AAA Management

S12700 and S12700E V200R019C10 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

AAA Management

Data Model

The configuration model files matching AAA management are huawei-user-management.yang, huawei-aaa.yang, huawei-aaa-hwtacacs.yang, and huawei-aaa-radius.yang.

Table 2-486 Local user

Object	Description	Value	Remarks
/huawei-user-management/user-management/local-user/user-name	Indicates the user name of a local user.	The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisk, double quotation mark and question mark.	N/A
/huawei-user-management/user-management/local-user/password	Indicates the password of a local user.	The value is a case-sensitive string without question marks (?) or spaces.	N/A
/huawei-user-management/user-management/local-user/privilege-level	Indicates the level of a local user.	The value is an integer that ranges from 0 to 15. A larger value indicates a higher level of a user.	N/A
/huawei-user-management/user-management/local-user/service-type	Indicates the access type of a local user.	The value can be: dot1x: 802.1X user api: API user ftp: FTP user http: HTTP user (typically used for web system login) bind: IP session user ppp: PPP user ssh: SSH user telnet: Telnet user (usually a network administrator) terminal: end user (usually a user connected using a console port) web: Portal authentication user x25pad: X25-PAD user	N/A
/huawei-user-management/user-management/local-user/ftp-directory	Indicates the directory that FTP users can access.	The value is a string of 1 to 64 case-sensitive characters without spaces.	N/A
/huawei-user-management/user-management/local-user/http-directory	Indicates the directory that HTTP users can access.	The value is a string of 1 to 64 case-sensitive characters without spaces.	N/A
/huawei-user-management:user-management/local-user/expire-date	Indicates the expiration time of a local account.	The value is an integer that ranges from 2000-01-01 to 2099-12-31.	N/A
/huawei-user-management:user-management/local-user/time-range	Indicates the access permission time range of local accounts.	The value is a string of 1 to 32 case-sensitive characters and must begin with a letter.	N/A
/huawei-user-management:user-management/local-user/device-type-group/device-type	Indicates the type of terminals that allow local users to access the network.	The value is a string of 1 to 31 case-insensitive characters without spaces.	N/A
/huawei-user-management:user-management/local-user/user-type	Indicates that a local user is an NMS user.	Enumerated type. The value is net-manager.	N/A
/huawei-user-management/user-management/local-user/access-limit	Indicates the maximum number of connections that can be created with a specified user name.	The value is an integer that ranges from 1 to 4294967295.	N/A
/huawei-user-management/user-management/local-user/idle-time	Indicates the timeout period of the user account.	The value is an integer that ranges from 0 to 2147519, in seconds.	N/A
/huawei-user-management/user-management/local-user/state	Indicates the state of a local user.	Enumerated type. The value can be: active: A local user is in active state. The device accepts and processes the authentication request from the user, and allows the user to change the password. block: A local user is in blocking state. The device rejects the authentication request from the user and does not allow the user to change the password.	N/A
/huawei-user-management:user-management/administrator-password-police	Indicates the password policy for local administrators. The object includes: enable: indicates whether the password policy is enabled for local administrators. expire-day: indicates the password validity period. alert-expire-day: indicates whether the password expiration prompt function is enabled. alert-original: indicates whether the initial password change prompt function is enabled. history-record-number: indicates the maximum number of historical passwords recorded for each user.	enable: The value is of the Boolean type: true: The password policy is enabled for local administrators. false: The password policy is disabled for local administrators. The default value is false. expire-day: The value is an integer that ranges from 0 to 999, in days. The default value is 90. alert-expire-day: The value is an integer that ranges from 0 to 999, in days. The default value is 30. alert-original: The value is of the Boolean type: true: indicates the initial password change prompt function is enabled. false: indicates the initial password change prompt function is disabled. The default value is true. history-record-number: The value is an integer that ranges from 0 to 12. The default value is 5.	N/A
/huawei-user-management:user-management/user-password-police	Indicates the password policy for local access users. The object includes: enable: indicates whether the password policy is enabled for local access users. history-record-number: indicates the maximum number of historical passwords recorded for each user.	enable: The value is of the Boolean type: true: indicates the password policy is enabled for local access users. false: indicates the password policy is disabled for local access users. history-record-number: The value is an integer that ranges from 0 to 12. The default value is 5.	N/A
/huawei-user-management:user-management/wrong-password-police	Indicates the local account locking function. The object includes: retry-interval: indicates the authentication retry interval of local users. retry-times: indicates the maximum number of consecutive incorrect password attempts of a local account. block-time: indicates the local account locking time.	retry-interval: The value is an integer that ranges from 5 to 65535, in minutes. retry-times: The value is an integer that ranges from 3 to 65535. block-time: The value is an integer that ranges from 5 to 65535, in minutes.	N/A
/huawei-user-management:user-management/password-option/complexity-check	Indicates whether the password complexity check function is enabled for local accounts.	The value is of the Boolean type: true: indicates the password complexity check function is enabled for local accounts. false: indicates the password complexity check function is disabled for local accounts.	N/A

