NETCONF YANG API Reference

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

NAC

Configuring an 802.1X Access Profile

Data Model

The configuration model file matching the 802.1X access profile is huawei-nac-dot1x.yang.

Table 3-1338 Data model

Object

Description

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile

Indicates that the object of a request operation (create or modify) is an 802.1X access profile. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Indicates the name of the created 802.1X access profile.

The value is a string of 1 to 31 case-sensitive characters and cannot be - or --. It cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Indicates the authentication mode for 802.1X users.

The value is of the enumerated type:

  • chap: indicates EAP termination authentication using Challenge Handshake Authentication Protocol (CHAP).
  • pap: indicates EAP termination authentication using the Password Authentication Protocol (PAP).
  • eap: indicates relay authentication using the Extensible Authentication Protocol (EAP).

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/trigger-packet

Indicates the type of packets that can trigger 802.1X authentication.

The value is of the enumerated type:

  • dhcp
  • arp

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-eth-trunk

Indicates the interval at which the device handshakes with an 802.1X client on an Eth-Trunk interface.

The value is an integer in the range from 30 to 7200, in seconds.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-non-eth-trunk

Indicates the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface.

The value is an integer in the range from 5 to 7200, in seconds.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/packet-type

Indicates the type of 802.1X authentication handshake packets.

The value is of the enumerated type:

  • request-identity
  • srp-sha1-part2

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/max-retry

Indicates the maximum number of times an authentication request is sent to an 802.1X user.

The value is an integer in the range from 1 to 10.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/client-time-out

Indicates the client authentication timeout interval.

The value is an integer in the range from 1 to 120, in seconds.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/eap-notify-packet

Indicates whether to enable the device to send EAP packets with a code number to 802.1X users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/port-control-function/mode

Indicates the authorization state of an interface.

The value is of the enumerated type:

  • auto: indicates the auto identification mode.
  • authorized-force: indicates the forcible authorization mode.
  • unauthorized-force: indicates the forcible unauthorized mode.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-enable

Indicates whether to enable re-authentication for online 802.1X authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-period

Indicates the re-authentication interval for online 802.1X users.

The value is an integer in the range from 60 to 7200, in seconds.

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/dhcp-binding

Indicates whether to enable the device to automatically generate the DHCP snooping binding table.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-dot1x:dot1x-access/quiet-function/enable

Indicates whether to enable the quiet function for 802.1X authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-period

Indicates the quiet period for 802.1X authentication users who fail to be authenticated.

The value is an integer in the range from 1 to 3600, in seconds.

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-times

Indicates the maximum number of authentication failures within 60 seconds before the device quiets an 802.1X authentication user.

The value is an integer in the range from 1 to 10.

/huawei-nac-dot1x:dot1x-access/tx-period

Indicates the interval for sending authentication requests.

The value is an integer in the range from 1 to 120, in seconds.

/huawei-nac-dot1x:dot1x-access/url

Indicates the redirection URL for 802.1X authentication.

The value is a string of 1 to 200 case-sensitive characters without spaces and question marks (?). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/enable

Indicates whether to enable the function of triggering 802.1X authentication through multicast packets.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/port-up-enable

Indicates whether to enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.
Creating an 802.1X Access Profile

This section provides a sample of creating an 802.1X access profile using the merge method. You can also use the create method to create an 802.1X access profile.

Table 3-1339 Creating an 802.1X access profile

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Data Requirements
Table 3-1340 Creating an 802.1X access profile

Item

Data

Description

name

test

Create the 802.1X access profile test.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
Configuring an Authentication Mode for 802.1X Users

This section provides a sample of configuring an authentication mode for 802.1X users using the merge method. You can also use the create method to configure an authentication mode for 802.1X users.

Table 3-1341 Configuring an authentication mode for 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Data Requirements
Table 3-1342 Configuring an authentication mode for 802.1X users

Item

Data

Description

name

test

Set the authentication mode to PAP for 802.1X users.

The 802.1X access profile must have been created.

authentication-method

pap

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <authentication-method>pap</authentication-method>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Interval at Which the Device Handshakes with 802.1X Users

This section provides a sample of configuring the interval at which the device handshakes with 802.1X users using the merge method.

Table 3-1343 Configuring the interval at which the device handshakes with 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-eth-trunk

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-non-eth-trunk

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/packet-type

Data Requirements
Table 3-1344 Configuring the interval at which the device handshakes with 802.1X users

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

period-eth-trunk

51

Set the interval at which the device handshakes with an 802.1X client on an Eth-Trunk interface to 51 seconds.

period-non-eth-trunk

200

Set the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface to 200 seconds.

packet-type

srp-sha1-part2

Set the type of 802.1X authentication handshake packets to srp-sha1-part2.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:handshake>
            <hw-nac-dot1x:period-eth-trunk>51</hw-nac-dot1x:period-eth-trunk>
            <hw-nac-dot1x:period-non-eth-trunk>200</hw-nac-dot1x:period-non-eth-trunk>
            <hw-nac-dot1x:packet-type>srp-sha1-part2</hw-nac-dot1x:packet-type>
          </hw-nac-dot1x:handshake>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Type of Packets that Can Trigger 802.1X Authentication

This section provides a sample of configuring the type of packets that can trigger 802.1X authentication using the merge method.

Table 3-1345 Configuring the type of packets that can trigger 802.1X authentication

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/trigger-packet

Data Requirements
Table 3-1346 Configuring the type of packets that can trigger 802.1X authentication

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

trigger-packet

  • dhcp
  • arp

Configure the device to use DHCP and ARP packets to trigger 802.1X authentication.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:trigger-packet>arp</hw-nac-dot1x:trigger-packet>
          <hw-nac-dot1x:trigger-packet>dhcp</hw-nac-dot1x:trigger-packet>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Authentication Timeout Timer for 802.1X Clients

This section provides a sample of configuring the authentication timeout timer for 802.1X clients using the merge method.

Table 3-1347 Configuring the authentication timeout timer for 802.1X clients

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/client-time-out

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/max-retry

Data Requirements
Table 3-1348 Configuring the authentication timeout timer for 802.1X clients

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

client-time-out

8

Set the client authentication timeout interval to 8 seconds.

max-retry

3

Set the number of times an authentication request packet is retransmitted to an 802.1X user to 3.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:retry-function>
            <hw-nac-dot1x:client-time-out>8</hw-nac-dot1x:client-time-out>
            <hw-nac-dot1x:max-retry>3</hw-nac-dot1x:max-retry>
          </hw-nac-dot1x:retry-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Device to Send EAP Packets with a Code Number to 802.1X Users

This section provides a sample of configuring the device to send EAP packets with a code number to 802.1X users using the merge method.

Table 3-1349 Configuring the device to send EAP packets with a code number to 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/eap-notify-packet

Data Requirements
Table 3-1350 Configuring the device to send EAP packets with a code number to 802.1X users

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

eap-code

10

Set the code number in EAP packets sent to users to 10.

data-type

12

Set the data type in EAP packets sent to users to 12.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:eap-notify-packet>
            <hw-nac-dot1x:eap-code>10</hw-nac-dot1x:eap-code>
            <hw-nac-dot1x:data-type>12</hw-nac-dot1x:data-type>
          </hw-nac-dot1x:eap-notify-packet>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Authorization State of an Interface

This section provides a sample of configuring the authorization state of an interface using the merge method.

Table 3-1351 Configuring the authorization state of an interface

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/port-control-function/mode

Data Requirements
Table 3-1352 Configuring the authorization state of an interface

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

mode

unauthorized-force

Configure the authorization state of an interface to forcible unauthorized mode.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:port-control-function>
            <hw-nac-dot1x:mode>unauthorized-force</hw-nac-dot1x:mode>
          </hw-nac-dot1x:port-control-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring Re-authentication for Online 802.1X Authentication Users

This section provides a sample of configuring re-authentication for online 802.1X authentication users using the merge method.

Table 3-1353 Configuring re-authentication for online 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-enable

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-period

Data Requirements
Table 3-1354 Configuring re-authentication for online 802.1X authentication users

Item

Data

Description

name

d1

Configure the 802.1X access profile named d1.

re-authenticate-enable

true

Configure re-authentication for online 802.1X users.

re-authenticate-period

70

Set the re-authentication interval for online 802.1X users to 70 seconds.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile>
          <hw-nac-dot1x:name>d1</hw-nac-dot1x:name>
          <hw-nac-dot1x:re-authenticate-function>
            <hw-nac-dot1x:re-authenticate-enable>true</hw-nac-dot1x:re-authenticate-enable>
            <hw-nac-dot1x:re-authenticate-period>70</hw-nac-dot1x:re-authenticate-period>
          </hw-nac-dot1x:re-authenticate-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP Users

This section provides a sample of configuring the device to automatically generate the DHCP snooping binding table for static IP users using the merge method.

Table 3-1355 Configuring the device to automatically generate the DHCP snooping binding table for static IP users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/dhcp-binding

Data Requirements
Table 3-1356 Configuring the device to automatically generate the DHCP snooping binding table for static IP users

Item

Data

Description

name

d1

Configure the 802.1X access profile named d1.

dhcp-binding

true

Configure the device to automatically generate the DHCP snooping binding table for static IP users.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile>
          <hw-nac-dot1x:name>d1</hw-nac-dot1x:name>
          <hw-nac-dot1x:dhcp-binding>true</hw-nac-dot1x:dhcp-binding>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Quiet Function for 802.1X Authentication Users

This section provides a sample of configuring the quiet function for 802.1X authentication users using the merge method.

Table 3-1357 Configuring the quiet function for 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/quiet-function/enable

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-period

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-times

Data Requirements
Table 3-1358 Configuring the quiet function for 802.1X authentication users

Item

Data

Description

enable

true

Configure the quiet function for 802.1X authentication users.

quiet-period

40

Set the quiet period for 802.1X authentication users to 40 seconds.

quiet-times

8

Set the maximum number of authentication failures within 60 seconds before the device quiets an 802.1X authentication user to 8.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:quiet-function>
          <hw-nac-dot1x:enable>true</hw-nac-dot1x:enable>
          <hw-nac-dot1x:quiet-period>40</hw-nac-dot1x:quiet-period>
          <hw-nac-dot1x:quiet-times>8</hw-nac-dot1x:quiet-times>
        </hw-nac-dot1x:quiet-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Interval for Sending 802.1X Authentication Request Packets

This section provides a sample of configuring the interval for sending 802.1X authentication request packets using the merge method.

Table 3-1359 Configuring the interval for sending 802.1X authentication request packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/tx-period

Data Requirements
Table 3-1360 Configuring the interval for sending 802.1X authentication request packets

Item

Data

Description

tx-period

40

Set the interval for sending 802.1X authentication request packets to 40 seconds.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:tx-period>40</hw-nac-dot1x:tx-period>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the URL Redirection for 802.1X Authentication

This section provides a sample of configuring the URL redirection for 802.1X authentication using the merge method.

Table 3-1361 Configuring the URL redirection for 802.1X authentication

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/url

Data Requirements
Table 3-1362 Configuring the URL redirection for 802.1X authentication

Item

Data

Description

url

http://www.123.com.cn

Configure the URL redirection.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:url>http://www.123.com.cn</hw-nac-dot1x:url>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Function of Triggering 802.1X Authentication Through Multicast Packets

This section provides a sample of configuring the function of triggering 802.1X authentication through multicast packets using the merge method.

Table 3-1363 Configuring the function of triggering 802.1X authentication through multicast packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/enable

Data Requirements
Table 3-1364 Configuring the function of triggering 802.1X authentication through multicast packets

Item

Data

Description

enable

true

Configure the function of triggering 802.1X authentication through multicast packets.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:multicast-trigger-function>
          <hw-nac-dot1x:enable>true</hw-nac-dot1x:enable>
        </hw-nac-dot1x:multicast-trigger-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Enabling the Function of Triggering 802.1X Authentication Through Multicast Packets Immediately After an Interface Goes Up

This section provides a sample of enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up using the merge method.

Table 3-1365 Enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/port-up-enable

Data Requirements
Table 3-1366 Enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up

Item

Data

Description

port-up-enable

true

Enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:multicast-trigger-function>
          <hw-nac-dot1x:port-up-enable>true</hw-nac-dot1x:port-up-enable>
        </hw-nac-dot1x:multicast-trigger-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
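
Added example (not part of the Huawei reference): a Python helper that checks profile settings against the ranges and enumerations in the 802.1X data model table before building the edit-config request, so an out-of-range or malformed value is rejected on the client. Element names and namespaces are those in the request examples above, which omit the configure-mode and unified-mode path segments; the function names and the nc prefix are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
D1X = "urn:huawei:params:xml:ns:yang:huawei-nac-dot1x"
ET.register_namespace("nc", NC)  # prefix chosen for this example
ET.register_namespace("hw-nac-dot1x", D1X)

# Constraints transcribed from the 802.1X data model table on this page.
# Paths are relative to dot1x-access-profile.
INT_RANGES = {
    "handshake/period-eth-trunk": (30, 7200),
    "handshake/period-non-eth-trunk": (5, 7200),
    "retry-function/max-retry": (1, 10),
    "retry-function/client-time-out": (1, 120),
    "re-authenticate-function/re-authenticate-period": (60, 7200),
}
ENUMS = {
    "authentication-method": {"chap", "pap", "eap"},
    "handshake/packet-type": {"request-identity", "srp-sha1-part2"},
    "port-control-function/mode": {"auto", "authorized-force", "unauthorized-force"},
    "trigger-packet": {"dhcp", "arp"},
}
MULTI_VALUED = {"trigger-packet"}  # the request example sends one element per value
BOOLEANS = {"re-authenticate-function/re-authenticate-enable", "dhcp-binding"}
NAME_FORBIDDEN = set(' /\\:*?"<>|@\'%')


def check_name(name):
    """Apply the documented profile-name rules; return the name if valid."""
    if not 1 <= len(name) <= 31:
        raise ValueError("name: must be 1 to 31 characters")
    if name in ("-", "--"):
        raise ValueError("name: cannot be - or --")
    bad = sorted(NAME_FORBIDDEN & set(name))
    if bad:
        raise ValueError(f"name: forbidden characters {bad}")
    return name


def leaf_values(path, value):
    """Validate one setting; return the text of each element to emit."""
    if path in INT_RANGES:
        low, high = INT_RANGES[path]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{path}: expected an integer from {low} to {high}, got {value!r}")
        return [str(value)]
    if path in ENUMS:
        many = path in MULTI_VALUED and not isinstance(value, str)
        values = list(value) if many else [value]
        for item in values:
            if item not in ENUMS[path]:
                raise ValueError(f"{path}: {item!r} is not one of {sorted(ENUMS[path])}")
        return values
    if path in BOOLEANS:
        if not isinstance(value, bool):
            raise ValueError(f"{path}: expected true or false, got {value!r}")
        return ["true" if value else "false"]
    raise ValueError(f"{path}: not a profile leaf in the data model table")


def build_profile_rpc(name, settings, message_id="0"):
    """Return an edit-config request for one 802.1X access profile as text."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    config = ET.SubElement(edit, f"{{{NC}}}config")
    access = ET.SubElement(config, f"{{{D1X}}}dot1x-access")
    profile = ET.SubElement(access, f"{{{D1X}}}dot1x-access-profile")
    ET.SubElement(profile, f"{{{D1X}}}name").text = check_name(name)
    for path, value in settings.items():
        *containers, leaf = path.split("/")
        for text in leaf_values(path, value):
            parent = profile
            for container in containers:
                # Reuse a container (for example handshake) created by an earlier leaf.
                found = parent.find(f"{{{D1X}}}{container}")
                if found is None:
                    found = ET.SubElement(parent, f"{{{D1X}}}{container}")
                parent = found
            ET.SubElement(parent, f"{{{D1X}}}{leaf}").text = text
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    # Same data as the handshake request example on this page.
    print(build_profile_rpc("test", {
        "handshake/period-eth-trunk": 51,
        "handshake/period-non-eth-trunk": 200,
        "handshake/packet-type": "srp-sha1-part2",
    }))
    try:
        build_profile_rpc("test", {"handshake/period-eth-trunk": 20})
    except ValueError as err:
        print("rejected:", err)  # 20 is below the documented minimum of 30
```

The eap-notify-packet leaf is left out on purpose: the data model table describes it as a Boolean, while the request example sends eap-code and data-type child elements.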

Configuring a MAC Access Profile

Data Model

The configuration model file matching the MAC access profile is huawei-nac-mac.yang.

Table 3-1367 Data model

Object

Description

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile

Indicates that the object of a request operation (create or modify) is a MAC access profile. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Indicates the name of the created MAC access profile.

The value is a string of 1 to 31 case-sensitive characters and cannot be - or --. It cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Specifies the password for a MAC address authentication user and displays the password in cipher text.

The value is a string of case-sensitive characters without spaces. The password is either a plain-text string of 1 to 128 characters or a cipher-text string of 48 to 188 characters.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Configures a fixed user name for MAC address authentication.

The value is a string of 1 to 64 case-sensitive characters without spaces.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Indicates the format of a MAC address.

The value is of the enumerated type:

  • with-hyphen: indicates that the MAC address contains hyphens (-), for example, 0005-e01c-02e3.
  • with-hyphen-normal: indicates that the MAC address contains hyphens (-), for example, 00-05-e0-1c-02-e3.
  • without-hyphen: indicates that the MAC address does not contain hyphens (-), for example, 0005e01c02e3.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Configures a MAC address in uppercase or lowercase format as the user name for MAC address authentication.

The value is of the enumerated type:

  • uppercase: indicates that the MAC address is in uppercase format.
  • lowercase: indicates that the MAC address is in lowercase format.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/trigger-packet

Configures the type of packets that can trigger MAC address authentication.

The value is of the enumerated type:

  • dhcp: indicates DHCP packets.
  • arp: indicates ARP packets.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate

Indicates whether to enable re-authentication for online MAC address authentication users.

The value is of the Boolean type:

  • true: enables re-authentication.
  • false: disables re-authentication.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate-period

Configures the interval for re-authenticating online MAC address authentication users.

The value is an integer in the range from 60 to 7200, in seconds.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate/mac

Indicates a source MAC address segment allowed for MAC address authentication.

The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits.

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate/prefix-length

Indicates the mask length of a source MAC address segment allowed for MAC address authentication.

The value is an integer in the range from 1 to 48.
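The user-name formats and the permit-mac segment described above, worked through in Python as an added example (not code from this reference or from Huawei). It assumes that an H group shorter than four digits is zero-padded on the left and that prefix-length counts leading bits of the 48-bit address, as an IP prefix does; the function names and the observed MAC list are constructed for illustration.

```python
import re

# permit-mac/mac is documented as H-H-H, where H is 1 to 4 hexadecimal digits.
HHH = re.compile(r"([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})")

# Digits per hyphen-separated group for each mac-address-format enum value.
GROUP_WIDTH = {"with-hyphen": 4, "with-hyphen-normal": 2, "without-hyphen": 12}


def parse_hhh(text):
    """Parse an H-H-H MAC address into a 48-bit integer.

    Assumption: a group shorter than four digits is zero-padded on the left.
    """
    match = HHH.fullmatch(text)
    if match is None:
        raise ValueError(f"not in H-H-H format: {text!r}")
    value = 0
    for group in match.groups():
        value = (value << 16) | int(group, 16)
    return value


def format_user_name(mac, mac_address_format, letter):
    """Render a 48-bit MAC as the user name for the given enum values."""
    if mac_address_format not in GROUP_WIDTH:
        raise ValueError(f"unknown mac-address-format: {mac_address_format!r}")
    if letter not in ("uppercase", "lowercase"):
        raise ValueError(f"unknown letter value: {letter!r}")
    digits = f"{mac:012x}"
    step = GROUP_WIDTH[mac_address_format]
    name = "-".join(digits[i:i + step] for i in range(0, 12, step))
    return name.upper() if letter == "uppercase" else name


def in_permit_segment(mac, segment_mac, prefix_length):
    """True when mac and segment_mac share their leading prefix_length bits.

    Assumption: prefix-length is a bit count from the most significant bit.
    """
    if not 1 <= prefix_length <= 48:
        raise ValueError("prefix-length must be in the range from 1 to 48")
    shift = 48 - prefix_length
    return (mac >> shift) == (segment_mac >> shift)


def preview_user_names(observed, segment, prefix_length, mac_address_format, letter):
    """Map each observed MAC to its expected user name, or None if outside the segment."""
    segment_mac = parse_hhh(segment)
    preview = {}
    for text in observed:
        mac = parse_hhh(text)
        if in_permit_segment(mac, segment_mac, prefix_length):
            preview[text] = format_user_name(mac, mac_address_format, letter)
        else:
            preview[text] = None
    return preview


if __name__ == "__main__":
    # Constructed endpoint list; the segment and prefix length are the
    # values used in this reference's permit-mac request sample.
    observed = ["c0bf-c0aa-0001", "c0bf-c123-fb11", "0005-e01c-02e3"]
    result = preview_user_names(
        observed, "c0bf-c023-fb11", 24, "with-hyphen-normal", "uppercase"
    )
    for mac_text, user_name in result.items():
        print(mac_text, "->", user_name or "outside permit-mac segment")
```

Comparing the previewed names with the account names on the authentication server before pushing the profile shows format or case mismatches early.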

Creating a MAC Access Profile

This section provides a sample of creating a MAC access profile using the merge method. You can also use the create method to create a MAC access profile.

Table 3-1368 Creating a MAC access profile

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Data Requirements
Table 3-1369 Creating a MAC access profile

Item

Data

Description

name

test

Create the MAC access profile named test.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>  
Configuring a Password for a MAC Address Authentication User and Displaying the Password in Cipher Text

This section provides a sample of configuring a password for a MAC address authentication user and displaying the password in cipher text using the merge method. You can also use the create method to configure a password for a MAC address authentication user and display the password in cipher text.

Table 3-1370 Configuring a password for a MAC address authentication user and displaying the password in cipher text

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Data Requirements
Table 3-1371 Configuring a password for a MAC address authentication user and displaying the password in cipher text

Item

Data

Description

name

test

Configure a password for a MAC address authentication user and display the password in cipher text.

The MAC access profile must have been created.

mac-address-format

with-hyphen-normal

letter

uppercase

password

huawei@123

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
     <password>huawei@123</password>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring a Fixed User Name for MAC Address Authentication

This section provides a sample of configuring a fixed user name for MAC address authentication using the merge method. You can also use the create method to configure a fixed user name for MAC address authentication.

Table 3-1372 Configuring a fixed user name for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Data Requirements
Table 3-1373 Configuring a fixed user name for MAC address authentication

Item

Data

Description

name

test

Configure a fixed user name for MAC address authentication.

The MAC access profile must have been created.

user-name

huawei

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <user-name>huawei</user-name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Format of MAC Addresses Used as User Names for MAC Address Authentication

This section provides a sample of configuring the format of MAC addresses used as user names for MAC address authentication using the merge method. You can also use the create method to configure the format of MAC addresses used as user names for MAC address authentication.

Table 3-1374 Configuring the format of MAC addresses used as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Data Requirements
Table 3-1375 Configuring the format of MAC addresses used as user names for MAC address authentication

Item

Data

Description

name

test

Configure the format of MAC addresses used as user names for MAC address authentication.

The MAC access profile must have been created.

mac-address-format

with-hyphen-normal

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring a MAC Address in Uppercase Format as the User Name for MAC Address Authentication

This section provides a sample of configuring a MAC address in uppercase format as the user name for MAC address authentication using the merge method. You can also use the create method to configure a MAC address in uppercase format as the user name for MAC address authentication.

Table 3-1376 Configuring a MAC address in uppercase format as the user name for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Data Requirements
Table 3-1377 Configuring a MAC address in uppercase format as the user name for MAC address authentication

Item

Data

Description

name

test

Configure a MAC address in uppercase format as the user name for MAC address authentication.

The MAC access profile must have been created.

letter

uppercase

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Type of Packets That Can Trigger MAC Address Authentication

This section provides a sample of configuring the type of packets that can trigger MAC address authentication using the merge method. You can also use the create method to configure the type of packets that can trigger MAC address authentication.

Table 3-1378 Configuring the type of packets that can trigger MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/trigger-packet

Data Requirements
Table 3-1379 Configuring the type of packets that can trigger MAC address authentication

Item

Data

Description

name

test

Configure the function of triggering MAC address authentication through DHCP and ARP packets.

The MAC access profile must have been created.

trigger-packet

  • dhcp
  • arp
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <trigger-packet>arp</trigger-packet>
     <trigger-packet>dhcp</trigger-packet>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Enabling Re-authentication for Online MAC Address Authentication Users

This section provides a sample of enabling re-authentication for online MAC address authentication users using the merge method. You can also use the create method to enable re-authentication for online MAC address authentication users.

Table 3-1380 Enabling re-authentication for online MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate

Data Requirements
Table 3-1381 Enabling re-authentication for online MAC address authentication users

Item

Data

Description

name

test

Enable re-authentication for online MAC address authentication users.

The MAC access profile must have been created.

re-authenticate

true

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-re-authenticate>
      <re-authenticate>true</re-authenticate>
     </mac-re-authenticate>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Interval for Re-authenticating Online MAC Address Authentication Users

This section provides a sample of configuring the interval for re-authenticating online MAC address authentication users using the merge method. You can also use the create method to configure the interval for re-authenticating online MAC address authentication users.

Table 3-1382 Configuring the interval for re-authenticating online MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate-period

Data Requirements
Table 3-1383 Configuring the interval for re-authenticating online MAC address authentication users

Item

Data

Description

name

test

Set the interval for re-authenticating online MAC address authentication users to 80 seconds.

The MAC access profile must have been created.

re-authenticate-period

80

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-re-authenticate>
      <re-authenticate-period>80</re-authenticate-period>
     </mac-re-authenticate>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring a Source MAC Address Segment Allowed for MAC Address Authentication

This section provides a sample of configuring a source MAC address segment allowed for MAC address authentication using the merge method.

Table 3-1384 Configuring a source MAC address segment allowed for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate

Data Requirements
Table 3-1385 Configuring a source MAC address segment allowed for MAC address authentication

| Item | Data | Description |
| --- | --- | --- |
| name | test | Configure the MAC access profile named test. |
| dhcp-option-format | option82-circuit-id | Set the user name for MAC address authentication to a specified DHCP option. |
| separate | # | Set the delimiter in the user name of MAC address authentication to #. |
| code-format | format-hex | Set the user name for MAC address authentication in hexadecimal format. |
| password | huawei@123 | Set the password for MAC address authentication to huawei@123. |
| get-dhcp-option | option-82 | Send DHCP option information to the authentication server. |
| re-authenticate-dhcp-renew | true | Re-authenticate the users when the device receives DHCP lease renewal packets from MAC address authentication users. |
| off-line-dhcp-release | true | Clear user entries when the device receives DHCP release packets from MAC address authentication users. |
| mac | c0bf-c023-fb11 | Set the MAC address to c0bf-c023-fb11. |
| prefix-length | 24 | Set the mask length of the MAC address to 24. |

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>huawei@123</hw-nac-mac:password>
          <hw-nac-mac:get-dhcp-option>option-82</hw-nac-mac:get-dhcp-option>
          <hw-nac-mac:mac-re-authenticate>
            <hw-nac-mac:re-authenticate-dhcp-renew>true</hw-nac-mac:re-authenticate-dhcp-renew>
          </hw-nac-mac:mac-re-authenticate>
          <hw-nac-mac:off-line-dhcp-release>true</hw-nac-mac:off-line-dhcp-release>
          <hw-nac-mac:permit-mac>
            <hw-nac-mac:permit-mac-authenticate>
              <hw-nac-mac:mac>c0bf-c023-fb11</hw-nac-mac:mac>
              <hw-nac-mac:prefix-length>24</hw-nac-mac:prefix-length>
            </hw-nac-mac:permit-mac-authenticate>
          </hw-nac-mac:permit-mac>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Quiet Function for MAC Address Authentication Users

This section provides a sample of configuring the quiet function for MAC address authentication users using the merge method.

Table 3-1386 Configuring the quiet function for MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/quiet-function

Data Requirements
Table 3-1387 Configuring the quiet function for MAC address authentication users

| Item | Data | Description |
| --- | --- | --- |
| quiet-period | 2400 | Set the quiet period of a MAC address authentication user to 2400 seconds. |
| quiet-times | 7 | Set to 7 the maximum number of authentication failures within 60 seconds before the device quiets the MAC address authentication user. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">   
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac" xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <quiet-function>
     <quiet-period>2400</quiet-period>
     <quiet-times>7</quiet-times>
    </quiet-function>
   </mac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Configuring a Portal Server Template

This section describes the data model of a Portal server template and provides examples of creating and deleting Portal authentication XML packets.

Data Model

The data model file matching the Portal server template is huawei-aaa-portal.yang.

Table 3-1388 Data model

Object

Description

/huawei-aaa-portal/portal

Indicates that the object of a request operation (create or modify) is Portal. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Indicates the IP address of a Portal server.

The value is in dotted decimal notation.

/huawei-aaa-portal/portal/portal-server/destination-port

Indicates the destination port number in the packets sent from the device to the Portal server.

The value is an integer in the range from 1 to 65535.

/huawei-aaa-portal/portal/portal-server/shared-key

Indicates the shared key used by the device to exchange information with the Portal server.

The value is a string of case-sensitive characters without spaces. The shared key is either a cipher-text string of 48 characters or a plain-text string of 1 to 16 characters. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

/huawei-aaa-portal/portal/portal-server/server-url

Indicates the URL of the Portal server.

The value is a string of 1 to 200 case-sensitive characters without spaces and question marks (?). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

/huawei-aaa-portal/portal/portal-server/url-template/name

Binds a URL template to a Portal server template.

The value must be an existing URL template name.

/huawei-aaa-portal/portal/portal-server/protocol

Indicates the protocol used for Portal authentication.

The value is of the enumerated type:

  • http
  • haca
  • portal

/huawei-aaa-portal/portal/portal-server/name

Indicates the name of a Portal server template.

The value is a string of 1 to 31 case-sensitive characters and cannot be - or --. It cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %. The value cannot be set to listening-port, reply-message, version, or the first character or several leftmost characters of these character strings.

/huawei-aaa-portal/portal/portal-server/web-redirection-disable

Indicates whether to enable the Portal authentication redirection function.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Indicates whether to enable the Portal server detection function.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-aaa-portal/portal/portal-server/user-sync-function

Indicates whether to enable the synchronization of Portal authentication user information.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Indicates the source IP address used by the device to communicate with the Portal server. The value is in dotted decimal notation.

/huawei-aaa-portal/portal/listening-port

Indicates the number of the port through which the device listens to Portal packets. The value is an integer in the range from 1024 to 55535.

/huawei-aaa-portal/portal/url-template

Indicates the name of a URL template.

The value is a string of 1 to 31 case-sensitive characters and cannot be - or --. It cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-aaa-portal/portal/url-template/url/url

Indicates the redirection URL or pushed URL of the Portal server.

The value is a string of 1 to 200 characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

/huawei-aaa-portal/portal/url-template/url-parameter

Indicates parameters carried in the URL.

The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

/huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

/huawei-aaa-portal:portal/url-template/url-ssid

Indicates the SSID that users associate with in the redirection URL or pushed URL of the Portal server.

The value must be an existing SSID.

/huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Indicates the start character in the URL.

The value is one case-sensitive character without spaces.

/huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Indicates the assignment character in the URL.

The value is one case-sensitive character without spaces.

/huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Indicates the delimiter between URLs.

The value is one case-sensitive character without spaces.

/huawei-aaa-portal:portal/reply-message-enable

Indicates whether to enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-aaa-portal:portal/logout-resend-function/interval

Indicates the re-transmission interval of Portal authentication user logout packets.

The value is an integer in the range from 1 to 300, in seconds.

/huawei-aaa-portal:portal/logout-resend-function/times

Indicates the number of re-transmission times for Portal authentication user logout packets.

The value is an integer in the range from 0 to 15.

The value 0 indicates that the re-transmission function is disabled.

/huawei-aaa-portal:portal/version

Indicates the Portal protocol version supported by the device.

The value is of the enumerated type:

  • v2
  • v2v1

/huawei-aaa-portal:portal/logout-different-server-enable

Indicates whether to enable a device to process user logout requests sent by a Portal server other than the one from which users log in.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.
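A pre-flight check for the Portal server template fields described in the data model above, followed by construction of the edit-config request, as an added Python example (not code from this reference or from Huawei). The function names and the `message_id` argument are assumptions made for illustration; only the name, portal-server-ip, shared-key and server-url leaves are handled, and the quoted-string form that permits spaces is not modelled.

```python
import ipaddress
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
PORTAL = "urn:huawei:params:xml:ns:yang:huawei-aaa-portal"
FORBIDDEN = set('/\\:*?"<>|@\'%')
RESERVED = ("listening-port", "reply-message", "version")
LEAVES = ("portal-server-ip", "shared-key", "server-url")


def check_template_name(name):
    """Return the documented naming rules that a template name violates."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("name: length must be 1 to 31 characters")
    if name in ("-", "--"):
        problems.append("name: cannot be - or --")
    if FORBIDDEN & set(name) or any(ch.isspace() for ch in name):
        problems.append("name: contains a space or a forbidden character")
    # Reserved words and any leading part of them (for example "ver") are refused.
    if name and any(word.startswith(name) for word in RESERVED):
        problems.append("name: reserved word or leading part of one")
    return problems


def check_portal_server(cfg):
    """Validate a dict of leaf values against the data model's value rules."""
    problems = check_template_name(cfg.get("name", ""))
    ip = cfg.get("portal-server-ip")
    if ip is not None:
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append("portal-server-ip: not in dotted decimal notation")
    key = cfg.get("shared-key")
    if key is not None:
        if " " in key:
            problems.append("shared-key: contains a space")
        if len(key) != 48 and not 1 <= len(key) <= 16:
            problems.append("shared-key: need 1 to 16 plain-text "
                            "or 48 cipher-text characters")
    url = cfg.get("server-url")
    if url is not None:
        if not 1 <= len(url) <= 200:
            problems.append("server-url: length must be 1 to 200 characters")
        if " " in url or "?" in url:
            problems.append("server-url: contains a space or a question mark")
    return problems


def build_edit_config(cfg, message_id):
    """Build the edit-config request, refusing values that fail the checks.

    ElementTree escapes leaf text, so a key containing < or & cannot alter
    the structure of the request. It serializes with namespace prefixes
    instead of default namespaces; the two forms are equivalent XML.
    """
    problems = check_portal_server(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    ET.register_namespace("nc", NC)
    ET.register_namespace("portal", PORTAL)
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    target = ET.SubElement(edit, f"{{{NC}}}target")
    ET.SubElement(target, f"{{{NC}}}running")
    ET.SubElement(edit, f"{{{NC}}}error-option").text = "rollback-on-error"
    config = ET.SubElement(edit, f"{{{NC}}}config")
    portal = ET.SubElement(config, f"{{{PORTAL}}}portal")
    server = ET.SubElement(portal, f"{{{PORTAL}}}portal-server")
    ET.SubElement(server, f"{{{PORTAL}}}name").text = cfg["name"]
    for leaf in LEAVES:
        if leaf in cfg:
            ET.SubElement(server, f"{{{PORTAL}}}{leaf}").text = cfg[leaf]
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    # Values taken from this reference's request samples.
    sample = {"name": "huawei", "portal-server-ip": "10.10.10.10",
              "server-url": "http://www.abc.com"}
    print(build_edit_config(sample, "123"))
```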
Creating a Portal Server Template

This section describes how to create a Portal server template using the merge method. A Portal server template can also be created using the create method.

Table 3-1389 Creating a Portal server template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/name

Data Requirements
Table 3-1390 Portal server template

Item

Data

Description

name

huawei

Create a Portal server template named huawei.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Configuring the IP Address of a Portal Server

This section describes how to configure the IP address of a Portal server using the merge method. This IP address can also be configured using the create method.

Table 3-1391 Configuring the IP address of a Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Data Requirements
Table 3-1392 Configuring the IP address of a Portal server

Item

Data

Description

portal-server-ip

10.10.10.10

Set the IP address of a Portal server to 10.10.10.10.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <portal-server-ip>10.10.10.10</portal-server-ip>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Configuring the Source IP Address Used by the Device to Communicate with the Portal Server

This section describes how to configure the source IP address used by the device to communicate with a Portal server using the merge method. This source IP address can also be configured using the create method.

Table 3-1393 Configuring the source IP address used by the device to communicate with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Data Requirements
Table 3-1394 Configuring the source IP address used by the device to communicate with the Portal server

Item

Data

Description

ip-address

192.168.255.255

Set the source IP address used by the device to communicate with the Portal server to 192.168.255.255.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <ip-address xc:operation="merge">192.168.255.255</ip-address>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Configuring the Destination Port Number in the Packets Sent from the Device to the Portal Server

This section describes how to configure the destination port number in the packets sent from the device to the Portal server using the merge method. This destination port number can also be configured using the create method.

Table 3-1395 Configuring the destination port number in the packets sent from the device to the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/destination-port

Data Requirements
Table 3-1396 Configuring the destination port number in the packets sent from the device to the Portal server

Item

Data

Description

port

555

Set the destination port number in the packets sent from the device to the Portal server to 555.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <destination-port>
      <port>555</port>
      <always>true</always>
     </destination-port>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Configuring the Shared Key Used by the Device to Exchange Information with the Portal Server

This section describes how to configure the shared key used by the device to exchange information with the Portal server using the merge method. This shared key can also be configured using the create method.

Table 3-1397 Configuring the shared key used by the device to exchange information with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/shared-key

Data Requirements
Table 3-1398 Configuring the shared key used by the device to exchange information with the Portal server

Item

Data

Description

shared-key

zLUYANG12#$%()aa

Set the shared key used by the device to exchange information with the Portal server to zLUYANG12#$%()aa.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <shared-key>zLUYANG12#$%()aa</shared-key>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Disabling Portal Authentication Redirection

This section describes how to disable Portal authentication redirection using the replace method.

Table 3-1399 Disabling Portal authentication redirection

Operation

XPATH

edit-config:replace

/huawei-aaa-portal/portal/portal-server/web-redirection-disable

Data Requirements
Table 3-1400 Disabling Portal authentication redirection

Item

Data

Description

web-redirection-disable

true

Disable Portal authentication redirection.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <web-redirection-disable xc:operation="replace">true</web-redirection-disable>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>  
Configuring the URL of the Portal Server

This section describes how to configure the URL of a Portal server using the merge method. This URL can also be configured using the create method.

Table 3-1401 Configuring the URL of the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/server-url

Data Requirements
Table 3-1402 Configuring the URL of the Portal server

Item

Data

Description

server-url

http://www.abc.com

Set the URL of the Portal server to http://www.abc.com.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <server-url>http://www.abc.com</server-url>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply> 
Creating a URL Template

This section describes how to create a URL template using the merge method. A URL template can also be created using the create method.

Table 3-1403 Creating a URL template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template

Data Requirements
Table 3-1404 Creating a URL template

Item

Data

Description

name

test

Create a URL template named test.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Redirection URL or Pushed URL of the Portal Server

This section describes how to configure the redirection URL or pushed URL of the Portal server using the merge method. This redirection URL or pushed URL can also be configured using the create method.

Table 3-1405 Configuring the redirection URL or pushed URL of the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template/url/url

Data Requirements
Table 3-1406 Configuring the redirection URL or pushed URL of the Portal server

Item

Data

Description

url

12345

Configure the redirection URL or pushed URL of the Portal server.

url-type

push-only

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Parameters in the URL

This section describes how to configure the parameters in the URL using the merge method. These parameters can also be configured using the create method.

Table 3-1407 Configuring the parameters in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template/url-parameter

Data Requirements
Table 3-1408 Configuring the parameters in the URL

Item

Data

Description

ac-ip

Acip

Configure the parameters in the URL.

ac-mac

Acma

ap-ip

Apip

ap-mac

Apma

redirect-url

Rede

ssid

Ssid

sysname

Sses

user-ipaddress

User

user-mac

User

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
     <url-parameter>
      <ac-ip>Acip</ac-ip>
      <ac-mac>Acma</ac-mac>
      <ap-ip>Apip</ap-ip>
      <ap-mac>Apma</ap-mac>
      <redirect-url>Rede</redirect-url>
      <ssid>Ssid</ssid>
      <sysname>Sses</sysname>
      <user-ipaddress>User</user-ipaddress>
      <user-mac>User</user-mac>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the MAC Address Format in the URL

This section describes how to configure the MAC address format in the URL using the merge method. This MAC address format can also be configured using the create method.

Table 3-1409 Configuring the MAC address format in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

Data Requirements
Table 3-1410 Configuring the MAC address format in the URL

Item

Data

Description

delimiter

7

Configure the MAC address format in the URL.

format

compact

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
     <url-parameter>
      <ac-ip>Acip</ac-ip>
      <ac-mac>Acma</ac-mac>
      <ap-ip>Apip</ap-ip>
      <ap-mac>Apma</ap-mac>
      <redirect-url>Rede</redirect-url>
      <ssid>Ssid</ssid>
      <sysname>Sses</sysname>
      <user-ipaddress>User</user-ipaddress>
      <user-mac>User</user-mac>
      <mac-address-format>
       <delimiter>7</delimiter>
       <format>compact</format>
      </mac-address-format>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Binding a URL Template to a Portal Server Template

This section describes how to bind a URL template to a Portal server template using the merge method. A URL template can also be bound to a Portal server template using the create method.

Table 3-1411 Binding a URL template to a Portal server template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/url-template/name

Data Requirements
Table 3-1412 Binding a URL template to a Portal server template

Item

Data

Description

name

abc

Bind the URL template abc to the Portal server template huawei.

Both the Portal server template huawei and URL template abc have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <url-template>
     <name>abc</name>
    </url-template>
    <portal-server> 
     <name>huawei</name>
     <url-template xc:operation="merge">
      <name>abc</name>
     </url-template>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply> 
Configuring the Protocol Used for Portal Authentication

This section describes how to configure the protocol used for Portal authentication using the merge method. This protocol can also be configured using the create method.

Table 3-1413 Configuring the protocol used for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/protocol

Data Requirements
Table 3-1414 Configuring the protocol used for Portal authentication

Item

Data

Description

protocol

portal

Set the protocol used for Portal authentication to portal.

The Portal server template huawei has been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <protocol>portal</protocol>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>   
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Number of the Port Through Which the Device Listens to Portal Packets

This section describes how to configure the number of the port through which the device listens to Portal packets using the merge method. This port number can also be configured using the create method.

Table 3-1415 Configuring the number of the port through which the device listens to Portal packets

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/listening-port

Data Requirements
Table 3-1416 Configuring the number of the port through which the device listens to Portal packets

Item

Data

Description

listening-port

3210

Set the number of the port through which the device listens to Portal packets to 3210.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>
Enabling Portal Server Detection

This section describes how to enable Portal server detection using the merge method. Portal server detection can also be enabled using the create method.

Table 3-1417 Enabling Portal server detection

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Data Requirements
Table 3-1418 Enabling Portal server detection

Item

Data

Description

server-detect-enable

true

Enable Portal server detection.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <server-detect-function>
      <server-detect-enable xc:operation="merge">true</server-detect-enable>
     </server-detect-function>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>  
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>
Enabling Portal Authentication User Information Synchronization

This section describes how to enable Portal authentication user information synchronization using the merge method. Portal authentication user information synchronization can also be enabled using the create method.

Table 3-1419 Enabling Portal authentication user information synchronization

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/user-sync-function

Data Requirements
Table 3-1420 Enabling Portal authentication user information synchronization

Item

Data

Description

user-sync-enable

true

Enable Portal authentication user information synchronization.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <user-sync-function>
      <user-sync-enable xc:operation="merge">true</user-sync-enable>
     </user-sync-function>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>  
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>
Configuring the SSID that Users Associate with in the Redirection URL or Pushed URL of the Portal Server

This section provides a sample of configuring the SSID that users associate with in the redirection URL or pushed URL of the Portal server using the merge method. You can also use the create method to configure the SSID that users associate with in the redirection URL or pushed URL of the Portal server.

Table 3-1421 Configuring the SSID that users associate with in the redirection URL or pushed URL of the portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/url-ssid

Data Requirements
Table 3-1422 Configuring the SSID that users associate with in the redirection URL or pushed URL of the portal server

Item

Data

Description

name

111

Configure the SSID that users associate with in the redirection URL or pushed URL of the Portal server.

url

111

ssid

111

url-type

push-only

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <url-template>
     <name>111</name>
     <url-ssid>
      <url>111</url>
      <ssid>111</ssid>
      <url-type>push-only</url-type>
     </url-ssid>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Start Character in the URL

This section provides a sample of configuring the start character in the URL using the merge method. You can also use the create method to configure the start character in the URL.

Table 3-1423 Configuring the start character in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Data Requirements
Table 3-1424 Configuring the start character in the URL

Item

Data

Description

name

url1

Set the start character in the URL to a.

start-mark

a

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <url-template>
          <name>url1</name>
          <mark-parameter>
            <start-mark>a</start-mark>
          </mark-parameter>
        </url-template>
      </portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Assignment Character in the URL

This section provides a sample of configuring the assignment character in the URL using the merge method. You can also use the create method to configure the assignment character in the URL.

Table 3-1425 Configuring the assignment character in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Data Requirements
Table 3-1426 Configuring the assignment character in the URL

Item

Data

Description

name

url1

Set the assignment character in the URL to an equal sign (=).

assignment-mark

=

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <url-template>
          <name>url1</name>
          <mark-parameter>
            <assignment-mark>=</assignment-mark>
          </mark-parameter>
        </url-template>
      </portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the Delimiter Between URLs

This section provides a sample of configuring the delimiter between URLs using the merge method. You can also use the create method to configure the delimiter between URLs.

Table 3-1427 Configuring the delimiter between URLs

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Data Requirements
Table 3-1428 Configuring the delimiter between URLs

Item

Data

Description

name

url1

Set the delimiter between URLs to l.

isolate-mark

l

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <url-template>
          <name>url1</name>
          <mark-parameter>
            <isolate-mark>l</isolate-mark>
          </mark-parameter>
        </url-template>
      </portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Enabling the Device to Transparently Transmit User Authentication Responses Sent by the Authentication Server to the Portal Server

This section provides a sample of enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server using the merge method. You can also use the create method to enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

Table 3-1429 Enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/reply-message-enable

Data Requirements
Table 3-1430 Enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server

Item

Data

Description

reply-message-enable

true

Enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <reply-message-enable>true</reply-message-enable>
   </portal>
  </config>
 </edit-config>
</rpc>  
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Re-transmission Times and Interval for Portal Authentication User Logout Packets

This section provides a sample of configuring the re-transmission times and interval for Portal authentication user logout packets using the merge method. You can also use the create method to configure the re-transmission times and interval for Portal authentication user logout packets.

Table 3-1431 Configuring the re-transmission times and interval for Portal authentication user logout packets

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/logout-resend-function/interval

/huawei-aaa-portal:portal/logout-resend-function/times

Data Requirements
Table 3-1432 Configuring the re-transmission times and interval for Portal authentication user logout packets

Item

Data

Description

interval

15

Set the number of retransmissions to 10 and the retransmission interval to 15 seconds for Portal authentication user logout packets.

times

10

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <logout-resend-function>
     <interval>15</interval>
     <times>10</times>
    </logout-resend-function>
   </portal>
  </config>
 </edit-config>
</rpc> 
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Configuring the Portal Protocol Version Supported by the Device

This section provides a sample of configuring the Portal protocol version supported by the device using the merge method.

Table 3-1433 Configuring the Portal protocol version supported by the device

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/version

Data Requirements
Table 3-1434 Configuring the Portal protocol version supported by the device

Item

Data

Description

version

v1v2

Set the Portal protocol version supported by the device to version V1.0 or V2.0.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:version>v1v2</hw-aaa-portal:version>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring a Device to Process User Logout Requests Sent by a Portal Server Other Than the One From Which Users Log In

This section provides a sample of configuring a device to process user logout requests sent by a Portal server other than the one from which users log in using the merge method.

Table 3-1435 Configuring a device to process user logout requests sent by a Portal server other than the one from which users log in

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/logout-different-server-enable

Data Requirements
Table 3-1436 Configuring a device to process user logout requests sent by a Portal server other than the one from which users log in

Item

Data

Description

logout-different-server-enable

true

Configure a device to process user logout requests sent by a Portal server other than the one from which users log in.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:logout-different-server-enable>true</hw-aaa-portal:logout-different-server-enable>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring Parameters in the URL

This section provides a sample of configuring parameters in the URL using the merge method.

Table 3-1437 Configuring parameters in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/url-parameter/login-url/key

/huawei-aaa-portal:portal/url-template/url-parameter/login-url/value

/huawei-aaa-portal:portal/url-template/url-parameter/user-vlan

/huawei-aaa-portal:portal/url-template/url-parameter/set-parameter-value/set-ac-ip/source-type/ip/ip-address

/huawei-aaa-portal:portal/url-template/url-parameter/set-parameter-value/set-ap-ip/source-type/ip/ip-address

Data Requirements
Table 3-1438 Configuring parameters in the URL

Item

Data

Description

name

huawei

Configure the URL template named huawei.

user-vlan

vlan1

Set the user VLAN to VLAN 1.

key

key1

Set the user login keyword to key1.

value

12

Set the URL value to 12.

set-ac-ip

1.1.1.1

Set the IP address of the AC to 1.1.1.1.

set-ap-ip

2.2.2.2

Set the IP address of the AP to 2.2.2.2.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:url-template>
          <hw-aaa-portal:name>huawei</hw-aaa-portal:name>
          <hw-aaa-portal:url-parameter>
           <hw-aaa-portal:user-vlan>vlan1</hw-aaa-portal:user-vlan>
           <hw-aaa-portal:login-url>
              <hw-aaa-portal:key>key1</hw-aaa-portal:key>
              <hw-aaa-portal:value>12</hw-aaa-portal:value>
            </hw-aaa-portal:login-url>            
            <hw-aaa-portal:set-parameter-value>
              <hw-aaa-portal:set-ac-ip>
                <hw-aaa-portal:ip-address>1.1.1.1</hw-aaa-portal:ip-address>
              </hw-aaa-portal:set-ac-ip>
              <hw-aaa-portal:set-ap-ip>
                <hw-aaa-portal:ip-address>2.2.2.2</hw-aaa-portal:ip-address>
              </hw-aaa-portal:set-ap-ip>
            </hw-aaa-portal:set-parameter-value>
          </hw-aaa-portal:url-parameter>
        </hw-aaa-portal:url-template>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Configuring a Portal Access Profile

This section describes the data model of a Portal access profile and provides examples of Portal authentication creation and deletion packets.

Data Model

The configuration model file matching Portal authentication is huawei-nac-portal.yang.

Table 3-1439 Data model

Object

Description

/huawei-nac-portal

Indicates that the object of a request operation (create, delete, or modify) is nac-portal. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile

Creates a Portal access profile and displays the Portal access profile view.

The value is a string of 1 to 31 case-sensitive characters. It cannot be set to - or --, and it cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/portal-server

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-mode

Indicates the name of the Portal server template used by the Portal access profile.

The value must be the name of an existing Portal server template.

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-authentication-timer/offline-detect

Indicates the offline detection interval of Portal authentication users.

The value is 0 or an integer in the range from 30 to 7200, in seconds. The default value is 300.

The value 0 indicates that offline detection is not performed.

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/user-group/user-group

Indicates the network access rights used when the Portal server is Down.

/huawei-nac-portal/portal-access/https-redirect-enable

Indicates that HTTPS redirection of Portal authentication is enabled.

/huawei-nac-portal:portal-access/url-encode-enable

Indicates whether to enable URL encoding and decoding.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-portal:portal-access/portal-max-user-num

Indicates the maximum number of concurrent Portal authentication users allowed to access the device.

/huawei-nac-portal:portal-access/user-alarm

Indicates the alarm threshold for the Portal authentication user count percentage.

The value is an integer in the range from 1 to 100, but the upper alarm threshold must be larger than or equal to the lower alarm threshold.

/huawei-nac-portal:portal-access/quiet-function/quiet-enable

Indicates whether to enable the quiet function for Portal authentication.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac-portal:portal-access/quiet-function/quiet-period

Indicates the quiet period of Portal authentication users who fail to be authenticated.

The value is an integer in the range from 10 to 3600, in seconds.

/huawei-nac-portal:portal-access/quiet-function/quiet-times

Indicates the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.

The value is an integer in the range from 1 to 10.

Creating a Portal Access Profile

This section describes how to create a Portal access profile using the merge method. A Portal access profile can also be created using the create method.

Table 3-1440 Creating a Portal access profile

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile

Data Requirements
Table 3-1441 Portal access profile

Item

Data

Description

name

test

Create the Portal access profile named test. Configure the Portal server template webauthserver1234 used by the Portal access profile. Set the offline detection interval of Portal authentication users to 361 seconds. Configure network access rights for the user group usergroup1234 to use when the Portal server is Down.

Both the user group and Portal server template must have been created.

offline-detect

361

authentication-event

portal-server-down

user-group

usergroup1234

portal-server

webauthserver1234

portal-mode

direct

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test</name>
     <portal-authentication-timer xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <offline-detect>361</offline-detect>
     </portal-authentication-timer>
     <authorize-of-authentication-event xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge"> 
      <authentication-event>portal-server-down</authentication-event>
      <user-group>usergroup1234</user-group>
     </authorize-of-authentication-event>
     <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <portal-server>webauthserver1234</portal-server>
     </portal-server>
     <portal-mode>direct</portal-mode>
    </portal-access-profile>   
   </portal-access>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>webauthserver1234</name>
     <portal-server-ip>30.0.0.0</portal-server-ip>
    </portal-server>
   </portal>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>usergroup1234</name>
    </user-group> 
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Deleting a Portal Access Profile

This section describes how to delete a Portal access profile using the remove method.

Table 3-1442 Deleting a Portal access profile

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile

Data Requirements
Table 3-1443 Portal access profile

Item

Data

Description

name

test

Delete the Portal access profile named test.

Both the user group and Portal server template must have been created.

offline-detect

361

authentication-event

portal-server-down

user-group

usergroup1234

portal-server

webauthserver1234

portal-mode

direct

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
  <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
   <name>test</name>
   <portal-authentication-timer xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
    <offline-detect>361</offline-detect>
   </portal-authentication-timer>
   <authorize-of-authentication-event xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove"> 
    <authentication-event>portal-server-down</authentication-event>
    <user-group>usergroup1234</user-group>
   </authorize-of-authentication-event>
   <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
    <portal-server>webauthserver1234</portal-server>
   </portal-server>
   <portal-mode>direct</portal-mode>
  </portal-access-profile>   
</portal-access>

<portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
 <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
  <name>webauthserver1234</name>
  <portal-server-ip>30.0.0.0</portal-server-ip>
 </portal-server>
</portal>
<nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
  <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
   <name>usergroup1234</name>
  </user-group> 
</nac-access>
</config>
</edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Enabling HTTPS Redirection of Portal Authentication

This section describes how to enable HTTPS redirection of Portal authentication using the merge method. HTTPS redirection of Portal authentication can also be enabled using the create method.

Table 3-1444 Enabling HTTPS redirection of Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/https-redirect-enable

Data Requirements
Table 3-1445 Enabling HTTPS redirection of Portal authentication

Item

Data

Description

https-redirect-enable

true: enabled

false: disabled

Enable HTTPS redirection of Portal authentication.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <https-redirect-enable xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">true</https-redirect-enable>
   </portal-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Configuring URL Encoding and Decoding

This section provides a sample of configuring URL encoding and decoding using the merge method.

Table 3-1446 Configuring URL encoding and decoding

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/url-encode-enable

Data Requirements
Table 3-1447 Configuring URL encoding and decoding

Item

Data

Description

url-encode-enable

true

Configure URL encoding and decoding.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:url-encode-enable xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">true</hw-nac-portal:url-encode-enable>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Maximum Number of Concurrent Portal Authentication Users Allowed to Access the Device

This section provides a sample of configuring the maximum number of concurrent Portal authentication users allowed to access the device using the merge method.

Table 3-1448 Configuring the maximum number of concurrent Portal authentication users allowed to access the device

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/portal-max-user-num

Data Requirements
Table 3-1449 Configuring the maximum number of concurrent Portal authentication users allowed to access the device

Item

Data

Description

portal-max-user-num

90

Set the maximum number of concurrent Portal authentication users allowed to access the device to 90.

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:portal-max-user-num xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">90</hw-nac-portal:portal-max-user-num>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring Alarm Thresholds for the Portal Authentication User Count Percentage

This section provides a sample of configuring alarm thresholds for the Portal authentication user count percentage using the merge method.

Table 3-1450 Configuring alarm thresholds for the Portal authentication user count percentage

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/user-alarm

Data Requirements
Table 3-1451 Configuring alarm thresholds for the Portal authentication user count percentage

Item

Data

Description

percent-lower

32

Set the lower alarm threshold to 32.

percent-upper

82

Set the upper alarm threshold to 82.

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:user-alarm xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-portal:percent-lower>32</hw-nac-portal:percent-lower>
          <hw-nac-portal:percent-upper>82</hw-nac-portal:percent-upper>
        </hw-nac-portal:user-alarm>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Creating a User Group

This section describes the data model of creating a user group and provides examples of XML packets.

Data Model

The configuration model file matching the user group is huawei-nac.yang.

Table 3-1452 Data model

Object

Description

/huawei-nac:nac-access

Indicates that the object of a request operation (create or modify) is nac-access. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac:nac-access/user-group

Indicates the name of a user group.

The value is a string of 1 to 64 case-sensitive characters and cannot be set to - or --. It cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-nac:nac-access/user-group/acl

Binds an ACL to the user group.

The value is an integer in the range from 3000 to 3999.

/huawei-nac:nac-access/user-group/vlan/vlan/vlan-id

Binds a VLAN to the user group.

The value is an integer in the range from 1 to 4094.

/huawei-nac:nac-access/user-group/isolate/isolate-inter

Indicates whether to configure the inter-group isolation function in the user group view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac:nac-access/user-group/isolate/isolate-inner

Indicates whether to configure the intra-group isolation function in the user group view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac:nac-access/user-group/remark/remark-8021p

Indicates the priority for processing Layer 2 Ethernet packets.

The value is an integer in the range from 0 to 7.

/huawei-nac:nac-access/user-group/remark/remark-dscp

Indicates the priority for processing IP packets.

The value is an integer in the range from 0 to 63.

/huawei-nac:nac-access/user-group/remark/remark-exp

Indicates the priority for processing MPLS packets.

The value is an integer in the range from 0 to 7.

/huawei-nac:nac-access/user-group/remark/remark-lp

Indicates the priority for processing internal packets on the device.

The value is an integer in the range from 0 to 7.

Creating a User Group

This section describes how to create a user group using the merge method. A user group can also be created using the create method.

Table 3-1453 Creating a user group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group

Data Requirements
Table 3-1454 Creating a user group

Item

Data

Description

name

test

Create a user group named test.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test</name>
    </user-group>   
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Binding an ACL to the User Group

This section describes how to bind an ACL to the user group using the merge method. An ACL can also be bound to a user group using the create method.

Table 3-1455 Binding an ACL to the user group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group/acl

Data Requirements
Table 3-1456 Binding an ACL to the user group

Item

Data

Description

acl-name

3777

Bind ACL 3777 to the user group test.

The user group name and ACL number must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test</name>
     <acl xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <acl-name>3777</acl-name>
     </acl>   
    </user-group>   
   </nac-access>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>webauthserver1</name>
     <portal-server-ip>10.1.1.1</portal-server-ip>
    </portal-server>
   </portal>
   <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-acl">
    <access-list>
     <access-control-list-name>3777</access-control-list-name>
    </access-list>
   </access-lists>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Binding a VLAN to the User Group

This section describes how to bind a VLAN to the user group using the merge method. A VLAN can also be bound to a user group using the create method.

Table 3-1457 Binding a VLAN to the user group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group/vlan/vlan/vlan-id

Data Requirements
Table 3-1458 Binding a VLAN to the user group

Item

Data

Description

vlan-id

15

Bind VLAN 15 to the user group test.

The user group name and VLAN ID must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test111</name>
     <vlan-id xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">15</vlan-id> 
    </user-group> 
   </nac-access>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>webauthserver1</name>
     <portal-server-ip>20.0.0.0</portal-server-ip>
    </portal-server>
   </portal>
   <vlans xmlns="urn:huawei:params:xml:ns:yang:huawei-vlan">
    <vlan>
     <id>15</id>
    </vlan>
   </vlans>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
Configuring Inter-Group Isolation in the User Group

This section describes how to configure inter-group isolation in the user group using the merge method. Inter-group isolation can also be configured using the create method.

Table 3-1459 Configuring inter-group isolation in the user group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group/isolate/isolate-inter

Data Requirements
Table 3-1460 Configuring inter-group isolation in the user group

Item

Data

Description

isolate-inter

true

Configure inter-group isolation in the user group. The user group must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test</name>
     <isolate xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <isolate-inter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">true</isolate-inter>
     </isolate> 
    </user-group>   
   </nac-access>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>webauthserver1</name>
     <portal-server-ip>20.0.0.0</portal-server-ip>
    </portal-server>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring Intra-Group Isolation in the User Group

This section describes how to configure intra-group isolation in the user group using the merge method. Intra-group isolation can also be configured using the create method.

Table 3-1461 Configuring intra-group isolation in the user group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group/isolate/isolate-inner

Data Requirements
Table 3-1462 Configuring intra-group isolation in the user group

Item

Data

Description

isolate-inner

true

Configure intra-group isolation in the user group. The user group must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test</name>
     <isolate xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <isolate-inner xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">true</isolate-inner>
     </isolate> 
    </user-group>   
   </nac-access>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>webauthserver1</name>
     <portal-server-ip>20.0.0.0</portal-server-ip>
    </portal-server>
   </portal>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Configuring the User Group Priority

This section provides a sample of configuring the user group priority using the merge method. You can also use the create method to configure the user group priority.

Table 3-1463 Configuring the user group priority

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/user-group/remark/remark-8021p

/huawei-nac:nac-access/user-group/remark/remark-dscp

/huawei-nac:nac-access/user-group/remark/remark-exp

/huawei-nac:nac-access/user-group/remark/remark-lp

Data Requirements
Table 3-1464 Configuring the user group priority

Item

Data

Description

name

user_group

Configure the priority of a user group, which must have been created.

remark-8021p

0

remark-dscp

0

remark-exp

0

remark-lp

0

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <user-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>user_group</name>
     <remark>
      <remark-8021p>0</remark-8021p>
      <remark-dscp>0</remark-dscp>
      <remark-exp>0</remark-exp>
      <remark-lp>0</remark-lp>
     </remark>
    </user-group>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
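
The value ranges in the user group data model above can be checked on the client before a request is sent. The following is an added example, not part of the original reference: a Python sketch using only the standard library that validates a user group name and its settings against those ranges and then builds the merge request. The function names, the LEAVES table and the nc/hw-nac prefixes are this example's own.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NAC_NS = "urn:huawei:params:xml:ns:yang:huawei-nac"
ET.register_namespace("nc", NC_NS)        # prefixes chosen for this example
ET.register_namespace("hw-nac", NAC_NS)

# Space plus the special characters the data model forbids in a name.
FORBIDDEN = set(' /\\:*?"<>|@\'%')

# leaf -> (enclosing element used in the request examples, (min, max));
# a range of None marks a Boolean leaf.
LEAVES = {
    "acl-name": ("acl", (3000, 3999)),
    "vlan-id": (None, (1, 4094)),
    "isolate-inter": ("isolate", None),
    "isolate-inner": ("isolate", None),
    "remark-8021p": ("remark", (0, 7)),
    "remark-dscp": ("remark", (0, 63)),
    "remark-exp": ("remark", (0, 7)),
    "remark-lp": ("remark", (0, 7)),
}


def validate_user_group(name, settings):
    """Return a list of data-model violations; an empty list means valid."""
    errors = []
    if not isinstance(name, str) or not 1 <= len(name) <= 64:
        errors.append("name: must be a string of 1 to 64 characters")
    elif name in ("-", "--"):
        errors.append("name: must not be - or --")
    else:
        bad = sorted(FORBIDDEN.intersection(name))
        if bad:
            errors.append("name: forbidden characters %r" % "".join(bad))
    for leaf, value in settings.items():
        if leaf not in LEAVES:
            errors.append("%s: not a user-group leaf in the data model" % leaf)
            continue
        limits = LEAVES[leaf][1]
        if limits is None:
            if not isinstance(value, bool):
                errors.append("%s: must be true or false" % leaf)
        elif (isinstance(value, bool) or not isinstance(value, int)
              or not limits[0] <= value <= limits[1]):
            errors.append("%s: must be an integer from %d to %d"
                          % (leaf, limits[0], limits[1]))
    return errors


def build_user_group_rpc(name, settings, message_id="1"):
    """Build an edit-config merge request, refusing invalid input."""
    errors = validate_user_group(name, settings)
    if errors:
        raise ValueError("; ".join(errors))
    rpc = ET.Element("{%s}rpc" % NC_NS, {"message-id": message_id})
    edit = ET.SubElement(rpc, "{%s}edit-config" % NC_NS)
    target = ET.SubElement(edit, "{%s}target" % NC_NS)
    ET.SubElement(target, "{%s}running" % NC_NS)
    ET.SubElement(edit, "{%s}error-option" % NC_NS).text = "rollback-on-error"
    config = ET.SubElement(edit, "{%s}config" % NC_NS)
    nac = ET.SubElement(config, "{%s}nac-access" % NAC_NS)
    group = ET.SubElement(nac, "{%s}user-group" % NAC_NS,
                          {"{%s}operation" % NC_NS: "merge"})
    ET.SubElement(group, "{%s}name" % NAC_NS).text = name
    containers = {}  # one <acl>, <isolate> or <remark> element per request
    for leaf, value in settings.items():
        parent_name = LEAVES[leaf][0]
        parent = group
        if parent_name is not None:
            if parent_name not in containers:
                containers[parent_name] = ET.SubElement(
                    group, "{%s}%s" % (NAC_NS, parent_name))
            parent = containers[parent_name]
        text = str(value).lower() if isinstance(value, bool) else str(value)
        ET.SubElement(parent, "{%s}%s" % (NAC_NS, leaf)).text = text
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    # Values taken from the request examples above.
    print(build_user_group_rpc("test", {"acl-name": 3777, "isolate-inter": True}))
    # A name with a space and an out-of-range DSCP value are both reported.
    print(validate_user_group("guest users", {"remark-dscp": 64}))
```
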

Creating an Authentication-Free Rule Profile

This section describes the data model of creating an authentication-free rule profile and provides examples of XML packets.

Data Model

The configuration model file matching the authentication-free rule profile is huawei-nac.yang.

Table 3-1465 Data model

Object

Description

/huawei-nac:nac-access/authentication-free-rule-profile

Indicates that the object of a request operation (create or modify) is an authentication-free rule profile. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac:nac-access/authentication-free-rule-profile/name

Indicates the name of an authentication-free rule profile.

Currently, the device supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

/huawei-nac:nac-access/authentication-free-rule-profile/free-acl/ipv4-acl

Configures an ACL to define an authentication-free rule.

The value must be an existing ACL.

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule

Configures an authentication-free rule for NAC authentication users.

Creating an Authentication-Free Rule Profile

This section describes how to create an authentication-free rule profile using the merge method. An authentication-free rule profile can also be created using the create method.

Table 3-1466 Creating an authentication-free rule profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/authentication-free-rule-profile/name

Data Requirements
Table 3-1467 Creating an authentication-free rule profile

Item

Data

Description

name

default_free_rule

Create an authentication-free rule profile default_free_rule.

ipv4-acl

6000

Configure an authentication-free rule defined by ACL.

The ACL must already exist.

rule-id

1

Configure a common authentication-free rule.

The authentication-free rule profile must have been created.

destination

any

Request Example

# Configure an authentication-free rule defined by ACL.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac" xc:operation="replace">
    <authentication-free-rule-profile>  
     <name>default_free_rule</name>
     <free-acl>
      <ipv4-acl>6000</ipv4-acl>
     </free-acl>
    </authentication-free-rule-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc> 

# Configure a common authentication-free rule.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-free-rule-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>default_free_rule</name>
     <free-rule>
      <rule-id>1</rule-id>
      <destination>
       <any>any</any>
      </destination>
     </free-rule>
    </authentication-free-rule-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
<ok/>
</rpc-reply>
Configuring Authentication-free Rules

This section provides a sample of configuring authentication-free rules using the merge method.

Table 3-1468 Configuring authentication-free rules

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/authentication-free-rule-profile/free-acl/ipv4-acl-name

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/rule-id

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-any/any

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/ip

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/subnet/prefix-length/prefix-length

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/subnet/net-mask/net-mask

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/interface/interface

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/vlan/vlan-id

Data Requirements
Table 3-1469 Configuring authentication-free rules

Item

Data

Description

ipv4-acl-name

acl1

Configure the IPv4 ACL named acl1.

rule-id

37

Set the rule number to 37.

any

any

Set any condition.

ip

1.1.1.1

Set the IP address to 1.1.1.1.

prefix-length

24

Set the prefix length to 24.

net-mask

255.255.255.0

Set the mask to 255.255.255.0.

interface

GigabitEthernet0/0/1

Set the interface to GigabitEthernet0/0/1.

vlan-id

1

Set the VLAN ID to 1.

Request Example

# Configure an ACL to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-acl>
            <hw-nac:ipv4-acl-name>acl1</hw-nac:ipv4-acl-name>
          </hw-nac:free-acl>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure any to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:any>any</hw-nac:any>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the IP address and prefix to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:ip>1.1.1.1</hw-nac:ip>
              <hw-nac:prefix-length>24</hw-nac:prefix-length>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the IP address and mask to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:ip>1.1.1.1</hw-nac:ip>
              <hw-nac:net-mask>255.255.255.0</hw-nac:net-mask>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure an interface to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:interface>GigabitEthernet0/0/1</hw-nac:interface>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the VLAN ID to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:vlan-id>1</hw-nac:vlan-id>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
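
Because an authentication-free rule exempts whatever it matches from NAC authentication, it is worth listing the scope of every rule in a payload before it is pushed. The following is an added example, not part of the original reference: a Python sketch that parses a constructed payload using the element names from the requests above, normalizes ip plus prefix-length or net-mask to a network, and marks rules whose source or destination is any. The function names and rule 38 are this example's own, and reading the source leaf names inside destination is an assumption, since the page only shows any there.

```python
import ipaddress
import xml.etree.ElementTree as ET

NAC = "{urn:huawei:params:xml:ns:yang:huawei-nac}"

# Constructed sample payload; element names follow the request examples.
SAMPLE_CONFIG = """
<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
  <authentication-free-rule-profile>
   <name>default_free_rule</name>
   <free-rule>
    <rule-id>1</rule-id>
    <destination><any>any</any></destination>
   </free-rule>
   <free-rule>
    <rule-id>37</rule-id>
    <source><ip>1.1.1.1</ip><net-mask>255.255.255.0</net-mask></source>
   </free-rule>
   <free-rule>
    <rule-id>38</rule-id>
    <source><vlan-id>1</vlan-id></source>
   </free-rule>
  </authentication-free-rule-profile>
 </nac-access>
</config>
"""


def _text(elem, tag):
    """Return the stripped text of a direct child, or None if it is absent."""
    child = elem.find(NAC + tag)
    return child.text.strip() if child is not None and child.text else None


def describe_match(side):
    """Map a <source> or <destination> element to (description, is_broad)."""
    if side is None:
        return (None, False)
    if _text(side, "any") is not None:
        return ("any", True)
    ip = _text(side, "ip")
    if ip:
        mask = _text(side, "prefix-length") or _text(side, "net-mask")
        if mask is None:
            return (ip, False)
        try:
            net = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
        except ValueError:
            return ("invalid address %s/%s" % (ip, mask), False)
        # A zero-length prefix matches every address, the same as any.
        return (str(net), net.prefixlen == 0)
    if _text(side, "interface"):
        return ("interface " + _text(side, "interface"), False)
    if _text(side, "vlan-id"):
        return ("vlan " + _text(side, "vlan-id"), False)
    return (None, False)


def audit_free_rules(xml_text):
    """List every authentication-free rule or ACL reference in a payload."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in root.iter(NAC + "authentication-free-rule-profile"):
        pname = _text(profile, "name")
        for acl in profile.findall(NAC + "free-acl"):
            ref = _text(acl, "ipv4-acl") or _text(acl, "ipv4-acl-name")
            # Scope depends on the ACL's own rules, so broad is left undecided.
            findings.append({"profile": pname, "rule": "acl %s" % ref,
                             "source": None, "destination": None, "broad": None})
        for rule in profile.findall(NAC + "free-rule"):
            src, src_broad = describe_match(rule.find(NAC + "source"))
            dst, dst_broad = describe_match(rule.find(NAC + "destination"))
            findings.append({"profile": pname, "rule": _text(rule, "rule-id"),
                             "source": src, "destination": dst,
                             "broad": src_broad or dst_broad})
    return findings


if __name__ == "__main__":
    for finding in audit_free_rules(SAMPLE_CONFIG):
        print(finding)
```
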

Configure an Authentication Profile

This section describes the data model of configuring an authentication profile and provides examples of XML packets.

Data Model

The configuration model file matching the authentication profile is huawei-nac.yang.

Table 3-1470 Data model

Object

Description

/huawei-nac:nac-access/configure-mode/unified-mode

Indicates that the object of a request operation (create or modify) is nac-access. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Indicates the name of an authentication profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or --, and it cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Binds a MAC access profile to the authentication profile.

The value must be the name of an existing MAC access profile.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Binds a Portal access profile to the authentication profile.

The value must be the name of an existing Portal access profile.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/free-rule-profile

Binds an authentication-free rule profile to the authentication profile.

The value must be the name of an existing authentication-free rule profile.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Configures a forcible domain based on the access type.

The value must be an existing domain.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Configures a default domain based on the access type.

The value must be an existing domain.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Configures a forcible domain.

The value must be an existing domain.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Configures a default domain.

The value must be an existing domain.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

Configures network access rights for users in each phase before authentication.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Configures the device to re-authenticate users when the status of the authentication server changes from Down to Up.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/assigned-ip-address/in-accounting-start

Indicates whether accounting-start packets carry users' IP addresses.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Binds an authentication profile to an interface.

The value must be the name of an existing Portal access profile.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/handshake/enable

Indicates whether to enable the handshake with pre-connection users and authorized users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/handshake/period

Indicates the handshake interval of the device with pre-connection users and authorized users.

The value is an integer in the range from 5 to 7200, in seconds.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/single-access

Indicates whether the device allows users to access the network in only one authentication mode in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/security-name-delimiter

Indicates the security string delimiter in the authentication profile.

The value is of the enumerated type. The value can be \ / : , < > | @ ' % or *.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-delimiter

Indicates the domain name delimiter in the authentication profile.

The value is of the enumerated type. The value can be \ / : , < > | @ ' % or *.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-direction

Indicates the direction in which a domain name is parsed in the authentication profile.

The value is of the enumerated type:

  • left-to-right: indicates the direction from left to right.
  • right-to-left: indicates the direction from right to left.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-location

Indicates the position of a domain name in the authentication profile.

The value is of the enumerated type:

  • after-delimiter: indicates that the domain name is placed behind the delimiter.
  • before-delimiter: indicates that the domain name is placed before the delimiter.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/pre-authen

Indicates the interval for re-authenticating pre-connection users in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail

Indicates the interval for re-authenticating users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/pre-authen

Indicates the aging time for pre-connection user entries in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/authen-fail

Indicates the aging time for entries of the users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/update-ip-accounting

Indicates whether to enable a device to send accounting packets for address updating in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/roam-accounting

Indicates whether to enable a device to send accounting packets for roaming in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.
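The value constraints in the table above can be enforced on the client before a request reaches the device. The following is an added example, not part of the Huawei reference: the function names are hypothetical, it assumes that bound profile names follow the same naming rule as the authentication profile name, and it rejects all whitespace rather than spaces only. It builds the edit-config request with an XML library, so values are escaped instead of concatenated into the payload.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NAC_NS = "urn:huawei:params:xml:ns:yang:huawei-nac"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("nac", NAC_NS)

# Special characters the data model table forbids in a profile name.
FORBIDDEN_CHARS = set('/\\:*?"<>|@\'%')
# Binding leaves that appear in the request examples on this page.
BINDING_LEAVES = ("mac-access-profile", "dot1x-access-profile",
                  "portal-access-profile", "free-rule-profile")


def nc_tag(tag):
    return "{%s}%s" % (NC_NS, tag)


def nac_tag(tag):
    return "{%s}%s" % (NAC_NS, tag)


def validate_profile_name(name):
    """Return name if it meets the documented rule, else raise ValueError."""
    if not isinstance(name, str) or not 1 <= len(name) <= 31:
        raise ValueError("profile name must be a string of 1 to 31 characters")
    if name in ("-", "--"):
        raise ValueError("profile name cannot be - or --")
    bad = sorted(c for c in set(name) if c in FORBIDDEN_CHARS or c.isspace())
    if bad:
        raise ValueError("profile name contains forbidden characters: %r" % bad)
    return name


def validate_handshake_period(seconds):
    """handshake/period is an integer from 5 to 7200 seconds."""
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError("handshake period must be an integer")
    if not 5 <= seconds <= 7200:
        raise ValueError("handshake period must be 5 to 7200 seconds")
    return seconds


def build_auth_profile_edit(message_id, name, bindings=None,
                            handshake_period=None, operation="merge"):
    """Build an edit-config request for one authentication profile."""
    if operation not in ("merge", "create"):
        raise ValueError("this builder only emits merge or create")
    bindings = bindings or {}
    for leaf in bindings:
        if leaf not in BINDING_LEAVES:
            raise ValueError("unknown binding leaf: %r" % leaf)

    rpc = ET.Element(nc_tag("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, nc_tag("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc_tag("target")), nc_tag("running"))
    ET.SubElement(edit, nc_tag("error-option")).text = "rollback-on-error"
    config = ET.SubElement(edit, nc_tag("config"))
    access = ET.SubElement(config, nac_tag("nac-access"))
    profile = ET.SubElement(access, nac_tag("authentication-profile"),
                            {nc_tag("operation"): operation})
    ET.SubElement(profile, nac_tag("name")).text = validate_profile_name(name)
    for leaf in BINDING_LEAVES:
        if leaf in bindings:
            ref = validate_profile_name(bindings[leaf])
            ET.SubElement(profile, nac_tag(leaf)).text = ref
    if handshake_period is not None:
        handshake = ET.SubElement(profile, nac_tag("handshake"))
        period = validate_handshake_period(handshake_period)
        ET.SubElement(handshake, nac_tag("period")).text = str(period)
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    print(build_auth_profile_edit(
        "101", "authen_pro",
        {"portal-access-profile": "portal_access_profile"},
        handshake_period=500))
```

The serializer emits prefixed element names (nc:, nac:) instead of default namespaces; the two forms are equivalent XML.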

Creating an Authentication Profile

This section describes how to create an authentication profile using the merge method. An authentication profile can also be created using the create method.

Table 3-1471 Creating an authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Data Requirements
Table 3-1472 Creating an authentication profile

Item

Data

Description

name

authen_pro

Create an authentication profile authen_pro.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply> 
Binding a MAC Access Profile to the Authentication Profile

This section describes how to bind a MAC access profile to an authentication profile using the merge method. A MAC access profile can also be bound to an authentication profile using the create method.

Table 3-1473 Binding a MAC access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Data Requirements
Table 3-1474 Binding a MAC access profile to the authentication profile

Item

Data

Description

mac-access-profile

mac_access_profile

Bind the MAC access profile mac_access_profile to the authentication profile authen_pro.

The MAC access profile must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <mac-access-profile>mac_access_profile</mac-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Binding an 802.1X Access Profile to the Authentication Profile

This section provides a sample of binding an 802.1X access profile to the authentication profile using the merge method. You can also use the create method to bind an 802.1X access profile to the authentication profile.

Table 3-1475 Binding an 802.1X access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Data Requirements
Table 3-1476 Binding an 802.1X access profile to the authentication profile

Item

Data

Description

dot1x-access-profile

dot1x_access_profile

Bind the 802.1X access profile dot1x_access_profile to the authentication profile authen_pro.

The 802.1X access profile must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <dot1x-access-profile>dot1x_access_profile</dot1x-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  

Binding a Portal Access Profile to the Authentication Profile

This section describes how to bind a Portal access profile to an authentication profile using the merge method. A Portal access profile can also be bound to an authentication profile using the create method.

Table 3-1477 Binding a Portal access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Data Requirements
Table 3-1478 Binding a Portal access profile to the authentication profile

Item

Data

Description

portal-access-profile

portal_access_profile

Bind the Portal access profile portal_access_profile to the authentication profile authen_pro.

The Portal access profile must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <portal-access-profile>portal_access_profile</portal-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>
Binding an Authentication-Free Rule Profile to the Authentication Profile

This section describes how to bind an authentication-free rule profile to an authentication profile using the merge method. An authentication-free rule profile can also be bound to an authentication profile using the create method.

Table 3-1479 Binding an authentication-free rule profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/free-rule-profile

Data Requirements
Table 3-1480 Binding an authentication-free rule profile to the authentication profile

Item

Data

Description

free-rule-profile

default_free_rule

Bind the authentication-free rule profile default_free_rule to the authentication profile authen_pro.

The authentication-free rule profile must have been created.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <free-rule-profile>default_free_rule</free-rule-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Configuring a Forcible Authentication Domain based on the Access Type

This section describes how to configure a forcible authentication domain based on the access type using the merge method. A forcible authentication domain can also be configured based on the access type using the create method.

Table 3-1481 Configuring a forcible authentication domain based on the access type

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Data Requirements
Table 3-1482 Configuring a forcible authentication domain based on the access type

Item

Data

Description

domain-name

domain2

Configure a forcible authentication domain based on the access type.

The forcible authentication domain must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain2</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <force-domain>
      <access-force-domain>
       <access-type>dot1x</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>mac</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>portal</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Configuring a Default Authentication Domain based on the Access Type

This section describes how to configure a default authentication domain based on the access type using the merge method. A default authentication domain can also be configured based on the access type using the create method.

Table 3-1483 Configuring a default authentication domain based on the access type

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Data Requirements
Table 3-1484 Configuring a default authentication domain based on the access type

Item

Data

Description

domain-name

domain2

Configure a default authentication domain based on the access type.

The default authentication domain must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain2</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen</name>
     <default-domain>
      <access-default-domain>
       <access-type>dot1x</access-type>
       <domain-name>domain2</domain-name>
      </access-default-domain>
      <access-default-domain>
       <access-type>mac</access-type>
       <domain-name>domain2</domain-name>
      </access-default-domain>
      <access-default-domain>
       <access-type>portal</access-type>
       <domain-name>domain2</domain-name>
      </access-default-domain>
     </default-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Configuring a Forcible Authentication Domain

This section describes how to configure a forcible authentication domain using the remove method.

Table 3-1485 Configuring a forcible authentication domain

Operation

XPATH

edit-config:remove

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Data Requirements
Table 3-1486 Configuring a forcible authentication domain

Item

Data

Description

domain-name

domain1

Configure a forcible authentication domain.

The forcible authentication domain must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <name>authen_pro</name>
     <force-domain>
      <default-force-domain>domain1</default-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
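RFC 6241 applies an operation attribute to the element that carries it, and requires the reply to carry the same message-id as the request. The following is an added example, not part of the Huawei reference: it lists where each operation lands in an edit-config request so that remove, delete and replace can be reviewed before sending, and it checks a reply against its request. Function names are hypothetical, the replies and the leaf-scoped variant are constructed for illustration, and the variant is not verified against the device.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
OP_ATTR = "{%s}operation" % NC_NS
DESTRUCTIVE = {"remove", "delete", "replace"}
MSG_ID = "DEVICECONFIG_012824316d704d43adb16b1a4245d273"

# Request from the section above, with the aaa subtree omitted.
PAGE_REMOVE_REQUEST = """<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target><running/></target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <name>authen_pro</name>
     <force-domain>
      <default-force-domain>domain1</default-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>"""

# Constructed variant: the same request with the attribute moved to the leaf.
_ATTR = ' xmlns:ns0="%s" ns0:operation="remove"' % NC_NS
LEAF_SCOPED_REQUEST = (PAGE_REMOVE_REQUEST.replace(_ATTR, "", 1)
                       .replace("<default-force-domain>",
                                "<default-force-domain%s>" % _ATTR, 1))

# Constructed replies.
OK_REPLY = '<rpc-reply xmlns="%s" message-id="%s"><ok/></rpc-reply>' % (NC_NS, MSG_ID)
ERROR_REPLY = ('<rpc-reply xmlns="%s" message-id="%s"><rpc-error>'
               '<error-type>application</error-type>'
               '<error-tag>data-missing</error-tag>'
               '<error-severity>error</error-severity>'
               '</rpc-error></rpc-reply>' % (NC_NS, MSG_ID))


def local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse(xml_text):
    # RFC 6241 forbids document type declarations in NETCONF content.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("document type declaration in NETCONF content")
    return ET.fromstring(xml_text)


def operation_scopes(rpc_xml):
    """Return (path, operation) for every element under <config> that
    carries an operation attribute. List entries show their name key."""
    config = parse(rpc_xml).find("{%s}edit-config/{%s}config" % (NC_NS, NC_NS))
    if config is None:
        raise ValueError("not an edit-config request")
    scopes = []

    def walk(elem, path):
        for child in elem:
            key = next((c.text for c in child if local(c.tag) == "name"), None)
            step = local(child.tag) + ("[name=%s]" % key if key else "")
            if OP_ATTR in child.attrib:
                scopes.append(("/".join(path + [step]), child.attrib[OP_ATTR]))
            walk(child, path + [step])

    walk(config, [])
    return scopes


def destructive_scopes(rpc_xml):
    """Scopes whose operation deletes or replaces data."""
    return [(p, op) for p, op in operation_scopes(rpc_xml) if op in DESTRUCTIVE]


def check_reply(request_xml, reply_xml):
    """Classify a reply: ok, rpc-error, message-id-mismatch, no-ok, not-a-reply."""
    request, reply = parse(request_xml), parse(reply_xml)
    if local(reply.tag) != "rpc-reply":
        return "not-a-reply"
    if reply.get("message-id") != request.get("message-id"):
        return "message-id-mismatch"
    kinds = {local(child.tag) for child in reply}
    if "rpc-error" in kinds:
        return "rpc-error"
    return "ok" if "ok" in kinds else "no-ok"


if __name__ == "__main__":
    for path, op in destructive_scopes(PAGE_REMOVE_REQUEST):
        print(op, "applies at", path)
    print(check_reply(PAGE_REMOVE_REQUEST, OK_REPLY))
```

For the request shown in this section, the reported scope is the authentication-profile entry authen_pro, not the default-force-domain leaf named in the XPATH row.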
Configuring a Default Authentication Domain

This section describes how to create a default authentication domain using the merge method. A default authentication domain can also be configured using the create method.

Table 3-1487 Configuring a default authentication domain

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Data Requirements
Table 3-1488 Configuring a default authentication domain

Item

Data

Description

default-default-domain

domain1

Configure a default authentication domain.

The default authentication domain must already exist on the device.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen</name>
     <default-domain>
      <default-default-domain>domain1</default-default-domain>
     </default-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>  
Configuring Network Access Rights for Users in Each Phase Before Authentication

This section provides a sample of configuring network access rights for users in each phase before authentication using the merge method. You can also use the create method to configure network access rights for users in each phase before authentication.

Table 3-1489 Configuring network access rights for users in each phase before authentication

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

Data Requirements
Table 3-1490 Configuring network access rights for users in each phase before authentication

Item

Data

Description

name

auth_1

Configure network access rights for users in each phase before authentication.

authentication-event

pre-authen

service-scheme

ar_service

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>auth_1</name>
     <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
      <authentication-event>pre-authen</authentication-event>
      <service-scheme>ar_service</service-scheme>
     </authorize-of-authentication-event> 
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>  
Configuring the Device to Re-authenticate Users When the Status of the Authentication Server Changes From Down to Up

This section provides a sample of configuring the device to re-authenticate users when the status of the authentication server changes from Down to Up using the merge method. You can also use the create method to configure the device to re-authenticate users when the status of the authentication server changes from Down to Up.

Table 3-1491 Configuring the device to re-authenticate users when the status of the authentication server changes from Down to Up

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Data Requirements
Table 3-1492 Configuring the device to re-authenticate users when the status of the authentication server changes from Down to Up

Item

Data

Description

name

ar_auth

Configure the device to re-authenticate users when the status of the authentication server changes from Down to Up.

re-authen-trigger-event

authen-server-up

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>ar_auth</name>
     <re-authen-trigger-event>authen-server-up</re-authen-trigger-event>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
Configuring Accounting-Start Packets to Carry Users' IP Addresses

This section provides a sample of configuring accounting-start packets to carry users' IP addresses using the merge method. You can also use the create method to configure accounting-start packets to carry users' IP addresses.

Table 3-1493 Configuring accounting-start packets to carry users' IP addresses

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/assigned-ip-address/in-accounting-start

Data Requirements
Table 3-1494 Configuring accounting-start packets to carry users' IP addresses

Item

Data

Description

name

auth_1

Configure accounting-start packets to carry users' IP addresses.

in-accounting-start

true

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>auth_1</name>
     <assigned-ip-address>
      <in-accounting-start>true</in-accounting-start>
     </assigned-ip-address>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
Enabling the Handshake with Pre-connection Users and Authorized Users

This section provides a sample of enabling the handshake with pre-connection users and authorized users using the merge method. You can also use the create method to enable the handshake with pre-connection users and authorized users.

Table 3-1495 Enabling the handshake with pre-connection users and authorized users

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/handshake/enable

Data Requirements
Table 3-1496 Enabling the handshake with pre-connection users and authorized users

Item

Data

Description

name

auth_1

Enable the handshake with pre-connection users and authorized users.

enable

true

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>auth_1</name>
     <handshake>
      <enable>true</enable>
     </handshake>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply> 
Configuring the Handshake Interval of the Device with Pre-connection Users and Authorized Users

This section provides a sample of configuring the handshake interval of the device with pre-connection users and authorized users using the merge method. You can also use the create method to configure the handshake interval of the device with pre-connection users and authorized users.

Table 3-1497 Configuring the handshake interval of the device with pre-connection users and authorized users

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/handshake/period

Data Requirements
Table 3-1498 Configuring the handshake interval of the device with pre-connection users and authorized users

Item

Data

Description

name

auth_1

Set the handshake interval of the device with pre-connection users and authorized users to 500 seconds.

period

500

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>auth_1</name>
     <handshake>
      <period>500</period>
     </handshake>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <ok/>
</rpc-reply>
Binding an Authentication Profile to an Interface

This section provides a sample of binding an authentication profile to an interface using the merge method. You can also use the create method to bind an authentication profile to an interface.

Table 3-1499 Binding an authentication profile to an interface

Operation

XPATH

edit-config:merge

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Data Requirements
Table 3-1500 Binding an authentication profile to an interface

Item

Data

Description

interface name

GigabitEthernet0/0/1

Bind the authentication profile lzl to GigabitEthernet0/0/1.

authentication-profile-name

lzl

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>lzl</name>
    </authentication-profile>
   </nac-access>
   <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <if:interface xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
     <if:name>GigabitEthernet0/0/1</if:name>
     <if:type>ethernetCsmacd</if:type>
     <hw-nac:authentication-profile xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
      <hw-nac:authentication-profile-name>lzl</hw-nac:authentication-profile-name>
     </hw-nac:authentication-profile>
    </if:interface>
   </if:interfaces>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="DEVICECONFIG_012824316d704d43adb16b1a4245d273">
 <ok/>
</rpc-reply>
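
An added example (not from the Huawei documentation): a Python audit that reads a get-config reply and lists interfaces with no authentication profile bound, or bound to a profile name that is not defined under nac-access. The sample reply is constructed and assumes the device returns the same element layout as the edit-config request above; `audit_bindings` and `SAMPLE_REPLY` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
      "nac": "urn:huawei:params:xml:ns:yang:huawei-nac"}

# Constructed sample: a <get-config> reply assumed to mirror the element
# layout of the edit-config request on this page.
SAMPLE_REPLY = """\
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <data>
  <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
   <authentication-profile><name>lzl</name></authentication-profile>
  </nac-access>
  <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces"
                 xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
   <if:interface>
    <if:name>GigabitEthernet0/0/1</if:name>
    <hw-nac:authentication-profile>
     <hw-nac:authentication-profile-name>lzl</hw-nac:authentication-profile-name>
    </hw-nac:authentication-profile>
   </if:interface>
   <if:interface><if:name>GigabitEthernet0/0/2</if:name></if:interface>
   <if:interface>
    <if:name>GigabitEthernet0/0/3</if:name>
    <hw-nac:authentication-profile>
     <hw-nac:authentication-profile-name>lz1</hw-nac:authentication-profile-name>
    </hw-nac:authentication-profile>
   </if:interface>
  </if:interfaces>
 </data>
</rpc-reply>
"""


def audit_bindings(reply_xml):
    """Return {interface: finding} for ports with no usable NAC binding."""
    root = ET.fromstring(reply_xml)
    # Profile names that actually exist under nac-access.
    defined = {
        (e.text or "").strip()
        for e in root.iterfind(
            ".//nac:nac-access/nac:authentication-profile/nac:name", NS)
    }
    findings = {}
    for intf in root.iterfind(".//if:interfaces/if:interface", NS):
        name = intf.findtext("if:name", default="", namespaces=NS).strip()
        bound = intf.findtext(
            "nac:authentication-profile/nac:authentication-profile-name",
            default="", namespaces=NS).strip()
        if not bound:
            findings[name] = "no authentication profile bound"
        elif bound not in defined:
            # Typically a typo: the binding names a profile that was never created.
            findings[name] = f"bound to undefined profile {bound!r}"
    return findings
```

Calling `audit_bindings(SAMPLE_REPLY)` reports GigabitEthernet0/0/2 as unbound and GigabitEthernet0/0/3 as bound to the undefined profile `lz1`.
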
Configuring a Domain Name Resolution Scheme

This section provides a sample of configuring a domain name resolution scheme using the merge method.

Table 3-1501 Configuring a domain name resolution scheme

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/security-name-delimiter |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-delimiter |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-direction |
| | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-location |

Data Requirements

Table 3-1502 Configuring a domain name resolution scheme

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| security-name-delimiter | \ | Configure the security string delimiter. |
| domain-name-delimiter | \ | Configure the domain name delimiter. |
| domain-name-direction | left-to-right | Set the domain name resolution direction to left-to-right. |
| domain-name-location | after-delimiter | Set the domain name location to after-delimiter. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:domain-name-parameters>
            <hw-nac:security-name-delimiter>\</hw-nac:security-name-delimiter>
            <hw-nac:domain-name-delimiter>\</hw-nac:domain-name-delimiter>
            <hw-nac:domain-name-direction>left-to-right</hw-nac:domain-name-direction>
            <hw-nac:domain-name-location>after-delimiter</hw-nac:domain-name-location>
          </hw-nac:domain-name-parameters>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Interval for Re-authenticating Pre-connection Users

This section provides a sample of configuring the interval for re-authenticating pre-connection users using the merge method.

Table 3-1503 Configuring the interval for re-authenticating pre-connection users

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/pre-authen |

Data Requirements

Table 3-1504 Configuring the interval for re-authenticating pre-connection users

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| pre-authen | 40 | Set the interval for re-authenticating pre-connection users to 40 seconds. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:re-authen-period>
              <hw-nac:pre-authen>40</hw-nac:pre-authen>
            </hw-nac:re-authen-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Interval for Re-authenticating Users Who Fail to be Authenticated

This section provides a sample of configuring the interval for re-authenticating users who fail to be authenticated using the merge method.

Table 3-1505 Configuring the interval for re-authenticating users who fail to be authenticated

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail |

Data Requirements

Table 3-1506 Configuring the interval for re-authenticating users who fail to be authenticated

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| authen-fail | 200 | Set the interval for re-authenticating users who fail to be authenticated to 200 seconds. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:re-authen-period>
              <hw-nac:authen-fail>200</hw-nac:authen-fail>
            </hw-nac:re-authen-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Aging Time for Pre-connection User Entries

This section provides a sample of configuring the aging time for pre-connection user entries using the merge method.

Table 3-1507 Configuring the aging time for pre-connection user entries

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/pre-authen |

Data Requirements

Table 3-1508 Configuring the aging time for pre-connection user entries

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| pre-authen | 1000 | Set the aging time for pre-connection user entries to 1000 seconds. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:aging-period>
              <hw-nac:pre-authen>1000</hw-nac:pre-authen>
            </hw-nac:aging-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Aging Time for Entries of the Users Who Fail to be Authenticated

This section provides a sample of configuring the aging time for entries of the users who fail to be authenticated using the merge method.

Table 3-1509 Configuring the aging time for entries of the users who fail to be authenticated

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/authen-fail |

Data Requirements

Table 3-1510 Configuring the aging time for entries of the users who fail to be authenticated

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| authen-fail | 1000 | Set the aging time for entries of the users who fail to be authenticated to 1000 seconds. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:aging-period>
              <hw-nac:authen-fail>1000</hw-nac:authen-fail>
            </hw-nac:aging-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
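
The four timer requests above differ only in the container and leaf under timer, and each payload omits the configure-mode/unified-mode steps that the XPATH column lists. The following added example (not from the Huawei documentation) builds such a request from a single-leaf XPATH row and checks the reply; it assumes those two steps are schema-only nodes and that authentication-profile is keyed by name, and `build_edit_config` and `reply_ok` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NAC = "urn:huawei:params:xml:ns:yang:huawei-nac"
# Path steps the tables list but the request examples never serialize
# (assumed here to be YANG choice/case nodes).
SCHEMA_ONLY = {"configure-mode", "unified-mode"}
LIST_KEYS = {"authentication-profile": "name"}  # assumed list node -> key leaf
ET.register_namespace("hw-nac", NAC)  # same prefix as the page's examples


def build_edit_config(xpath, value, keys, message_id="0"):
    """Turn one single-leaf XPATH row from the tables into an edit-config request."""
    steps = [s.split(":")[-1] for s in xpath.strip("/").split("/")]
    steps = [s for s in steps if s not in SCHEMA_ONLY]
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    node = ET.SubElement(edit, f"{{{NC}}}config")
    for step in steps:
        node = ET.SubElement(node, f"{{{NAC}}}{step}")
        if step in LIST_KEYS:  # a list entry carries its key leaf first
            key = ET.SubElement(node, f"{{{NAC}}}{LIST_KEYS[step]}")
            key.text = keys[step]
    # Values are set as text nodes, so ElementTree escapes <, > and & on
    # output instead of letting inventory data become markup.
    node.text = str(value).lower() if isinstance(value, bool) else str(value)
    return ET.tostring(rpc, encoding="unicode")


def reply_ok(reply_xml):
    """True only for an rpc-reply that carries <ok/> and no <rpc-error>."""
    root = ET.fromstring(reply_xml)
    return (root.tag == f"{{{NC}}}rpc-reply"
            and root.find(f"{{{NC}}}ok") is not None
            and root.find(f"{{{NC}}}rpc-error") is None)
```
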
Configuring a Device to Send Accounting Packets for Address Updating

This section provides a sample of configuring a device to send accounting packets for address updating using the merge method.

Table 3-1511 Configuring a device to send accounting packets for address updating

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/update-ip-accounting |

Data Requirements

Table 3-1512 Configuring a device to send accounting packets for address updating

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| update-ip-accounting | true | Configure a device to send accounting packets for address updating. |

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:realtime-accounting-trigger xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:update-ip-accounting>true</hw-nac:update-ip-accounting>
          </hw-nac:realtime-accounting-trigger>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring a Device to Send Accounting Packets for Roaming

This section provides a sample of configuring a device to send accounting packets for roaming using the merge method.

Table 3-1513 Configuring a device to send accounting packets for roaming

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/roam-accounting |

Data Requirements

Table 3-1514 Configuring a device to send accounting packets for roaming

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| roam-accounting | true | Configure a device to send accounting packets for roaming. |

Request Example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:realtime-accounting-trigger xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:roam-accounting>true</hw-nac:roam-accounting>
          </hw-nac:realtime-accounting-trigger>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Device to Dynamically Adjust the Rate of Packets From NAC Users

This section provides a sample of configuring the device to dynamically adjust the rate of packets from NAC users using the merge method.

Table 3-1515 Configuring the device to dynamically adjust the rate of packets from NAC users

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/speed-limit-auto |

Data Requirements

Table 3-1516 Configuring the device to dynamically adjust the rate of packets from NAC users

| Item | Data | Description |
| --- | --- | --- |
| name | p1 | Configure the authentication profile named p1. |
| speed-limit-auto | true | Configure the device to dynamically adjust the rate of packets from NAC users. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:speed-limit-auto>true</hw-nac:speed-limit-auto>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Default Source IP Address of Offline Detection Packets

This section provides a sample of configuring the default source IP address of offline detection packets using the merge method.

Table 3-1517 Configuring the default source IP address of offline detection packets

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/default-detect-ip |

Data Requirements

Table 3-1518 Configuring the default source IP address of offline detection packets

| Item | Data | Description |
| --- | --- | --- |
| default-detect-ip | 0.0.0.0 | Set the default source IP address of offline detection packets to 0.0.0.0. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:arp-detect xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac:default-detect-ip>0.0.0.0</hw-nac:default-detect-ip>
        </hw-nac:arp-detect>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Configuring the Source IP Address and Source MAC Address of Offline Detection Packets in a VLAN

This section provides a sample of configuring the source IP address and source MAC address of offline detection packets in a VLAN using the merge method.

Table 3-1519 Configuring the source IP address and source MAC address of offline detection packets in a VLAN

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/vlan |
| | /huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/ip |
| | /huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/mac |

Data Requirements

Table 3-1520 Configuring the source IP address and source MAC address of offline detection packets in a VLAN

| Item | Data | Description |
| --- | --- | --- |
| vlan | 1 | Set the VLAN ID to VLAN 1. |
| ip | 192.168.1.1 | Set the IP address to 192.168.1.1. |
| mac | 2222-1111-1234 | Set the MAC address to 2222-1111-1234. |

Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:arp-detect>
          <hw-nac:detect-source>
            <hw-nac:detect-source-item xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
              <hw-nac:vlan>1</hw-nac:vlan>
              <hw-nac:ip>192.168.1.1</hw-nac:ip>
              <hw-nac:mac>2222-1111-1234</hw-nac:mac>
            </hw-nac:detect-source-item>
          </hw-nac:detect-source>
        </hw-nac:arp-detect>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>
Updated: 2019-03-06

Document ID: EDOC1100022096
