NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - Security

Maintaining AAA and User Management

Maintaining AAA and user management involves displaying AAA configurations, clearing AAA statistics, and forcing users to log out of the network.

Displaying the AAA Operation Information

You can view the AAA operation information if necessary.

Prerequisites

In routine maintenance, you can run the following commands in any view to view the AAA operating status.

Procedure

  • Run display aaa configuration

    The summary of AAA is displayed.

  • Run display aaa offline-record

    User logout records are displayed.

    User logout is recorded only after the record user logout function is enabled.

    By default, this function is enabled.

    If this function is disabled, you can run the aaa offline-record command to enable this function again.

  • Run display aaa online-fail-record

    User login failure records are displayed.

    User login failures are recorded only after the record user login failure function is enabled.

    By default, this function is enabled.

    If this function is disabled, you can run the aaa online-fail-record command to enable this function again.

  • Run display max-onlineusers

    The historical maximum number of online users is displayed.

  • Run display aaa abnormal-offline-record

    The unexpected logout records are displayed.

  • Run display accounting-scheme

    The configuration of the accounting scheme is displayed.

  • Run display authentication-scheme

    The configuration of the authentication scheme is displayed.

  • Run display authorization-scheme

    The configuration of the authorization scheme is displayed.

  • Run display domain domain-name

    The domain configuration is displayed.

  • Run display hwtacacs current-status

    The current status information about the HWTACACS server is displayed.

  • Run display hwtacacs-server template

    The configuration of the HWTACACS server is displayed.

  • Run display local-user

    The attributes of the local user are displayed.

  • Run display radius-attribute packet-count

    The count of attributes in RADIUS packets is displayed.

  • Run display radius-server configuration [ group group-name ]

    The configuration of the RADIUS server is displayed.

  • Run display recording-scheme

    The configuration of the recording scheme is displayed.

  • Run display task-group [ task-group-name ]

    Related information about the task group is displayed.

  • Run display aaa user-group [ user-group-name ]

    Related information about the user group is displayed.

Clearing AAA Statistics

You can clear AAA statistics by running the reset command.

Context

Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following commands.

Procedure

  • After confirming that the statistics on the user login failures need to be cleared, run the following command in the user view.

    reset aaa online-fail-record

  • After confirming that the statistics on the user offline records need to be cleared, run the following command in the user view.

    reset aaa offline-record

  • After confirming that the statistics on the abnormal user offline records need to be cleared, run the following command in the user view.

    reset aaa abnormal-offline-record

  • After confirming that the statistics on the HWTACACS server need to be cleared, run the following command in the user view.

    reset hwtacacs-server statistics { all | authentication | authorization | accounting | common }

  • After confirming that the count of attributes in RADIUS packets needs to be cleared, run the following command in the user view.

    reset radius-attribute packet-count

Forcing Users to Log out

You can force users to log out of the network based on AAA in certain scenarios, such as when a user's access duration expires.

Context

NOTE:
  • When users are disconnected by domain name, all online users in that domain are forced to log out of the network.

  • When users are disconnected by user name or user ID, every connection that matches the condition is disconnected.

Procedure

  • You can run the following commands in the AAA view to force users to log out of the network.

    • Run the cut access-user username user-name { all | hwtacacs | local | none | radius | radius-proxy } command to force users to log out of the network according to the user name.
    • Run the cut access-user domain domain-name command to force users to log out of the network according to the domain name.
    • Run the cut access-user mac-address mac-address command to force users to log out of the network according to the MAC address.
    • Run the cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ] command to force users to log out of the network according to the IPv6 address.
    • Run the cut access-user ip-address ip-address [ end-ip-address ] [ vpn-instance instance-name ] command to force users to log out of the network according to the IP address.
    • Run the cut access-user interface interface-type interface-number [ pevlan pevlan-id [ cevlan cevlan-id ] ] command to force users to log out of the network according to the interface.
    • Run the cut access-user user-id start-no [ end-no ] command to forcibly log out online users with specified user IDs.
    • Run the cut access-user ip-pool pool-name command to forcibly log out all online users using a specified IP address pool.
    • Run the cut access-user slot slot-id command to forcibly log out all online users on the board in a specified slot.
    • Run the cut access-user ipv6-pool pool-name command to forcibly log out all online users using a specified IPv6 address pool.
    • Run the cut access-user ipv6-prefix prefix-address/prefix-length [ vpn-instance instance-name ] command to log out all online users for whom a specified IPv6 prefix is assigned.
    • Run the cut access-user authen-method authen-method-type command to log out online users using a specified authentication method.
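
An added example, not part of the Huawei guide: a Python helper that assembles one cut access-user line from the syntax listed above, rejects malformed arguments, and requires an explicit flag before emitting a selector that logs out a whole domain, pool, or slot. The function names, the allow_broad parameter, the "broad" classification, and the sample values are assumptions made for illustration; only the username, domain, pool, slot, address, and user-id forms are covered.

```python
import ipaddress

# Keywords accepted after "cut access-user username user-name", as listed above.
USERNAME_METHODS = {"all", "hwtacacs", "local", "none", "radius", "radius-proxy"}
# Assumption: selectors treated as "broad" because the page says they log out
# every user in the domain, pool, or slot.
BROAD = {"domain", "ip-pool", "ipv6-pool", "slot"}

def _token(value):
    """Reject empty values and embedded whitespace or newlines (extra commands)."""
    text = str(value)
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"invalid token: {value!r}")
    return text

def build_cut_command(selector, *args, vpn_instance=None, allow_broad=False):
    """Return one 'cut access-user' command line or raise ValueError."""
    if selector in BROAD and not allow_broad:
        raise ValueError(f"{selector} logs out a whole group; set allow_broad=True")
    parts = ["cut", "access-user", selector]
    if selector == "username":
        name, method = args
        if method not in USERNAME_METHODS:
            raise ValueError(f"unknown method: {method!r}")
        parts += [_token(name), method]
    elif selector in BROAD:
        (name,) = args
        parts.append(_token(name))
    elif selector == "ip-address":
        addrs = [ipaddress.IPv4Address(a) for a in args]
        if not 1 <= len(addrs) <= 2 or addrs[0] > addrs[-1]:
            raise ValueError("need ip-address [end-ip-address] with start <= end")
        parts += [str(a) for a in addrs]
    elif selector == "ipv6-address":
        (addr,) = args
        parts.append(str(ipaddress.IPv6Address(addr)))
    elif selector == "user-id":
        ids = [int(a) for a in args]
        if not 1 <= len(ids) <= 2 or min(ids) < 0 or ids[0] > ids[-1]:
            raise ValueError("need start-no [end-no] with start <= end")
        parts += [str(i) for i in ids]
    else:
        raise ValueError(f"selector not handled in this example: {selector!r}")
    if vpn_instance is not None:
        # This example attaches vpn-instance only to the two address forms.
        if selector not in {"ip-address", "ipv6-address"}:
            raise ValueError("vpn-instance is only handled for address selectors")
        parts += ["vpn-instance", _token(vpn_instance)]
    return " ".join(parts)
```

The returned string is meant to be reviewed and then entered in the AAA view; the helper does not connect to a device.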

Updated: 2019-01-02

Document ID: EDOC1100055397