Table 2-487 AAA

Object	Description	Value	Remarks
huawei-aaa:aaa/global/user-queue	Whether the user queue scheduling is set to single-user mode.	The value is of the Boolean type: true: The user queue scheduling is set to single-user mode. false: The user queue scheduling is set to user sharing mode. The default value is true.	NA
/huawei-aaa:aaa/authentication-scheme/name	Indicates the name of an authentication scheme.	The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > \| @ ' %.	N/A
/huawei-aaa:aaa/authentication-scheme/authentication-mode	Indicates the authentication mode in an authentication scheme.	The value can be: hwtacacs: Authenticates users using an HWTACACS server. local: Authenticates users locally. radius: Authenticates users using a RADIUS server. none: Indicates non-authentication. That is, users access the network without being authenticated.	N/A
/huawei-aaa:aaa/authentication-scheme/no-response-accounting	Whether the device continues sending accounting packets after the server does not respond to a user's authentication request and the user then is authenticated using the local authentication mode.	Boolean type. The value can be: true: The device continues sending accounting packets. false: The device does not send accounting packets. The default value is false.	NA
/huawei-aaa:aaa/authorization-scheme/name	Indicates the name of an authorization scheme.	The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > \| @ ' %.	N/A
/huawei-aaa:aaa/authorization-scheme/authorization-mode	Indicates the authorization mode in an authorization scheme.	The value can be: hwtacacs: Indicates that the user is authorized by an HWTACACS server. if-authenticated: Indicates that only the user who succeeds in authentication (authentication exemption excluded) is authorized. local: Indicates that the user is authorized locally. none: Indicates non-authorization.	N/A
/huawei-aaa:aaa/authorization-scheme/authorization-cmd/authorization-cmd-item	Configure the administrator of a specific level to run only commands that are authorized by the HWTACACS server. The object includes: privilege-level: Indicates the administrator level. authorization-cmd-mode: Indicates the authorization backup mode.	privilege-level: The value is an integer that ranges from 0 to 15. authorization-cmd-mode: The value can be: local: Indicates that the authorization backup mode is authorized locally. none: Indicates the authorization backup mode is non-authorization.	N/A
/huawei-aaa:aaa/accounting-scheme/name	Indicates the name of an accounting scheme.	The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > \| @ ' %.	N/A
/huawei-aaa:aaa/accounting-scheme/accounting-mode	Indicates the accounting mode in an accounting scheme.	The value can be: hwtacacs: Indicates that accounting is performed by an HWTACACS server. radius: Indicates that accounting is performed by a RADIUS server. none: Indicates non-accounting.	N/A
/huawei-aaa:aaa/accounting-scheme/start-accounting-fail/fail-policy	Indicates the policy for accounting-start failures.	Enumerated type. The value can be: offline: rejects users' online requests if accounting-start fails. online: allows users to go online if accounting-start fails.	N/A
/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-interval	Indicates the interval for real-time accounting.	The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.	N/A
/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-max-times	Indicates the maximum number of real-time accounting failures.	The value is an integer that ranges from 1 to 255. The default value is 3.	N/A
/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-policy	Indicates the policy for real-time accounting failures.	Enumerated type. The value can be: offline: disconnects users if real-time accounting fails. online: keeps users online if real-time accounting fails.	N/A
/huawei-aaa:aaa/service-scheme/name	Indicates the name of a service scheme.	The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > \| @ ' %.	N/A
/huawei-aaa:aaa/service-scheme/admin-user-privilege-level	Indicates the level of a user who logs in to the device as an administrator.	The value is an integer that ranges from 0 to 15.	N/A
/huawei-aaa:aaa/service-scheme/voice-vlan-enable	Whether to enable the voice VLAN function in a service scheme.	Boolean type. The value can be: true false	N/A
/huawei-aaa:aaa/service-scheme/vlan	Specifies a user VLAN in a service scheme.	The value is an integer that ranges from 1 to 4094.	N/A
/huawei-aaa:aaa/service-scheme/acl	Indicates the number of an ACL bound to a service scheme.	The value is an integer that ranges from 3000 to 3999.	N/A
/huawei-aaa:aaa/service-scheme/acl-ipv6	Indicates the number of an IPv6 ACL bound to a service scheme.	The value is an integer that ranges from 3000 to 3999.	N/A
/huawei-aaa:aaa/service-scheme/qos-profile	Indicates the QoS profile bound to a service scheme.	The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > \| @ ' %.	N/A
/huawei-aaa:aaa/service-scheme/ucl-group	Indicates the UCL group bound to a service scheme.	The value must be the name of an existing UCL group.	N/A
/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-time	Indicates the period in which an idle user can stay online.	The value is an integer that ranges from 1 to 1440, in minutes.	N/A
/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-value	Indicates the traffic threshold for the idle-cut function.	The value is an integer that ranges from 0 to 4294967295, in Kbytes.	N/A
/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-direction	Indicates the direction of traffic on which the idle-cut function takes effect.	Enumerated type. The value can be: inbound: indicates that the idle-cut function takes effect only on upstream traffic of users. outbound: indicates that the idle-cut function takes effect only on downstream traffic of users.	N/A
/huawei-aaa:aaa/service-scheme/priority	Indicates the user priority configured in a service scheme.	The value is 0 or 1. A larger value indicates a higher priority.	This object takes effect only for wireless users.
/huawei-aaa:aaa/service-scheme/redirect-acl/acl	Configures a redirect IPv4 ACL in a service scheme: acl-id: indicates the number of a redirect ACL. acl-name: indicates the name of a redirect ACL.	acl-id is an integer in the range from 3000 to 3999. acl-name must be the name of an existing ACL.	N/A
/huawei-aaa:aaa/service-scheme/redirect-acl-ipv6/acl	Configures a redirect IPv6 ACL in a service scheme: acl-id: indicates the number of a redirect ACL. acl-name: indicates the name of a redirect ACL.	acl-id is an integer in the range from 3000 to 3999. acl-name must be the name of an existing ACL.	NA
/huawei-aaa:aaa/aaa-domain	Indicates an authentication domain.	The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? ".	N/A
/huawei-aaa:aaa/aaa-domain/authentication-scheme	Indicates the name of an authentication scheme bound to a domain.	The value must be the name of an existing authentication scheme.	N/A
/huawei-aaa:aaa/aaa-domain/authorization-scheme	Indicates the name of an authorization scheme bound to a domain.	The value must be the name of an existing authorization scheme.	N/A
/huawei-aaa:aaa/aaa-domain/accounting-scheme	Indicates the name of an accounting scheme bound to a domain.	The value must be the name of an existing accounting scheme.	N/A
/huawei-aaa:aaa/aaa-domain/service-scheme	Indicates the name of a service scheme bound to a domain.	The value must be the name of an existing service scheme.	N/A
/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server	Indicates the name of a RADIUS server template bound to a domain.	The value must be the name of an existing RADIUS server template.	N/A
/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server	Indicates the name of the HWTACACS server template that is applied in a domain.	The HWTACACS server template must already exist.	N/A
/huawei-aaa:aaa/aaa-domain/statistics-enable	Indicates whether traffic statistics collection is enabled for users in a domain.	Boolean type. The value can be: true: Traffic statistics collection is enabled for users in a domain. false: Traffic statistics collection is disabled for users in a domain.	N/A
/huawei-aaa:aaa/aaa-domain/dual-stack-separate	Indicates whether separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic is enabled.	The value is of the Boolean type: true: Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic is enabled for users in a domain. false: Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic is disabled for users in a domain.	NA
/huawei-aaa:aaa/remote-user-policy	Indicates that the remote AAA authentication account locking function is enabled. The object includes: retry-interval: Specifies the authentication retry interval. retry-times: Specifies the maximum number of consecutive authentication failures. block-time: Specifies the account locking period.	retry-interval: The value is an integer that ranges from 5 to 65535, in minutes. retry-times: The value is an integer that ranges from 3 to 65535. block-time: The value is an integer that ranges from 5 to 65535, in minutes.	N/A
/huawei-aaa:aaa/global/authentication-bypass	Indicates whether the bypass authentication function is configured. The object includes: bypass-enable: Whether the bypass authentication function is enabled. bypass-time: Specifies the bypass authentication timeout interval.	bypass-enable: The value is of the Boolean type and can be: true: Indicates that the bypass authentication function is enabled. false: Indicates that the bypass authentication function is disabled. The default value is false. bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.	N/A
/huawei-aaa:aaa/global/authorization-bypass	Indicates whether the bypass authorization function is configured. The object includes: bypass-enable: Whether the bypass authorization function is enabled. bypass-time: Specifies the bypass authorization timeout interval.	bypass-enable: The value is of the Boolean type and can be: true: Indicates that the bypass authorization function is enabled. false: Indicates that the bypass authorization function is disabled. The default value is false. bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.	N/A
/huawei-aaa:aaa/global/authorization-cmd-bypass	Indicates whether the command-line bypass authorization function is configured. The object includes: bypass-enable: Whether the command-line bypass authorization function is enabled. bypass-time: Specifies the command-line bypass authorization timeout interval.	bypass-enable: The value is of the Boolean type and can be: true: Indicates that the command-line bypass authorization function is enabled. false: Indicates that the command-line bypass authorization function is disabled. The default value is false. bypass-time: The value is an integer that ranges from 1 to 1440, in minutes.	N/A
/huawei-aaa:aaa/global/authorization-info-check/fail-policy	Indicates whether the device allows users to go online after the authorization information check fails.	online: Indicates that the device allows users to go online. offline: Indicates that the device prohibits users from going online. By default, the device allows users to go online after the authorization information check fails.	N/A
/huawei-aaa:aaa/test-aaa	Tests the server connectivity. The object includes: vsys-name: indicates the name of a virtual system. user-name: indicates the user name. user-password: indicates the user password. server-type: Indicates the server type. template-name: indicates the name of a server template. test-type: tests an accounting server. accounting-type: indicates the type of accounting packets to be sent.	vsys-name: The value is public. user-name: The value is a string of 1 to 253 case-insensitive characters. user-password: The value is a string of 1 to 128 case-sensitive characters. server-type: The value is radius or hwtacacs. template-name: The value must be the name of an existing server template. test-type: The value is accounting. accounting-type: The value is start, realtime, or stop.	N/A

