S600-E V200R012C00 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.
AAA Management

Data Model

The configuration model files matching AAA management are huawei-user-management.yang, huawei-aaa.yang and huawei-aaa-radius.yang.

Table 2-311  Local user

Object

Description

Value

Remarks

/huawei-user-management/user-management/local-user/user-name

Indicates the user name of a local user.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks (*), double quotation marks ("), or question marks (?).

N/A

/huawei-user-management/user-management/local-user/password

Indicates the password of a local user.

The value is a case-sensitive string without question marks (?) or spaces.

N/A

/huawei-user-management/user-management/local-user/privilege-level

Indicates the level of a local user.

The value is an integer that ranges from 0 to 15. A larger value indicates a higher level of a user.

N/A

/huawei-user-management/user-management/local-user/service-type

Indicates the access type of a local user.

The value can be:

  • dot1x: 802.1x user
  • api: API user
  • ftp: FTP user
  • http: HTTP user (typically used for web system login)
  • ppp: PPP user
  • ssh: SSH user
  • telnet: Telnet user (usually a network administrator)
  • terminal: end user (usually a user connected using a console port)
  • web: Portal authentication user
  • x25pad: X25-PAD user

N/A

/huawei-user-management/user-management/local-user/ftp-directory

Indicates the directory that FTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management/user-management/local-user/http-directory

Indicates the directory that HTTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/expire-date

Indicates the expiration time of a local account.

The value is a date that ranges from 2000-01-01 to 2099-12-31.

N/A

/huawei-user-management:user-management/local-user/time-range

Indicates the access permission time range of local accounts.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter.

N/A

/huawei-user-management:user-management/local-user/device-type-group/device-type

Indicates the type of terminal from which local users are allowed to access the network.

The value is a string of 1 to 31 case-insensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/user-type

Indicates that a local user is an NMS user.

Enumerated type. The value is net-manager.

N/A

/huawei-user-management/user-management/local-user/access-limit

Indicates the maximum number of connections that can be created with a specified user name.

The value is an integer that ranges from 1 to 4294967295.

N/A

/huawei-user-management/user-management/local-user/idle-time

Indicates the timeout period of the user account.

The value is an integer that ranges from 0 to 2147519, in seconds.

N/A

/huawei-user-management/user-management/local-user/state

Indicates the state of a local user.

Enumerated type. The value can be:
  • active: A local user is in active state. The device accepts and processes the authentication request from the user, and allows the user to change the password.
  • block: A local user is in blocking state. The device rejects the authentication request from the user and does not allow the user to change the password.

N/A

/huawei-user-management:user-management/administrator-password-police

Indicates the password policy for local administrators. The object includes:
  • enable: indicates whether the password policy is enabled for local administrators.
  • expire-day: indicates the password validity period.
  • alert-expire-day: indicates the password expiration prompt period.
  • alert-original: indicates whether the initial password change prompt function is enabled.
  • history-record-number: indicates the maximum number of historical passwords recorded for each user.

  • enable: The value is of the Boolean type:
    • true: The password policy is enabled for local administrators.
    • false: The password policy is disabled for local administrators.
    The default value is false.
  • expire-day: The value is an integer that ranges from 0 to 999, in days. The default value is 90.
  • alert-expire-day: The value is an integer that ranges from 0 to 999, in days. The default value is 30.
  • alert-original: The value is of the Boolean type:
    • true: The initial password change prompt function is enabled.
    • false: The initial password change prompt function is disabled.
    The default value is true.
  • history-record-number: The value is an integer that ranges from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/user-password-police

Indicates the password policy for local access users. The object includes:
  • enable: indicates whether the password policy is enabled for local access users.
  • history-record-number: indicates the maximum number of historical passwords recorded for each user.

  • enable: The value is of the Boolean type:
    • true: The password policy is enabled for local access users.
    • false: The password policy is disabled for local access users.
    The default value is false.
  • history-record-number: The value is an integer that ranges from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/wrong-password-police

Indicates the local account locking function. The object includes:
  • retry-interval: indicates the authentication retry interval of local users.
  • retry-time: indicates the maximum number of consecutive incorrect password attempts of a local account.
  • block-time: indicates the local account locking time.

  • retry-interval: The value is an integer that ranges from 5 to 65535, in minutes.
  • retry-time: The value is an integer that ranges from 3 to 65535.
  • block-time: The value is an integer that ranges from 5 to 65535, in minutes.

N/A

/huawei-user-management:user-management/password-option/complexity-check

Indicates whether the password complexity check function is enabled for local accounts.

The value is of the Boolean type:
  • true: The password complexity check function is enabled for local accounts.
  • false: The password complexity check function is disabled for local accounts.
The default value is true.

N/A
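The ranges and defaults in the Local user table are easy to mis-set, so a configuration audit that checks a user-management subtree against them is a natural companion to the model. The script below is an added example (not Huawei code) that works on a plain dict mirroring the YANG leaf names above; the sample configuration is constructed here, not read from a device, and treating an idle-time of 0 as "no idle timeout" is an assumption, not something the table states.

```python
"""Audit local-user and password-policy settings against the constraints and
defaults listed in the Local user table (added example, not Huawei code)."""
from datetime import date

# Characters the table forbids in user-name and password respectively.
USERNAME_FORBIDDEN = set(' *"?')
PASSWORD_FORBIDDEN = set(' ?')
SERVICE_TYPES = {"dot1x", "api", "ftp", "http", "ppp", "ssh", "telnet",
                 "terminal", "web", "x25pad"}
# service-type values whose protocol carries credentials in cleartext.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


def _in_range(value, lo, hi):
    return value is not None and lo <= value <= hi


def check_local_user(user):
    """Return (severity, message) findings for one local-user entry."""
    out = []
    name = user.get("user-name", "")
    if not 1 <= len(name) <= 64 or USERNAME_FORBIDDEN & set(name):
        out.append(("error", f'user-name {name!r}: 1-64 chars, no space * " ?'))
    pw = user.get("password", "")
    if not pw or PASSWORD_FORBIDDEN & set(pw):
        out.append(("error", "password: must be set and contain no spaces or '?'"))
    level = user.get("privilege-level")
    if not _in_range(level, 0, 15):
        out.append(("error", "privilege-level: must be 0-15"))
    types = set(user.get("service-type", []))
    if types - SERVICE_TYPES:
        out.append(("error", f"service-type: unknown {sorted(types - SERVICE_TYPES)}"))
    if level == 15 and types & CLEARTEXT_SERVICES:
        out.append(("warn", "level-15 account reachable over cleartext service "
                            f"{sorted(types & CLEARTEXT_SERVICES)}"))
    expire = user.get("expire-date")
    if expire is None:
        out.append(("warn", "expire-date: not set (no expiry configured)"))
    elif not date(2000, 1, 1) <= expire <= date(2099, 12, 31):
        out.append(("error", "expire-date: must be 2000-01-01..2099-12-31"))
    idle = user.get("idle-time")
    if idle is not None and not _in_range(idle, 0, 2147519):
        out.append(("error", "idle-time: must be 0-2147519 seconds"))
    elif idle == 0:
        # Assumption: 0 means no idle timeout is enforced.
        out.append(("warn", "idle-time: 0, no idle timeout enforced"))
    return out


def check_policies(cfg):
    """Findings for the policy objects that apply to every local account."""
    out = []
    admin = cfg.get("administrator-password-police") or {}
    if not admin.get("enable", False):          # table default: false
        out.append(("warn", "administrator-password-police: disabled (default), "
                            "expire-day and history-record-number not enforced"))
    else:
        for leaf, lo, hi, default in (("expire-day", 0, 999, 90),
                                      ("alert-expire-day", 0, 999, 30),
                                      ("history-record-number", 0, 12, 5)):
            if not _in_range(admin.get(leaf, default), lo, hi):
                out.append(("error", f"administrator-password-police/{leaf}: must be {lo}-{hi}"))
    lock = cfg.get("wrong-password-police")
    if lock is None:
        out.append(("warn", "wrong-password-police: not configured, "
                            "no local account locking on repeated failures"))
    else:
        for leaf, lo, hi in (("retry-interval", 5, 65535), ("retry-time", 3, 65535),
                             ("block-time", 5, 65535)):
            if not _in_range(lock.get(leaf), lo, hi):
                out.append(("error", f"wrong-password-police/{leaf}: must be {lo}-{hi}"))
    if not (cfg.get("password-option") or {}).get("complexity-check", True):  # default true
        out.append(("warn", "password-option/complexity-check: disabled"))
    return out


def audit(cfg):
    """Audit a whole user-management subtree; returns {scope: findings}."""
    report = {"policies": check_policies(cfg)}
    for user in cfg.get("local-user", []):
        report[user.get("user-name", "<unnamed>")] = check_local_user(user)
    return report


# Constructed sample: one hardened account and one with several weaknesses.
SAMPLE_CONFIG = {
    "local-user": [
        {"user-name": "netops", "password": "Str0ng-Pass!", "privilege-level": 15,
         "service-type": ["ssh"], "expire-date": date(2026, 12, 31), "idle-time": 600},
        {"user-name": "legacy admin", "password": "p?ss", "privilege-level": 15,
         "service-type": ["telnet", "ftp"], "idle-time": 0},
    ],
    "administrator-password-police": {"enable": False},
    "password-option": {"complexity-check": False},
}

if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        for severity, message in findings:
            print(f"[{severity}] {scope}: {message}")
```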
Table 2-312  AAA

Object

Description

Value

Remarks

/huawei-aaa:aaa/authentication-scheme/name

Indicates the name of an authentication scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authentication-scheme/authentication-mode

Indicates the authentication mode in an authentication scheme.

The value can be:

  • hwtacacs: Authenticates users using an HWTACACS server.
  • local: Authenticates users locally.
  • radius: Authenticates users using a RADIUS server.
  • none: Indicates non-authentication. That is, users access the network without being authenticated.

N/A

/huawei-aaa:aaa/authorization-scheme/name

Indicates the name of an authorization scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-mode

Indicates the authorization mode in an authorization scheme.

The value can be:

  • hwtacacs: Indicates that the user is authorized by an HWTACACS server.
  • if-authenticated: Indicates that only the user who succeeds in authentication (authentication exemption excluded) is authorized.
  • local: Indicates that the user is authorized locally.
  • none: Indicates non-authorization.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-cmd/authorization-cmd-item

Configures the administrator of a specific level to run only commands that are authorized by the HWTACACS server. The object includes:
  • privilege-level: Indicates the administrator level.
  • authorization-cmd-mode: Indicates the authorization backup mode.

  • privilege-level: The value is an integer that ranges from 0 to 15.
  • authorization-cmd-mode: The value can be:
    • local: Indicates that backup authorization is performed locally.
    • none: Indicates that no backup authorization is performed.

N/A

/huawei-aaa:aaa/accounting-scheme/name

Indicates the name of an accounting scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/accounting-scheme/accounting-mode

Indicates the accounting mode in an accounting scheme.

The value can be:

  • hwtacacs: Indicates that accounting is performed by an HWTACACS server.
  • radius: Indicates that accounting is performed by a RADIUS server.
  • none: Indicates non-accounting.

N/A

/huawei-aaa:aaa/accounting-scheme/start-accounting-fail/fail-policy

Indicates the policy for accounting-start failures.

Enumerated type. The value can be:

  • offline: rejects users' online requests if accounting-start fails.
  • online: allows users to go online if accounting-start fails.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-interval

Indicates the interval for real-time accounting.

The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-max-times

Indicates the maximum number of real-time accounting failures.

The value is an integer that ranges from 1 to 255. The default value is 3.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-policy

Indicates the policy for real-time accounting failures.

Enumerated type. The value can be:

  • offline: disconnects users if real-time accounting fails.
  • online: keeps users online if real-time accounting fails.

N/A

/huawei-aaa:aaa/service-scheme/name

Indicates the name of a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/service-scheme/admin-user-privilege-level

Indicates the level of a user who logs in to the device as an administrator.

The value is an integer that ranges from 0 to 15.

N/A

/huawei-aaa:aaa/service-scheme/voice-vlan-enable

Whether to enable the voice VLAN function in a service scheme.

Boolean type. The value can be:

  • true

  • false

N/A

/huawei-aaa:aaa/service-scheme/vlan

Specifies a user VLAN in a service scheme.

The value is an integer that ranges from 1 to 4094.

N/A

/huawei-aaa:aaa/service-scheme/acl

Indicates the number of an ACL bound to a service scheme.

The value is an integer that ranges from 3000 to 3999.

N/A

/huawei-aaa:aaa/service-scheme/ucl-group

Indicates the UCL group bound to a service scheme.

The value must be the name of an existing UCL group.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/idle-time

Indicates the period for which an idle user can stay online.

The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-value

Indicates the traffic threshold for the idle-cut function.

The value is an integer that ranges from 0 to 4294967295, in Kbytes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/flow-direction

Indicates the direction of traffic on which the idle-cut function takes effect.

Enumerated type. The value can be:

  • inbound: indicates that the idle-cut function takes effect only on upstream traffic of users.
  • outbound: indicates that the idle-cut function takes effect only on downstream traffic of users.

N/A

/huawei-aaa:aaa/aaa-domain

Indicates an authentication domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? "

N/A

/huawei-aaa:aaa/aaa-domain/authentication-scheme

Indicates the name of an authentication scheme bound to a domain.

The value must be the name of an existing authentication scheme.

N/A

/huawei-aaa:aaa/aaa-domain/authorization-scheme

Indicates the name of an authorization scheme bound to a domain.

The value must be the name of an existing authorization scheme.

N/A

/huawei-aaa:aaa/aaa-domain/accounting-scheme

Indicates the name of an accounting scheme bound to a domain.

The value must be the name of an existing accounting scheme.

N/A

/huawei-aaa:aaa/aaa-domain/service-scheme

Indicates the name of a service scheme bound to a domain.

The value must be the name of an existing service scheme.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Indicates the name of a RADIUS server template bound to a domain.

The value must be the name of an existing RADIUS server template.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Indicates the name of the HWTACACS server template that is applied in a domain.

The value must be the name of an existing HWTACACS server template.

N/A

/huawei-aaa:aaa/aaa-domain/statistics-enable

Indicates whether traffic statistics collection is enabled for users in a domain.

Boolean type. The value can be:

  • true
  • false

N/A

/huawei-aaa:aaa/remote-user-policy

Indicates the account locking function for remote AAA authentication. The object includes:
  • retry-interval: Specifies the authentication retry interval.
  • retry-time: Specifies the maximum number of consecutive authentication failures.
  • block-time: Specifies the account locking period.

  • retry-interval: The value is an integer that ranges from 5 to 65535, in minutes.
  • retry-time: The value is an integer that ranges from 3 to 65535.
  • block-time: The value is an integer that ranges from 5 to 65535, in minutes.

N/A

/huawei-aaa:aaa/global/authentication-bypass

Indicates whether the bypass authentication function is configured. The object includes:
  • bypass-enable: Indicates whether the bypass authentication function is enabled.
  • bypass-time: Specifies the bypass authentication timeout interval.

  • bypass-enable: The value is of the Boolean type and can be:
    • true: Indicates that the bypass authentication function is enabled.
    • false: Indicates that the bypass authentication function is disabled.
    The default value is false.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-bypass

Indicates whether the bypass authorization function is configured. The object includes:
  • bypass-enable: Indicates whether the bypass authorization function is enabled.
  • bypass-time: Specifies the bypass authorization timeout interval.

  • bypass-enable: The value is of the Boolean type and can be:
    • true: Indicates that the bypass authorization function is enabled.
    • false: Indicates that the bypass authorization function is disabled.
    The default value is false.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-cmd-bypass

Indicates whether the command-line bypass authorization function is configured. The object includes:
  • bypass-enable: Indicates whether the command-line bypass authorization function is enabled.
  • bypass-time: Specifies the command-line bypass authorization timeout interval.

  • bypass-enable: The value is of the Boolean type and can be:
    • true: Indicates that the command-line bypass authorization function is enabled.
    • false: Indicates that the command-line bypass authorization function is disabled.
    The default value is false.
  • bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-info-check/fail-policy

Indicates whether the device allows users to go online after the authorization information check fails.

The value can be:
  • online: Indicates that the device allows users to go online.
  • offline: Indicates that the device prohibits users from going online.
By default, the device allows users to go online after the authorization information check fails.

N/A

Table 2-313  RADIUS

Object

Description

Value

Remarks

/huawei-aaa-radius:radius/radius-server/name

Indicates the name of a RADIUS server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server

Configures a RADIUS authentication server. The object includes:
  • server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS authentication server.
  • port: indicates the port number of a RADIUS authentication server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS authentication server is bound. This parameter can be configured only when the RADIUS authentication server uses an IPv4 address.
  • weight: indicates the weight value of a RADIUS authentication server.
  • loopback-interface: indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (128 bits written as eight 16-bit hexadecimal fields).
  • port: The value is an integer that ranges from 1 to 65535.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • weight: The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server

Configures a RADIUS accounting server. The object includes:
  • server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS accounting server.
  • port: indicates the port number of a RADIUS accounting server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS accounting server is bound. This parameter can be configured only when the RADIUS accounting server uses an IPv4 address.
  • weight: indicates the weight value of a RADIUS accounting server.
  • loopback-interface: indicates the number of a loopback interface.

  • server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (128 bits written as eight 16-bit hexadecimal fields).
  • port: The value is an integer that ranges from 1 to 65535.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • weight: The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server/shared-key

Indicates the shared key of a RADIUS authentication server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server/shared-key

Indicates the shared key of a RADIUS accounting server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

The shared key of the RADIUS accounting server must be the same as that of the RADIUS authentication server.

/huawei-aaa-radius:radius/dynamic-authorization-server

Configures a RADIUS authorization server. The object includes:
  • server-ip-address: indicates the IP address of a RADIUS authorization server.
  • shared-key: indicates the shared key of a RADIUS authorization server.
  • vpn-instance: indicates the name of a VPN instance to which a RADIUS authorization server is bound.
  • ack-reserved-interval: indicates the duration for retaining a RADIUS authorization response packet.
  • server-group: indicates the name of a RADIUS server template corresponding to a RADIUS authorization server.

  • server-ip-address: The value is a valid unicast address in dotted decimal notation.
  • shared-key: The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • vpn-instance: The value must be the name of an existing VPN instance.
  • ack-reserved-interval: The value is an integer that ranges from 0 to 300, in seconds. The default value is 0.
  • server-group: The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/enable

Indicates whether RADIUS attribute translation is enabled.

Boolean type. The value can be:
  • true

  • false

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-normal

Configures standard RADIUS attribute translation. The object includes:
  • source-attribute-name: indicates the name of a source attribute.
  • destination-attribute-name: indicates the name of a destination attribute.
  • packet-type: indicates the packet type in which a standard RADIUS attribute is translated.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type:
    • receive: translates RADIUS attributes in received packets.
    • send: translates RADIUS attributes in sent packets.
    • access-request: translates RADIUS attributes in Authentication Request packets.
    • account-request: translates RADIUS attributes in Accounting Request packets.
    • access-accept: translates RADIUS attributes in Authentication Accept packets.
    • account-response: translates RADIUS attributes in Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend

Translates extended RADIUS attributes, that is, translates non-Huawei attributes not supported by the device into attributes supported by the device. The object includes:
  • source-attribute-name: indicates the name of a source attribute.
  • destination-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated.
  • destination-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated.
  • packet-type: indicates the packet type in which the extended RADIUS attribute is translated.

  • source-attribute-name: The value is a string of 1 to 64 characters.
  • destination-vendor-id: The value is an integer that ranges from 1 to 4294967295.
  • destination-sub-vendor-id: The value is an integer that ranges from 1 to 255.
  • packet-type: The value is of the enumerated type:
    • access-request: translates RADIUS attributes in Authentication Request packets.
    • account-request: translates RADIUS attributes in Accounting Request packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend-vendor

Translates extended RADIUS attributes, that is, translates attributes supported by the device into non-Huawei attributes not supported by the device. The object includes:
  • source-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated.
  • source-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated.
  • destination-attribute-name: indicates the name of a destination attribute.
  • packet-type: indicates the packet type in which the extended RADIUS attribute is translated.

  • source-vendor-id: The value is an integer that ranges from 1 to 4294967295.
  • source-sub-vendor-id: The value is an integer that ranges from 1 to 255.
  • destination-attribute-name: The value is a string of 1 to 64 characters.
  • packet-type: The value is of the enumerated type:
    • access-accept: translates RADIUS attributes in Authentication Accept packets.
    • account-response: translates RADIUS attributes in Accounting Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/disable-attribute

Disables a RADIUS attribute. The object includes:
  • attribute-name: indicates the name of the RADIUS attribute to be disabled.
  • option: indicates the packet type in which the RADIUS attribute is disabled.

  • attribute-name: The value is a string of 1 to 64 characters.
  • option: The value is of the enumerated type and can be either of the following:
    • receive: disables the RADIUS attribute in received packets.
    • send: disables the RADIUS attribute in sent packets.

N/A

/huawei-aaa-radius:radius/radius-server/set-attribute

Modifies a RADIUS attribute. The object includes:
  • attribute-name: Specifies the name of the attribute whose value is to be modified.
  • attribute-value: Specifies the target value that the attribute is to be changed to.
  • set-option: Specifies the packet type of the attribute whose value is to be modified.

  • attribute-name: The value is a string of 1 to 64 characters.
  • attribute-value: The value is automatically displayed.
  • set-option: The value is of the enumerated type:
    • auth-type mac: sets the user authentication mode to MAC address authentication. Only the Service-Type attribute supports this parameter.
    • user-type ipsession: indicates an IP session user. Only the Service-Type attribute supports this parameter.

N/A
/huawei-aaa-radius:radius/radius-server/options/user-name/format

Configures how the device encapsulates domain names in the user names carried in RADIUS packets sent to a RADIUS server.

Enumerated type. The value can be:
  • original: The device does not modify the user name entered by the user.
  • domain-include: The user name includes the domain name.
  • domain-exclude: The user name does not include the domain name.
  • domain-exclude-except-eap: The user name does not include the domain name (for authentication modes other than EAP authentication).

N/A

/huawei-aaa-radius:radius/radius-server/options/traffic-unit

Indicates the traffic unit used by a RADIUS server.

Enumerated type. The value can be:

  • byte
  • kbyte
  • mbyte
  • gbyte

N/A

/huawei-aaa-radius:radius/radius-server/options/dead-time

Indicates the interval after which a server returns to the active state.

The value is an integer that ranges from 1 to 65535, in minutes.

N/A

/huawei-aaa-radius:radius/radius-server/options/timeout-timer

Indicates the timeout interval of RADIUS request packets.

The value is an integer that ranges from 1 to 10, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/options/retransmit-time

Indicates the number of times RADIUS request packets can be retransmitted.

The value is an integer that ranges from 1 to 5.

N/A

/huawei-aaa-radius:radius/radius-server/options/account-stop-packet-resend-times

Indicates the number of times accounting-stop packets are retransmitted.

The value is an integer that ranges from 0 to 300. The default value is 3.

N/A

/huawei-aaa-radius:radius/radius-server/service-type

Indicates the reauthentication type.

Enumerated type. The value is with-authenonly-reauthen.

N/A

/huawei-aaa-radius:radius/radius-server/message-authenticator

Indicates the type of packets that carry the Message-Authenticator attribute.

Enumerated type. The value is access-request.

N/A

/huawei-aaa-radius:radius/radius-server/hw-dhcp-option-format

Indicates the format of the Huawei extended attribute HW-DHCP-Option.

Enumerated type. The value can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id

Sets the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. The object includes:

  • mac-address-format: indicates the separator in a MAC address.

  • mode: indicates the format of a MAC address.
  • letter: indicates whether letters in a MAC address are in uppercase or lowercase.
  • mac-address-format: The value is the enumerated type.
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is the enumerated type.
    • mode1: indicates that the MAC address in the called-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: indicates that the MAC address in the called-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is the enumerated type.
    • lowercase: indicates that the MAC address in the called-station-id attribute uses lowercase letters.
    • uppercase: indicates that the MAC address in the called-station-id attribute uses uppercase letters.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Sets the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets. The object includes:

  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • letter: indicates the style of letters in a MAC address.
  • mac-address-format: The value is the enumerated type.
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is the enumerated type.
    • mode1: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: The value is the enumerated type.
    • lowercase: indicates that the MAC address in the calling-station-id attribute uses lowercase letters.
    • uppercase: indicates that the MAC address in the calling-station-id attribute uses uppercase letters.
    • bin: indicates that the MAC address in the calling-station-id attribute is in binary notation.

N/A

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id

Sets the format of the MAC address that can be parsed by a device in the calling-station-id attribute carried in RADIUS dynamic authorization packets. The object includes:

  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • mac-address-format: The value is the enumerated type.
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: The value is the enumerated type.
    • common: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
    • compress: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.

N/A

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-attribute-sameastemplate

Indicates whether the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view. The value is of the Boolean type:

  • true: indicates that the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.
  • false: indicates that the device is disabled from parsing attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.

The default value is true.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/any/any-enable

Indicates whether the session management function is enabled. The value is of the Boolean type:

  • true: indicates that the session management function is enabled.
  • false: indicates that the session management function is disabled.

The default value is false.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/ip/client-item

Indicates the session management server. The object includes:

  • ip-address: specifies the IP address of the session management server.
  • vpn-instance: specifies the VPN instance bound to the session management server.
  • shared-key: specifies the shared key of the session management server.
  • ip-address: The value is in dotted decimal notation.
  • vpn-instance: The value is a string of 1 to 31 case-sensitive characters without spaces.
  • shared-key: The value is a case-sensitive character string without spaces or question marks (?).

N/A
/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Enables the function of checking whether a RADIUS Access-Accept packet carries a specified attribute.

The value is a string of 1 to 64 characters.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ip-address

Sets the NAS-IP-Address attribute in RADIUS packets sent by the device.

The value is a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ipv6-address

Sets the NAS-IPv6-Address attribute in RADIUS packets sent by the device.

The value is a 32-bit hexadecimal string in the X:X:X:X:X:X:X:X format.

N/A

/huawei-aaa-radius:radius/radius-server/server-detect-function
Creates a user account for automatic detection in the RADIUS server template.
  • server-detect-enable: indicates whether to enable automatic RADIUS server detection.
  • test-user-name: indicates the user name for automatic detection.
  • test-user-password: indicates the user password for automatic detection.
  • interval: indicates the RADIUS server automatic detection interval.
  • server-detect-enable: The value is of the Boolean type (true or false).
  • test-user-name: The value is a string of 1 to 253 case-sensitive characters without spaces.
  • test-user-password: The value is a string of case-sensitive characters without spaces or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • interval: The value is an integer that ranges from 5 to 3600, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/shared-key

Indicates the shared key of the RADIUS server in a RADIUS server template. The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

If shared keys are configured for the RADIUS authentication server, RADIUS accounting server, and RADIUS server template, the configurations for the servers have higher priorities. If no shared key is configured for the RADIUS authentication and accounting servers, the shared key configured in the RADIUS server template is used.

/huawei-aaa-radius:radius/server-shared-key/server-item

Configures the shared key of the RADIUS server globally. The object includes:

  • shared-key: specifies the shared key.
  • ip-address: specifies the IP address of the RADIUS server.
  • shared-key: The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • ip-address: The value is in IPv4 or IPv6 address format.

N/A
/huawei-aaa-radius:radius/radius-server/server-algorithm

Indicates the algorithm for selecting RADIUS servers.

Enumerated type. The value can be:

  • loading-share: sets the algorithm for selecting RADIUS servers to load balancing.
  • master-backup: sets the algorithm for selecting RADIUS servers to primary/secondary.

N/A

/huawei-aaa-radius:radius/global/options
Configures keepalive detection for the RADIUS server. The object includes:
  • dead-interval: indicates the detection interval of the RADIUS server.
  • dead-count: indicates the maximum number of consecutive packets that are not acknowledged by the RADIUS server.
  • dead-detect-condition: indicates the RADIUS server detection mode.
  • dead-interval: The value is an integer that ranges from 1 to 300, in seconds.
  • dead-count: The value is an integer that ranges from 1 to 65535.
  • dead-detect-condition: Enumerated type. The value is by-server-ip.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format
Indicates the encapsulation format of the NAS-Port attribute. The object includes:
  • self-designed-format: indicates the self-defined format of the NAS-Port attribute.
  • format: indicates the format of the NAS-Port attribute.
  • self-designed-format: The value is a string of 1 to 32 characters.
  • format: Enumerated type. The value can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-identifier-format

Indicates the encapsulation content of the NAS-Identifier attribute.

Enumerated type. The value can be hostname or vlan-id.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-id-format

Indicates the encapsulation format of the NAS-Port-Id attribute.

Enumerated type. The value can be new or old.

N/A
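The formatter below is an added example, not code from Huawei's documentation. It renders a MAC address the way the mac-format-calling-station-id options above describe (mode1/mode2, dot/hyphen/unformatted, lowercase/uppercase; the bin letter style is not modelled because its encoding is not specified) and parses one back under the decode-mac-format-calling-station-id options, so an operator can confirm that the Calling-Station-Id a CoA/DM server sends will be understood by the device. The option names are the page's; the function names are my own.

```python
import re
from string import hexdigits

# Option values as named by the mac-format-calling-station-id and
# decode-mac-format-calling-station-id objects in the data model above.
SEPARATORS = {"dot-split": ".", "hyphen-split": "-", "unformatted": ""}
ENCAP_GROUP = {"mode1": 4, "mode2": 2}        # XXXX-XXXX-XXXX vs XX-XX-XX-XX-XX-XX
DECODE_GROUP = {"compress": 4, "common": 2}   # same two layouts, dynamic-authorization names


def _hex_digits(mac: str) -> str:
    """Strip dot/hyphen/colon separators and return the 12 hex digits of a MAC."""
    digits = re.sub(r"[-.:]", "", mac.strip())
    if len(digits) != 12 or any(c not in hexdigits for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_calling_station_id(mac: str, mac_address_format: str = "hyphen-split",
                              mode: str = "mode2", letter: str = "uppercase") -> str:
    """Render a MAC the way the device encapsulates Calling-Station-Id for the
    given options. The 'bin' letter style is not modelled."""
    digits = _hex_digits(mac)
    if letter == "lowercase":
        digits = digits.lower()
    elif letter == "uppercase":
        digits = digits.upper()
    else:
        raise ValueError(f"unsupported letter style: {letter!r}")
    group, sep = ENCAP_GROUP[mode], SEPARATORS[mac_address_format]
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def decode_calling_station_id(value: str, mac_address_format: str = "hyphen-split",
                              mode: str = "common"):
    """Parse Calling-Station-Id from a dynamic authorization (CoA/DM) packet the
    way the device does under the given decode options. Returns the 12 lowercase
    hex digits, or None when the value is not in the configured layout."""
    group, sep = DECODE_GROUP[mode], SEPARATORS[mac_address_format]
    if sep:
        parts = value.split(sep)
    else:
        parts = [value[i:i + group] for i in range(0, len(value), group)]
    if len(parts) != 12 // group:
        return None
    if any(len(p) != group or any(c not in hexdigits for c in p) for p in parts):
        return None
    return "".join(parts).lower()


def decode_matches_encapsulation(encap_options, decode_options) -> bool:
    """True when a CoA server that echoes the NAS's own Calling-Station-Id back
    verbatim is parsed successfully under the device's decode options.
    encap_options = (mac-address-format, mode, letter);
    decode_options = (mac-address-format, mode)."""
    sample = format_calling_station_id("00-1a-2b-3c-4d-5e", *encap_options)  # constructed MAC
    return decode_calling_station_id(sample, *decode_options) is not None


if __name__ == "__main__":
    print(format_calling_station_id("00:1a:2b:3c:4d:5e", "dot-split", "mode1", "lowercase"))
    print(decode_matches_encapsulation(("hyphen-split", "mode2", "uppercase"),
                                       ("hyphen-split", "compress")))
```

A False result from decode_matches_encapsulation is the symptom behind unmatched CoA/DM requests: the NAS sends mode2 but is configured to decode only the compress layout.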

Configuring a Local User

This section describes how to configure a local user using the merge method.

Table 2-314  Configuring a local user

Operation

XPATH

edit-config:merge

/huawei-user-management/user-management/local-user

Data Requirements
Table 2-315  Configuring a local user

Item

Data

Description

User name of a local user

huawei123

Set the user name of a local user to huawei123.

Password of a local user

huawei@123

Set the password of a local user to huawei@123.

Level of a local user

15

Set the level of a local user to 15.

Access type of a local user

ftp

Set the access type of a local user to FTP.

Directory that FTP users can access

flash:

Set the directory that FTP users can access to flash:.

Maximum number of connections that users can establish

4294967295

Set the maximum number of connections that users can establish to 4294967295.

Timeout period of the user account

110

Set the timeout period of the user account to 110 seconds.

State of a local user

active

Set the state of a local user to active.

Expiration time of a local user name

2019-09-21T16:10:21.52Z

Set the expiration time of a local user name to 2019-09-21T16:10:21.52Z.

Access permission time range of a local user

time1

Set the access permission time range of a local user to time1.

Type of terminals that allow local users to access the network

ipphone

Set the type of terminals that allow local users to access the network to ipphone.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:local-user>
          <hw-user-management:user-name>huawei123</hw-user-management:user-name>
          <hw-user-management:privilege-level>15</hw-user-management:privilege-level>
          <hw-user-management:service-type>ftp</hw-user-management:service-type>
          <hw-user-management:password>huawei@123</hw-user-management:password>
          <hw-user-management:ftp-directory>flash:</hw-user-management:ftp-directory>
          <hw-user-management:access-limit>4294967295</hw-user-management:access-limit>
          <hw-user-management:idle-time>110</hw-user-management:idle-time>
          <hw-user-management:state>active</hw-user-management:state>
          <hw-user-management:expire-date>2019-09-21T16:10:21.52Z</hw-user-management:expire-date>
          <hw-user-management:time-range>time1</hw-user-management:time-range>
          <hw-user-management:device-type-group>
           <hw-user-management:device-type>ipphone</hw-user-management:device-type>
          </hw-user-management:device-type-group>
        </hw-user-management:local-user>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The password length must range from 8 to 128</error-message>
  <error-info>Error on node /huawei-user-management:user-management/local-user[user-name="huawei123"]/password</error-info>
 </rpc-error>
</rpc-reply>

Configuring Security of the Local User Password

This section provides a sample of configuring security of the local user password using the merge method.

Table 2-316  Configuring security of the local user password

Operation

XPATH

edit-config:merge

  • /huawei-user-management:user-management/administrator-password-police
  • /huawei-user-management:user-management/user-password-police
  • /huawei-user-management:user-management/wrong-password-police
  • /huawei-user-management:user-management/password-option/complexity-check
Data Requirements
Table 2-317  Configuring security of the local user password

Item

Data

Description

Password policy of the local administrator

  • Whether to enable the password policy for the local administrator: true
  • Password expiration period: 90.
  • Password expiration prompt period: 5.
  • Whether to enable the initial password change prompt function: true
  • Maximum number of historical passwords recorded for each user: 5.

Enable the password policy for the local administrator, set the password expiration period to 90 days, configure the system to prompt users to change the password 5 days before the password expires, enable the initial password change prompt function, and set the maximum number of historical passwords recorded for each user to 5.

Password policy for local access users

  • Whether to enable the password policy for local access users: true
  • Maximum number of historical passwords recorded for each user: 5

Enable the password policy for local access users and set the maximum number of historical passwords recorded for each user to 5.

Local account locking function
  • Whether to enable the function of locking the password of a local account: true
  • Authentication retry interval of a user: 5
  • Maximum number of consecutive incorrect password attempts: 3
  • Account locking time: 10

Enable the function of locking the password of the local account, and set the user retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking time to 10 minutes.

Whether to enable the password complexity check

true

Enable the password complexity check.

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:administrator-password-police>
          <hw-user-management:enable>true</hw-user-management:enable>
          <hw-user-management:expire-day>90</hw-user-management:expire-day>
          <hw-user-management:alert-expire-day>5</hw-user-management:alert-expire-day>
          <hw-user-management:alert-original>true</hw-user-management:alert-original>
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number>
        </hw-user-management:administrator-password-police>
        <hw-user-management:user-password-police>
          <hw-user-management:enable>true</hw-user-management:enable>
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number>
        </hw-user-management:user-password-police>
        <hw-user-management:wrong-password-police>
          <hw-user-management:retry-interval>5</hw-user-management:retry-interval>
          <hw-user-management:retry-times>3</hw-user-management:retry-times>
          <hw-user-management:block-time>10</hw-user-management:block-time>
        </hw-user-management:wrong-password-police>
        <hw-user-management:password-option>
          <hw-user-management:complexity-check>true</hw-user-management:complexity-check>
        </hw-user-management:password-option>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-user-management:user-management/administrator-password-police/expire-day</error-path>
    <error-message>parse rpc config error.(Value "1000" does not satisfy the constraint "0..999" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>
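The helper below is an added example (not Huawei's code) serving both the local-user and the password-security procedures above. With only Python's standard library it builds the huawei-user-management edit-config, pre-checks the two constraints the failed responses reveal (password length 8 to 128, expire-day 0..999), and normalises both rpc-error layouts shown on this page into one structure; the function names and the embedded replies are my own, constructed from the samples.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
UM_NS = "urn:huawei:params:xml:ns:yang:huawei-user-management"
ET.register_namespace("", NC_NS)
ET.register_namespace("hw-user-management", UM_NS)

# Constraints quoted from the failed responses above; no other leaf constraint is modelled.
PASSWORD_LEN = (8, 128)   # "The password length must range from 8 to 128"
EXPIRE_DAY = (0, 999)     # 'Value "1000" does not satisfy the constraint "0..999"'
UM_PATH = "/huawei-user-management:user-management"


@dataclass
class LocalUser:
    user_name: str
    password: str
    privilege_level: int = 15
    service_type: str = "ftp"


def validate_local_user(user: LocalUser) -> list:
    """Device-style error strings for a local-user the device would reject."""
    errors = []
    if not PASSWORD_LEN[0] <= len(user.password) <= PASSWORD_LEN[1]:
        errors.append(f'{UM_PATH}/local-user[user-name="{user.user_name}"]/password: '
                      f"length must range from {PASSWORD_LEN[0]} to {PASSWORD_LEN[1]}")
    return errors


def validate_admin_password_policy(expire_day: int) -> list:
    """Range check mirroring the expire-day rejection in the failed response above."""
    errors = []
    if not EXPIRE_DAY[0] <= expire_day <= EXPIRE_DAY[1]:
        errors.append(f"{UM_PATH}/administrator-password-police/expire-day: "
                      f'value "{expire_day}" does not satisfy "{EXPIRE_DAY[0]}..{EXPIRE_DAY[1]}"')
    return errors


def _um(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{UM_NS}}}{tag}")
    if text is not None:
        el.text = str(text)
    return el


def build_edit_config(message_id: str, user: LocalUser = None, expire_day: int = None) -> str:
    """Serialise an edit-config merge on <running> carrying a local-user and/or the
    administrator password policy, in the element order of the request samples."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    um = ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}config"), f"{{{UM_NS}}}user-management")
    if user is not None:
        lu = _um(um, "local-user")
        _um(lu, "user-name", user.user_name)
        _um(lu, "privilege-level", user.privilege_level)
        _um(lu, "service-type", user.service_type)
        _um(lu, "password", user.password)
    if expire_day is not None:
        pol = _um(um, "administrator-password-police")
        _um(pol, "enable", "true")
        _um(pol, "expire-day", expire_day)
    return ET.tostring(rpc, encoding="unicode")


def parse_rpc_reply(xml_text: str) -> dict:
    """Normalise both rpc-error shapes shown on this page: one carries error-path,
    the other an error-info of the form 'Error on node <path>'."""
    ns = {"nc": NC_NS}
    root = ET.fromstring(xml_text)
    if root.find("nc:ok", ns) is not None:
        return {"ok": True, "errors": []}
    errors = []
    for err in root.findall("nc:rpc-error", ns):
        path = err.findtext("nc:error-path", namespaces=ns)
        info = err.findtext("nc:error-info", default="", namespaces=ns).strip()
        if path is None and info.startswith("Error on node "):
            path = info[len("Error on node "):]
        errors.append({"message": err.findtext("nc:error-message", default="", namespaces=ns).strip(),
                       "path": path, "app_tag": err.findtext("nc:error-app-tag", namespaces=ns)})
    return {"ok": False, "errors": errors}


# Constructed replies modelled on the response samples above, for offline testing.
REPLY_OK = f'<rpc-reply xmlns="{NC_NS}" message-id="1"><ok/></rpc-reply>'
REPLY_FAIL_INFO = f"""<rpc-reply xmlns="{NC_NS}" message-id="1"><rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The password length must range from 8 to 128</error-message>
  <error-info>Error on node {UM_PATH}/local-user[user-name="huawei123"]/password</error-info>
</rpc-error></rpc-reply>"""
REPLY_FAIL_PATH = f"""<rpc-reply xmlns="{NC_NS}" message-id="123"><rpc-error>
  <error-type>application</error-type><error-tag>operation-failed</error-tag>
  <error-path>{UM_PATH}/administrator-password-police/expire-day</error-path>
  <error-message>parse rpc config error.(Value "1000" does not satisfy the constraint "0..999".)</error-message>
</rpc-error></rpc-reply>"""
```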

Configuring an AAA Scheme

This section describes how to configure an AAA scheme using the merge method.

Table 2-318  Configuring an AAA scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa

Data Requirements
Table 2-319  Configuring an AAA scheme

Item

Data

Description

Name of an authentication scheme

authen1

Set the name of an authentication scheme to authen1.

Authentication mode in an authentication scheme

hwtacacs

Set the authentication mode in an authentication scheme to HWTACACS.

Name of an authorization scheme

author1

Set the name of an authorization scheme to author1.

HWTACACS server-based command line authorization

Authorization level: 15, backup authorization mode: local

Configure the HWTACACS server-based command line authorization function for the level-15 administrator and change the command line authorization mode to the local authorization mode if the HWTACACS server does not respond to the command line authorization.

Authorization mode in an authorization scheme

hwtacacs

Set the authorization mode in an authorization scheme to HWTACACS.

Name of an accounting scheme

acct1

Set the name of an accounting scheme to acct1.

Accounting mode in an accounting scheme

hwtacacs

Set the accounting mode in an accounting scheme to HWTACACS.

Policy for accounting-start failures

online

Set the policy for accounting-start failures to online. That is, users are allowed to go online if accounting-start fails.

Interval for real-time accounting

15

Set the interval for real-time accounting to 15 minutes.

Maximum number of real-time accounting failures

5

Set the maximum number of real-time accounting failures to 5.

Policy for real-time accounting failures

offline

Set the policy for real-time accounting failures to offline. That is, users are disconnected if real-time accounting fails.

Whether to enable the bypass authentication function

true

Enable the bypass authentication function and set the bypass authentication timeout interval to 13 minutes.

Bypass authentication timeout interval

13

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-mode>hwtacacs</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:authorization-scheme>
          <hw-aaa:name>author1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authorization-mode>hwtacacs</hw-aaa:authorization-mode>
          <hw-aaa:authorization-cmd>
            <hw-aaa:authorization-cmd-item>
              <hw-aaa:privilege-level>15</hw-aaa:privilege-level>
              <hw-aaa:authorization-cmd-mode>local</hw-aaa:authorization-cmd-mode>
            </hw-aaa:authorization-cmd-item>
          </hw-aaa:authorization-cmd>
        </hw-aaa:authorization-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acct1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:accounting-mode>hwtacacs</hw-aaa:accounting-mode>
          <hw-aaa:start-accounting-fail>
            <hw-aaa:fail-policy>online</hw-aaa:fail-policy>
          </hw-aaa:start-accounting-fail>
          <hw-aaa:realtime-accounting>
            <hw-aaa:realtime-interval>15</hw-aaa:realtime-interval>
            <hw-aaa:realtime-fail>
              <hw-aaa:fail-policy>offline</hw-aaa:fail-policy>
              <hw-aaa:fail-max-times>5</hw-aaa:fail-max-times>
            </hw-aaa:realtime-fail>
          </hw-aaa:realtime-accounting>
        </hw-aaa:accounting-scheme>
        <hw-aaa:global>
          <hw-aaa:authentication-bypass>
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable>
            <hw-aaa:bypass-time>13</hw-aaa:bypass-time>
          </hw-aaa:authentication-bypass>
        </hw-aaa:global>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>invalid authen scheme name</error-message>
  <error-info>Error on node /huawei-aaa:aaa/authentication-scheme[name="authen1authen1authen1authen1authen1",vsys="ads"]/name</error-info>
 </rpc-error>
</rpc-reply>

Configuring a Service Scheme

Creating a Service Scheme

This section describes how to create a service scheme using the merge method.

Table 2-320  Creating a service scheme

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/service-scheme

Data Requirement
Table 2-321  Creating a service scheme

Item

Data

Description

Name of a service scheme

lsw_serv

Set the name of a service scheme to lsw_serv.

Level of a user who logs in to the device as an administrator

2

Set the level of a user who logs in to the device as an administrator to 2.

Whether to enable the voice VLAN function in a service scheme

true

Enable the voice VLAN function in a service scheme.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>vsys</vsys>
    <admin-user-privilege-level>2</admin-user-privilege-level>
    <voice-vlan-enable>true</voice-vlan-enable>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_servlsw_servlsw_servlsw_servlsw_serv",vsys="vsys"]/name</error-info>
 </rpc-error>
</rpc-reply> 
Configuring a User VLAN in a Service Scheme

This section describes how to configure a user VLAN in a service scheme using the rpc method.

Table 2-322  Configuring a user VLAN in a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirement
Table 2-323  Configuring a user VLAN in a service scheme

Item

Data

Description

ID of the user VLAN configured in a service scheme

121

Configure user VLAN 121 in the service scheme.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <vlans xmlns="urn:huawei:params:xml:ns:yang:huawei-vlan">
   <vlan xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <id>121</id>
   </vlan>
  </vlans>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys> 
    <vlan>121</vlan>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/vlan</error-info>
 </rpc-error>
</rpc-reply>
Binding an ACL to a Service Scheme

This section describes how to bind an ACL to a service scheme using the rpc method.

Table 2-324  Binding an ACL to a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirement
Table 2-325  Binding an ACL to a service scheme

Item

Data

Description

Number of the ACL bound to a service scheme

3101

Bind ACL 3101 to a service scheme.

Request Example
NOTE:

Before binding an ACL to a service scheme, create the ACL first using the acl (system view) command.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <acl>3101</acl>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Unrecognized information.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/acl[.="3101"]</error-info>
 </rpc-error>
</rpc-reply>
Binding a UCL Group to a Service Scheme

This section describes how to bind a UCL group to a service scheme using the rpc method.

Table 2-326  Binding a UCL group to a service scheme

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme

Data Requirement
Table 2-327  Binding a UCL group to a service scheme

Item

Data

Description

Name of a UCL group bound to a service scheme

lsw_ucl

Bind the UCL group lsw_ucl to a service scheme.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
   <ucl-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <index>31</index>
    <name>lsw_ucl</name> 
    <ip>
     <ip>10.1.1.1</ip>
     <prefix-length>24</prefix-length>
    </ip>
   </ucl-group>
  </nac-access>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <ucl-group>lsw_ucl</ucl-group>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The ucl-group is not exist.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/ucl-group</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Server

Creating a RADIUS Server Template

This section describes how to create a RADIUS server template using the rpc method.

Table 2-328  Creating a RADIUS server template

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement
Table 2-329  Creating a RADIUS server template

Item

Data

Description

Name of a RADIUS server template

rds

Create a RADIUS server template named rds.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server template name</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrds",vsys="public"]/name</error-info>
 </rpc-error>
</rpc-reply>
Configuring a RADIUS Authentication Server

This section describes how to configure a RADIUS authentication server using the rpc method.

Table 2-330  Configuring a RADIUS authentication server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement
Table 2-331  Configuring a RADIUS authentication server

Item

Data

Description

IPv4 address of the RADIUS authentication server

10.1.1.1

Set the IPv4 address of the RADIUS authentication server to 10.1.1.1.

Port number of the RADIUS authentication server

1816

Set the port number of the RADIUS authentication server to 1816.

Weight value of the RADIUS authentication server

100

Set the weight value of the RADIUS authentication server to 100.

Shared key of the RADIUS authentication server

huawei@123

Set the shared key of the RADIUS authentication server to huawei@123.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/authentication-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply> 
Configuring a RADIUS Accounting Server

This section describes how to configure a RADIUS accounting server using the rpc method.

Table 2-332  Configuring a RADIUS accounting server

Operation

XPATH

edit-config:create

/huawei-aaa-radius:radius/radius-server

Data Requirement
Table 2-333  Configuring a RADIUS accounting server

Item

Data

Description

IPv4 address of the RADIUS accounting server

10.1.1.1

Set the IPv4 address of the RADIUS accounting server to 10.1.1.1.

Port number of the RADIUS accounting server

1817

Set the port number of the RADIUS accounting server to 1817.

Weight value of the RADIUS accounting server

100

Set the weight value of the RADIUS accounting server to 100.

Shared key of the RADIUS accounting server

huawei@123

Set the shared key of the RADIUS accounting server to huawei@123.

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>
Configuring a RADIUS Authorization Server

This section describes how to configure a RADIUS authorization server using the rpc method.

Table 2-334  Configuring a RADIUS authorization server

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/dynamic-authorization-server |

Data Requirement
Table 2-335  Configuring a RADIUS authorization server

| Item | Data | Description |
|---|---|---|
| IP address of the RADIUS authorization server | 10.1.1.1 | Set the IP address of the RADIUS authorization server to 10.1.1.1. |
| Shared key of the RADIUS authorization server | huawei@123 | Set the shared key of the RADIUS authorization server to huawei@123. |
| Duration for retaining a RADIUS authorization response packet | 10 | Set the duration for retaining a RADIUS authorization response packet to 10s. |
| Name of the RADIUS server template corresponding to the RADIUS authorization server | rds | Configure the RADIUS server template rds for the RADIUS authorization server. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
   <dynamic-authorization-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <server-ip-address>10.1.1.1</server-ip-address>
    <vsys>public</vsys>
    <shared-key>huawei@123</shared-key>
    <ack-reserved-interval>10</ack-reserved-interval>
    <server-group>rds</server-group>
   </dynamic-authorization-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The server template does not exist.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-server[server-ip-address="10.1.1.1",vsys="public"]</error-info>
 </rpc-error>
</rpc-reply> 
Configuring RADIUS Attribute Translation

This section describes how to configure RADIUS attribute translation using the rpc method.

Table 2-336  Configuring RADIUS attribute translation

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/translate-attribute |

Data Requirement
Table 2-337  Configuring RADIUS attribute translation

| Item | Data | Description |
|---|---|---|
| Whether to enable RADIUS attribute translation | true | Enable RADIUS attribute translation. |
| Name of a source RADIUS attribute | nas-identifier | Set the source RADIUS attribute to nas-identifier. |
| Name of a destination RADIUS attribute | nas-port-id | Set the destination RADIUS attribute to nas-port-id. |
| Type of packets whose RADIUS attributes need to be translated | send | Translate RADIUS attributes for sent packets. |
| Name of an extended source RADIUS attribute | HW-URL-Flag | Set the source extended RADIUS attribute to HW-URL-Flag. |
| Vendor ID in the translated extended RADIUS attributes | 9 | Set the vendor ID in the translated extended RADIUS attributes to 9. |
| Sub ID in the translated extended RADIUS attributes | 2 | Set the sub ID in the translated extended RADIUS attributes to 2. |
| Type of packets whose extended RADIUS attributes need to be translated (the non-Huawei attributes not supported by the device will be translated to the attributes supported by the device) | access-request | Translate RADIUS attributes for Authentication Request packets. |
| Vendor ID in the extended RADIUS attributes to be translated | 9 | Set the vendor ID in the extended RADIUS attributes to be translated to 9. |
| Sub ID in the extended RADIUS attributes to be translated | 11 | Set the sub ID in the extended RADIUS attributes to be translated to 11. |
| Name of a translated destination attribute | HW-Access-Type | Set the translated destination attribute to HW-Access-Type. |
| Type of packets whose extended RADIUS attributes need to be translated (the attributes supported by the device will be translated to the non-Huawei attributes not supported by the device) | access-accept | Translate RADIUS attributes for Authentication Accept packets. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <translate-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <enable>true</enable>
      <translate-normal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>nas-identifier</source-attribute-name>
      <destination-attribute-name>nas-port-id</destination-attribute-name>
      <packet-type>send</packet-type>
     </translate-normal>
     <translate-extend xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>HW-URL-Flag</source-attribute-name>
      <destination-vendor-id>9</destination-vendor-id>
      <destination-sub-vendor-id>2</destination-sub-vendor-id>
      <packet-type>access-request</packet-type>
     </translate-extend>
     <translate-extend-vendor xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-vendor-id>9</source-vendor-id>
      <source-sub-vendor-id>11</source-sub-vendor-id>
      <destination-attribute-name>HW-Access-Type</destination-attribute-name>
      <packet-type>access-accept</packet-type>
     </translate-extend-vendor>
    </translate-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/translate-attribute/translate-normal[source-attribute-name="nas-identifier1"]</error-info>
 </rpc-error>
</rpc-reply>
Disabling a RADIUS Attribute

This section describes how to disable a RADIUS attribute using the rpc method.

Table 2-338  Disabling a RADIUS attribute

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/disable-attribute |

Data Requirement
Table 2-339  Disabling a RADIUS attribute

| Item | Data | Description |
|---|---|---|
| Name of the RADIUS attribute to be disabled | HW-Exec-Privilege | Set the RADIUS attribute to be disabled to HW-Exec-Privilege. |
| Type of packets in which the RADIUS attribute is to be disabled | receive | Disable the RADIUS attribute for received packets. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <disable-attribute xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
     <attribute-name>HW-Exec-Privilege</attribute-name>
     <option>receive</option>
    </disable-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Process radius-attribute return error</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/disable-attribute[attribute-name="HW-Exec-Privilege1"]</error-info>
 </rpc-error>
</rpc-reply>
Modifying the Value of a RADIUS Attribute

This section describes how to modify the value of a RADIUS attribute using the rpc method.

Table 2-340  Modifying the value of a RADIUS attribute

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/set-attribute |

Data Requirement
Table 2-341  Modifying the value of a RADIUS attribute

| Item | Data | Description |
|---|---|---|
| Name of the RADIUS attribute to be modified | Service-Type | Set the RADIUS attribute to be modified to Service-Type. |
| Modified value of the RADIUS attribute | 5 | Modify the value of the RADIUS attribute to 5. |
| User authentication mode | auth-type-mac | Set the user authentication mode to MAC address authentication. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <set-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <attribute-name>Service-Type</attribute-name>
     <attribute-value>5</attribute-value>
     <set-option>auth-type-mac</set-option>
    </set-attribute>  
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/set-attribute[attribute-name="Service-Type1"]</error-info>
 </rpc-error>
</rpc-reply>
Configuring the Format of User Names in RADIUS Packets to Be Sent to a RADIUS Server

This section describes how to configure the format of user names in RADIUS packets to be sent to a RADIUS server using the rpc method.

Table 2-342  Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/options/user-name/format |

Data Requirement
Table 2-343  Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

| Item | Data | Description |
|---|---|---|
| Whether to configure the device not to modify the user names entered by users in the packets sent to a RADIUS server | original | Configure the device not to modify the user names entered by users in the packets sent to a RADIUS server. |

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:options>
            <hw-aaa-radius:user-name>
              <hw-aaa-radius:format>original</hw-aaa-radius:format>
            </hw-aaa-radius:user-name>
          </hw-aaa-radius:options>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>
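As an added example that is not part of the Huawei reference, the following Python script builds the accounting-server edit-config from Table 2-333 and classifies the three rpc-reply shapes shown in the Response Example sections above: a bare ok, an rpc-error carrying error-app-tag and error-info, and an rpc-error carrying error-type, error-tag and error-severity (the last form names no failing node, so the message text is all a caller gets). It uses only the standard library; the nc prefix and the function names are this example's own choices, and the sample replies are copied from the page.

```python
"""Build the edit-config from Table 2-333 and classify the switch's <rpc-reply>.

Added example, not code from the Huawei reference; standard library only.  The
reply samples are copied from the Response Example sections of this page.  The
"nc" prefix and the function names are this example's own choices.
"""
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW = "urn:huawei:params:xml:ns:yang:huawei-aaa-radius"
ET.register_namespace("nc", NC)
ET.register_namespace("hw-aaa-radius", HW)


def _nc(tag):
    return f"{{{NC}}}{tag}"


def _hw(tag):
    return f"{{{HW}}}{tag}"


def build_accounting_server_rpc(message_id, template, server_ip, port,
                                shared_key, weight, vsys="public"):
    """Return the <rpc> that creates a RADIUS accounting server in a template."""
    rpc = ET.Element(_nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc("running"))
    # rollback-on-error, as in several requests on this page: if any node is
    # rejected the whole edit is discarded, so one bad leaf cannot leave a
    # half-configured server template in the running configuration.
    ET.SubElement(edit, _nc("error-option")).text = "rollback-on-error"
    radius = ET.SubElement(ET.SubElement(edit, _nc("config")), _hw("radius"))
    server = ET.SubElement(radius, _hw("radius-server"))
    ET.SubElement(server, _hw("name")).text = template
    ET.SubElement(server, _hw("vsys")).text = vsys
    acct = ET.SubElement(server, _hw("accounting-server"))
    for leaf, value in (("server-ip-address", server_ip), ("port", port),
                        ("shared-key", shared_key), ("weight", weight)):
        ET.SubElement(acct, _hw(leaf)).text = str(value)
    return ET.tostring(rpc, encoding="unicode")


# error-info on this page has the form "Error on node <instance path>".
_NODE_RE = re.compile(r"^Error on node (?P<path>/\S+)$")


def classify_reply(reply_xml, expected_message_id=None):
    """Parse an <rpc-reply> into {'message_id', 'ok', 'errors'}.

    Each error keeps the fields the switch filled in (None for the rest) plus
    'node', the failing instance path from error-info.  A message-id mismatch
    raises, since a reply to some other request says nothing about this one.
    """
    root = ET.fromstring(reply_xml)
    if root.tag != _nc("rpc-reply"):
        raise ValueError(f"not an rpc-reply: {root.tag}")
    message_id = root.get("message-id")
    if expected_message_id is not None and message_id != str(expected_message_id):
        raise ValueError(f"message-id mismatch: {message_id!r} != {expected_message_id!r}")

    def leaf(err, tag):
        el = err.find(_nc(tag))
        return el.text.strip() if el is not None and el.text else None

    errors = []
    for err in root.findall(_nc("rpc-error")):
        info = leaf(err, "error-info")
        match = _NODE_RE.match(info) if info else None
        errors.append({
            "type": leaf(err, "error-type"),
            "tag": leaf(err, "error-tag"),
            "severity": leaf(err, "error-severity"),
            "app_tag": leaf(err, "error-app-tag"),
            "message": leaf(err, "error-message"),
            "node": match.group("path") if match else None,
        })
    ok = root.find(_nc("ok")) is not None and not errors
    return {"message_id": message_id, "ok": ok, "errors": errors}


# Reply samples copied from the Response Example sections of this page.
OK_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
            'message-id="1"><ok/></rpc-reply>')
APP_ERROR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>"""
PARSE_ERROR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>"""
```

The instance path returned in node is what an operator needs to log: it identifies the exact list entry (template name, vsys, server address) the switch rejected, which the message text alone does not.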
Configuring the RADIUS Traffic Unit, Retransmission Times, Timeout Interval, and Back-to-Active Interval

This section describes how to configure the traffic unit used by a RADIUS server, number of times that RADIUS packets can be retransmitted, timeout interval of RADIUS request packets, and interval for the server to return to the active state using the rpc method.

Table 2-344  Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/options |

Data Requirement
Table 2-345  Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

| Item | Data | Description |
|---|---|---|
| Traffic unit used by a RADIUS server | byte | Set the traffic unit used by a RADIUS server to bytes. |
| Interval for the RADIUS server to return to the active state | 3 | Set the interval for the RADIUS server to return to the active state to 3 minutes. |
| Timeout interval of RADIUS request packets | 3 | Set the timeout interval of RADIUS request packets to 3 seconds. |
| Number of times RADIUS request packets can be retransmitted | 2 | Set the number of times RADIUS request packets can be retransmitted to 2. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <vsys>public</vsys>
    <name>test12345</name>
    <options xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <traffic-unit>byte</traffic-unit>
     <dead-time>3</dead-time>
     <timeout-timer>3</timeout-timer>
     <retransmit-time>2</retransmit-time>
    </options>   
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>
Configuring the Format of MAC Addresses in Attributes in RADIUS Packets

This section describes how to configure the format of MAC addresses in attributes in RADIUS packets using the rpc method.

Table 2-346  Configuring the format of MAC addresses in attributes in RADIUS packets

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/mac-format-called-station-id |
| edit-config:create | /huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id |

Data Requirement
Table 2-347  Configuring the format of MAC addresses in attributes in RADIUS packets

| Item | Data | Description |
|---|---|---|
| Separator in the MAC address in the called-station-id attribute | dot-split | Configure the dot (.) as the separator in the MAC address in the called-station-id attribute. |
| Format of the MAC address in the called-station-id attribute | mode1 | Configure the MAC address in the called-station-id attribute to use the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format. |
| Style of the MAC address in the called-station-id attribute | lowercase | Configure the MAC address in the called-station-id attribute to use lowercase letters. |
| Separator in the MAC address in the calling-station-id attribute | dot-split | Configure the dot (.) as the separator in the MAC address in the calling-station-id attribute. |
| Format of the MAC address in the calling-station-id attribute | mode1 | Configure the MAC address in the calling-station-id attribute to use the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format. |
| Style of the MAC address in the calling-station-id attribute | lowercase | Configure the MAC address in the calling-station-id attribute to use lowercase letters. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <mac-format-called-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-called-station-id>
    <mac-format-calling-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-calling-station-id>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Incomplete information.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/mac-format-called-station-id</error-info>
 </rpc-error>
</rpc-reply>
Configuring the Format of the MAC Address That Can Be Parsed by a Device in RADIUS Dynamic Authorization Packets

This section describes how to configure the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets using the rpc method.

Table 2-348  Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/dynamic-authorization-option |

Data Requirement
Table 2-349  Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

| Item | Data | Description |
|---|---|---|
| Separator in the MAC address in the calling-station-id attribute | dot-split | Configure the dot (.) as the separator in the MAC address in the calling-station-id attribute. |
| Format of the MAC address in the calling-station-id attribute | compress | Configure the MAC address in the calling-station-id attribute to use the xxxx-xxxx-xxxx or xxxx.xxxx.xxxx format. |
| Whether the device parses attributes in the RADIUS dynamic authorization packet based on the configurations in the RADIUS server template | true | Configure the device to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the RADIUS server template. |

Request Example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:dynamic-authorization-option>
          <hw-aaa-radius:decode-mac-format-calling-station-id>
            <hw-aaa-radius:mac-address-format>dot-split</hw-aaa-radius:mac-address-format>
            <hw-aaa-radius:mode>compress</hw-aaa-radius:mode>
          </hw-aaa-radius:decode-mac-format-calling-station-id>
          <hw-aaa-radius:decode-attribute-sameastemplate>true</hw-aaa-radius:decode-attribute-sameastemplate>
        </hw-aaa-radius:dynamic-authorization-option>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid mac-address-format</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id</error-info>
 </rpc-error>
</rpc-reply>
Configuring an Attribute in the Received RADIUS Access-Accept Packets to Be Checked

This section describes how to configure an attribute in the received RADIUS Access-Accept packets to be checked using the rpc method.

Table 2-350  Configuring an attribute in the received RADIUS Access-Accept packets to be checked

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name |

Data Requirement
Table 2-351  Configuring an attribute in the received RADIUS Access-Accept packets to be checked

| Item | Data | Description |
|---|---|---|
| Name of a RADIUS attribute | framed-protocol | Configure the framed-protocol attribute in RADIUS Access-Accept packets to be checked. |

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <check-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <attribute-name>framed-protocol</attribute-name>
    </check-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Failed to find the attribute.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/check-attribute[attribute-name="abc"]/attribute-name</error-info>
 </rpc-error>
</rpc-reply>
Configuring NAS Attributes

This section describes how to configure NAS attributes using the rpc method.

Table 2-352  Configuring NAS attributes

| Operation | XPATH |
|---|---|
| edit-config:create | /huawei-aaa-radius:radius/radius-server/nas-ip-address |
| edit-config:create | /huawei-aaa-radius:radius/radius-server/nas-ipv6-address |
| edit-config:create | /huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format |
| edit-config:create | /huawei-aaa-radius:radius/radius-server/format-attribute |

Data Requirement
Table 2-353  Configuring NAS attributes

| Item | Data | Description |
|---|---|---|
| Value of the NAS-IP-Address attribute in RADIUS packets sent by the device | 10.3.3.3 | Set the NAS-IP-Address attribute in RADIUS packets sent by the device to 10.3.3.3. |
| Value of the NAS-IPv6-Address attribute in RADIUS packets sent by the device | FC00::7 | Set the NAS-IPv6-Address attribute in RADIUS packets sent by the device to FC00::7. |
| Encapsulation format of the NAS-Port attribute | new, s2t2p6no10ni12 | Set the encapsulation format of the NAS-Port attribute to new and define the self-designed format as s2t2p6no10ni12. |
| Encapsulation content of the NAS-Identifier attribute | hostname | Set the encapsulation content of the NAS-Identifier attribute to the host name. |
| Encapsulation format of the NAS-Port-Id attribute | new | Set the encapsulation format of the NAS-Port-Id attribute to new. |

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:nas-ip-address>10.3.3.3</hw-aaa-radius:nas-ip-address>
          <hw-aaa-radius:nas-ipv6-address>FC00::7</hw-aaa-radius:nas-ipv6-address>
          <hw-aaa-radius:format-attribute>
            <hw-aaa-radius:nas-port-format>
              <hw-aaa-radius:self-designed-format>s2t2p6no10ni12</hw-aaa-radius:self-designed-format>
              <hw-aaa-radius:format>new</hw-aaa-radius:format>
            </hw-aaa-radius:nas-port-format>
            <hw-aaa-radius:nas-identifier-format>hostname</hw-aaa-radius:nas-identifier-format>
            <hw-aaa-radius:nas-port-id-format>new</hw-aaa-radius:nas-port-id-format>
          </hw-aaa-radius:format-attribute>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/nas-ip-address</error-info>
 </rpc-error>
</rpc-reply>
Configuring Automatic RADIUS Server Detection

This section describes how to configure automatic RADIUS server detection using the merge method.

Table 2-354  Configuring automatic RADIUS server detection

| Operation | XPATH |
|---|---|
| edit-config:merge | /huawei-aaa-radius:radius/radius-server/server-detect-function |
| edit-config:merge | /huawei-aaa-radius:radius/global/options/dead-detect-condition |

Data Requirement
Table 2-355  Configuring automatic RADIUS server detection

| Item | Data | Description |
|---|---|---|
| User name used for automatic detection | testusername | Set the user name used for automatic detection to testusername. |
| User password for automatic detection | huawei@123 | Set the user password for automatic detection to huawei@123. |
| Automatic detection interval | 100 | Set the automatic detection interval to 100s. |
| RADIUS server detection mode | by-server-ip | Detect the RADIUS server based on the IP address of the RADIUS server. |

Request Example
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:server-detect-function>
            <hw-aaa-radius:server-detect-enable>true</hw-aaa-radius:server-detect-enable>
            <hw-aaa-radius:test-user-name>testusername</hw-aaa-radius:test-user-name>
            <hw-aaa-radius:test-user-password>huawei@123</hw-aaa-radius:test-user-password>
            <hw-aaa-radius:interval>100</hw-aaa-radius:interval>
          </hw-aaa-radius:server-detect-function>
        </hw-aaa-radius:radius-server>
        <hw-aaa-radius:global>
          <hw-aaa-radius:options>
            <hw-aaa-radius:dead-detect-condition>by-server-ip</hw-aaa-radius:dead-detect-condition>
          </hw-aaa-radius:options>
        </hw-aaa-radius:global>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Invalid character in the template shared-key.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/server-detect-function/server-detect-enable</error-info>
 </rpc-error>
</rpc-reply>
Configuring the Shared Key and Algorithm of the RADIUS Server

This section describes how to configure the shared key and algorithm of the RADIUS server using the merge method.

Table 2-356  Configuring the shared key and algorithm of the RADIUS server

| Operation | XPATH |
|---|---|
| edit-config:merge | /huawei-aaa-radius:radius/radius-server/shared-key |
| edit-config:merge | /huawei-aaa-radius:radius/radius-server/server-algorithm |
| edit-config:merge | /huawei-aaa-radius:radius/server-shared-key/server-item |

Data Requirement
Table 2-357  Configuring the shared key and algorithm of the RADIUS server

| Item | Data | Description |
|---|---|---|
| Shared key of the RADIUS server in a RADIUS server template | huawei@123 | Set the shared key of the RADIUS server in a RADIUS server template to huawei@123. |
| Algorithm for selecting RADIUS servers in a RADIUS server template | loading-share | Set the algorithm for selecting RADIUS servers in a RADIUS server template to load balancing. |
| Shared key of the RADIUS server that is configured globally | IP address: 10.1.1.1; shared key: huawei@1234 | Set the shared key of the RADIUS server with the IP address 10.1.1.1 to huawei@1234 in the system view. |


Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <shared-key>huawei@123</shared-key>
    <server-algorithm>load-sharing</server-algorithm>
   </radius-server>
   <server-shared-key>
     <server-item>
       <ip-address>10.1.1.1</ip-address>
       <shared-key>huawei@1234</shared-key>
     </server-item>
   </server-shared-key>
  </radius>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server shared key</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/shared-key</error-info>
 </rpc-error>
</rpc-reply>

Configuring an HWTACACS Server Template

This section describes the configuration model of an HWTACACS server template and provides examples of XML packets.

Data Model

The configuration model file matching the HWTACACS server template is huawei-aaa-hwtacacs.yang.

Table 2-358  Configurations of the HWTACACS server template

Object

Description

Value

Remarks

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/name

Indicates the name of an HWTACACS server template.

The value is a string of 1 to 32 case-insensitive characters, including letters, digits, periods (.), hyphens (-), underscores (_), and a combination of the above characters. The value cannot be - or --.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/vsys Indicates the vsys name. The value is a string of 1 to 31 characters. This object is of no significance for a switch.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/server-ip-address

Indicates the IP address of the primary HWTACACS authentication server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/port

Indicates the port number of the primary HWTACACS authentication server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS authentication server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net

Indicates whether to connect to the primary HWTACACS authentication server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/server-ip-address

Indicates the IP address of the secondary HWTACACS authentication server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/port

Indicates the port number of the secondary HWTACACS authentication server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS authentication server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net

Indicates whether to connect to the secondary HWTACACS authentication server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/server-ip-address

Indicates the IP address of the primary HWTACACS authorization server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/port

Indicates the port number of the primary HWTACACS authorization server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS authorization server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net

Indicates whether to connect to the primary HWTACACS authorization server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/server-ip-address

Indicates the IP address of the secondary HWTACACS authorization server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/port

Indicates the port number of the secondary HWTACACS authorization server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS authorization server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net

Indicates whether to connect to the secondary HWTACACS authorization server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/server-ip-address

Indicates the IP address of the primary HWTACACS accounting server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/port

Indicates the port number of the primary HWTACACS accounting server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance

Indicates the VPN instance to which the primary HWTACACS accounting server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net

Indicates whether to connect to the primary HWTACACS accounting server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/server-ip-address

Indicates the IP address of the secondary HWTACACS accounting server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/port

Indicates the port number of the secondary HWTACACS accounting server.

The value is an integer ranging from 1 to 65535.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance

Indicates the VPN instance to which the secondary HWTACACS accounting server belongs.

The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net

Indicates whether to connect to the secondary HWTACACS accounting server on the public network.

The value is of the Boolean type:
  • true: connects to the server over the public network.
  • false: does not connect to the server over the public network.

This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance.

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/ip-address

Indicates the source IP address used by the switch to communicate with the HWTACACS server.

The value must be a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/shared-key

Indicates the shared key between the switch and the HWTACACS server.

The value is a string of 1 to 255 case-sensitive characters without question marks (?) or spaces.

N/A

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/user-name/domain-include

Indicates whether the packets sent to the HWTACACS server contain the domain name.

The value is of the Boolean type:
  • true: the packets contain the domain name.
  • false: the packets do not contain the domain name.

N/A

Creating and Configuring an HWTACACS Server Template

This section provides a sample of creating and configuring an HWTACACS server template using the create method.

Table 2-359  Creating and configuring an HWTACACS server template

Operation

XPATH

edit-config:create

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server
Data Requirements

Item

Data

Description

Name of an HWTACACS server template

test

Create an HWTACACS server template named test.

Name of the vsys

public

Set the vsys name to public.

Primary HWTACACS authentication, authorization, and accounting servers

IP address: 10.1.1.1

Set the IP address of the primary HWTACACS authentication, authorization, and accounting servers to 10.1.1.1.

Port number: 1000

Set the port number of the primary HWTACACS authentication, authorization, and accounting servers to 1000.

Secondary HWTACACS authentication, authorization, and accounting servers

IP address: 10.2.2.2

Set the IP address of the secondary HWTACACS authentication, authorization, and accounting servers to 10.2.2.2.

Port number: 1001

Set the port number of the secondary HWTACACS authentication, authorization, and accounting servers to 1001.

VPN instance to which servers belong: vpn1

Set the VPN instance to which the secondary HWTACACS authentication, authorization, and accounting servers belong to vpn1.

Source IP address of the switch to communicate with the HWTACACS server

192.168.10.1

Set the source IP address for communication between the switch and the HWTACACS servers to 192.168.10.1.

Shared key of the switch and HWTACACS server

Huawei@123

Set the shared key of the HWTACACS servers to Huawei@123.

Whether the packets sent to the HWTACACS server contain the domain name

false

Configure the packets sent to the HWTACACS servers not to contain the domain name.
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
          <hw-aaa-hwtacacs:primary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authentication-server>
          <hw-aaa-hwtacacs:secondary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authentication-server>
          <hw-aaa-hwtacacs:primary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authorization-server>
          <hw-aaa-hwtacacs:secondary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authorization-server>
          <hw-aaa-hwtacacs:primary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-accounting-server>
          <hw-aaa-hwtacacs:secondary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-accounting-server>
          <hw-aaa-hwtacacs:ip-address>192.168.10.1</hw-aaa-hwtacacs:ip-address>
          <hw-aaa-hwtacacs:shared-key>Huawei@123</hw-aaa-hwtacacs:shared-key>
          <hw-aaa-hwtacacs:options>
            <hw-aaa-hwtacacs:user-name>
              <hw-aaa-hwtacacs:domain-include>false</hw-aaa-hwtacacs:domain-include>
            </hw-aaa-hwtacacs:user-name>
          </hw-aaa-hwtacacs:options>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>
# Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The VPN instance does not exist.</error-message>
    <error-info>Error on node /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server[name="test",vsys="public"]/primary-accounting-server</error-info>
  </rpc-error>
</rpc-reply>
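Every constraint in Table 2-358 (name charset and length, port range, unicast IPv4 addresses, the vpn-instance/public-net exclusion, and the shared-key rules) is enforced by the switch, which answers a violation with an rpc-error such as the one above. A client that checks the same rules before sending gets a precise local diagnostic instead of a generic device error, and cannot accidentally deliver a half-formed template. The following Python example is added here and is not code from this reference or from Huawei; the function names (validate_template, build_edit_config), the TemplateError class, and the dict layout keyed by the leaf names of the table are my own. It builds the same create request shown above from the sample values of Table 2-359 using only the standard library.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HWT_NS = "urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs"
SERVER_ROLES = (
    "primary-authentication-server", "secondary-authentication-server",
    "primary-authorization-server", "secondary-authorization-server",
    "primary-accounting-server", "secondary-accounting-server",
)
# Table 2-358: 1-32 characters from letters, digits, '.', '-', '_'; not '-' or '--'.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


class TemplateError(ValueError):
    """Raised when a value would be rejected by the device-side constraints."""


def unicast_ipv4_problem(value, where):
    """Return a violation message, or None if value is a unicast dotted-decimal IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return f"{where}: {value!r} is not a dotted-decimal IPv4 address"
    if addr.is_multicast or addr.is_unspecified or addr == ipaddress.IPv4Address("255.255.255.255"):
        return f"{where}: {value!r} is not a unicast address"
    return None


def validate_template(tpl):
    """Check a template dict against Table 2-358; return the list of violations (empty = OK)."""
    errors = []
    name = tpl.get("name", "")
    if not NAME_RE.match(name) or name in ("-", "--"):
        errors.append("name: 1-32 letters/digits/./-/_ and not '-' or '--'")
    for role in SERVER_ROLES:
        srv = tpl.get(role)
        if srv is None:
            continue
        problem = unicast_ipv4_problem(srv.get("server-ip-address", ""), role)
        if problem:
            errors.append(problem)
        port = srv.get("port")
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            errors.append(f"{role}: port {port!r} is outside 1-65535")
        # The table marks vpn-instance and public-net as mutually exclusive per server.
        if "vpn-instance" in srv and "public-net" in srv:
            errors.append(f"{role}: vpn-instance and public-net cannot be delivered together")
    if "ip-address" in tpl:
        problem = unicast_ipv4_problem(tpl["ip-address"], "ip-address")
        if problem:
            errors.append(problem)
    key = tpl.get("shared-key")
    if key is not None and (not 1 <= len(key) <= 255 or "?" in key or " " in key):
        errors.append("shared-key: 1-255 characters without '?' or spaces")
    return errors


def build_edit_config(tpl, message_id="1", operation="create"):
    """Serialise the template as the <rpc><edit-config> request shown in the reference."""
    problems = validate_template(tpl)
    if problems:
        raise TemplateError("; ".join(problems))
    ET.register_namespace("xc", NC_NS)
    ET.register_namespace("hw-aaa-hwtacacs", HWT_NS)
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    config = ET.SubElement(edit, f"{{{NC_NS}}}config")
    server = ET.SubElement(ET.SubElement(config, f"{{{HWT_NS}}}hwtacacs"), f"{{{HWT_NS}}}hwtacacs-server")
    server.set(f"{{{NC_NS}}}operation", operation)  # xc:operation="create"
    ET.SubElement(server, f"{{{HWT_NS}}}name").text = tpl["name"]
    ET.SubElement(server, f"{{{HWT_NS}}}vsys").text = tpl.get("vsys", "public")
    for role in SERVER_ROLES:
        if role in tpl:
            node = ET.SubElement(server, f"{{{HWT_NS}}}{role}")
            for leaf, val in tpl[role].items():
                # YANG booleans (public-net) serialise as lowercase true/false; other leaves verbatim.
                ET.SubElement(node, f"{{{HWT_NS}}}{leaf}").text = str(val).lower() if isinstance(val, bool) else str(val)
    for leaf in ("ip-address", "shared-key"):
        if leaf in tpl:
            ET.SubElement(server, f"{{{HWT_NS}}}{leaf}").text = tpl[leaf]
    if "domain-include" in tpl:
        user = ET.SubElement(ET.SubElement(server, f"{{{HWT_NS}}}options"), f"{{{HWT_NS}}}user-name")
        ET.SubElement(user, f"{{{HWT_NS}}}domain-include").text = str(tpl["domain-include"]).lower()
    return ET.tostring(rpc, encoding="unicode")


# Sample values constructed from Table 2-359 (the reference's own request example).
_PRIMARY = {"server-ip-address": "10.1.1.1", "port": 1000}
_SECONDARY = {"server-ip-address": "10.2.2.2", "port": 1001, "vpn-instance": "vpn1"}
EXAMPLE_TEMPLATE = {"name": "test", "vsys": "public", "ip-address": "192.168.10.1",
                    "shared-key": "Huawei@123", "domain-include": False}
for _role in SERVER_ROLES:
    EXAMPLE_TEMPLATE[_role] = dict(_PRIMARY if _role.startswith("primary") else _SECONDARY)
```

Calling build_edit_config(EXAMPLE_TEMPLATE) yields the request above (ElementTree places the namespace declarations on the root element and uses the xc prefix for rpc as well, which is equivalent XML). The shared key is transported in clear text inside the NETCONF message, so the session carrying it must itself be protected (NETCONF over SSH), and the generated XML should not be written to logs.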
Deleting an HWTACACS Server Template

This section provides a sample of deleting an HWTACACS server template using the delete method.

Table 2-360  Deleting an HWTACACS server template

Operation

XPATH

edit-config:delete

/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server
Data Requirements

Item

Data

Description

Name of an HWTACACS server template

test

Delete the HWTACACS server template named test with the vsys named public.

Name of the vsys

public
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <ok/>
</rpc-reply>
# Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>
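The response examples in the creating and deleting sections show that the switch returns two differently shaped error bodies: a Huawei-specific error-app-tag/error-message/error-info body whose error-info names the failing data node, and the RFC 6241 error-type/error-tag/error-severity body. A client must recognise both and must treat only a reply carrying ok with no rpc-error as success. The following Python example is added here and is not code from this reference or from Huawei; the function names classify_reply and failed_node are my own. The three replies it parses are copied from the response examples above.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# The three replies below are copied from the response examples in this reference.
SUCCESS_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>"""

APP_TAG_FAILURE = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The VPN instance does not exist.</error-message>
    <error-info>Error on node /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server[name="test",vsys="public"]/primary-accounting-server</error-info>
  </rpc-error>
</rpc-reply>"""

RFC_STYLE_FAILURE = """<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>"""


def _text(parent, name):
    """Stripped text of a NETCONF-namespace child, or None if absent or empty (e.g. <error-path/>)."""
    node = parent.find(f"{{{NC_NS}}}{name}")
    if node is None or not node.text or not node.text.strip():
        return None
    return node.text.strip()


def failed_node(error_info):
    """Extract the data-node path from the 'Error on node <path>' text the switch returns."""
    prefix = "Error on node "
    if error_info and error_info.startswith(prefix):
        return error_info[len(prefix):]
    return None


def classify_reply(reply):
    """Parse an <rpc-reply>; success requires <ok/> and the absence of any <rpc-error>."""
    if isinstance(reply, str):
        reply = reply.encode("utf-8")  # bytes let the XML declaration's encoding apply
    root = ET.fromstring(reply)
    if root.tag != f"{{{NC_NS}}}rpc-reply":
        raise ValueError(f"not a NETCONF rpc-reply: {root.tag}")
    errors = []
    for err in root.findall(f"{{{NC_NS}}}rpc-error"):
        errors.append({
            # RFC 6241 error-tag when present, otherwise the Huawei error-app-tag (e.g. "-1").
            "tag": _text(err, "error-tag") or _text(err, "error-app-tag"),
            "type": _text(err, "error-type"),
            "severity": _text(err, "error-severity"),
            "message": _text(err, "error-message"),
            "node": failed_node(_text(err, "error-info")),
        })
    return {
        "message_id": root.get("message-id"),
        "ok": root.find(f"{{{NC_NS}}}ok") is not None and not errors,
        "errors": errors,
    }
```

The message-id is returned so the caller can match the reply to its request; the "node" field is the XPath from the Data Model table at which the edit failed, which is what an operator needs to correlate a rejected edit-config with its configuration object.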

Configuring a Domain

Applying an AAA Scheme to a Domain

This section describes how to apply an AAA scheme to a domain using the merge method.

Table 2-361  Applying an AAA scheme to a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/aaa-domain

Data Requirement
Table 2-362  Applying an AAA scheme to a domain

Item

Data

Description

Domain name

domain1

Create a domain named domain1.

Name of an authentication scheme bound to the domain

authen1

Bind the authentication scheme authen1 to the domain.

Name of an accounting scheme bound to the domain

acc1

Bind the accounting scheme acc1 to the domain.

Name of a service scheme bound to the domain

ser1

Bind the service scheme ser1 to the domain.

Whether to enable traffic statistics collection for domain users

true

Enable traffic statistics collection for domain users.
Request Example
<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:authentication-mode>radius</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acc1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:accounting-mode>radius</hw-aaa:accounting-mode>
        </hw-aaa:accounting-scheme>
        <hw-aaa:service-scheme>
          <hw-aaa:name>ser1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
        </hw-aaa:service-scheme>
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-scheme>authen1</hw-aaa:authentication-scheme>
          <hw-aaa:accounting-scheme>acc1</hw-aaa:accounting-scheme>
          <hw-aaa:service-scheme>ser1</hw-aaa:service-scheme>
          <hw-aaa:statistics-enable>true</hw-aaa:statistics-enable>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>
Applying the RADIUS Server Template in a Domain

This section describes how to apply the RADIUS server template in a domain using the merge method.

Table 2-363  Applying the RADIUS server template in a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Data Requirements
Table 2-364  Applying the RADIUS server template in a domain

Item

Data

Description

Domain name.

domain1

Create a domain named domain1.

Name of the RADIUS server template that is applied in the domain.

rds

Apply the RADIUS server template named rds in the domain.
Request Example
<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>huawei@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa-radius:radius-server xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
            <hw-aaa-radius:radius-server>rds</hw-aaa-radius:radius-server>
          </hw-aaa-radius:radius-server>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>
Applying the HWTACACS Server Template in a Domain

This section describes how to apply the HWTACACS server template in a domain using the merge method.

Table 2-365  Applying the HWTACACS server template in a domain

Operation

XPATH

edit-config:merge

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Data Requirements
Table 2-366  Applying the HWTACACS server template in a domain

Item

Data

Description

Domain name.

domain1

Create a domain named domain1.

Name of the HWTACACS server template that is applied in a domain.

tac1

NOTE: Make sure that this template has been created on the device.

Apply the HWTACACS server template named tac1 in the domain.
Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0">
          <name>domain1</name>
          <vsys>public</vsys>
          <hwtacacs-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
            <hwtacacs-server ns0:operation="merge">tac1</hwtacacs-server>
          </hwtacacs-server>
        </aaa-domain>
      </aaa>
    </config>
  </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config hwtacacs server failed</error-message>
    <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain2",vsys="public"]/huawei-aaa-hwtacacs:hwtacacs-server/hwtacacs-server</error-info>
  </rpc-error>
</rpc-reply>
Configuring the Idle-Cut Function for Domain Users

This section describes how to configure the idle-cut function for domain users using the rpc method.

Table 2-367  Configuring the idle-cut function for domain users

Operation

XPATH

edit-config:create

/huawei-aaa:aaa/service-scheme/idle-cut-function

Data Requirement
Table 2-368  Configuring the idle-cut function for domain users

Item

Data

Description

Period in which an idle user can stay online

12

Set the period in which an idle user can stay online to 12 minutes.

Traffic threshold for the idle-cut function

22

Set the traffic threshold for the idle-cut function to 22 kbytes.

Direction of traffic on which the idle-cut function takes effect

inbound

Configure the idle-cut function to take effect on inbound traffic.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <idle-cut-function>
     <idle-time>12</idle-time>
     <idle-flow>
      <flow-value>22</flow-value>
      <flow-direction>inbound</flow-direction>
     </idle-flow>
    </idle-cut-function>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>
Updated: 2018-09-01

Document ID: EDOC1100037962