.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>lsw_serv</name> 
    <vsys>public</vsys> 
    <acl>3101</acl> 
   </service-scheme> 
  </aaa> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply>
Binding a QoS Profile to a Service Scheme

This section provides a sample of binding a QoS profile to a service scheme using the rpc method.

Table 3-1190 Binding a QoS profile to a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirements
Table 3-1191 Binding a QoS profile to a service scheme

Item

Data

Description

Name of a QoS profile bound to the service scheme

lsw_qos

Set the name of a QoS profile bound to the service scheme to lsw_qos.

Request Example
NOTE:

Before binding a QoS profile to a service scheme, create the QoS profile first.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>lsw_serv</name> 
    <vsys>public</vsys> 
    <qos-profile>lsw_qos</qos-profile> 
   </service-scheme> 
  </aaa> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply>
Configuring DNS, WINS, and DHCP Server Information in a Service Scheme

This section provides a sample of configuring DNS, WINS, and DHCP server information in a service scheme using the merge method.

Table 3-1192 Configuring DNS, WINS, and DHCP server information in a service scheme

Operation

XPATH

edit-config:merge

  • /huawei-aaa:aaa/service-scheme/dns
  • /huawei-aaa:aaa/service-scheme/wins
  • /huawei-aaa:aaa/service-scheme/dhcp-group
  • /huawei-aaa:aaa/service-scheme/ip-pool
Data Requirements
Table 3-1193 Configuring DNS, WINS, and DHCP server information in a service scheme

Item

Data

Description

IP addresses of the primary and secondary DNS servers

  • IP address of the primary DNS server: 10.1.1.1
  • IP address of the secondary DNS server: 10.1.1.2
  • Default DNS domain name: huawei.com

In service scheme s1, set the IP address of the primary DNS server to 10.1.1.1, that of the secondary DNS server to 10.1.1.2, and the default DNS domain name to huawei.com.

IP addresses of the primary and secondary WINS servers

  • IP address of the primary WINS server: 10.2.1.1
  • IP address of the secondary WINS server: 10.2.1.2

In service scheme s1, set the IP address of the primary WINS server to 10.2.1.1 and that of the secondary WINS server to 10.2.1.2.

Name of the DHCP server group and that of the IP address pool

  • Name of the DHCP server group: group1
  • Name of the IP address pool: pool1

NOTE:

Ensure that a DHCP server group has been created.

In service scheme s1, set the name of the DHCP server group to group1 and that of the available IP address pool to pool1.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:service-scheme xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
          <hw-aaa:name>s1</hw-aaa:name> 
          <hw-aaa:vsys>sys</hw-aaa:vsys> 
          <hw-aaa:dns> 
            <hw-aaa:primary-ip-address>10.1.1.1</hw-aaa:primary-ip-address> 
            <hw-aaa:secondary-ip-address>10.1.1.2</hw-aaa:secondary-ip-address> 
          </hw-aaa:dns> 
          <hw-aaa:wins> 
            <hw-aaa:primary-ip-address>10.2.1.1</hw-aaa:primary-ip-address> 
            <hw-aaa:secondary-ip-address>10.2.1.2</hw-aaa:secondary-ip-address> 
          </hw-aaa:wins> 
          <hw-aaa:ip-pool>pool1</hw-aaa:ip-pool> 
          <hw-aaa:dhcp-group>group1</hw-aaa:dhcp-group> 
        </hw-aaa:service-scheme> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
Configuring Traffic-based Accounting in a Service Scheme

This section provides a sample of configuring traffic-based accounting in a service scheme using the merge method.

Table 3-1194 Configuring traffic-based accounting in a service scheme

Operation

XPATH

edit-config:replace

/huawei-aaa:aaa/service-scheme/daa

Data Requirements
Table 3-1195 Configuring traffic-based accounting in a service scheme

Item

Data

Description

Name of a service scheme

serv

In service scheme serv, configure the QoS profile corresponding to tariff level 1 as qos and enable the accounting function.

Tariff level 1

1

Name of a QoS profile

qos

Traffic-based accounting for the tariff level

enable

Request Example
NOTE:

Before binding a QoS profile to a service scheme, you need to create the QoS profile.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>serv</name> 
    <vsys>public</vsys> 
    <daa> 
     <traffic-level>1</traffic-level> 
     <accounting-on>enable</accounting-on> 
     <qos-profile>qos</qos-profile> 
    </daa> 
   </service-scheme> 
  </aaa> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply> 

Configuring a RADIUS Server

Creating a RADIUS Server Template

This section provides a sample of creating a RADIUS server template using the rpc method.

Table 3-1196 Creating a RADIUS server template

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirements
Table 3-1197 Creating a RADIUS server template

Item

Data

Description

Name of a RADIUS server template

rds

Set the name of a RADIUS server template to rds.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>rds</name> 
    <vsys>public</vsys> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Invalid radius-server template name</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrds",vsys="public"]/name</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring a RADIUS Authentication Server

This section provides a sample of configuring a RADIUS authentication server using the rpc method.

Table 3-1198 Configuring a RADIUS Authentication Server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirements
Table 3-1199 Configuring a RADIUS Authentication Server

Item

Data

Description

IPv4 address of a RADIUS authentication server

10.1.1.1

Set the IPv4 address of a RADIUS authentication server to 10.1.1.1.

Port number of a RADIUS authentication server

1816

Set the port number of a RADIUS authentication server to 1816.

Weight of a RADIUS authentication server

100

Set the weight of a RADIUS authentication server to 100.

Shared key of a RADIUS authentication server

huawei@123

Set the shared key of a RADIUS authentication server to huawei@123.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>rds</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:authentication-server> 
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address> 
            <hw-aaa-radius:port>1816</hw-aaa-radius:port> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight> 
          </hw-aaa-radius:authentication-server> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message> The vpn-instance does not exist or is invalid.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/authentication-server[server-ip-address="10.1.1.1"]</error-info> 
 </rpc-error> 
</rpc-reply> 
Configuring a RADIUS Accounting Server

This section provides a sample of configuring a RADIUS accounting server using the rpc method.

Table 3-1200 Configuring a RADIUS accounting server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirements
Table 3-1201 Configuring a RADIUS accounting server

Item

Data

Description

IPv4 address of a RADIUS accounting server

10.1.1.1

Set the IPv4 address of a RADIUS accounting server to 10.1.1.1.

Port number of a RADIUS accounting server

1817

Set the port number of a RADIUS accounting server to 1817.

Weight of a RADIUS accounting server

100

Set the weight of a RADIUS accounting server to 100.

Shared key of a RADIUS accounting server

huawei@123

Set the shared key of a RADIUS accounting server to huawei@123.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>rds</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:authentication-server> 
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address> 
            <hw-aaa-radius:port>1816</hw-aaa-radius:port> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight> 
          </hw-aaa-radius:authentication-server> 
          <hw-aaa-radius:accounting-server> 
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address> 
            <hw-aaa-radius:port>1817</hw-aaa-radius:port> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight> 
          </hw-aaa-radius:accounting-server> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message> The vpn-instance does not exist or is invalid.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info> 
 </rpc-error> 
</rpc-reply>
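
The two requests above (authentication server, then accounting server) differ only in the child node under radius-server. The following added example, which is not Huawei code, builds that edit-config from Python's standard library, performs a few client-side sanity checks (the port, address, key and weight bounds are assumptions; the device enforces its own limits), masks the shared key before the request is logged, and classifies the device's rpc-reply, refusing a reply whose message-id does not match the request. The sample replies are constructed in the shape of the "Sample of failed response" shown above.

```python
import ipaddress
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_NS = "urn:huawei:params:xml:ns:yang:huawei-aaa-radius"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("hw-aaa-radius", HW_NS)


def _nc(tag):
    return f"{{{NC_NS}}}{tag}"


def _hw(tag):
    return f"{{{HW_NS}}}{tag}"


def validate_server(ip, port, shared_key, weight):
    """Client-side sanity checks before the request leaves the host.
    These bounds are assumptions; the device enforces its own limits."""
    ipaddress.IPv4Address(ip)                      # raises ValueError on a bad address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not shared_key:
        raise ValueError("shared key must not be empty")
    if int(weight) < 0:
        raise ValueError(f"weight must be non-negative: {weight}")


def build_radius_server_request(message_id, template, vsys, servers):
    """Return the <edit-config> XML for a radius-server template.
    servers: iterable of (role, ip, port, shared_key, weight); role is
    'authentication-server' or 'accounting-server' as in the page's examples."""
    rpc = ET.Element(_nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc("running"))
    ET.SubElement(edit, _nc("error-option")).text = "rollback-on-error"
    radius = ET.SubElement(ET.SubElement(edit, _nc("config")), _hw("radius"))
    srv = ET.SubElement(radius, _hw("radius-server"))
    ET.SubElement(srv, _hw("name")).text = template
    ET.SubElement(srv, _hw("vsys")).text = vsys
    for role, ip, port, key, weight in servers:
        if role not in ("authentication-server", "accounting-server"):
            raise ValueError(f"unknown server role: {role}")
        validate_server(ip, port, key, weight)
        node = ET.SubElement(srv, _hw(role))
        ET.SubElement(node, _hw("server-ip-address")).text = ip   # leaf order as on the page
        ET.SubElement(node, _hw("port")).text = str(port)
        ET.SubElement(node, _hw("shared-key")).text = key
        ET.SubElement(node, _hw("weight")).text = str(weight)
    return ET.tostring(rpc, encoding="unicode")


def redact_shared_keys(xml_text):
    """Mask every <shared-key> so the request can be logged without the secret."""
    root = ET.fromstring(xml_text)
    for el in root.iter(_hw("shared-key")):
        el.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


def leaf_text(xml_text, *hw_tags):
    """Text of the first huawei-aaa-radius element reached by walking hw_tags."""
    node = ET.fromstring(xml_text)
    for tag in hw_tags:
        node = node.find(f".//{_hw(tag)}")
        if node is None:
            return None
    return node.text


def classify_reply(reply_xml, expected_message_id):
    """Return {'ok': bool, 'errors': [...]} for an <rpc-reply>; refuse a reply
    whose message-id does not match the request that was sent."""
    root = ET.fromstring(reply_xml)
    if root.tag != _nc("rpc-reply"):
        raise ValueError("not an rpc-reply")
    if root.get("message-id") != expected_message_id:
        raise ValueError("message-id mismatch")
    if root.find(_nc("ok")) is not None:
        return {"ok": True, "errors": []}
    errors = [{"app_tag": e.findtext(_nc("error-app-tag")),
               "message": (e.findtext(_nc("error-message")) or "").strip(),
               "info": (e.findtext(_nc("error-info")) or "").strip()}
              for e in root.findall(_nc("rpc-error"))]
    return {"ok": False, "errors": errors}


# Constructed samples, shaped like the page's "Sample of failed response".
SAMPLE_OK_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
                   'message-id="1"><ok/></rpc-reply>')
SAMPLE_FAILED_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    req = build_radius_server_request("1", "rds", "public", [
        ("authentication-server", "10.1.1.1", 1816, "huawei@123", 100),
        ("accounting-server", "10.1.1.1", 1817, "huawei@123", 100)])
    print(redact_shared_keys(req))
    print(classify_reply(SAMPLE_FAILED_REPLY, "1"))
```

The request is serialized with explicit nc: and hw-aaa-radius: prefixes, which the device accepts the same way as the default-namespace spelling used in some of the examples on this page. Logging only the output of redact_shared_keys keeps the RADIUS shared key out of automation logs.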
Configuring a RADIUS Authorization Server

This section provides a sample of configuring a RADIUS authorization server using the rpc method.

Table 3-1202 Configuring a RADIUS authorization server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/dynamic-authorization-server

Data Requirements
Table 3-1203 Configuring a RADIUS authorization server

Item

Data

Description

IP address of a RADIUS authorization server

10.1.1.1

Set the IP address of a RADIUS authorization server to 10.1.1.1.

Shared key of a RADIUS authorization server

huawei@123

Set the shared key of a RADIUS authorization server to huawei@123.

Holdtime of RADIUS authorization response packets

10

Set the holdtime of RADIUS authorization response packets to 10 seconds.

Name of a RADIUS server template corresponding to a RADIUS server

rds

Set the name of the RADIUS server template (server group) corresponding to the RADIUS authorization server to rds.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>rds</name> 
    <vsys>public</vsys> 
   </radius-server> 
   <dynamic-authorization-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <server-ip-address>10.1.1.1</server-ip-address> 
    <vsys>public</vsys> 
    <shared-key>huawei@123</shared-key> 
    <ack-reserved-interval>10</ack-reserved-interval> 
    <server-group>rds</server-group> 
   </dynamic-authorization-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message> The server template does not exist.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-server[server-ip-address="10.1.1.1",vsys="public"]</error-info> 
 </rpc-error> 
</rpc-reply> 
Configuring RADIUS Attribute Translation

This section provides a sample of configuring RADIUS attribute translation using the rpc method.

Table 3-1204 Configuring RADIUS attribute translation

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/translate-attribute

Data Requirements
Table 3-1205 Configuring RADIUS attribute translation

Item

Data

Description

RADIUS attribute translation

true

Enable RADIUS attribute translation.

Name of a source attribute for RADIUS attribute translation

nas-identifier

Set the name of a source attribute for RADIUS attribute translation to nas-identifier.

Name of a destination attribute for RADIUS attribute translation

nas-port-id

Set the name of a destination attribute for RADIUS attribute translation to nas-port-id.

Type of packets for RADIUS attribute translation

send

Translate RADIUS attributes for sent packets.

Name of a source attribute for extended RADIUS attribute translation

HW-URL-Flag

Set the name of a source attribute for extended RADIUS attribute translation to HW-URL-Flag.

Vendor ID of an extended RADIUS attribute after translation

9

Set the vendor ID of an extended RADIUS attribute after translation to 9.

Sub ID of an extended RADIUS attribute after translation

2

Set the sub ID of an extended RADIUS attribute after translation to 2.

Type of packets for extended RADIUS attribute translation (translating Huawei default attributes that non-Huawei devices do not support into attributes that they do support)

access-request

Specify Access-Request packets for RADIUS attribute translation.

Vendor ID of an extended RADIUS attribute for translation

9

Set the vendor ID of an extended RADIUS attribute for translation to 9.

Sub ID of a RADIUS attribute for translation

11

Set the sub ID of a RADIUS attribute for translation to 11.

Name of a destination attribute to be translated

HW-Access-Type

Set the name of a destination attribute to be translated to HW-Access-Type.

Type of packets for extended RADIUS attribute translation (translating attributes that non-Huawei devices support into Huawei attributes that they do not)

access-accept

Specify Access-Accept packets for RADIUS attribute translation.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>test12345</name> 
    <vsys>public</vsys> 
    <translate-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <enable>true</enable> 
     <translate-normal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
      <source-attribute-name>nas-identifier</source-attribute-name> 
      <destination-attribute-name>nas-port-id</destination-attribute-name> 
      <packet-type>send</packet-type> 
     </translate-normal> 
     <translate-extend xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
      <source-attribute-name>HW-URL-Flag</source-attribute-name> 
      <destination-vendor-id>9</destination-vendor-id> 
      <destination-sub-vendor-id>2</destination-sub-vendor-id> 
      <packet-type>access-request</packet-type> 
     </translate-extend> 
     <translate-extend-vendor xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
      <source-vendor-id>9</source-vendor-id> 
      <source-sub-vendor-id>11</source-sub-vendor-id> 
      <destination-attribute-name>HW-Access-Type</destination-attribute-name> 
      <packet-type>access-accept</packet-type> 
     </translate-extend-vendor> 
    </translate-attribute> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Wrong parameter.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/translate-attribute/translate-normal[source-attribute-name="nas-identifier1"]</error-info> 
 </rpc-error> 
</rpc-reply>
Disabling a RADIUS Attribute

This section provides a sample of disabling a RADIUS attribute using the rpc method.

Table 3-1206 Disabling a RADIUS attribute

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/disable-attribute

Data Requirements
Table 3-1207 Disabling a RADIUS attribute

Item

Data

Description

Name of a disabled RADIUS attribute

HW-Exec-Privilege

Set the name of a disabled RADIUS attribute to HW-Exec-Privilege.

Type of packets whose RADIUS attributes are disabled

receive

Disable the RADIUS attributes for received packets.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>rds</name> 
    <vsys>public</vsys> 
    <disable-attribute xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
     <attribute-name>HW-Exec-Privilege</attribute-name> 
     <option>receive</option> 
    </disable-attribute> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Process radius-attribute return error</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/disable-attribute[attribute-name="HW-Exec-Privilege1"]</error-info> 
 </rpc-error> 
</rpc-reply>
Modifying a RADIUS Attribute Value

This section provides a sample of modifying a RADIUS attribute value using the rpc method.

Table 3-1208 Modifying a RADIUS attribute value

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/set-attribute

Data Requirements
Table 3-1209 Modifying a RADIUS attribute value

Item

Data

Description

Name of a RADIUS attribute value to be modified

Service-Type

Set the name of a RADIUS attribute value to be modified to Service-Type.

Modified value of a RADIUS attribute

5

Change the value of a RADIUS attribute to 5.

User type for RADIUS attribute value modification

auth-type-mac

Specify users whose authentication mode is MAC address authentication for RADIUS attribute value modification.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>test12345</name> 
    <vsys>public</vsys> 
    <set-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <attribute-name>Service-Type</attribute-name> 
     <attribute-value>5</attribute-value> 
     <set-option>auth-type-mac</set-option> 
    </set-attribute>   
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Wrong parameter.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/set-attribute[attribute-name="Service-Type1"]</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring the User Name Format in Packets Sent from the Device to the RADIUS Server

This section provides a sample of configuring the user name format in packets sent from the device to the RADIUS server using the rpc method.

Table 3-1210 Configuring the user name format in packets sent from the device to the RADIUS server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/options/user-name/format

Data Requirements
Table 3-1211 Configuring the user name format in packets sent from the device to the RADIUS server

Item

Data

Description

Original user name in packets sent to the RADIUS server

original

Retain the original user name entered by the user in the packets sent to the RADIUS server.

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>rds</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:options> 
            <hw-aaa-radius:user-name> 
              <hw-aaa-radius:format>original</hw-aaa-radius:format> 
            </hw-aaa-radius:user-name> 
          </hw-aaa-radius:options> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-type>application</error-type> 
  <error-tag>operation-failed</error-tag> 
  <error-severity>error</error-severity> 
  <error-message>parse rpc config error.</error-message> 
 </rpc-error> 
</rpc-reply>
Configuring the RADIUS Traffic Unit, Timeout-caused Retransmission Times, Timeout Interval, and Interval for the Server to Restore to the Active State

This section provides a sample of configuring the RADIUS traffic unit, timeout-caused retransmission times, timeout interval, and interval for the server to restore to the active state using the rpc method.

Table 3-1212 Configuring the RADIUS traffic unit, timeout-caused retransmission times, timeout interval, and interval for the server to restore to the active state

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/options

Data Requirements
Table 3-1213 Configuring the RADIUS traffic unit, timeout-caused retransmission times, timeout interval, and interval for the server to restore to the active state

Item

Data

Description

Traffic unit of a RADIUS server

byte

Set the traffic unit of a RADIUS server to byte.

Interval for the server to restore to the active state

3

Set the interval for the RADIUS server to restore to the active state to 3 minutes.

Timeout interval of RADIUS request packets

3

Set the timeout interval of RADIUS request packets to 3 seconds.

Number of times RADIUS request packets are retransmitted due to timeout

2

Set the number of times RADIUS request packets are retransmitted to 2.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <vsys>public</vsys> 
    <name>test12345</name> 
    <options xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <traffic-unit>byte</traffic-unit> 
     <dead-time>3</dead-time> 
     <timeout-timer>3</timeout-timer> 
     <retransmit-time>2</retransmit-time> 
    </options>    
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>     
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-type>application</error-type> 
  <error-tag>operation-failed</error-tag> 
  <error-severity>error</error-severity> 
  <error-message>parse rpc config error.</error-message> 
 </rpc-error> 
</rpc-reply>
Configuring the MAC Address Format in the RADIUS Packet Attribute Field

This section provides a sample of configuring the MAC address format in the RADIUS packet attribute field using the rpc method.

Table 3-1214 Configuring the MAC address format in the RADIUS packet attribute field

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id or /huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Data Requirements
Table 3-1215 Configuring the MAC address format in the RADIUS packet attribute field

Item

Data

Description

MAC address separator in the encapsulated field called-station-id

dot-split

Use the dot (.) as the separator of the MAC address in the encapsulated field called-station-id.

MAC address format in the encapsulated field called-station-id

mode1

Set the MAC address format in the encapsulated field called-station-id to XXXX-XXXX-XXXX or XXXX.XXXX.XXXX.

MAC address case in the encapsulated field called-station-id

lowercase

Use lowercase for the MAC address in the encapsulated field called-station-id.

MAC address separator in the encapsulated field calling-station-id

dot-split

Use the dot (.) as the separator of the MAC address in the encapsulated field calling-station-id.

MAC address format in the encapsulated field calling-station-id

mode1

Set the MAC address format in the encapsulated field calling-station-id to XXXX-XXXX-XXXX or XXXX.XXXX.XXXX.

MAC address case in the encapsulated field calling-station-id

lowercase

Use lowercase for the MAC address in the encapsulated field calling-station-id.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>test12345</name> 
    <vsys>public</vsys> 
    <mac-format-called-station-id> 
     <mac-address-format>dot-split</mac-address-format> 
     <mode>mode1</mode> 
     <letter>lowercase</letter> 
    </mac-format-called-station-id> 
    <mac-format-calling-station-id> 
     <mac-address-format>dot-split</mac-address-format> 
     <mode>mode1</mode> 
     <letter>lowercase</letter> 
    </mac-format-calling-station-id> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Incomplete information.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/mac-format-called-station-id</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring the Device to Resolve the MAC Address Format in RADIUS Dynamic Authorization Packets

This section provides a sample of configuring the device to resolve the MAC address format in RADIUS dynamic authorization packets using the rpc method.

Table 3-1216 Configuring the device to resolve the MAC address format in RADIUS dynamic authorization packets

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/dynamic-authorization-option

Data Requirements
Table 3-1217 Configuring the device to resolve the MAC address format in RADIUS dynamic authorization packets

Item

Data

Description

MAC address separator in the encapsulated field calling-station-id

dot-split

Use the dot (.) as the MAC address separator in the encapsulated field calling-station-id.

MAC address format in the encapsulated field calling-station-id

compress

Set the MAC address format in the encapsulated field calling-station-id to xxxx-xxxx-xxxx or xxxx.xxxx.xxxx.

Resolution of the attributes in RADIUS dynamic authorization packets based on the configurations in the RADIUS server template

true

Resolve the attributes in RADIUS dynamic authorization packets based on the configurations in the RADIUS server template.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:dynamic-authorization-option> 
          <hw-aaa-radius:decode-mac-format-calling-station-id> 
            <hw-aaa-radius:mac-address-format>dot-split</hw-aaa-radius:mac-address-format> 
            <hw-aaa-radius:mode>compress</hw-aaa-radius:mode> 
          </hw-aaa-radius:decode-mac-format-calling-station-id> 
          <hw-aaa-radius:decode-attribute-sameastemplate>true</hw-aaa-radius:decode-attribute-sameastemplate> 
        </hw-aaa-radius:dynamic-authorization-option> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Invalid mac-address-format</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id</error-info> 
 </rpc-error> 
</rpc-reply>
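
The two sections above control how the device spells a MAC address in Called-Station-Id and Calling-Station-Id (dot-split, mode1 or compress, lowercase) and how it decodes the same field in incoming dynamic authorization packets. The following added example, which is not Huawei code, renders a MAC address in the form those settings describe, checks whether a station id a CoA client intends to send already conforms to it, and compares station ids regardless of spelling, so that a RADIUS server's MAC-authentication entries keep matching after the format is changed on the NAS. Only the option values that appear on this page are mapped; the colon-separated server-side spelling in to_server_format is an assumption about the peer, not a device option.

```python
import re

# Option values that appear in the page's examples; the device's full
# enumerations are not reproduced here.
SEPARATOR = {"dot-split": "."}
GROUP_SIZE = {"mode1": 4, "compress": 4}   # both give XXXX.XXXX.XXXX with dot-split


def canonical_mac(text):
    """Reduce any common MAC spelling to 12 lowercase hex digits (raises otherwise)."""
    digits = re.sub(r"[-.:]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def render_station_id(mac, mac_address_format="dot-split", mode="mode1", letter="lowercase"):
    """Produce the Called/Calling-Station-Id string the settings above describe,
    e.g. 001a.2b3c.4d5e for dot-split, mode1, lowercase."""
    digits = canonical_mac(mac)
    sep = SEPARATOR[mac_address_format]
    size = GROUP_SIZE[mode]
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    if letter == "uppercase":
        return out.upper()
    if letter == "lowercase":
        return out
    raise ValueError(f"unknown letter option: {letter}")


def station_id_conforms(text, **policy):
    """True when text is already in the configured encapsulation form; a CoA or
    Disconnect request carrying another spelling will not be decoded as intended."""
    try:
        return text == render_station_id(text, **policy)
    except (ValueError, KeyError):
        return False


def same_station(a, b):
    """Compare two station ids regardless of separator, grouping or case."""
    return canonical_mac(a) == canonical_mac(b)


def to_server_format(mac, sep=":", size=2, upper=False):
    """Assumed server-side spelling (colon-separated pairs, as many RADIUS
    servers store MAC-authentication entries); not a device option."""
    digits = canonical_mac(mac)
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return out.upper() if upper else out


if __name__ == "__main__":
    print(render_station_id("00-1A-2B-3C-4D-5E"))                 # 001a.2b3c.4d5e
    print(station_id_conforms("00:1a:2b:3c:4d:5e"))                 # False
    print(same_station("00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e"))      # True
```

canonical_mac is the defensive piece: it rejects anything that is not exactly 12 hex digits after the separators are removed, so a truncated or padded Calling-Station-Id never silently matches a database entry.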
Configuring Huawei Extended Attributes

This section provides a sample of configuring Huawei extended attributes using the rpc method.

Table 3-1218 Configuring Huawei extended attributes

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/hw-ap-info-format

Data Requirements
Table 3-1219 Configuring Huawei extended attributes

Item

Data

Description

AP's IP address carried in Huawei extended attribute HW-AP-Information

include-ap-ip

Configure the Huawei extended attribute HW-AP-Information to carry the AP's IP address.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>test12345</name> 
    <vsys>public</vsys> 
    <hw-ap-info-format>include-ap-ip</hw-ap-info-format> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-type>application</error-type> 
  <error-tag>operation-failed</error-tag> 
  <error-severity>error</error-severity> 
  <error-message>parse rpc config error.</error-message> 
 </rpc-error> 
</rpc-reply>
Checking the Specified Attributes in the Received RADIUS Access-Accept Packets

This section provides a sample of checking the specified attributes in received RADIUS Access-Accept packets using the rpc method.

Table 3-1220 Checking the specified attributes in the received RADIUS Access-Accept packets

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Data Requirements
Table 3-1221 Checking the specified attributes in the received RADIUS Access-Accept packets

Item

Data

Description

Name of a RADIUS attribute

framed-protocol

Check the framed-protocol attribute in the received RADIUS Access-Accept packet.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>test12345</name> 
    <vsys>public</vsys> 
    <check-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <attribute-name>framed-protocol</attribute-name> 
    </check-attribute> 
   </radius-server> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message> Failed to find the attribute.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/check-attribute[attribute-name="abc"]/attribute-name</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring NAS Attributes

This section provides a sample of configuring NAS attributes using the rpc method.

Table 3-1222 Configuring NAS attributes

Operation

XPATH

edit-config:create

  • /huawei-aaa-radius:radius/radius-server/nas-ip-address
  • /huawei-aaa-radius:radius/radius-server/nas-ipv6-address
  • /huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format
  • /huawei-aaa-radius:radius/radius-server/format-attribute
Data Requirements
Table 3-1223 Configuring NAS attributes

Item

Data

Description

Value of the NAS-IP-Address attribute used by the NAS to send RADIUS packets

10.3.3.3

Set the value of the NAS-IP-Address attribute used by the NAS to send RADIUS packets to 10.3.3.3.

Value of the NAS-IPv6-Address attribute used by the NAS to send RADIUS packets

FC00::7

Set the value of the NAS-IPv6-Address attribute used by the NAS to send RADIUS packets to FC00::7.

Encapsulation format of the NAS-Port attribute

new, s2t2p6no10ni12

To customize the NAS-Port attribute, set the encapsulation format to new and the self-designed format to s2t2p6no10ni12.

Encapsulation content in the NAS-Identifier attribute

hostname

Encapsulate the host name of the NAS-Identifier attribute.

Encapsulation format of the NAS-Port-Id attribute

new

Set the encapsulation format of the NAS-Port-Id attribute to new.

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>t1</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:nas-ip-address>10.3.3.3</hw-aaa-radius:nas-ip-address> 
          <hw-aaa-radius:nas-ipv6-address>FC00::7</hw-aaa-radius:nas-ipv6-address> 
          <hw-aaa-radius:format-attribute> 
            <hw-aaa-radius:nas-port-format> 
              <hw-aaa-radius:self-designed-format>s2t2p6no10ni12</hw-aaa-radius:self-designed-format> 
              <hw-aaa-radius:format>new</hw-aaa-radius:format> 
            </hw-aaa-radius:nas-port-format> 
            <hw-aaa-radius:nas-identifier-format>hostname</hw-aaa-radius:nas-identifier-format> 
            <hw-aaa-radius:nas-port-id-format>new</hw-aaa-radius:nas-port-id-format> 
          </hw-aaa-radius:format-attribute> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Wrong parameter.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/nas-ip-address</error-info> 
 </rpc-error> 
</rpc-reply>
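
The self-designed NAS-Port format above (s2t2p6no10ni12) is a bit layout, not an opaque string. The following added example (not code from the Huawei reference) packs and unpacks a 32-bit NAS-Port value from such a format string. It assumes, as an interpretation of the letters that the page itself does not spell out, that s = slot, t = subslot, p = port, no = outer VLAN, ni = inner VLAN, that the digit after each letter is the field width in bits, and that the widths must sum to 32:

```python
import re

# Assumed meaning of the format letters (the reference does not define them).
FIELD_NAMES = {
    "s": "slot",
    "t": "subslot",
    "p": "port",
    "no": "outer_vlan",
    "ni": "inner_vlan",
}
# Two-letter tokens must be tried before single letters.
_TOKEN = re.compile(r"(no|ni|s|t|p)(\d+)")


def parse_nas_port_format(fmt):
    """Turn e.g. 's2t2p6no10ni12' into an ordered list of (field, width_in_bits)."""
    fields = []
    pos = 0
    for m in _TOKEN.finditer(fmt):
        if m.start() != pos:
            raise ValueError("unexpected text at offset %d in %r" % (pos, fmt))
        fields.append((FIELD_NAMES[m.group(1)], int(m.group(2))))
        pos = m.end()
    if pos != len(fmt):
        raise ValueError("unexpected text at offset %d in %r" % (pos, fmt))
    total = sum(width for _, width in fields)
    if total != 32:
        # NAS-Port is a 32-bit integer; a layout that does not fill it is a config error.
        raise ValueError("field widths sum to %d bits, NAS-Port needs exactly 32" % total)
    return fields


def pack_nas_port(fmt, **values):
    """Pack the named field values into one NAS-Port integer, most significant field first."""
    fields = parse_nas_port_format(fmt)
    unknown = set(values) - {name for name, _ in fields}
    if unknown:
        raise ValueError("fields not present in format %r: %s" % (fmt, sorted(unknown)))
    result = 0
    for name, width in fields:
        value = values.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError("%s=%d does not fit in %d bits" % (name, value, width))
        result = (result << width) | value
    return result


def unpack_nas_port(fmt, nas_port):
    """Inverse of pack_nas_port: split a received NAS-Port value back into fields."""
    if not 0 <= nas_port < (1 << 32):
        raise ValueError("NAS-Port must be a 32-bit unsigned integer")
    fields = parse_nas_port_format(fmt)
    out = {}
    remaining = nas_port
    for name, width in reversed(fields):
        out[name] = remaining & ((1 << width) - 1)
        remaining >>= width
    return out


if __name__ == "__main__":
    fmt = "s2t2p6no10ni12"
    # Constructed sample values for a port on slot 1, outer VLAN 100, inner VLAN 200.
    value = pack_nas_port(fmt, slot=1, subslot=0, port=5, outer_vlan=100, inner_vlan=200)
    print(value, unpack_nas_port(fmt, value))
```

Decoding NAS-Port this way on the RADIUS server side is what lets an accounting or access policy key on the physical port and VLAN pair rather than on an opaque number.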
Configuring RADIUS Automatic Detection

This section provides a sample of configuring RADIUS automatic detection using the merge method.

Table 3-1224 Configuring RADIUS automatic detection

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/server-detect-function

/huawei-aaa-radius:radius/global/options/dead-detect-condition

Data Requirements
Table 3-1225 Configuring RADIUS automatic detection

Item

Data

Description

User name for automatic detection

testusername

Set the user name for automatic detection to testusername.

User password for automatic detection

huawei@123

Set the user password for automatic detection to huawei@123.

Automatic detection period

100

Set the automatic detection period to 100 seconds.

Detection mode of the RADIUS server

by-server-ip

Detect the RADIUS server based on its IP address.

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>t1</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:server-detect-function> 
            <hw-aaa-radius:server-detect-enable>true</hw-aaa-radius:server-detect-enable> 
            <hw-aaa-radius:test-user-name>testusername</hw-aaa-radius:test-user-name> 
            <hw-aaa-radius:test-user-password>huawei@123</hw-aaa-radius:test-user-password> 
            <hw-aaa-radius:interval>100</hw-aaa-radius:interval> 
          </hw-aaa-radius:server-detect-function> 
        </hw-aaa-radius:radius-server> 
        <hw-aaa-radius:global> 
          <hw-aaa-radius:options> 
            <hw-aaa-radius:dead-detect-condition>by-server-ip</hw-aaa-radius:dead-detect-condition> 
          </hw-aaa-radius:options> 
        </hw-aaa-radius:global> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>     
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message> Invalid character in the template shared-key.</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/server-detect-function/server-detect-enable</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring the Shared Key and Algorithm of the RADIUS Server

This section provides a sample of configuring the shared key and algorithm of the RADIUS server using the merge method.

Table 3-1226 Configuring the shared key and algorithm of the RADIUS server

Operation

XPATH

edit-config:merge

  • /huawei-aaa-radius:radius/radius-server/shared-key
  • /huawei-aaa-radius:radius/radius-server/server-algorithm
  • /huawei-aaa-radius:radius/server-shared-key/server-item
Data Requirements
Table 3-1227 Configuring the shared key and algorithm of the RADIUS server

Item

Data

Description

RADIUS server's shared key in the RADIUS template

huawei@123

Set the shared key of the RADIUS server to huawei@123 in the RADIUS template.

RADIUS server's algorithm in the RADIUS template

loading-share

Set the algorithm of the RADIUS server to load balancing in the RADIUS template.

Globally configured shared key of the RADIUS server

IP address: 10.1.1.1

Shared key: huawei@1234

Globally set the shared key of the RADIUS server whose IP address is 10.1.1.1 to huawei@1234.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <config> 
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
    <name>rds</name> 
    <vsys>public</vsys> 
    <shared-key>huawei@123</shared-key> 
    <server-algorithm>load-sharing</server-algorithm> 
   </radius-server> 
   <server-shared-key> 
     <server-item> 
       <ip-address>10.1.1.1</ip-address> 
       <shared-key>huawei@1234</shared-key> 
     </server-item> 
   </server-shared-key> 
  </radius> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25"> 
 <rpc-error> 
  <error-app-tag>-1</error-app-tag> 
  <error-message>Invalid radius-server shared key</error-message> 
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/shared-key</error-info> 
 </rpc-error> 
</rpc-reply>
Configuring Session Management

This section provides a sample of configuring session management using the merge method.

Table 3-1228 Configuring session management

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/session-manage-function

Data Requirements
Table 3-1229 Configuring session management

Item

Data

Description

IP address of the RADIUS session management server

10.1.1.1

Enable session management on the RADIUS server, and set the IP address, VPN, and shared key of the RADIUS session management server to 10.1.1.1, vpn1, and huawei@123 respectively.

VPN instance of the RADIUS session management server

vpn1

Shared key of the RADIUS session management server

huawei@123

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:session-manage-function> 
          <hw-aaa-radius:client-item> 
            <hw-aaa-radius:ip-address>10.1.1.1</hw-aaa-radius:ip-address> 
            <hw-aaa-radius:vpn-instance>vpn1</hw-aaa-radius:vpn-instance> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
          </hw-aaa-radius:client-item> 
        </hw-aaa-radius:session-manage-function> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5"> 
  <rpc-error> 
    <error-type>application</error-type> 
    <error-tag>operation-failed</error-tag> 
    <error-severity>error</error-severity> 
    <error-path>/huawei-aaa-radius:radius/session-manage-function/client-item[ip-address='NEED-A-VALUE-FOR-KEY-NODE!']/ip-address</error-path> 
    <error-message>parse rpc config error.(Invalid value "NEED-A-VALUE-FOR-KEY-NODE!" in "ip-address" element.).</error-message> 
  </rpc-error> 
</rpc-reply>
Configuring the Message-Authenticator Attribute to RADIUS Authentication Packets

This section provides a sample of configuring the Message-Authenticator attribute to RADIUS authentication packets using the merge method.

Table 3-1230 Configuring the Message-Authenticator attribute to RADIUS authentication packets

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/message-authenticator

Data Requirements
Table 3-1231 Configuring the Message-Authenticator attribute to RADIUS authentication packets

Item

Data

Description

Type of packets carrying the Message-Authenticator attribute

access-request

In RADIUS server template t1, configure the Message-Authenticator attribute to RADIUS authentication packets.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>t1</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:message-authenticator>access-request</hw-aaa-radius:message-authenticator> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <rpc-error> 
    <error-app-tag>-1</error-app-tag> 
    <error-message> Invalid character in the template name.</error-message> 
    <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="NEED-A-VALUE-FOR-KEY-NODE!",vsys="NEED-A-VALUE-FOR-KEY-NODE!"]/name</error-info> 
  </rpc-error> 
</rpc-reply>
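
The Message-Authenticator attribute configured above is an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret (RFC 2869, section 5.14); it is what lets the peer detect a forged or altered Access-Request, which the 16-byte Request Authenticator alone cannot do. The following added example (not code from the Huawei reference) builds a constructed Access-Request carrying the attribute and verifies it the way a receiving server does. The attribute type numbers are the standard RADIUS ones; the user name, NAS-IP-Address and shared secret are constructed sample values:

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def _attr(atype, value):
    """Encode one TLV attribute: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identifier, username, nas_ip, request_authenticator=None):
    """Build an Access-Request whose Message-Authenticator is
    HMAC-MD5(secret, packet with the attribute value set to 16 zero octets)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # While computing the HMAC the attribute is present but its value is all zeros.
    attrs_zeroed = attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs_zeroed)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs_zeroed, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret, packet):
    """Return True only if the packet carries a Message-Authenticator that matches
    the HMAC-MD5 recomputed over the packet with that value zeroed."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False  # truncated or padded packet: do not trust it
    pos, found = 20, None
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed TLV chain
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            found = pos
        pos += alen
    if found is None:
        return False  # attribute absent: a policy that requires it must reject
    received = packet[found + 2:found + 18]
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 42, "alice", "10.3.3.3")
    print(len(pkt), verify_message_authenticator(secret, pkt))
```

The verifier deliberately rejects a packet with no Message-Authenticator at all; requiring the attribute on Access-Request, as the template option on this page does, only helps if the receiving side treats its absence as a failure rather than as "nothing to check".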
Configuring Re-authentication Without Re-authorization

This section provides a sample of configuring re-authentication without re-authorization using the merge method.

Table 3-1232 Configuring re-authentication without re-authorization

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/service-type

Data Requirements
Table 3-1233 Configuring re-authentication without re-authorization

Item

Data

Description

Re-authentication without re-authorization

with-authenonly-reauthen

In RADIUS server template t1, enable the device to re-authenticate the user without re-delivering authorization information.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>t1</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:service-type>with-authenonly-reauthen</hw-aaa-radius:service-type> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <rpc-error> 
    <error-app-tag>-1</error-app-tag> 
    <error-message> Invalid character in the template name.</error-message> 
    <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="NEED-A-VALUE-FOR-KEY-NODE!",vsys="NEED-A-VALUE-FOR-KEY-NODE!"]/name</error-info> 
  </rpc-error> 
</rpc-reply>
Configuring the Retransmission of Accounting-Stop Packets

This section provides a sample of configuring the retransmission of Accounting-Stop packets using the merge method.

Table 3-1234 Configuring the retransmission of Accounting-Stop packets

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/options/account-stop-packet-resend-times

Data Requirements
Table 3-1235 Configuring the retransmission of Accounting-Stop packets

Item

Data

Description

Number of times that Accounting-Stop packets are retransmitted

60

In RADIUS server template t1, set the number of times that Accounting-Stop packets are retransmitted to 60.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius" xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>t1</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:options> 
            <hw-aaa-radius:accounting-stop-packet-resend-times>60</hw-aaa-radius:accounting-stop-packet-resend-times> 
          </hw-aaa-radius:options> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <rpc-error> 
    <error-type>application</error-type> 
    <error-tag>operation-failed</error-tag> 
    <error-severity>error</error-severity> 
    <error-path>/huawei-aaa-radius:radius/radius-server[name='t1'][vsys='public']/options/accounting-stop-packet-resend-times</error-path> 
    <error-message>parse rpc config error.(Value "500" does not satisfy the constraint "0..300" (range, length, or pattern).).</error-message> 
  </rpc-error> 
</rpc-reply>
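
The failed response above shows the server enforcing the YANG range (0..300) on accounting-stop-packet-resend-times and reporting it in the RFC 6241 error layout (error-type, error-tag, error-path, error-message), while other sections of this reference use a vendor layout (error-app-tag, error-message, error-info). The following added example (not code from the Huawei reference) builds the edit-config RPC for this leaf with a client-side range check, and parses an rpc-reply in either layout; it also checks that the reply's message-id matches the request, since a reply to another request would otherwise be misread. The sample replies are constructed after the ones in this section; the prefix names nc and hw-aaa-radius are this example's choice:

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_RADIUS = "urn:huawei:params:xml:ns:yang:huawei-aaa-radius"
ET.register_namespace("nc", NC)
ET.register_namespace("hw-aaa-radius", HW_RADIUS)

# Range taken from the constraint quoted in the failed response on this page.
RESEND_TIMES_RANGE = (0, 300)


def q(ns, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_resend_times_edit(template, vsys, resend_times, message_id="1"):
    """Return the edit-config RPC (XML text) that merges
    /radius/radius-server[name][vsys]/options/accounting-stop-packet-resend-times."""
    lo, hi = RESEND_TIMES_RANGE
    if not lo <= resend_times <= hi:
        # Reject locally instead of sending a request the device will roll back.
        raise ValueError("resend_times %r outside YANG range %d..%d" % (resend_times, lo, hi))
    rpc = ET.Element(q(NC, "rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, q(NC, "edit-config"))
    ET.SubElement(ET.SubElement(edit, q(NC, "target")), q(NC, "running"))
    ET.SubElement(edit, q(NC, "error-option")).text = "rollback-on-error"
    config = ET.SubElement(edit, q(NC, "config"))
    radius = ET.SubElement(config, q(HW_RADIUS, "radius"))
    server = ET.SubElement(radius, q(HW_RADIUS, "radius-server"), {q(NC, "operation"): "merge"})
    ET.SubElement(server, q(HW_RADIUS, "name")).text = template
    ET.SubElement(server, q(HW_RADIUS, "vsys")).text = vsys
    options = ET.SubElement(server, q(HW_RADIUS, "options"))
    leaf = ET.SubElement(options, q(HW_RADIUS, "accounting-stop-packet-resend-times"))
    leaf.text = str(resend_times)
    return ET.tostring(rpc, encoding="unicode")


def parse_rpc_reply(xml_text, expected_message_id=None):
    """Return ("ok", []) or ("error", [fields, ...]) where each fields dict maps the
    local name of every rpc-error child (error-tag, error-path, error-app-tag,
    error-info, ...) to its text, so both layouts on this page are covered."""
    root = ET.fromstring(xml_text)
    if root.tag != q(NC, "rpc-reply"):
        raise ValueError("not an rpc-reply: %s" % root.tag)
    got_id = root.get("message-id")
    if expected_message_id is not None and got_id != expected_message_id:
        raise ValueError("reply message-id %r does not match request %r" % (got_id, expected_message_id))
    errors = []
    for err in root.findall(q(NC, "rpc-error")):
        fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in err}
        errors.append(fields)
    if errors:
        return ("error", errors)
    if root.find(q(NC, "ok")) is not None:
        return ("ok", [])
    raise ValueError("rpc-reply carries neither <ok/> nor <rpc-error>")


def raises_value_error(fn, *args, **kwargs):
    """Small helper so callers can check rejection paths without try/except."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


# Constructed replies modelled on the samples in this section.
SAMPLE_OK = '<rpc-reply xmlns="%s" message-id="1"><ok/></rpc-reply>' % NC
SAMPLE_ERR = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-radius:radius/radius-server[name='t1'][vsys='public']/options/accounting-stop-packet-resend-times</error-path>
    <error-message>parse rpc config error.(Value "500" does not satisfy the constraint "0..300" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_resend_times_edit("t1", "public", 60, message_id="7"))
    print(parse_rpc_reply(SAMPLE_OK, expected_message_id="1"))
    print(parse_rpc_reply(SAMPLE_ERR, expected_message_id="1"))
```

Sending the text over an SSH NETCONF session (for example with ncclient) is unchanged; what the helpers add is that a configuration tool fails closed on a mismatched message-id or an unrecognised reply instead of assuming success.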
Configuring the Update Mode of Authorization Information Delivered by the Authorization Server

This section provides a sample of configuring the update mode of authorization information delivered by the authorization server using the merge method.

Table 3-1236 Configuring the update mode of authorization information delivered by the authorization server

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/authorization-modify-mode

Data Requirements
Table 3-1237 Configuring the update mode of authorization information delivered by the authorization server

Item

Data

Description

Update mode of authorization information delivered by the authorization server

modify

Set the update mode of user authorization information delivered by the authorization server to modify.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
        <hw-aaa:authorization-modify-mode>modify</hw-aaa:authorization-modify-mode> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Configuring the Device to Ignore the Offline or Re-authentication Attribute Delivered by the RADIUS Server

This section provides a sample of configuring the device to ignore the offline or re-authentication attribute delivered by the RADIUS server using the merge method.

Table 3-1238 Configuring the device to ignore the offline or re-authentication attribute delivered by the RADIUS server

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/invalid-session-timeout-enable

Data Requirements
Table 3-1239 Configuring the device to ignore the offline or re-authentication attribute delivered by the RADIUS server

Item

Data

Description

Device enabled to ignore the offline or re-authentication attribute delivered by the RADIUS server

true

Enable the device to ignore the offline or re-authentication attribute delivered by the RADIUS server.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
        <hw-aaa:invalid-session-timeout-enable>true</hw-aaa:invalid-session-timeout-enable> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

Configuring Account Locking After Remote Authentication Fails

This section provides a sample of configuring account locking after remote authentication fails using the merge method.

Table 3-1240 Configuring account locking after remote authentication fails

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/remote-user-policy

Data Requirements
Table 3-1241 Configuring account locking after remote authentication fails

Item

Data

Description

Authentication retry interval after remote authentication fails

5

Lock the account when a user enters incorrect passwords three consecutive times within five minutes during remote authentication, and unlock it five minutes later.

Maximum number of consecutive authentication failures

3

Account locking duration

5

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
        <hw-aaa:remote-user-policy> 
          <hw-aaa:retry-interval>5</hw-aaa:retry-interval> 
          <hw-aaa:retry-times>3</hw-aaa:retry-times> 
          <hw-aaa:block-time>5</hw-aaa:block-time> 
        </hw-aaa:remote-user-policy> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
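
The three remote-user-policy leaves above (retry-interval, retry-times, block-time) describe a lockout rule; the following added example (not code from the Huawei reference) models that rule so the interaction of the window, the failure count and the block duration can be tested before rolling the policy out. It assumes, beyond what the page states, that the failure window slides (only failures inside the last retry-interval minutes count), that a successful login clears the counter, and that attempts against a locked account are refused without being counted:

```python
from collections import deque


class RemoteUserLockoutPolicy:
    """Account locking after remote authentication failures, modelled on the
    retry-interval / retry-times / block-time leaves (minutes, count, minutes)."""

    def __init__(self, retry_interval_min=5, retry_times=3, block_time_min=5):
        self.retry_interval = retry_interval_min * 60  # seconds
        self.retry_times = retry_times
        self.block_time = block_time_min * 60  # seconds
        self._failures = {}      # user -> deque of failure timestamps (seconds)
        self._locked_until = {}  # user -> unlock timestamp (seconds)

    def is_locked(self, user, now):
        """True while the account is within its block-time; expired locks are cleared."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            return False
        return True

    def record_attempt(self, user, success, now):
        """Apply one authentication result observed at time `now` (seconds).
        Returns 'locked', 'accepted', 'rejected' or 'rejected-locked'."""
        if self.is_locked(user, now):
            return "locked"  # refused before any password check; not counted
        if success:
            self._failures.pop(user, None)
            return "accepted"
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Drop failures older than retry-interval so only a burst inside the window counts.
        while window and now - window[0] > self.retry_interval:
            window.popleft()
        if len(window) >= self.retry_times:
            self._locked_until[user] = now + self.block_time
            self._failures.pop(user, None)
            return "rejected-locked"
        return "rejected"

    def seconds_until_unlock(self, user, now):
        """0 when the account is usable, otherwise the remaining block time."""
        return max(0, self._locked_until.get(user, now) - now)


if __name__ == "__main__":
    policy = RemoteUserLockoutPolicy(retry_interval_min=5, retry_times=3, block_time_min=5)
    # Constructed timeline: three bad passwords within two minutes, then a retry.
    for t in (0, 60, 120, 130):
        print(t, policy.record_attempt("alice", False, t))
    print(policy.seconds_until_unlock("alice", 130))
```

Feeding real authentication logs through a model like this is a cheap way to check whether a proposed retry-times/retry-interval pair would have locked legitimate users during a known incident, before it is pushed to the devices.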

Configuring Bypass Authentication, Bypass Authorization, and Command-Line Bypass Authorization

This section provides a sample of configuring bypass authentication, bypass authorization, and command-line bypass authorization using the merge method.

Table 3-1242 Configuring bypass authentication, bypass authorization, and command-line bypass authorization

Operation

XPATH

edit-config:merge

  • /huawei-aaa:aaa/global/authentication-bypass
  • /huawei-aaa:aaa/global/authorization-bypass
  • /huawei-aaa:aaa/global/authorization-cmd-bypass
Data Requirements
Table 3-1243 Configuring bypass authentication, bypass authorization, and command-line bypass authorization

Item

Data

Description

Bypass authentication

true

Enable bypass authentication, bypass authorization, and command-line bypass authorization separately, and set each timeout interval to two minutes.

Bypass authentication timeout interval

2

Bypass authorization

true

Bypass authorization timeout interval

2

Command-line bypass authorization

true

Command-line bypass authorization timeout interval

2

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
        <hw-aaa:global> 
          <hw-aaa:authentication-bypass> 
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable> 
            <hw-aaa:bypass-time>2</hw-aaa:bypass-time> 
          </hw-aaa:authentication-bypass> 
          <hw-aaa:authorization-bypass> 
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable> 
            <hw-aaa:bypass-time>2</hw-aaa:bypass-time> 
          </hw-aaa:authorization-bypass> 
          <hw-aaa:authorization-cmd-bypass> 
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable> 
            <hw-aaa:bypass-time>2</hw-aaa:bypass-time> 
          </hw-aaa:authorization-cmd-bypass> 
        </hw-aaa:global> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>

HWTACACS Server

Data Model

The data model file matching HWTACACS servers for authentication, authorization, and accounting is huawei-aaa-hwtacacs.yang.

Table 3-1244 Data Model

Object

Description

Value

Remarks

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-enable

Enables HWTACACS.

The value is of the Boolean type:

  • true: Enable HWTACACS.
  • false: Disable HWTACACS.

The default value is true.

N/A

/huawei-aaa-hwtacacs:hwtacacs/accounting-stop-packet-resend-times

Specifies the number of times Accounting-Stop packets are retransmitted.

The value is an integer ranging from 1 to 300.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/name

Creates an HWTACACS server template.

The value is a string of 1 to 32 case-sensitive characters.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server

Indicates the primary HWTACACS authentication server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authentication server.
  • port: Specifies the port number of the HWTACACS authentication server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authentication server is bound.
  • public-net: Indicates that the HWTACACS authentication server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server

Specifies the second HWTACACS authentication server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authentication server.
  • port: Specifies the port number of the HWTACACS authentication server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authentication server is bound.
  • public-net: Indicates that the HWTACACS authentication server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-authentication-server

Specifies the third HWTACACS authentication server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authentication server.
  • port: Specifies the port number of the HWTACACS authentication server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authentication server is bound.
  • public-net: Indicates that the HWTACACS authentication server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server

Indicates the primary HWTACACS authorization server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authorization server.
  • port: Specifies the port number of the HWTACACS authorization server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authorization server is bound.
  • public-net: Indicates that the HWTACACS authorization server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server

Specifies the second HWTACACS authorization server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authorization server.
  • port: Specifies the port number of the HWTACACS authorization server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authorization server is bound.
  • public-net: Indicates that the HWTACACS authorization server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-authorization-server

Specifies the third HWTACACS authorization server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS authorization server.
  • port: Specifies the port number of the HWTACACS authorization server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS authorization server is bound.
  • public-net: Indicates that the HWTACACS authorization server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server

Specifies the primary HWTACACS accounting server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS accounting server.
  • port: Specifies the port number of the HWTACACS accounting server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS accounting server is bound.
  • public-net: Indicates that the HWTACACS accounting server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server

Specifies the second HWTACACS accounting server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS accounting server.
  • port: Specifies the port number of the HWTACACS accounting server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS accounting server is bound.
  • public-net: Indicates that the HWTACACS accounting server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-accounting-server

Specifies the third HWTACACS accounting server as a standby server. The object includes:

  • server-ip-address: Specifies the IP address of the HWTACACS accounting server.
  • port: Specifies the port number of the HWTACACS accounting server.
  • vpn-instance: Specifies the VPN instance to which the HWTACACS accounting server is bound.
  • public-net: Indicates that the HWTACACS accounting server is connected to the public network.

  • server-ip-address: The value is in dotted decimal notation.
  • port: The value is an integer ranging from 1 to 65535. The default value is 49.
  • vpn-instance: Indicates a created VPN instance.
  • public-net: -

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/source-ip-address

Indicates the source IP address for communication between the device and the HWTACACS server. The object includes:

  • ip/ip-address: Specifies an IP address as the source IP address used by the device to communicate with the HWTACACS server.
  • interface/loopback-interface: Specifies the IP address of a loopback interface as the source IP address used by the device to communicate with the HWTACACS server.

  • ip/ip-address: The value is in dotted decimal notation.
  • interface/loopback-interface: Indicates an existing loopback interface.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/source-ipv6-address

Indicates the source IPv6 address for communication between the device and the HWTACACS server. The object includes:

  • ip/ipv6-address: Specifies an IPv6 address as the source IP address used by the device to communicate with the HWTACACS server.
  • interface/ipv6-loopback-interface: Specifies the IPv6 address of a loopback interface as the source IP address used by the device to communicate with the HWTACACS server.

  • ip/ipv6-address: The value is a 32-digit hexadecimal number in standard colon-separated IPv6 notation.
  • interface/ipv6-loopback-interface: Indicates an existing loopback interface.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/shared-key

Indicates the shared key of the HWTACACS server.

The value is a case-sensitive string in plaintext or ciphertext. Spaces and question marks are not allowed unless the whole string is enclosed in double quotation marks. Length range:

  • Plaintext: 1 to 128 characters. The system converts the string into ciphertext before saving it to the configuration file.
  • Ciphertext: a fixed length of 48, 68, 88, 108, 128, 148, 168, or 188 characters. If a user enters a key of 32, 56, 80, 104, or 128 characters and the system can decrypt it, the system treats the key as ciphertext; if the system cannot decrypt it, the system treats the key as plaintext.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/timeout-timer

Specifies the response timeout interval of an HWTACACS server.

The value is an integer ranging from 1 to 300, in seconds.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/quiet-interval

Specifies the quiet interval after which a primary server that has stopped responding is restored to the active state.

The value is an integer ranging from 0 to 255, in minutes.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/user-name/format

Specifies the user name format in packets sent from the device to the HWTACACS server.

The value is of the enumerated type:

  • original: The device does not modify the user name entered by the user.
  • domain-include: The user name includes the domain name.
  • domain-exclude: The user name does not include the domain name.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/traffic-unit

Indicates the traffic unit of the HWTACACS server.

The value is of the enumerated type:

  • byte: The traffic unit is byte.
  • kbyte: The traffic unit is kilobyte.
  • mbyte: The traffic unit is megabyte.
  • gbyte: The traffic unit is gigabyte.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Indicates the name of the HWTACACS server template that is applied in a domain.

The HWTACACS server template must already exist.

N/A

Creating and Configuring an HWTACACS Server Template

This section provides a sample of creating and configuring an HWTACACS server template using the merge method.

Table 3-1245 Creating and configuring an HWTACACS server template

Operation: edit-config:merge

XPATH:

  • /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-enable
  • /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server

Data Requirements

Table 3-1246 Creating and configuring an HWTACACS server template

  • HWTACACS function: true. Enable HWTACACS.
  • Primary HWTACACS authentication, authorization, and accounting servers: IP address 10.1.1.1, port number 1000, VPN instance vpn1. Set the IP address, port number, and VPN instance of the primary HWTACACS authentication, authorization, and accounting servers to 10.1.1.1, 1000, and vpn1 respectively.
  • Secondary HWTACACS authentication, authorization, and accounting servers functioning as standby servers: IP address 10.1.1.2, port number 1001, VPN instance vpn1. Set the IP address, port number, and VPN instance of the standby HWTACACS authentication, authorization, and accounting servers to 10.1.1.2, 1001, and vpn1 respectively.
  • Source IP address for communication between the device and HWTACACS server: 10.1.1.10. Set the source IP address for communication between the device and HWTACACS server to 10.1.1.10.
  • Shared key of the HWTACACS server: Huawei@123. Set the shared key of the HWTACACS server to Huawei@123.
  • Response timeout interval of an HWTACACS server: 30. Set the response timeout interval of an HWTACACS server to 30 seconds.
  • Interval for the primary server to restore to the active state: 5. Set the interval for the primary server to restore to the active state to five minutes.
  • User name format in packets sent from the device to the HWTACACS server: domain-include. Include the domain name in the user name in packets sent to the HWTACACS server.
  • Traffic unit of the HWTACACS server: kbyte. Set the traffic unit of the HWTACACS server to kilobyte.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-enable>true</hw-aaa-hwtacacs:hwtacacs-enable>
        <hw-aaa-hwtacacs:hwtacacs-server>
          <hw-aaa-hwtacacs:name>h1</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
          <hw-aaa-hwtacacs:primary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:primary-authentication-server>
          <hw-aaa-hwtacacs:secondary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authentication-server>
          <hw-aaa-hwtacacs:primary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:primary-authorization-server>
          <hw-aaa-hwtacacs:secondary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authorization-server>
          <hw-aaa-hwtacacs:primary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:primary-accounting-server>
          <hw-aaa-hwtacacs:secondary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-accounting-server>
          <hw-aaa-hwtacacs:source-ip-address>
            <hw-aaa-hwtacacs:ip>
              <hw-aaa-hwtacacs:ip-address>10.1.1.10</hw-aaa-hwtacacs:ip-address>
            </hw-aaa-hwtacacs:ip>
          </hw-aaa-hwtacacs:source-ip-address>
          <hw-aaa-hwtacacs:shared-key>Huawei@123</hw-aaa-hwtacacs:shared-key>
          <hw-aaa-hwtacacs:option>
            <hw-aaa-hwtacacs:timeout-timer>30</hw-aaa-hwtacacs:timeout-timer>
            <hw-aaa-hwtacacs:quiet-interval>5</hw-aaa-hwtacacs:quiet-interval>
            <hw-aaa-hwtacacs:user-name>
              <hw-aaa-hwtacacs:format>domain-include</hw-aaa-hwtacacs:format>
            </hw-aaa-hwtacacs:user-name>
            <hw-aaa-hwtacacs:traffic-unit>kbyte</hw-aaa-hwtacacs:traffic-unit>
          </hw-aaa-hwtacacs:option>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>    
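The request above assembles the template leaf by leaf. A client should validate those leaves against the ranges given in the data model before sending them, so that a typo surfaces as a local error rather than as an rpc-error from the device or, worse, a half-applied template. The following Python is an added example, not code from the Huawei document: it builds the same edit-config request with xml.etree.ElementTree, enforces the port, timeout-timer, quiet-interval, user-name/format, traffic-unit and shared-key constraints listed above, and adds <error-option>rollback-on-error</error-option>, which the sample request omits. The function and helper names are the example's own; counting the plaintext length of a double-quoted key as the characters inside the quotes is an assumption. The key Huawei@123 is kept only to match the table; a production shared key should be long and random.

```python
"""Build a NETCONF <edit-config> request for a huawei-aaa-hwtacacs server
template, validating every leaf against the documented ranges first."""
import re
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HWTACACS_NS = "urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs"

# Ranges and enumerations as documented in the object descriptions above.
PORT_RANGE = (1, 65535)
TIMEOUT_RANGE = (1, 300)      # options/timeout-timer, seconds
QUIET_RANGE = (0, 255)        # options/quiet-interval, minutes
USER_NAME_FORMATS = ("original", "domain-include", "domain-exclude")
TRAFFIC_UNITS = ("byte", "kbyte", "mbyte", "gbyte")
CIPHERTEXT_LENGTHS = (48, 68, 88, 108, 128, 148, 168, 188)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def hw(tag):
    """Clark-notation name for an element in the huawei-aaa-hwtacacs namespace."""
    return f"{{{HWTACACS_NS}}}{tag}"


def check_range(name, value, bounds):
    """Return the value as element text, or raise if it is outside the range."""
    lo, hi = bounds
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer from {lo} to {hi}, got {value!r}")
    return str(value)


def check_ipv4(value):
    m = IPV4.match(value)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not a dotted-decimal IPv4 address: {value!r}")
    return value


def check_shared_key(key):
    """Plaintext keys are 1 to 128 characters and may contain spaces or '?'
    only when the whole key is double-quoted (assumption: the 1..128 limit is
    counted inside the quotes). A key whose length is one of the documented
    ciphertext lengths is passed through, since only the device can tell, by
    decrypting it, whether it really is ciphertext."""
    if len(key) in CIPHERTEXT_LENGTHS:
        return key
    quoted = len(key) >= 2 and key[0] == key[-1] == '"'
    body = key[1:-1] if quoted else key
    if not 1 <= len(body) <= 128:
        raise ValueError("plaintext shared key must be 1 to 128 characters")
    if not quoted and (" " in key or "?" in key):
        raise ValueError("spaces and '?' are allowed only inside a double-quoted key")
    return key


def add_server(parent, tag, ip, port, vpn_instance=None):
    """Append one primary-*/secondary-*-server container."""
    srv = ET.SubElement(parent, hw(tag))
    ET.SubElement(srv, hw("server-ip-address")).text = check_ipv4(ip)
    ET.SubElement(srv, hw("port")).text = check_range("port", port, PORT_RANGE)
    if vpn_instance:
        ET.SubElement(srv, hw("vpn-instance")).text = vpn_instance


def build_hwtacacs_edit_config(message_id, name, primary, secondary, source_ip,
                               shared_key, timeout, quiet_interval,
                               user_name_format, traffic_unit, vsys="public"):
    """Return the <rpc> as a string. `primary` and `secondary` are
    (ip, port, vpn-instance) tuples applied to the authentication,
    authorization and accounting servers alike, as in the sample above."""
    if user_name_format not in USER_NAME_FORMATS:
        raise ValueError(f"user-name/format must be one of {USER_NAME_FORMATS}")
    if traffic_unit not in TRAFFIC_UNITS:
        raise ValueError(f"traffic-unit must be one of {TRAFFIC_UNITS}")
    ET.register_namespace("", NC_NS)
    ET.register_namespace("hw-aaa-hwtacacs", HWTACACS_NS)

    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    # Undo the whole edit if the device rejects any leaf, so the template is
    # never left half-configured (for example servers set but no shared key).
    ET.SubElement(edit, f"{{{NC_NS}}}error-option").text = "rollback-on-error"
    config = ET.SubElement(edit, f"{{{NC_NS}}}config")

    hwtacacs = ET.SubElement(config, hw("hwtacacs"))
    ET.SubElement(hwtacacs, hw("hwtacacs-enable")).text = "true"
    tmpl = ET.SubElement(hwtacacs, hw("hwtacacs-server"))
    ET.SubElement(tmpl, hw("name")).text = name
    ET.SubElement(tmpl, hw("vsys")).text = vsys
    for role in ("authentication", "authorization", "accounting"):
        add_server(tmpl, f"primary-{role}-server", *primary)
        add_server(tmpl, f"secondary-{role}-server", *secondary)
    ip = ET.SubElement(ET.SubElement(tmpl, hw("source-ip-address")), hw("ip"))
    ET.SubElement(ip, hw("ip-address")).text = check_ipv4(source_ip)
    ET.SubElement(tmpl, hw("shared-key")).text = check_shared_key(shared_key)
    option = ET.SubElement(tmpl, hw("option"))
    ET.SubElement(option, hw("timeout-timer")).text = check_range("timeout-timer", timeout, TIMEOUT_RANGE)
    ET.SubElement(option, hw("quiet-interval")).text = check_range("quiet-interval", quiet_interval, QUIET_RANGE)
    ET.SubElement(ET.SubElement(option, hw("user-name")), hw("format")).text = user_name_format
    ET.SubElement(option, hw("traffic-unit")).text = traffic_unit
    return ET.tostring(rpc, encoding="unicode")


def leaves(xml_text, local_name):
    """Text of every element with the given local name, in document order."""
    return [el.text for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == local_name]


if __name__ == "__main__":
    print(build_hwtacacs_edit_config(
        1, "h1", ("10.1.1.1", 1000, "vpn1"), ("10.1.1.2", 1001, "vpn1"),
        "10.1.1.10", "Huawei@123", 30, 5, "domain-include", "kbyte"))
```

The element order follows the sample request above (enable flag, template name and vsys, the six server containers, source address, shared key, options), which matters because a device may reject leaves that arrive out of schema order.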
Configuring the Retransmission of Accounting-Stop Packets

This section provides a sample of configuring the retransmission of Accounting-Stop packets using the merge method.

Table 3-1247 Configuring the retransmission of Accounting-Stop packets

Operation: edit-config:merge

XPATH: /huawei-aaa-hwtacacs:hwtacacs/accounting-stop-packet-resend-times

Data Requirements

Table 3-1248 Configuring the retransmission of Accounting-Stop packets

  • Number of retransmitted Accounting-Stop packets: 150. Set the number of retransmitted Accounting-Stop packets to 150.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:accounting-stop-packet-resend-times>150</hw-aaa-hwtacacs:accounting-stop-packet-resend-times>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply> 

Configuring an HACA Server

Configuring an HACA Server Template

This section provides a sample of configuring an HACA server template using the merge method. An HACA server template can also be configured using the create method.

Table 3-1249 Configuring an HACA server template

Operation: edit-config:merge

XPATH: /huawei-aaa-haca:aca

Data Requirements

Table 3-1250 Configuring an HACA server template

  • Name of an HACA server template: hacaserver1. Configure an HACA server template named hacaserver1.
  • HACA function: true. Enable HACA.
  • IP address of an HACA server: 10.1.1.1. Set the IP address of the HACA server to 10.1.1.1.
  • Port number of an HACA server: 1111. Set the port number of the HACA server to 1111.
  • Name of a PKI realm: default. Configure the PKI realm default for the template.
  • Interval at which HACA heartbeat packets are sent: 200. Set the interval at which HACA heartbeat packets are sent to 200 minutes.
  • Interval for reconnecting to an HACA server: 200. Set the interval for reconnecting to the HACA server to 200 minutes.
  • Response timeout interval of an HACA server: 200. Set the response timeout interval of the HACA server to 200 seconds.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
  <target> 
   <running/> 
  </target> 
  <error-option>rollback-on-error</error-option> 
  <config> 
   <aca xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-haca"> 
    <haca-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <name>hacaserver1</name> 
     <vsys>public</vsys> 
     <enable>true</enable> 
     <server> 
      <server-ip>10.1.1.1</server-ip> 
      <port>1111</port> 
     </server> 
     <pki-domain>default</pki-domain> 
     <heart-beat>200</heart-beat> 
     <detection-function> 
      <reconnect-interval>200</reconnect-interval> 
     </detection-function> 
     <timeout>200</timeout> 
    </haca-server> 
   </aca> 
  </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply>                                                                                                                                 
Allowing the Retransmission of Accounting-Stop Packets

This section provides a sample of allowing the retransmission of Accounting-Stop packets. The request below sets ns0:operation="create" on the haca-server node; the merge method can be used instead to change the value on an existing template.

Table 3-1251 Allowing the retransmission of Accounting-Stop packets

Operation: edit-config:merge or edit-config:create (the sample request uses create)

XPATH: /huawei-aaa-haca:aca/haca-server/accounting-stop-packet-resend-times

Data Requirements

Table 3-1252 Allowing the retransmission of Accounting-Stop packets

  • Number of retransmitted Accounting-Stop packets: 10. Set the number of retransmitted Accounting-Stop packets to 10.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <aca xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-haca">
        <haca-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="create">
          <name>haca_server</name>
          <vsys>public</vsys>
          <accounting-stop-packet-resend-times>10</accounting-stop-packet-resend-times>
        </haca-server>
      </aca>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>   

Configuring a Domain

Applying the AAA Scheme to a Domain

This section provides a sample of applying the AAA scheme to a domain using the merge method.

Table 3-1253 Applying the AAA scheme to a domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/aaa-domain

Data Requirements

Table 3-1254 Applying the AAA scheme to a domain

  • Domain name: domain1. Create a domain named domain1.
  • Name of an authentication scheme bound to a domain: authen1. Bind authentication scheme authen1 to the domain.
  • Name of an accounting scheme bound to a domain: acc1. Bind accounting scheme acc1 to the domain.
  • Name of a service scheme bound to a domain: ser1. Bind service scheme ser1 to the domain.
  • Traffic statistics collection for domain users: true. Enable traffic statistics collection for domain users.

Request Example
<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:authentication-scheme> 
          <hw-aaa:name>authen1</hw-aaa:name> 
          <hw-aaa:vsys>public</hw-aaa:vsys> 
          <hw-aaa:authentication-mode>radius</hw-aaa:authentication-mode> 
        </hw-aaa:authentication-scheme> 
        <hw-aaa:accounting-scheme> 
          <hw-aaa:name>acc1</hw-aaa:name> 
          <hw-aaa:vsys>public</hw-aaa:vsys> 
          <hw-aaa:accounting-mode>radius</hw-aaa:accounting-mode> 
        </hw-aaa:accounting-scheme> 
        <hw-aaa:service-scheme> 
          <hw-aaa:name>ser1</hw-aaa:name> 
          <hw-aaa:vsys>public</hw-aaa:vsys> 
        </hw-aaa:service-scheme> 
        <hw-aaa:aaa-domain> 
          <hw-aaa:name>domain1</hw-aaa:name> 
          <hw-aaa:vsys>ads</hw-aaa:vsys> 
          <hw-aaa:authentication-scheme>authen1</hw-aaa:authentication-scheme> 
          <hw-aaa:accounting-scheme>acc1</hw-aaa:accounting-scheme> 
          <hw-aaa:service-scheme>ser1</hw-aaa:service-scheme> 
          <hw-aaa:statistics-enable>true</hw-aaa:statistics-enable> 
        </hw-aaa:aaa-domain> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10"> 
  <ok/> 
</rpc-reply>
Applying the RADIUS Server Template to a Domain

This section provides a sample of applying the RADIUS server template to a domain using the merge method.

Table 3-1255 Applying the RADIUS server template to a domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Data Requirements

Table 3-1256 Applying the RADIUS server template to a domain

  • Domain name: domain1. Create a domain named domain1.
  • Name of the RADIUS server template bound to a domain: rds. Bind RADIUS server template rds to the domain. The request below also creates template rds with its authentication and accounting servers.

Request Example
<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
        <hw-aaa-radius:radius-server> 
          <hw-aaa-radius:name>rds</hw-aaa-radius:name> 
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys> 
          <hw-aaa-radius:authentication-server> 
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address> 
            <hw-aaa-radius:port>1816</hw-aaa-radius:port> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight> 
          </hw-aaa-radius:authentication-server> 
          <hw-aaa-radius:accounting-server> 
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address> 
            <hw-aaa-radius:port>1817</hw-aaa-radius:port> 
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key> 
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight> 
          </hw-aaa-radius:accounting-server> 
        </hw-aaa-radius:radius-server> 
      </hw-aaa-radius:radius> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:aaa-domain> 
          <hw-aaa:name>domain1</hw-aaa:name> 
          <hw-aaa:vsys>public</hw-aaa:vsys> 
          <hw-aaa-radius:radius-server xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius"> 
            <hw-aaa-radius:radius-server>rds</hw-aaa-radius:radius-server> 
          </hw-aaa-radius:radius-server> 
        </hw-aaa:aaa-domain> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10"> 
  <ok/> 
</rpc-reply>
Applying the HWTACACS Server Template to a Domain

This section provides a sample of applying the HWTACACS server template to a domain using the merge method.

Table 3-1257 Applying the HWTACACS server template to a domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Data Requirements

Table 3-1258 Applying the HWTACACS server template to a domain

  • Domain name: domain1. Create a domain named domain1.
  • Name of the HWTACACS server template bound to a domain: tac1. Bind HWTACACS server template tac1 to the domain.

NOTE:

Ensure that the template tac1 has been created on the device before binding it.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0">
          <name>domain1</name>
          <vsys>public</vsys>
          <hwtacacs-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
            <hwtacacs-server ns0:operation="merge">tac1</hwtacacs-server>
          </hwtacacs-server>
        </aaa-domain>
      </aaa>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123"> 
  <ok/> 
</rpc-reply>
Binding the HACA Server Template to a Domain

This section provides a sample of binding the HACA server template to a domain using the merge method. An HACA server template can also be bound to a domain using the create method.

Table 3-1259 Binding the HACA server template to a domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-haca:haca-server

Data Requirements

Table 3-1260 Binding the HACA server template to a domain

  • Name of an HACA server template: haca1. Bind HACA server template haca1 to domain domain1.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
  <target> 
   <running/> 
  </target> 
  <error-option>rollback-on-error</error-option> 
  <config> 
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
     <name>domain1</name> 
     <vsys>ads</vsys> 
     <haca-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-haca"> 
      <haca-server>haca1</haca-server> 
     </haca-server> 
    </aaa-domain> 
   </aaa> 
  </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply> 
Configuring the Idle-Cut Function for Domain Users

This section provides a sample of configuring the idle-cut function for domain users using the merge method (the request sets ns0:operation="merge" on the service-scheme node).

Table 3-1261 Configuring the idle-cut function for domain users

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/service-scheme/idle-cut-function

Data Requirements

Table 3-1262 Configuring the idle-cut function for domain users

  • Idle timeout interval: 12. Set the idle timeout interval to 12 minutes.
  • Traffic threshold for the idle-cut function: 22. Set the traffic threshold to 22 kilobytes. A user whose traffic stays below this threshold for the whole idle timeout interval is disconnected.
  • Direction of traffic on which the idle-cut function takes effect: inbound. The idle-cut function takes effect only on user traffic in the inbound direction, that is, only upstream traffic is counted.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config> 
 <target> 
  <running/> 
 </target> 
 <error-option>rollback-on-error</error-option> 
 <config> 
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
    <name>lsw_serv</name> 
    <vsys>public</vsys> 
    <idle-cut-function> 
     <idle-time>12</idle-time> 
     <idle-flow> 
      <flow-value>22</flow-value> 
      <flow-direction>inbound</flow-direction> 
     </idle-flow> 
    </idle-cut-function> 
   </service-scheme> 
  </aaa> 
 </config> 
 </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
  <ok/> 
</rpc-reply>
Configuring a Domain Name Resolution Scheme

This section provides a sample of configuring a domain name resolution scheme using the merge method.

Table 3-1263 Configuring a domain name resolution scheme

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/domain-name-parameters

Data Requirements

Table 3-1264 Configuring a domain name resolution scheme

  • Security string function: true. Enable the security string function.
  • Security string delimiter: /. Use the slash (/) to separate the security string from the user name.
  • Domain name delimiter: @. Use the at sign (@) to separate the domain name from the user name.
  • Domain name resolution direction: left-to-right. Resolve the domain name from left to right.
  • Domain name location: after-delimiter. Take the part after the delimiter as the domain name.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:domain-name-parameters xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
          <hw-aaa:security-name-delimiter-enable>true</hw-aaa:security-name-delimiter-enable> 
          <hw-aaa:security-name-delimiter>/</hw-aaa:security-name-delimiter> 
          <hw-aaa:domain-name-delimiter>@</hw-aaa:domain-name-delimiter> 
          <hw-aaa:domain-name-direction>left-to-right</hw-aaa:domain-name-direction> 
          <hw-aaa:domain-name-location>after-delimiter</hw-aaa:domain-name-location> 
        </hw-aaa:domain-name-parameters> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
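To see what these parameters do to a name typed at login, here is an added Python example (not code from the Huawei document) that applies domain-name-parameters to a raw user name and then renders the result the way each hwtacacs-server user-name/format value described earlier (original, domain-include, domain-exclude) would send it to the server. The class and function names are the example's own. Two points are assumptions rather than documented behaviour: left-to-right is taken to mean splitting at the first delimiter and right-to-left at the last, and the security string is taken to be the part of the user portion that follows the security delimiter, consumed locally and dropped by domain-include and domain-exclude. A name without a delimiter falls back to a caller-supplied default domain, corresponding to the global default domain configured later in this chapter.

```python
"""Apply huawei-aaa domain-name-parameters to a login name and render it
per hwtacacs-server user-name/format. Added example; splitting rules are
an interpretation of the documented leaves, see the docstrings."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DomainNameParameters:
    """Mirrors the leaves of /huawei-aaa:aaa/domain-name-parameters."""
    domain_name_delimiter: str = "@"
    domain_name_direction: str = "left-to-right"    # or "right-to-left"
    domain_name_location: str = "after-delimiter"   # or "before-delimiter"
    security_name_delimiter_enable: bool = False
    security_name_delimiter: str = "/"


@dataclass(frozen=True)
class ParsedUserName:
    original: str                   # exactly as entered by the user
    user: str                       # pure user name, no domain, no security string
    domain: Optional[str]           # None when neither entered nor defaulted
    security_string: Optional[str]  # None when absent or the function is disabled


def parse_user_name(raw: str, params: DomainNameParameters,
                    default_domain: Optional[str] = None) -> ParsedUserName:
    """left-to-right splits at the first domain delimiter, right-to-left at
    the last one (assumption); the location leaf says which side of the
    delimiter is the domain. A name without a delimiter, or with an empty
    domain part, gets default_domain, like /huawei-aaa:aaa/global/domain.
    Assumption: the security string is whatever follows the security
    delimiter inside the user portion, after the domain has been removed."""
    delim = params.domain_name_delimiter
    if params.domain_name_direction == "left-to-right":
        head, sep, tail = raw.partition(delim)
    elif params.domain_name_direction == "right-to-left":
        head, sep, tail = raw.rpartition(delim)
    else:
        raise ValueError(f"unknown direction {params.domain_name_direction!r}")

    if not sep:
        user_part, domain = raw, None
    elif params.domain_name_location == "after-delimiter":
        user_part, domain = head, tail
    elif params.domain_name_location == "before-delimiter":
        domain, user_part = head, tail
    else:
        raise ValueError(f"unknown location {params.domain_name_location!r}")

    security = None
    if params.security_name_delimiter_enable and params.security_name_delimiter in user_part:
        user_part, _, security = user_part.partition(params.security_name_delimiter)
    if not user_part:
        raise ValueError(f"empty user name in {raw!r}")
    return ParsedUserName(raw, user_part, domain or default_domain, security)


def hwtacacs_user_name(parsed: ParsedUserName, fmt: str,
                       params: DomainNameParameters) -> str:
    """Render the name per user-name/format: original sends the string as
    typed, domain-exclude sends only the user part, domain-include
    re-attaches the domain on the configured side of the delimiter. The
    security string is dropped by the latter two (assumption)."""
    if fmt == "original":
        return parsed.original
    if fmt == "domain-exclude":
        return parsed.user
    if fmt == "domain-include":
        if parsed.domain is None:
            return parsed.user
        if params.domain_name_location == "after-delimiter":
            return f"{parsed.user}{params.domain_name_delimiter}{parsed.domain}"
        return f"{parsed.domain}{params.domain_name_delimiter}{parsed.user}"
    raise ValueError(f"unknown user-name format {fmt!r}")


if __name__ == "__main__":
    # Parameters from Table 3-1264: "/" security delimiter, "@" domain
    # delimiter, left-to-right, domain after the delimiter.
    params = DomainNameParameters("@", "left-to-right", "after-delimiter", True, "/")
    parsed = parse_user_name("alice/tok123@domain1", params)
    for fmt in ("original", "domain-include", "domain-exclude"):
        print(f"{fmt:15} -> {hwtacacs_user_name(parsed, fmt, params)}")
```

The same name therefore reaches the HWTACACS server as alice/tok123@domain1, alice@domain1 or alice depending on the template's user-name/format, which is why the format must match what the server's user database expects.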
Configuring the Domain State

This section provides a sample of configuring the domain state using the merge method.

Table 3-1265 Configuring the domain state

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/aaa-domain/domain-block

Data Requirements

Table 3-1266 Configuring the domain state

  • Domain state: block. Set domain domain1 to the block state; users in a blocked domain cannot log in.
  • Time period when the domain is in block state: time1. Apply the block state during time range time1.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:aaa-domain xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
          <hw-aaa:name>domain1</hw-aaa:name> 
          <hw-aaa:vsys>sys</hw-aaa:vsys> 
          <hw-aaa:domain-block> 
            <hw-aaa:state>block</hw-aaa:state> 
            <hw-aaa:time-range>time1</hw-aaa:time-range> 
          </hw-aaa:domain-block> 
        </hw-aaa:aaa-domain> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
Configuring the URL Push Function in a Domain

This section provides a sample of configuring the URL push function in a domain using the merge method.

Table 3-1267 Configuring the URL push function in a domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/aaa-domain/force-push-function

Data Requirements

Table 3-1268 Configuring the URL push function in a domain

  • Name of a URL template: url1. Push URL template url1 to users in domain domain1.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa"> 
        <hw-aaa:aaa-domain xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
          <hw-aaa:name>domain1</hw-aaa:name> 
          <hw-aaa:vsys>sys</hw-aaa:vsys> 
          <hw-aaa:force-push-function> 
            <hw-aaa:url-template>url1</hw-aaa:url-template> 
          </hw-aaa:force-push-function> 
        </hw-aaa:aaa-domain> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
  <ok/> 
</rpc-reply>
Configuring a Global Default Domain

This section provides a sample of configuring a global default domain using the merge method.

Table 3-1269 Configuring a global default domain

Operation: edit-config:merge

XPATH: /huawei-aaa:aaa/global/domain

Data Requirements

Table 3-1270 Configuring a global default domain

  • Global default domain: domain1. Set domain1 as the global default domain, which is used for users whose names carry no domain name.

Request Example
<rpc message-id="3" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <edit-config> 
    <target> 
      <running/> 
    </target> 
    <config> 
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge"> 
        <hw-aaa:aaa-domain> 
          <hw-aaa:name>domain1</hw-aaa:name> 
          <hw-aaa:vsys>ads</hw-aaa:vsys> 
        </hw-aaa:aaa-domain> 
        <hw-aaa:global> 
          <hw-aaa:domain> 
            <hw-aaa:default-domain>domain1</hw-aaa:default-domain> 
          </hw-aaa:domain> 
        </hw-aaa:global> 
      </hw-aaa:aaa> 
    </config> 
  </edit-config> 
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"> 
  <ok/> 
</rpc-reply>
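Every successful response in this chapter is an rpc-reply carrying <ok/> and echoing the message-id of the request it answers. A client must check both: NETCONF correlates requests and replies only by message-id, and a rejected edit comes back as an rpc-error element inside a normal reply, not as a transport failure, so a client that merely sees "a reply arrived" can believe a rejected template was applied. The following Python is an added example, not code from the Huawei document: it verifies the message-id, returns an empty list for <ok/>, and extracts error-type, error-tag, error-severity, error-path and error-message from each rpc-error. The request and the three replies embedded in it are constructed for the example; the error reply in particular is not a captured device response.

```python
"""Check a NETCONF <rpc-reply> against the <rpc> it answers. Added example;
the sample messages below are constructed, not captured from a device."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ERROR_FIELDS = ("error-type", "error-tag", "error-severity", "error-path", "error-message")


class NetconfReplyError(Exception):
    """The reply is not a usable answer to the given request."""


def nc(tag):
    """Clark-notation name for an element in the NETCONF base namespace."""
    return f"{{{NC_NS}}}{tag}"


def check_reply(request_xml, reply_xml):
    """Return [] when the reply is <ok/>, otherwise one dict per <rpc-error>
    with the ERROR_FIELDS (missing fields are empty strings). Raise
    NetconfReplyError when the reply is not an <rpc-reply>, its message-id
    differs from the request's, or it carries neither <ok/> nor <rpc-error>."""
    request = ET.fromstring(request_xml)
    reply = ET.fromstring(reply_xml)
    if reply.tag != nc("rpc-reply"):
        raise NetconfReplyError(f"expected rpc-reply, got {reply.tag}")
    if request.get("message-id") != reply.get("message-id"):
        raise NetconfReplyError(
            f"message-id mismatch: request {request.get('message-id')!r}, "
            f"reply {reply.get('message-id')!r}")
    errors = [{field: (err.findtext(nc(field)) or "").strip() for field in ERROR_FIELDS}
              for err in reply.findall(nc("rpc-error"))]
    if not errors and reply.find(nc("ok")) is None:
        raise NetconfReplyError("reply carries neither <ok/> nor <rpc-error>")
    return errors


# Constructed sample exchange (not device output): the request sets the
# global default domain, as in the sample above, with message-id 3.
REQUEST = """<rpc message-id="3" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:global><hw-aaa:domain>
          <hw-aaa:default-domain>domain1</hw-aaa:default-domain>
        </hw-aaa:domain></hw-aaa:global>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>"""
REPLY_OK = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
            'message-id="3"><ok/></rpc-reply>')
# Same payload but answering a different request: must not be accepted.
REPLY_STALE = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
               'message-id="1"><ok/></rpc-reply>')
# Constructed failure reply in the RFC 6241 rpc-error shape.
REPLY_ERROR = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path>/aaa/global/domain/default-domain</error-path>
    <error-message xml:lang="en">domain does not exist</error-message>
  </rpc-error>
</rpc-reply>"""


if __name__ == "__main__":
    print("ok reply   ->", check_reply(REQUEST, REPLY_OK))
    print("error reply->", check_reply(REQUEST, REPLY_ERROR))
    try:
        check_reply(REQUEST, REPLY_STALE)
    except NetconfReplyError as exc:
        print("stale reply->", exc)
```

When a request carries <error-option>rollback-on-error</error-option>, a non-empty list from check_reply means none of the edit was applied; without that option the device may have applied part of it, so the caller should follow an error with a get-config to learn the actual state.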
Updated: 2019-03-06

Document ID: EDOC1100022096