Table 2-488 RADIUS

Object	Description	Value	Remarks
/huawei-aaa-radius:radius/radius-server/name	Indicates the name of a RADIUS server template.	The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.	N/A
/huawei-aaa-radius:radius/radius-server/authentication-server	Configures a RADIUS authentication server. The object includes: server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS authentication server. port: indicates the port number of a RADIUS authentication server. vpn-instance: indicates the name of a VPN instance to which a RADIUS authentication server is bound. This parameter can be configured only when the RADIUS authentication server uses an IPv4 address. weight: indicates the weight value of a RADIUS authentication server. loopback-interface: indicates the number of a loopback interface.	server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-digit hexadecimal number). port: The value is an integer that ranges from 1 to 65535. vpn-instance: The value must be the name of an existing VPN instance. weight: The value is an integer that ranges from 0 to 100. The default value is 80. loopback-interface: The loopback interface must already exist.	N/A
/huawei-aaa-radius:radius/radius-server/accounting-server	Configures a RADIUS accounting server. The object includes: server-ip-address: indicates the IPv4 or IPv6 address of a RADIUS accounting server. port: indicates the port number of a RADIUS accounting server. vpn-instance: indicates the name of a VPN instance to which a RADIUS accounting server is bound. This parameter can be configured only when the RADIUS accounting server uses an IPv4 address. weight: indicates the weight value of a RADIUS accounting server. loopback-interface: indicates the number of a loopback interface.	server-ip-address: The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (a 32-bit hexadecimal number). port: The value is an integer that ranges from 1 to 65535. vpn-instance: The value must be the name of an existing VPN instance. weight: The value is an integer that ranges from 0 to 100. The default value is 80. loopback-interface: The loopback interface must already exist.	N/A
/huawei-aaa-radius:radius/radius-server/authentication-server/shared-key	Indicates the shared key of a RADIUS authentication server.	The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.	N/A
/huawei-aaa-radius:radius/radius-server/accounting-server/shared-key	Indicates the shared key of a RADIUS accounting server.	The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.	The shared key of the RADIUS accounting server must be the same as that of the RADIUS authentication server.
/huawei-aaa-radius:radius/dynamic-authorization-server	Configures a RADIUS authorization server. The object includes: server-ip-address: indicates the IP address of a RADIUS authorization server. shared-key: indicates the shared key of a RADIUS authorization server. vpn-instance: indicates the name of a VPN instance to which a RADIUS authorization server is bound. ack-reserved-interval: indicates the duration for retaining a RADIUS authorization response packet. server-group: indicates the name of a RADIUS server template corresponding to a RADIUS authorization server.	server-ip-address: The value is a valid unicast address in dotted decimal notation. shared-key: The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext. vpn-instance: The value must be the name of an existing VPN instance. ack-reserved-interval: The value is an integer that ranges from 0 to 300, in seconds. The default value is 0. server-group: The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.	N/A
/huawei-aaa-radius:radius/radius-server/translate-attribute/enable	Indicates whether RADIUS attribute translation is enabled.	Boolean type. The value can be: true false	N/A
/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-normal	Configures standard RADIUS attribute translation. The object includes: source-attribute-name: indicates the name of a source attribute. destination-attribute-name: indicates the name of a destination attribute. packet-type: indicates the packet type in a standard RADIUS attribute to be translated.	source-attribute-name: The value is a string of 1 to 64 characters. destination-attribute-name: The value is a string of 1 to 64 characters. packet-type: The value is the enumerated type. receive: translates RADIUS attributes for received packets. send: translates RADIUS attributes for sent packets. access-request: translates RADIUS attributes for Authentication Request packets. account-request: translates RADIUS attributes for Accounting Request packets. access-accept: translates RADIUS attributes for Authentication Accept packets. account-response: translates RADIUS attributes for Accounting Response packets.	N/A
/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend	Translates extended RADIUS attributes, that is, translating the non-Huawei attributes not supported by the device to the attributes supported by the device. The object includes: source-attribute-name: indicates the name of a source attribute. destination-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated. destination-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated. packet-type: indicates the packet type in the extended RADIUS attribute to be translated.	source-attribute-name: The value is a string of 1 to 64 characters. destination-vendor-id: The value is an integer that ranges from 1 to 4294967295. destination-sub-vendor-id: The value is an integer that ranges from 1 to 255. packet-type: The value is the enumerated type. access-request: translates RADIUS attributes for Authentication Request packets. account-request: translates RADIUS attributes for Accounting Request packets.	N/A
/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend-vendor	Translates extended RADIUS attributes, that is, translating the attributes supported by the device to the non-Huawei attributes not supported by the device. The object includes: source-vendor-id: indicates the vendor ID in the extended RADIUS attribute to be translated. source-sub-vendor-id: indicates the sub ID in the extended RADIUS attribute to be translated. destination-attribute-name: indicates the name of a destination attribute. packet-type: indicates the packet type in the extended RADIUS attribute to be translated.	source-vendor-id: The value is an integer that ranges from 1 to 4294967295. source-sub-vendor-id: The value is an integer that ranges from 1 to 255. destination-attribute-name: The value is a string of 1 to 64 characters. packet-type: The value is the enumerated type. access-accept: translates RADIUS attributes for Authentication Accept packets. account-response: translates RADIUS attributes for Accounting Response packets.	N/A
/huawei-aaa-radius:radius/radius-server/disable-attribute	Disables a RADIUS attribute. The object includes: attribute-name: indicates the name of a RADIUS attribute to be disabled. option: indicates the packet type of a RADIUS attribute to be disabled.	attribute-name: The value is a string of 1 to 64 characters. option: The value is the enumerated type and can be either of the following: receive: disables a RADIUS attribute for received packets. send: disables a RADIUS attribute for sent packets.	N/A
/huawei-aaa-radius:radius/radius-server/options/user-name/format	Configures the device to encapsulate domain names in user names in RADIUS packets to be sent to a RADIUS server.	Enumerated type. The value can be: original: The device does not modify the user name entered by the user. domain-include: The user name includes the domain name. domain-exclude: The user name does not include the domain name. domain-exclude-except-eap: The user name does not include the domain name (for authentication modes excluding the EAP authentication).	N/A
/huawei-aaa-radius:radius/radius-server/options/traffic-unit	Indicates the traffic unit used by a RADIUS server.	Enumerated type. The value can be: byte kbyte mbyte gbyte	N/A
/huawei-aaa-radius:radius/radius-server/options/dead-time	Indicates the interval for the server to return to the active state.	The value is an integer that ranges from 1 to 65535, in minutes.	N/A
/huawei-aaa-radius:radius/radius-server/options/timeout-timer	Indicates the timeout interval of RADIUS request packets.	The value is an integer that ranges from 1 to 10, in seconds.	N/A
/huawei-aaa-radius:radius/radius-server/options/retransmit-time	Indicates the number of times RADIUS request packets can be retransmitted.	The value is an integer that ranges from 1 to 5.	N/A
/huawei-aaa-radius:radius/radius-server/options/account-stop-packet-resend-times	Enables retransmission of accounting-stop packets.	The value is an integer that ranges from 0 to 300. The default value is 3.	N/A
/huawei-aaa-radius:radius/radius-server/service-type	Indicates the reauthentication type.	Enumerated type. The value is with-authenonly-reauthen.	N/A
/huawei-aaa-radius:radius/radius-server/message-authenticator	Indicates the type of packets carrying the Message-Authenticator attribute.	Enumerated type. The value is access-request.	N/A
/huawei-aaa-radius:radius/radius-server/hw-dhcp-option-format	Indicates the format of Huawei extended attribute HW-DHCP-Option.	Enumerated type. The value can be new or old.	N/A
/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id	Sets the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. The object includes: mac-address-format: indicates the separator in a MAC address. mode: indicates the format of a MAC address. letter: indicates whether letters in a MAC address are in uppercase or lowercase.	mac-address-format: The value is the enumerated type. dot-split: sets the separator to dot (.). hyphen-split: sets the separator to hyphen (-). unformatted: sets no separator. mode: The value is the enumerated type. mode1: indicates that the MAC address in the called-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format. mode2: indicates that the MAC address in the called-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format. letter: The value is the enumerated type. lowercase: indicates that the MAC address in the called-station-id attribute uses the lowercase. uppercase: indicates that the MAC address in the called-station-id attribute uses the uppercase.	N/A
/huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id	Sets the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets. The object includes: mac-address-format: indicates the separator in a MAC address. mode: indicates the format of a MAC address. letter: indicates the style of letters in a MAC address.	mac-address-format: The value is the enumerated type. dot-split: sets the separator to dot (.). hyphen-split: sets the separator to hyphen (-). unformatted: sets no separator. mode: The value is the enumerated type. mode1: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format. mode2: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format. letter: The value is the enumerated type. lowercase: indicates that the MAC address in the calling-station-id attribute uses the lowercase. uppercase: indicates that the MAC address in the calling-station-id attribute uses the uppercase. bin: indicates that the MAC address in the calling-station-id attribute is in binary notation.	N/A
/huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id	Sets the format of the MAC address that can be parsed by a device in the calling-station-id attribute carried in RADIUS dynamic authorization packets. The object includes: mac-address-format: indicates the separator in a MAC address. mode: indicates the format of a MAC address.	mac-address-format: The value is the enumerated type. dot-split: sets the separator to dot (.). hyphen-split: sets the separator to hyphen (-). unformatted: sets no separator. mode: The value is the enumerated type. common: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format. compress: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.	N/A
/huawei-aaa-radius:radius/dynamic-authorization-option/decode-attribute-sameastemplate	Indicates whether the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.	The value is of the Boolean type: true: indicates the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view. false: indicates the device is disabled from parsing attributes in the RADIUS dynamic authorization packet based on the configurations in the system view. The default value is true.	N/A
/huawei-aaa-radius:radius/session-manage-function/client/any/any-enable	Indicates whether the session management function is enabled.	The value is of the Boolean type: true: indicates the session management function is enabled. false: indicates the session management function is disabled. The default value is false.	N/A
/huawei-aaa-radius:radius/session-manage-function/client/ip/client-item	Indicates the session management server. The object includes: ip-address: specifies the IP address of the session management server. vpn-instance: specifies the VPN instance bound to the session management server. shared-key: specifies the shared key of the session management server.	ip-address: The value is in dotted decimal notation. vpn-instance: The value is a string of 1 to 31 case-sensitive characters without spaces. shared-key: The value is a case-sensitive character string without spaces and question mask (?).	N/A
/huawei-aaa-radius:radius/radius-server/hw-ap-info-format	Sets the AP's IP address in Huawei extended attribute HW-AP-Information.	The value is include-ap-ip.	N/A
/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name	Enables the function of checking whether a RADIUS Access-Accept packet carries a specified attribute.	The value is a string of 1 to 64 characters.	N/A
/huawei-aaa-radius:radius/radius-server/nas-ip-address	Sets the NAS-IP-Address attribute in RADIUS packets sent by the device.	The value is a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-radius:radius/radius-server/nas-ipv6-address	Sets the NAS-IPv6-Address attribute in RADIUS packets sent by the device.	The value is a 32-bit hexadecimal string in the X:X:X:X:X:X:X:X format.	N/A
/huawei-aaa-radius:radius/radius-server/server-detect-function	Creates a user account for automatic detection in the RADIUS server template. server-detect-enable: indicates whether to enable automatic RADIUS server detection. test-user-name: indicates the user name for automatic detection. test-user-password: indicates the user password for automatic detection. interval: indicates the RADIUS server automatic detection interval.	server-detect-enable: The value is Boolean that can only be true or false. test-user-name: The value is a string of 1 to 253 case-sensitive characters without spaces. test-user-password: The value is a string of case-sensitive characters without spaces or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext. interval: The value is an integer that ranges from 5 to 3600, in seconds.	N/A
/huawei-aaa-radius:radius/radius-server/shared-key	Indicates the shared key of the RADIUS server in a RADIUS server template.	The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.	If shared keys are configured for the RADIUS authentication server, RADIUS accounting server, and RADIUS server template, the configurations for the servers have higher priorities. If no shared key is configured for the RADIUS authentication and accounting servers, the shared key configured in the RADIUS server template is used.
/huawei-aaa-radius:radius/server-shared-key/server-item	Configures the shared key of the RADIUS server globally. The object includes: shared-key: specifies the shared key. ip-address: specifies the IP address of the RADIUS server.	shared-key: The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext. ip-address: indicates the format of the IPv4 or IPv6 address.	NA
/huawei-aaa-radius:radius/radius-server/server-algorithm	Indicates the algorithm for selecting RADIUS servers.	Enumerated type. The value can be: loading-share: sets the algorithm for selecting RADIUS servers to load balancing. master-backup: sets the algorithm for selecting RADIUS servers to primary/secondary. load-sharing-byuser: sets the algorithm for selecting RADIUS servers to single user-based load balancing. master-backup-byuser: sets the algorithm for selecting RADIUS servers to single user-based primary/secondary.	N/A
/huawei-aaa-radius:radius/global/options	Configures keepalive detection for the RADIUS server. The object includes: dead-interval: indicates the detection interval of the RADIUS server. dead-count: indicates the maximum number of consecutive packets that are not acknowledged by the RADIUS server. dead-detect-condition: indicates the RADIUS server detection mode.	dead-interval: The value is an integer that ranges from 1 to 300, in seconds. dead-count: The value is an integer that ranges from 1 to 65535. dead-detect-condition: Enumerated type. The value is by-server-ip.	N/A
/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format	Indicates the encapsulation format of the NAS-Port attribute. The object includes: format: indicates the format of the NAS-Port attribute.	self-designed-format: The value is a string of 1 to 32 characters. format: Enumerated type. The value can be new or old.	N/A
/huawei-aaa-radius:radius/radius-server/format-attribute/nas-identifier-format	Indicates the encapsulation content of the NAS-Identifier attribute.	Enumerated type. The value can be hostname and vlan-id.	N/A
/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-id-format	Indicates the encapsulation format of the NAS-Port-Id attribute.	Enumerated type. The value can be new and old.	N/A

