Policy Association
- Data Model
- Configuring Policy Association on an Access Device
- Configuring the Access Device Authentication Mode
- Configuring a MAC Address Whitelist for Access Device Authentication
- Enabling Remote Access Control on the Interface of an Authentication Access Device
- Disabling Right Control of the Access Point
- Configuring the Maximum Number of Access Users Allowed on an Interface of an Authentication Access Device
- Configuring User Authorization Information to Be Delivered to Authentication Access Devices
- Configuring User Authorization Information to Be Delivered to Authentication Control Devices
- Configuring the Control Point That Directly Forwards User Traffic to Filter User Traffic Based on a User ACL Before Forwarding the Traffic
Data Model
The configuration model files matching policy association are ietf-interfaces.yang, huawei-nac.yang, and huawei-aaa.yang.
Object | Description | Value | Remarks |
---|---|---|---|
/huawei-nac:nac-access/policy-association/as-access/controller-ip | Indicates an IP address of an authentication control device. | The value is in dotted decimal notation. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/as-access/vlanif | Indicates the source VLANIF interface of the CAPWAP tunnel established between the authentication access device and authentication control device. | The value is an integer that ranges from 1 to 4094. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/as-auth/auth-mode | Sets the authentication mode for authentication access devices to none, that is, no authentication. | The value can only be set to none. By default, authentication is required when an authentication access device establishes a CAPWAP tunnel with an authentication control device. | Only the authentication control device supports this object. |
/huawei-nac:nac-access/policy-association/as-auth/whitelist-mac-address | Adds the specified MAC address to the access device authentication whitelist, so that the authentication access device with this MAC address does not need to be authenticated when establishing a CAPWAP tunnel with the authentication control device. | The value is a character string. Multiple MAC addresses can be configured. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/interface/huawei-nac:police-gang-control/access-point/ucl-policy-enabled | Indicates whether a control point that directly forwards user traffic is configured to filter user traffic based on a user ACL before forwarding the traffic. | The value is of the Boolean type. The default value is false. | Only the X series cards support this object. |
ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:enable | Indicates whether to enable the remote access control function on the interface of the authentication access device. | The value is of the Boolean type. The default value is false. | Only the authentication access device supports this object. |
ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:open | Indicates whether to disable right control of the access point. | The value is of the Boolean type. The default value is false. | Only the authentication access device supports this object. |
ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:max-user-num | Indicates the maximum number of access users allowed on an interface of an authentication access device. | The value is an integer in the range from 1 to 256. | Only the authentication access device supports this object. |
/huawei-aaa:aaa/service-scheme/name /huawei-aaa:aaa/service-scheme/remote-authorize/authorize-parameters | Configures user authorization information to be delivered to authentication access devices. | The value is the combination of ACL, UCL group, and CAR. | Only the authentication control device supports this object. |
/huawei-aaa:aaa/service-scheme/name /huawei-aaa:aaa/service-scheme/local-authorize | Configures user authorization information to be delivered to authentication control devices. | The value is the combination of ACL, UCL group, and CAR. | Only the authentication control device supports this object. |
/huawei-nac:nac-access/policy-association/user-sync/enable | Indicates whether to configure user information synchronization on an authentication access device. | The value is of the Boolean type. The default value is true. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/user-sync/interval | Specifies the interval at which an authentication access device synchronizes user information. | The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/user-detect/enable | Indicates whether to configure the online user detection function on an authentication access device. | The value is of the Boolean type. The default value is true. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/user-detect/interval | Specifies the online user detection interval. | The value is an integer that ranges from 1 to 65535, in seconds. The default value is 15. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/user-detect/retry-times | Specifies the number of online user detection packet retransmissions. | The value is an integer that ranges from 1 to 255. The default value is 3. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/control-down-offline/control-down-offline/delay/delay | Configures the user logout delay on an authentication access device if a control tunnel is faulty. | The value is an integer that ranges from 1 to 60, in seconds. The default value is 0, indicating that users immediately go offline if a control tunnel is faulty. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/control-down-offline/control-down-offline/unlimited/unlimited | Indicates whether to configure users not to go offline on an authentication access device if a control tunnel is faulty. | The value is of the Boolean type. The default value is false. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/speed-limit/max-num-value | Configures the maximum number of user association and disassociation request messages sent by an authentication access device. | The value is an integer that ranges from 1 to 65535. The default value is 60. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/speed-limit/interval | Configures the interval for an authentication access device to send user association and disassociation request messages. | The value is an integer that ranges from 1 to 65535, in seconds. The default value is 30. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/alarm-restrain/enable | Indicates whether to configure an authentication access device to suppress alarms that are generated due to excess associated users. | The value is of the Boolean type. The default value is true. | Only the authentication access device supports this object. |
/huawei-nac:nac-access/policy-association/alarm-restrain/period | Configures a period for an authentication access device to suppress alarms that are generated due to excess associated users. | The value is an integer that ranges from 60 to 604800, in seconds. The default value is 300. | Only the authentication access device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:user-sync/enable | Indicates whether to configure user information synchronization on an authentication control device. | The value is of the Boolean type. The default value is true. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:user-sync/interval | Specifies the interval at which an authentication control device synchronizes user information. | The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:user-sync/retry-times | Specifies the maximum number of user information synchronization attempts on an authentication control device. | The value is an integer that ranges from 5 to 300. The default value is 10. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:control-down-offline/huawei-nac:control-down-offline/huawei-nac:delay/huawei-nac:delay | Configures the user logout delay on an authentication control device if a control tunnel is faulty. | The value is an integer that ranges from 1 to 60, in seconds. The default value is 0, indicating that users immediately go offline if a control tunnel is faulty. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:control-down-offline/huawei-nac:control-down-offline/huawei-nac:unlimited/huawei-nac:unlimited | Indicates whether to configure users not to go offline on an authentication control device if a control tunnel is faulty. | The value is of the Boolean type. The default value is false. | Only the authentication control device supports this object. |
/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:open-ucl-policy-enable | Indicates whether to configure a control point to filter user traffic based on a user ACL before forwarding the traffic. | The value is of the Boolean type. The default value is false. | Only the authentication control device supports this object. |
Configuring Policy Association on an Access Device
This section provides a sample of configuring policy association on an access device using the config method.
Operation | XPATH |
---|---|
edit-config:config | |
Data Requirements
Item | Data | Description |
---|---|---|
IP address of the control device | 10.1.1.1 | - |
Source VLANIF interface of the CAPWAP tunnel established between the access device and control device | 100 | - |
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:policy-association>
          <hw-nac:as-access>
            <hw-nac:controller-ip>10.1.1.1</hw-nac:controller-ip>
            <hw-nac:vlanif>100</hw-nac:vlanif>
          </hw-nac:as-access>
        </hw-nac:policy-association>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/policy-association/as-access/vlanif</error-path>
    <error-message>parse rpc config error.(Value "5000" does not satisfy the constraint "1..4094" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>
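As an added example that is not part of this Huawei documentation, the Python below builds the as-access request shown above, checks the controller-ip and vlanif constraints from the data model before anything is sent, and classifies the reply into the `<ok/>` and `<rpc-error>` cases. The two reply strings it parses are constructed from the response samples in this section; sending over a NETCONF session is left to the caller, and the function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_NAC = "urn:huawei:params:xml:ns:yang:huawei-nac"

# Serialize the NETCONF base namespace as the default namespace and
# huawei-nac with the hw-nac prefix, matching the request samples on this page.
ET.register_namespace("", NC)
ET.register_namespace("hw-nac", HW_NAC)


def check_as_access(controller_ip: str, vlanif: int) -> Optional[str]:
    """Apply the data-model constraints for as-access before sending.

    Returns None when the values are acceptable, otherwise a short reason.
    The device enforces the same limits (see the failed response above), but
    checking here keeps a bad request out of the device's error log.
    """
    try:
        ipaddress.IPv4Address(controller_ip)  # controller-ip: dotted decimal
    except ValueError:
        return f"controller-ip {controller_ip!r} is not a dotted-decimal IPv4 address"
    if not 1 <= vlanif <= 4094:  # vlanif: integer in 1..4094
        return f"vlanif {vlanif} is outside the range 1..4094"
    return None


def build_as_access_rpc(controller_ip: str, vlanif: int, message_id: str = "0") -> str:
    """Build the <edit-config> RPC that sets controller-ip and vlanif."""
    problem = check_as_access(controller_ip, vlanif)
    if problem:
        raise ValueError(problem)
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    config = ET.SubElement(edit, f"{{{NC}}}config")
    nac = ET.SubElement(config, f"{{{HW_NAC}}}nac-access")
    assoc = ET.SubElement(nac, f"{{{HW_NAC}}}policy-association")
    access = ET.SubElement(assoc, f"{{{HW_NAC}}}as-access")
    ET.SubElement(access, f"{{{HW_NAC}}}controller-ip").text = controller_ip
    ET.SubElement(access, f"{{{HW_NAC}}}vlanif").text = str(vlanif)
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(reply_xml: str) -> Dict[str, Optional[str]]:
    """Classify an <rpc-reply>: <ok/>, or the fields of its first <rpc-error>."""
    root = ET.fromstring(reply_xml)
    result: Dict[str, Optional[str]] = {"message_id": root.get("message-id")}
    if root.find(f"{{{NC}}}ok") is not None:
        result["status"] = "ok"
        return result
    err = root.find(f"{{{NC}}}rpc-error")
    if err is None:
        raise ValueError("rpc-reply carries neither <ok/> nor <rpc-error>")
    result["status"] = "error"
    # error-tag/error-path/error-message are the RFC 6241 fields; error-app-tag
    # and error-info appear in some of the failure samples on this page.
    for field in ("error-tag", "error-path", "error-message", "error-app-tag", "error-info"):
        result[field] = err.findtext(f"{{{NC}}}{field}")
    return result


# Constructed replies, copied in shape from the response samples above.
OK_REPLY = (
    "<rpc-reply xmlns='urn:ietf:params:xml:ns:netconf:base:1.0' message-id='0'><ok/></rpc-reply>"
)
FAILED_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/policy-association/as-access/vlanif</error-path>
    <error-message>parse rpc config error.(Value "5000" does not satisfy the constraint "1..4094" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_as_access_rpc("10.1.1.1", 100))
    print(parse_reply(OK_REPLY))
    print(parse_reply(FAILED_REPLY))
    print(check_as_access("10.1.1.1", 5000))
```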
Configuring the Access Device Authentication Mode
This section provides a sample of configuring the access device authentication mode using the edit-config method.
Operation | XPATH |
---|---|
edit-config | /huawei-nac:nac-access/policy-association/as-auth/auth-mode |
Data Requirements
Item | Data | Description |
---|---|---|
Authentication mode | none | - |
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:policy-association>
          <hw-nac:as-auth>
            <hw-nac:auth-mode>none</hw-nac:auth-mode>
          </hw-nac:as-auth>
        </hw-nac:policy-association>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>The configuration/operation does not support.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/policy-association/as-auth/auth-mode</error-info>
  </rpc-error>
</rpc-reply>
Item | Data | Description |
---|---|---|
Authentication mode | none | - |
Request Example
# Delete the authentication mode configuration (xc:operation="delete").
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:policy-association xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-nac:as-auth>
            <hw-nac:auth-mode>none</hw-nac:auth-mode>
          </hw-nac:as-auth>
        </hw-nac:policy-association>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>
Configuring a MAC Address Whitelist for Access Device Authentication
This section provides a sample of configuring a MAC address whitelist for access device authentication.
Operation | XPATH |
---|---|
edit-config | /huawei-nac:nac-access/policy-association/as-auth/whitelist-mac-address |
Data Requirements
Item | Data | Description |
---|---|---|
MAC address whitelist for access device authentication | 00:aa:aa:aa:aa:aa | Multiple MAC address whitelists can be configured at a time. |
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:policy-association>
          <hw-nac:as-auth>
            <hw-nac:whitelist-mac-address>00:aa:aa:aa:aa:aa</hw-nac:whitelist-mac-address>
          </hw-nac:as-auth>
        </hw-nac:policy-association>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>The configuration/operation does not support.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/policy-association/as-auth/whitelist-mac-address[.="00:aa:aa:aa:aa:aa"]</error-info>
  </rpc-error>
</rpc-reply>
Item | Data | Description |
---|---|---|
MAC address whitelist for access device authentication | 00:aa:aa:aa:aa:aa | Multiple MAC address whitelists can be deleted at a time. |
Request Example
# Delete a MAC address from the whitelist (xc:operation="delete").
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="6" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:policy-association xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-nac:as-auth>
            <hw-nac:whitelist-mac-address>00:aa:aa:aa:aa:aa</hw-nac:whitelist-mac-address>
          </hw-nac:as-auth>
        </hw-nac:policy-association>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>The configuration/operation does not support.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/policy-association/as-auth/whitelist-mac-address[.="00:aa:aa:aa:aa:aa"]</error-info>
  </rpc-error>
</rpc-reply>
Enabling Remote Access Control on the Interface of an Authentication Access Device
This section provides a sample of enabling remote access control on the interface of an authentication access device using the merge method.
Operation | XPATH |
---|---|
edit-config:merge | ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:enable |
Data Requirements
Item | Data | Description |
---|---|---|
name | GigabitEthernet1/0/13 | - |
enabled | true | - |
Request Example
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xc:operation="merge">
        <interface>
          <name>GigabitEthernet1/0/13</name>
          <type xmlns:iana="urn:ietf:params:xml:ns:yang:iana-if-type">iana:ethernetCsmacd</type>
          <enabled>true</enabled>
          <police-gang-control xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
            <access-point>
              <enable>true</enable>
            </access-point>
          </police-gang-control>
        </interface>
      </interfaces>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/ietf-interfaces:interfaces/interface[name='GigabitEthernet1/0/13']/huawei-nac:police-gang-control/access-point/enable</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "enable" element.).</error-message>
  </rpc-error>
</rpc-reply>
Disabling Right Control of the Access Point
This section provides a sample of disabling right control of the access point using the merge method.
Operation | XPATH |
---|---|
edit-config:merge | ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:open |
Data Requirements
Item | Data | Description |
---|---|---|
open | true | - |
Request Example
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xc:operation="merge">
        <interface>
          <name>GigabitEthernet1/0/13</name>
          <type xmlns:iana="urn:ietf:params:xml:ns:yang:iana-if-type">iana:ethernetCsmacd</type>
          <enabled>true</enabled>
          <police-gang-control xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
            <access-point>
              <open>true</open>
            </access-point>
          </police-gang-control>
        </interface>
      </interfaces>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/ietf-interfaces:interfaces/interface[name='GigabitEthernet1/0/13']/huawei-nac:police-gang-control/access-point/open</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "open" element.).</error-message>
  </rpc-error>
</rpc-reply>
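The added Python below (example code, not Huawei's) reviews a get-config reply for the settings covered in the authentication mode, MAC whitelist and right-control sections: an as-auth/auth-mode of none, each whitelisted MAC address, and access-point/open on every interface. The reply it inspects is constructed from this page's samples rather than captured from a device, and the audit function name is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
HW_NAC = "urn:huawei:params:xml:ns:yang:huawei-nac"
# Form used by the whitelist samples on this page (00:aa:aa:aa:aa:aa).
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")

# Constructed <get-config> reply (not a capture from a device) that combines
# the as-auth settings and the interface access-point settings this page configures.
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
  <data>
    <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
      <hw-nac:policy-association>
        <hw-nac:as-auth>
          <hw-nac:auth-mode>none</hw-nac:auth-mode>
          <hw-nac:whitelist-mac-address>00:aa:aa:aa:aa:aa</hw-nac:whitelist-mac-address>
          <hw-nac:whitelist-mac-address>00aa-aaaa-aaab</hw-nac:whitelist-mac-address>
        </hw-nac:as-auth>
      </hw-nac:policy-association>
    </hw-nac:nac-access>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>GigabitEthernet1/0/13</name>
        <police-gang-control xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
          <access-point><enable>true</enable><open>true</open><max-user-num>10</max-user-num></access-point>
        </police-gang-control>
      </interface>
      <interface>
        <name>GigabitEthernet1/0/14</name>
        <police-gang-control xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
          <access-point><enable>true</enable><open>false</open></access-point>
        </police-gang-control>
      </interface>
    </interfaces>
  </data>
</rpc-reply>"""


def audit_policy_association(reply_xml: str) -> List[str]:
    """Return review findings for settings that relax tunnel or port control."""
    findings: List[str] = []
    root = ET.fromstring(reply_xml)

    # Control-device side: how access devices are authenticated for the CAPWAP tunnel.
    as_auth = root.find(f".//{{{HW_NAC}}}as-auth")
    if as_auth is not None:
        if as_auth.findtext(f"{{{HW_NAC}}}auth-mode") == "none":
            findings.append("as-auth/auth-mode is none: access devices are not "
                            "authenticated when they establish the CAPWAP tunnel")
        for entry in as_auth.findall(f"{{{HW_NAC}}}whitelist-mac-address"):
            mac = (entry.text or "").strip()
            if MAC_RE.match(mac):
                findings.append(f"whitelist-mac-address {mac}: this access device "
                                "is exempt from tunnel authentication")
            else:
                findings.append(f"whitelist-mac-address {mac!r}: not in the "
                                "colon-separated form used in the whitelist samples")

    # Access-device side: per-interface access-point settings.
    for iface in root.iter(f"{{{IF}}}interface"):
        name = iface.findtext(f"{{{IF}}}name")
        ap = iface.find(f"{{{HW_NAC}}}police-gang-control/{{{HW_NAC}}}access-point")
        if ap is None:
            continue
        if ap.findtext(f"{{{HW_NAC}}}open") == "true":
            findings.append(f"{name}: access-point/open is true, right control "
                            "on this access point is disabled")
    return findings


if __name__ == "__main__":
    for line in audit_policy_association(SAMPLE_REPLY):
        print(line)
```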
Configuring the Maximum Number of Access Users Allowed on an Interface of an Authentication Access Device
This section provides a sample of configuring the maximum number of access users allowed on the interface of an authentication access device using the merge method.
Operation | XPATH |
---|---|
edit-config:merge | ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:police-gang-control/huawei-nac:access-point/huawei-nac:max-user-num |
Data Requirements
Item | Data | Description |
---|---|---|
max-user-num | 10 | - |
Request Example
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xc:operation="merge">
        <interface>
          <name>GigabitEthernet1/0/13</name>
          <type xmlns:iana="urn:ietf:params:xml:ns:yang:iana-if-type">iana:ethernetCsmacd</type>
          <enabled>true</enabled>
          <police-gang-control xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
            <access-point>
              <max-user-num>10</max-user-num>
            </access-point>
          </police-gang-control>
        </interface>
      </interfaces>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Unrecognized information.</error-message>
    <error-info>Error on node /ietf-interfaces:interfaces/interface[name="GigabitEthernet1/0/13"]/huawei-nac:police-gang-control/access-point/max-user-num</error-info>
  </rpc-error>
</rpc-reply>
Configuring User Authorization Information to Be Delivered to Authentication Access Devices
This section provides a sample of configuring user authorization information to be delivered to authentication access devices using the merge method.
Operation | XPATH |
---|---|
edit-config:merge | /huawei-aaa:aaa/service-scheme/name /huawei-aaa:aaa/service-scheme/remote-authorize/authorize-parameters |
Data Requirements
Item | Data | Description |
---|---|---|
authorize-parameters | acl car ucl-group | - |
Request Example
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme>
          <hw-aaa:name>xuandong_001</hw-aaa:name>
          <hw-aaa:vsys>pub</hw-aaa:vsys>
          <hw-aaa:remote-authorize>
            <hw-aaa:authorize-parameters>acl car ucl-group</hw-aaa:authorize-parameters>
          </hw-aaa:remote-authorize>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa:aaa/service-scheme[name='xuandong_001'][vsys='pub']/remote-authorize/authorize-parameters</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "authorize-parameters" element.).</error-message>
  </rpc-error>
</rpc-reply>
Configuring User Authorization Information to Be Delivered to Authentication Control Devices
This section provides a sample of configuring user authorization information to be delivered to authentication control devices using the merge method.
Operation | XPATH |
---|---|
edit-config:merge | /huawei-aaa:aaa/service-scheme/name /huawei-aaa:aaa/service-scheme/local-authorize |
Data Requirements
Item | Data | Description |
---|---|---|
authorize-parameters | acl car ucl-group priority vlan | - |
none | true | - |
Request Example
# Configure user authorization information to be delivered to authentication control devices.
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme>
          <hw-aaa:name>xuandong_001</hw-aaa:name>
          <hw-aaa:vsys>pub</hw-aaa:vsys>
          <hw-aaa:local-authorize>
            <hw-aaa:authorize-parameters>acl car ucl-group priority vlan</hw-aaa:authorize-parameters>
          </hw-aaa:local-authorize>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
# Configure the service scheme so that no user authorization information is delivered to authentication control devices.
<rpc message-id="7" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme>
          <hw-aaa:name>xuandong_001</hw-aaa:name>
          <hw-aaa:vsys>pub</hw-aaa:vsys>
          <hw-aaa:local-authorize>
            <hw-aaa:none>true</hw-aaa:none>
          </hw-aaa:local-authorize>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>
# Sample of failed response.
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa:aaa/service-scheme[name='xuandong_001'][vsys='pub']/local-authorize/none</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "none" element.).</error-message>
  </rpc-error>
</rpc-reply>
Configuring the Control Point That Directly Forwards User Traffic to Filter User Traffic Based on a User ACL Before Forwarding the Traffic
This section provides a sample of configuring the control point that directly forwards user traffic to filter user traffic based on a user ACL before forwarding the traffic.
Operation | XPATH |
---|---|
edit-config:config | /ietf-interfaces:interfaces/interface/huawei-nac:police-gang-control/access-point/ucl-policy-enabled |
Data Requirements
Item | Data | Description |
---|---|---|
Interface | XGigabitEthernet1/0/1 | - |
Whether the control point that directly forwards user traffic is configured to filter user traffic based on a user ACL before forwarding the traffic | true | - |
Request Example
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <if:interface>
          <if:name>XGigabitEthernet1/0/1</if:name>
          <if:type xmlns:iana-if-type="urn:ietf:params:xml:ns:yang:iana-if-type">iana-if-type:ethernetCsmacd</if:type>
          <hw-nac:police-gang-control xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
            <hw-nac:access-point>
              <hw-nac:ucl-policy-enabled>true</hw-nac:ucl-policy-enabled>
            </hw-nac:access-point>
          </hw-nac:police-gang-control>
        </if:interface>
      </if:interfaces>
    </config>
  </edit-config>
</rpc>
Response Example
# Sample of successful response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>
# Sample of failed response.
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/ietf-interfaces:interfaces/interface[name='XGigabitEthernet1/0/1']/huawei-nac:police-gang-control/access-point/ucl-policy-enabled</error-path>
    <error-message>parse rpc config error.(Invalid value in "ucl-policy-enabled" element.).</error-message>
  </rpc-error>
</rpc-reply>