Table 2-489 HACA

Object	Description
/huawei-aaa-haca:aca	Indicates that the operation request (creating and modifying) object is nac-access. It is a root object, which is only used to contain sub-objects, but does not have any data meaning.
/huawei-aaa-haca:aca/haca-server	Indicates the name of an HACA server template. The value is a string of 1 to 32 case-sensitive characters, including letters, digits, periods (.), hyphens (-), underscores (_), and a combination of the above characters. The value cannot be - or --.
/huawei-aaa-haca:aca/haca-server/enable	Enables the HACA function.
/huawei-aaa-haca:aca/haca-server/server/server-ip	Indicates the IP address of an HACA server. The value is a valid unicast IP address in dotted decimal notation.
/huawei-aaa-haca:aca/haca-server/server/port	Indicates the port number of an HACA server. The value is an integer that ranges from 1 to 65535. The default value is 49.
/huawei-aaa-haca:aca/haca-server/pki-domain	Indicates a PKI realm name. The PKI realm name must already exist.
/huawei-aaa-haca:aca/haca-server/heart-beat	Indicates the interval at which HACA heartbeat packets are sent. The value is an integer that ranges from 1 to 1440, in minutes.
/huawei-aaa-haca:aca/haca-server/detection-function/reconnect-interval	Indicates the interval for reconnecting to an HACA server. The value is an integer that ranges from 1 to 255, in minutes.
/huawei-aaa-haca:aca/haca-server/timeout	Indicates the response timeout interval of an HACA server. The value is an integer that ranges from 1 to 300, in seconds.
/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-haca:haca-server/huawei-aaa-haca:haca-server	Indicates the name of an HACA server template for a domain. The value must be an existing HACA server template name.

Configuring a Local User

This section describes how to configure a local user using the merge method.

Table 2-490 Configuring a local user

Operation	XPATH
edit-config:merge	/huawei-user-management/user-management/local-user

Data Requirements

Table 2-491 Configuring a local user

Item	Data	Description
User name of a local user	Example@123	Set the user name of a local user to Example@123.
Password of a local user	Example@123	Set the password of a local user to Example@123.
Level of a local user	15	Set the level of a local user to 15.
Access type of a local user	ftp	Set the access type of a local user to FTP.
Directory that FTP users can access	flash:	Set the directory that FTP users can access to flash:.
Maximum number of connections that users can establish.	4294967295	Set the maximum number of connections that users can establish to 4294967295.
Timeout period of the user account.	110	Set the timeout period of the user account to 110 seconds.
State of a local user.	active	Set the state of a local user to active.
Expiration time of a local user name	2019-09-21T16:10:21.52Z	Set the expiration time of a local user name to 2019-09-21T16:10:21.52Z.
Access permission time range of a local user	time1	Set the access permission time range of a local user to time1.
Type of terminals that allow local users to access the network	ipphone	Set the type of terminals that allow local users to access the network to ipphone.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:local-user>
          <hw-user-management:user-name>Example@123</hw-user-management:user-name>
          <hw-user-management:privilege-level>15</hw-user-management:privilege-level>
          <hw-user-management:service-type>ftp</hw-user-management:service-type>
          <hw-user-management:password>Example@123</hw-user-management:password>
          <hw-user-management:ftp-directory>flash:</hw-user-management:ftp-directory>
          <hw-user-management:access-limit>4294967295</hw-user-management:access-limit>
          <hw-user-management:idle-time>110</hw-user-management:idle-time>
          <hw-user-management:state>active</hw-user-management:state>
          <hw-user-management:expire-date>2019-09-21T16:10:21.52Z</hw-user-management:expire-date>
          <hw-user-management:time-range>time1</hw-user-management:time-range>
          <hw-user-management:device-type-group>
           <hw-user-management:device-type>ipphone</hw-user-management:device-type>
          </hw-user-management:device-type-group>
        </hw-user-management:local-user>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The password length must range from 8 to 128</error-message>
  <error-info>Error on node /huawei-user-management:user-management/local-user[user-name="Example@123"]/password</error-info>
 </rpc-error>
</rpc-reply>

Configuring Security of the Local User Password

This section provides a sample of configuring security of the local user password using the merge method.

Table 2-492 Configuring security of the local user password

Operation	XPATH
edit-config:merge	/huawei-user-management:user-management/administrator-password-police /huawei-user-management:user-management/user-password-police /huawei-user-management:user-management/wrong-password-police /huawei-user-management:user-management/password-option/complexity-check

Data Requirements

Table 2-493 Configuring security of the local user password

Item	Data	Description
Password policy of the local administrator	Whether to enable the password policy for the local administrator: true Password expiration period: 90. Password expiration prompt period: 5. Whether to enable the initial password change prompt function: true Maximum number of historical passwords recorded for each user: 5.	Enable the password policy for the local administrator, set the password expiration period to 90 days, configure the system to prompt users to change the password 5 days before the password expires, enable the initial password change prompt function, and set the maximum number of historical passwords recorded for each user to 5.
Password policy for local access users	Whether to enable the password policy for local access users: true Maximum number of historical passwords recorded for each user: 5	Enable the password policy for local access users and set the maximum number of historical passwords recorded for each user to 5.
Local account locking function	Whether to enable the function of locking the password of a local account: true Authentication retry interval of a user: 5 Maximum number of consecutive incorrect password attempts: 3 Account locking time: 10	Enable the function of locking the password of the local account, and set the user retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking time to 10 minutes.
Whether to enable the password complexity check	true	Enable the password complexity check.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-user-management:user-management xmlns:hw-user-management="urn:huawei:params:xml:ns:yang:huawei-user-management">
        <hw-user-management:administrator-password-police>
          <hw-user-management:enable>true</hw-user-management:enable>
          <hw-user-management:expire-day>90</hw-user-management:expire-day>
          <hw-user-management:alert-expire-day>5</hw-user-management:alert-expire-day>
          <hw-user-management:alert-original>true</hw-user-management:alert-original>
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number>
        </hw-user-management:administrator-password-police>
        <hw-user-management:user-password-police>
          <hw-user-management:enable>true</hw-user-management:enable>
          <hw-user-management:history-record-number>5</hw-user-management:history-record-number>
        </hw-user-management:user-password-police>
        <hw-user-management:wrong-password-police>
          <hw-user-management:retry-interval>5</hw-user-management:retry-interval>
          <hw-user-management:retry-times>3</hw-user-management:retry-times>
          <hw-user-management:block-time>10</hw-user-management:block-time>
        </hw-user-management:wrong-password-police>
        <hw-user-management:password-option>
          <hw-user-management:complexity-check>true</hw-user-management:complexity-check>
        </hw-user-management:password-option>
      </hw-user-management:user-management>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-user-management:user-management/administrator-password-police/expire-day</error-path>
    <error-message>parse rpc config error.(Value "1000" does not satisfy the constraint "0..999" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring an AAA Scheme

This section describes how to configure an AAA scheme using the merge method.

Table 2-494 Configuring an AAA scheme

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa

Data Requirements

Table 2-495 Configuring an AAA scheme

Item	Data	Description
Name of an authentication scheme	authen1	Set the name of an authentication scheme to authen1.
Authentication mode in an authentication scheme	hwtacacs	Set the authentication mode in an authentication scheme to HWTACACS.
Name of an authorization scheme	author1	Set the name of an authorization scheme to author1.
HWTACACS server-based command line authorization.	Authorization level: 15, backup authorization mode: local	Configure the HWTACACS server-based command line authorization function for the level-15 administrator and change the command line authorization mode to the local authorization mode if the HWTACACS server does not respond to the command line authorization.
Authorization mode in an authorization scheme	hwtacacs	Set the authorization mode in an authorization scheme to HWTACACS.
Name of an accounting scheme	acct1	Set the name of an accounting scheme to acct1.
Accounting mode in an accounting scheme	hwtacacs	Set the accounting mode in an accounting scheme to HWTACACS.
Policy for accounting-start failures	online	Set the policy for accounting-start failures to online. That is, users are allowed to go online if accounting-start fails.
Interval for real-time accounting	15	Set the interval for real-time accounting to 15 minutes.
Maximum number of real-time accounting failures	5	Set the maximum number of real-time accounting failures to 5.
Policy for real-time accounting failures	offline	Set the policy for real-time accounting failures to offline. That is, users are disconnected if real-time accounting fails.
Whether to enable the bypass authentication function.	true	Enable the bypass authentication function and set the bypass authentication timeout interval to 13 minutes.
Bypass authentication timeout interval.	13

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-mode>hwtacacs</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:authorization-scheme>
          <hw-aaa:name>author1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authorization-mode>hwtacacs</hw-aaa:authorization-mode>
          <hw-aaa:authorization-cmd>
            <hw-aaa:authorization-cmd-item>
              <hw-aaa:privilege-level>15</hw-aaa:privilege-level>
              <hw-aaa:authorization-cmd-mode>local</hw-aaa:authorization-cmd-mode>
            </hw-aaa:authorization-cmd-item>
          </hw-aaa:authorization-cmd>
        </hw-aaa:authorization-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acct1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:accounting-mode>hwtacacs</hw-aaa:accounting-mode>
          <hw-aaa:start-accounting-fail>
            <hw-aaa:fail-policy>online</hw-aaa:fail-policy>
          </hw-aaa:start-accounting-fail>
          <hw-aaa:realtime-accounting>
            <hw-aaa:realtime-interval>15</hw-aaa:realtime-interval>
            <hw-aaa:realtime-fail>
              <hw-aaa:fail-policy>offline</hw-aaa:fail-policy>
              <hw-aaa:fail-max-times>5</hw-aaa:fail-max-times>
            </hw-aaa:realtime-fail>
          </hw-aaa:realtime-accounting>
        </hw-aaa:accounting-scheme>
        <hw-aaa:global>
          <hw-aaa:authentication-bypass>
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable>
            <hw-aaa:bypass-time>13</hw-aaa:bypass-time>
          </hw-aaa:authentication-bypass>
        </hw-aaa:global>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>invalid authen scheme name</error-message>
  <error-info>Error on node /huawei-aaa:aaa/authentication-scheme[name="authen1authen1authen1authen1authen1",vsys="ads"]/name</error-info>
 </rpc-error>
</rpc-reply>

Configuring a Service Scheme

Creating a Service Scheme

This section describes how to create a service scheme using the merge method.

Table 2-496 Creating a service scheme

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-497 Creating a service scheme

Item	Data	Description
Name of a service scheme	lsw_serv	Set the name of a service scheme to lsw_serv.
Level of a user who logs in to the device as an administrator	2	Set the level of a user who logs in to the device as an administrator to 2.
Whether to enable the voice VLAN function in a service scheme	true	Enable the voice VLAN function in a service scheme.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>vsys</vsys>
    <admin-user-privilege-level>2</admin-user-privilege-level>
    <voice-vlan-enable>true</voice-vlan-enable>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_servlsw_servlsw_servlsw_servlsw_serv",vsys="vsys"]/name</error-info>
 </rpc-error>
</rpc-reply>

Configuring a User VLAN in a Service Scheme

This section describes how to configure a user VLAN in a service scheme using the rpc method.

Table 2-498 Configuring a user VLAN in a service scheme

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-499 Configuring a user VLAN in a service scheme

Item	Data	Description
ID of the user VLAN configured in a service scheme	121	Configure user VLAN 121 in the service scheme.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <vlans xmlns="urn:huawei:params:xml:ns:yang:huawei-vlan">
   <vlan xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <id>121</id>
   </vlan>
  </vlans>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys> 
    <vlan>121</vlan>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>1</error-app-tag>
  <error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/vlan</error-info>
 </rpc-error>
</rpc-reply>

Binding an ACL to a Service Scheme

This section describes how to bind an ACL to a service scheme using the rpc method.

Table 2-500 Binding an ACL to a service scheme

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-501 Binding an ACL to a service scheme

Item	Data	Description
Number of the ACL bound to a service scheme	3101	Bind ACL 3101 to a service scheme.

Request Example

Before binding an ACL to a service scheme, create the ACL first using the acl command.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <acl>3101</acl>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Unrecognized information.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/acl[.="3101"]</error-info>
 </rpc-error>
</rpc-reply>

Binding a QoS Profile to a Service Scheme

This section describes how to bind a QoS profile to a service scheme using the rpc method.

Table 2-502 Binding a QoS profile to a service scheme

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-503 Binding a QoS profile to a service scheme

Item	Data	Description
Name of the QoS profile bound to a service scheme	lsw_qos	Bind the QoS profile lsw_qos to a service scheme.

Request Example

Before binding a QoS profile to a service scheme, create the QoS profile first using the qos-profile command.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <qos-profile>lsw_qos</qos-profile>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Config failed, QOS profile is not configured.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/qos-profile</error-info>
 </rpc-error>
</rpc-reply>

Binding a UCL Group to a Service Scheme

This section describes how to bind a UCL group to a service scheme using the rpc method.

Table 2-504 Binding a UCL group to a service scheme

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme

Data Requirement

Table 2-505 Binding a UCL group to a service scheme

Item	Data	Description
Name of a UCL group bound to a service scheme	lsw_ucl	Bind the UCL group lsw_ucl to a service scheme.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
   <ucl-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <index>31</index>
    <name>lsw_ucl</name> 
    <ip>
     <ip>10.1.1.1</ip>
     <prefix-length>24</prefix-length>
    </ip>
   </ucl-group>
  </nac-access>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <ucl-group>lsw_ucl</ucl-group>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The ucl-group is not exist.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/ucl-group</error-info>
 </rpc-error>
</rpc-reply>

Configuring Information Related to the DNS, WINS, and DHCP Servers in the Service Scheme

This section provides a sample of configuring information related to the DNS, WINS, and DHCP servers in the service scheme using the merge method.

Table 2-506 Configuring information related to the DNS, WINS, and DHCP servers in the service scheme

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/service-scheme/dns /huawei-aaa:aaa/service-scheme/wins /huawei-aaa:aaa/service-scheme/dhcp-group /huawei-aaa:aaa/service-scheme/ip-pool

Data Requirements

Table 2-507 Configuring information related to the DNS, WINS, and DHCP servers in the service scheme

Item	Data	Description
IP addresses of the master and slave DNS servers	IP address of the master DNS server: 10.1.1.1 IP address of the slave DNS server: 10.1.1.2 Default DNS domain name: huawei.com	Set the IP addresses of the master and slave DNS servers to 10.1.1.1 and 10.1.1.2 respectively in service scheme s1.
IP addresses of the master and slave WINS servers	IP address of the master WINS server: 10.2.1.1 IP address of the slave WINS server: 10.2.1.2	Set the IP addresses of the master and slave WINS servers to 10.2.1.1 and 10.2.1.2 respectively in service scheme s1.
Name of the DHCP server group and name of the IP address pool	Name of the DHCP server group: group1 NOTE: Ensure that the DHCP server group has been established. Name of the IP address pool: pool1	Set the name of the DHCP server group to group1 and name of the IP address pool that can be used to pool1 in service scheme s1.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-aaa:name>s1</hw-aaa:name>
          <hw-aaa:vsys>sys</hw-aaa:vsys>
          <hw-aaa:dns>
            <hw-aaa:primary-ip-address>10.1.1.1</hw-aaa:primary-ip-address>
            <hw-aaa:secondary-ip-address>10.1.1.2</hw-aaa:secondary-ip-address>
          </hw-aaa:dns>
          <hw-aaa:wins>             <hw-aaa:primary-ip-address>10.2.1.1</hw-aaa:primary-ip-address>             <hw-aaa:secondary-ip-address>10.2.1.2</hw-aaa:secondary-ip-address>           </hw-aaa:wins>
          <hw-aaa:ip-pool>pool1</hw-aaa:ip-pool>           <hw-aaa:dhcp-group>group1</hw-aaa:dhcp-group>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

Configuring a Redirection ACL in the Service Scheme

This section provides a sample of configuring a redirection ACL in the service scheme using the merge method.

Table 2-508 Configuring a redirection ACL in the service scheme

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/service-scheme/redirect-acl

Data Requirements

Table 2-509 Configuring a redirection ACL in the service scheme

Item	Data	Description
Number of the redirection ACL	3000 NOTE: Ensure that the redirection ACL has been created.	Set the number of the redirection ACL in service scheme s1 to 3000.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-aaa:name>s1</hw-aaa:name>
          <hw-aaa:vsys>sys</hw-aaa:vsys>
          <hw-aaa:redirect-acl>
            <hw-aaa:acl-id>3000</hw-aaa:acl-id>
          </hw-aaa:redirect-acl>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

Configuring the User Priority in a Service Scheme

This section provides a sample of configuring the user priority in a service scheme using the rpc method.

Table 2-510 Configuring the user priority in a service scheme

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme/priority

Data Requirements

Table 2-511 Configuring the user priority in a service scheme

Item	Data	Description
User priority	1	Set the priority of a VIP user to 1.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:service-scheme>
          <hw-aaa:name>test1</hw-aaa:name>
          <hw-aaa:vsys>pub</hw-aaa:vsys>
          <hw-aaa:priority xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">1</hw-aaa:priority>
        </hw-aaa:service-scheme>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>1</error-app-tag><error-message>Service process failed.</error-message>
  <error-info>Error on node /huawei-aaa:aaa/service-scheme[name="lsw_serv",vsys="public"]/priority</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Server

Creating a RADIUS Server Template

This section describes how to create a RADIUS server template using the rpc method.

Table 2-512 Creating a RADIUS server template

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-513 Creating a RADIUS server template

Item	Data	Description
Name of a RADIUS server template	rds	Create a RADIUS server template named rds.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="b0bc2528-ebf8-494e-bedc-ca47ba18d578">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server template name</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrdsrds",vsys="public"]/name</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Authentication Server

This section describes how to configure a RADIUS authentication server using the rpc method.

Table 2-514 Configuring a RADIUS authentication server

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-515 Configuring a RADIUS authentication server

Item	Data	Description
IPv4 address of the RADIUS authentication server	10.1.1.1	Set the IPv4 address of the RADIUS authentication server to 10.1.1.1.
Port number of the RADIUS authentication server	1816	Set the port number of the RADIUS authentication server to 1816.
Weight value of the RADIUS authentication server	100	Set the weight value of the RADIUS authentication server to 100.
Shared key of the RADIUS authentication server	Example@123	Set the shared key of the RADIUS authentication server to Example@123.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>Example@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/authentication-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Accounting Server

This section describes how to configure a RADIUS accounting server using the rpc method.

Table 2-516 Configuring a RADIUS accounting server

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server

Data Requirement

Table 2-517 Configuring a RADIUS accounting server

Item	Data	Description
IPv4 address of the RADIUS accounting server	10.1.1.1	Set the IPv4 address of the RADIUS accounting server to 10.1.1.1.
Port number of the RADIUS accounting server	1817	Set the port number of the RADIUS accounting server to 1817.
Weight value of the RADIUS accounting server	100	Set the weight value of the RADIUS accounting server to 100.
Shared key of the RADIUS accounting server	Example@123	Set the shared key of the RADIUS accounting server to Example@123.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>Example@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The vpn-instance does not exist or is invalid.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/accounting-server[server-ip-address="10.1.1.1"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring a RADIUS Authorization Server

This section describes how to configure a RADIUS authorization server using the rpc method.

Table 2-518 Configuring a RADIUS authorization server

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/dynamic-authorization-server

Data Requirement

Table 2-519 Configuring a RADIUS authorization server

Item	Data	Description
IP address of the RADIUS authorization server	10.1.1.1	Set the IP address of the RADIUS authorization server to 10.1.1.1.
Shared key of the RADIUS authorization server	Example@123	Set the shared key of the RADIUS authorization server to Example@123.
Duration for retaining a RADIUS authorization response packet	10	Set the duration for retaining a RADIUS authorization response packet to 10s.
Name of the RADIUS server template corresponding to the RADIUS authorization server	rds	Configure the RADIUS server template rds for the RADIUS authorization server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
   </radius-server>
   <dynamic-authorization-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <server-ip-address>10.1.1.1</server-ip-address>
    <vsys>public</vsys>
    <shared-key>Example@123</shared-key>
    <ack-reserved-interval>10</ack-reserved-interval>
    <server-group>rds</server-group>
   </dynamic-authorization-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> The server template does not exist.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-server[server-ip-address="10.1.1.1",vsys="public"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring RADIUS Attribute Translation

This section describes how to configure RADIUS attribute translation using the rpc method.

Table 2-520 Configuring RADIUS attribute translation

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/translate-attribute

Data Requirement

Table 2-521 Configuring RADIUS attribute translation

Item	Data	Description
Whether to enable RADIUS attribute translation	true	Enable RADIUS attribute translation.
Name of a source RADIUS attribute	nas-identifier	Set the source RADIUS attribute to nas-identifier.
Name of a destination RADIUS attribute	nas-port-id	Set the destination RADIUS attribute to nas-port-id.
Type of packets whose RADIUS attributes need to be translated	send	Translate RADIUS attributes for sent packets.
Name of an extended source RADIUS attribute	HW-URL-Flag	Set the source extended RADIUS attribute to HW-URL-Flag.
Vendor ID in the translated extended RADIUS attributes	9	Set the vendor ID in the translated extended RADIUS attributes to 9.
Sub ID in the translated extended RADIUS attributes	2	Set the sub ID in the translated extended RADIUS attributes to 2.
Type of packets whose extended RADIUS attributes need to be translated. (The non-Huawei attributes not supported by the device will be translated to the attributes supported by the device.)	access-request	Translate RADIUS attributes for Authentication Request packets.
Vendor ID in the extended RADIUS attributes to be translated	9	Set the vendor ID in the extended RADIUS attributes to be translated to 9.
Sub ID in the extended RADIUS attributes to be translated	11	Set the sub ID in the extended RADIUS attributes to be translated to 11.
Name of a translated destination attribute	HW-Access-Type	Set the translated destination attribute to HW-Access-Type.
Type of packets whose extended RADIUS attributes need to be translated. (The attributes supported by the device will be translated to the non-Huawei attributes not supported by the device.)	access-accept	Translate RADIUS attributes for Authentication Accept packets.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <translate-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <enable>true</enable>
      <translate-normal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>nas-identifier</source-attribute-name>
      <destination-attribute-name>nas-port-id</destination-attribute-name>
      <packet-type>send</packet-type>
     </translate-normal>
     <translate-extend xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-attribute-name>HW-URL-Flag</source-attribute-name>
      <destination-vendor-id>9</destination-vendor-id>
      <destination-sub-vendor-id>2</destination-sub-vendor-id>
      <packet-type>access-request</packet-type>
     </translate-extend>
     <translate-extend-vendor xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
      <source-vendor-id>9</source-vendor-id>
      <source-sub-vendor-id>11</source-sub-vendor-id>
      <destination-attribute-name>HW-Access-Type</destination-attribute-name>
      <packet-type>access-accept</packet-type>
     </translate-extend-vendor>
    </translate-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/translate-attribute/translate-normal[source-attribute-name="nas-identifier1"]</error-info>
 </rpc-error>
</rpc-reply>

Disabling a RADIUS Attribute

This section describes how to disable a RADIUS attribute using the rpc method.

Table 2-522 Disabling a RADIUS attribute

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/disable-attribute

Data Requirement

Table 2-523 Disabling a RADIUS attribute

Item	Data	Description
Name of the RADIUS attribute to be disabled	HW-Exec-Privilege	Set the RADIUS attribute to be disabled to HW-Exec-Privilege.
Type of packets in which the RADIUS attribute is to be disabled	receive	Disable the RADIUS attribute for received packets.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <disable-attribute xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
     <attribute-name>HW-Exec-Privilege</attribute-name>
     <option>receive</option>
    </disable-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Process radius-attribute return error</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/disable-attribute[attribute-name="HW-Exec-Privilege1"]</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Format of User Names in RADIUS Packets to Be Sent to a RADIUS Server

This section describes how to configure the format of user names in RADIUS packets to be sent to a RADIUS server using the rpc method.

Table 2-524 Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/options/user-name/format

Data Requirement

Table 2-525 Configuring the format of user names in RADIUS packets to be sent to a RADIUS server

Item	Data	Description
Whether to configure the device not to modify the user names entered by users in the packets sent to a RADIUS server	original	Configure the device not to modify the user names entered by users in the packets sent to a RADIUS server.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:options>
            <hw-aaa-radius:user-name>
              <hw-aaa-radius:format>original</hw-aaa-radius:format>
            </hw-aaa-radius:user-name>
          </hw-aaa-radius:options>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the RADIUS Traffic Unit, Retransmission Times, Timeout Interval, and Back-to-Active Interval

This section describes how to configure the traffic unit used by a RADIUS server, number of times that RADIUS packets can be retransmitted, timeout interval of RADIUS request packets, and interval for the server to return to the active state using the rpc method.

Table 2-526 Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/options

Data Requirement

Table 2-527 Configuring the RADIUS traffic unit, retransmission times, timeout interval, and back-to-active interval

Item	Data	Description
Traffic unit used by a RADIUS server	byte	Set the traffic unit used by a RADIUS server to bytes.
Interval for the RADIUS server to return to the active state	3	Set the interval for the RADIUS server to return to the active state to 3 minutes.
Timeout interval of RADIUS request packets	3	Set the timeout interval of RADIUS request packets to 3 seconds.
Number of times RADIUS request packets can be retransmitted	2	Set the number of times RADIUS request packets can be retransmitted to 2.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <vsys>public</vsys>
    <name>test12345</name>
    <options xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <traffic-unit>byte</traffic-unit>
     <dead-time>3</dead-time>
     <timeout-timer>3</timeout-timer>
     <retransmit-time>2</retransmit-time>
    </options>   
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the MAC Address Format in the RADIUS Packet Attribute Field

This section provides a sample of configuring the MAC address format in the RADIUS packet attribute field using the rpc method.

Table 2-528 Configuring the MAC address format in the RADIUS packet attribute field

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id or /huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Data Requirements

Table 2-529 Configuring the MAC address format in the RADIUS packet attribute field

Item	Data	Description
MAC address separator in the encapsulated field called-station-id	dot-split	Use the dot (.) as the MAC address separator in the encapsulated field called-station-id.
MAC address separator in the encapsulated field called-station-id	hyphen-split	Use the hyphen (-) as the MAC address separator in the encapsulated field hyphen-split.
MAC address format in the encapsulated field called-station-id	mode1	Set the MAC address format in the encapsulated field called-station-id to XXXX-XXXX-XXXX or XXXX.XXXX.XXXX.
MAC address case (uppercase or lowercase) in the encapsulated field called-station-id	lowercase	Use the MAC address in lowercase in the encapsulated field called-station-id.
MAC address separator in the encapsulated field calling-station-id	dot-split	Use the dot (.) as the MAC address separator in the encapsulated field calling-station-id.
MAC address format in the encapsulated field calling-station-id	mode1	Set the MAC address format in the encapsulated field calling-station-id to XXXX-XXXX-XXXX or XXXX.XXXX.XXXX.
Uppercase or lowercase of the MAC address in the encapsulated field calling-station-id	lowercase	Use the MAC address in lowercase in the encapsulated field calling-station-id

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <mac-format-called-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-called-station-id>
    <mac-format-calling-station-id>
     <mac-address-format>dot-split</mac-address-format>
     <mode>mode1</mode>
     <letter>lowercase</letter>
    </mac-format-calling-station-id>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Incomplete information.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/mac-format-called-station-id</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Format of the MAC address That Can Be Parsed by a Device in RADIUS Dynamic Authorization Packets

This section describes how to configure the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets using the rpc method.

Table 2-530 Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/dynamic-authorization-option

Data Requirement

Table 2-531 Configuring the format of the MAC address that can be parsed by a device in RADIUS dynamic authorization packets

Item	Data	Description
Separator in the MAC address in the calling-station-id attribute	dot-split	Configure the dot (.) as the separator in the MAC address in the calling-station-id attribute.
Format of the MAC address in the calling-station-id attribute	compress	Configure the MAC address in the calling-station-id attribute to use the xxxx-xxxx-xxxx or xxxx.xxxx.xxxx format.
Whether the device parses attributes in the RADIUS dynamic authorization packet based on the configurations in the RADIUS server template	true	Configure the device to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the RADIUS server template.

Request Example

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:dynamic-authorization-option>
          <hw-aaa-radius:decode-mac-format-calling-station-id>
            <hw-aaa-radius:mac-address-format>dot-split</hw-aaa-radius:mac-address-format>
            <hw-aaa-radius:mode>compress</hw-aaa-radius:mode>
          </hw-aaa-radius:decode-mac-format-calling-station-id>
          <hw-aaa-radius:decode-attribute-sameastemplate>true</hw-aaa-radius:decode-attribute-sameastemplate>
        </hw-aaa-radius:dynamic-authorization-option>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid mac-address-format</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id</error-info>
 </rpc-error>
</rpc-reply>

Configuring a Huawei Extended Attribute

This section describes how to configure a Huawei extended attribute using the rpc method.

Table 2-532 Configuring a Huawei extended attribute

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/hw-ap-info-format

Data Requirement

Table 2-533 Configuring a Huawei extended attribute

Item	Data	Description
AP's IP address in Huawei extended attribute HW-AP-Information	include-ap-ip	Set the AP's IP address in Huawei extended attribute HW-AP-Information.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <hw-ap-info-format>include-ap-ip</hw-ap-info-format>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring an Attribute in the received RADIUS Access-Accept packets to Be Checked

This section describes how to configure an attribute in the received RADIUS Access-Accept packets to be checked using the rpc method.

Table 2-534 Configuring an attribute in the received RADIUS Access-Accept packets to be checked

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Data Requirement

Table 2-535 Configuring an attribute in the received RADIUS Access-Accept packets to be checked

Item	Data	Description
Name of an RADIUS attribute	framed-protocol	Configure the framed-protocol attribute in RADIUS Access-Accept packets to be checked.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>test12345</name>
    <vsys>public</vsys>
    <check-attribute xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <attribute-name>framed-protocol</attribute-name>
    </check-attribute>
   </radius-server>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Failed to find the attribute.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/check-attribute[attribute-name="abc"]/attribute-name</error-info>
 </rpc-error>
</rpc-reply>

Configuring NAS Attributes

This section describes how to configure NAS attributes using the rpc method.

Table 2-536 Configuring NAS attributes

Operation	XPATH
edit-config:create	/huawei-aaa-radius:radius/radius-server/nas-ip-address /huawei-aaa-radius:radius/radius-server/nas-ipv6-address /huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format /huawei-aaa-radius:radius/radius-server/format-attribute

Data Requirement

Table 2-537 Configuring NAS attributes

Item	Data	Description
Value of the NAS-IP-Address attribute in RADIUS packets sent by the device	10.3.3.3	Set the NAS-IP-Address attribute in RADIUS packets sent by the device to 10.3.3.3.
Value of the NAS-IPv6-Address attribute in RADIUS packets sent by the device	FC00::7	Set the NAS-IPv6-Address attribute in RADIUS packets sent by the device to FC00::7.
Encapsulation format of the NAS-Port attribute	new, s2t2p6no10ni12	Set the encapsulation format of the NAS-Port attribute to new and define the format as the binary format 2t2p6no10ni12.
Encapsulation content of the NAS-Identifier attribute	hostname	Set the encapsulation content of the NAS-Identifier attribute to the host name.
Encapsulation format of the NAS-Port-Id attribute	new	Set the encapsulation format of the NAS-Port-Id attribute to new.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:nas-ip-address>10.3.3.3</hw-aaa-radius:nas-ip-address>
          <hw-aaa-radius:nas-ipv6-address>FC00::7</hw-aaa-radius:nas-ipv6-address>
          <hw-aaa-radius:format-attribute>
             <hw-aaa-raidus:nas-port-format>
               <hw-aaa-radius:self-designed-format>s2t2p6no10ni12</hw-aaa-radius:self-designed-format>
               <hw-aaa-radius:format>new</hw-aaa-radius:format>
             </hw-aaa-raidus:nas-port-format>
             <hw-aaa-radius:nas-identifier-format>hostname</hw-aaa-radius:nas-identifier-format>
             <hw-aaa-radius:nas-port-id-format>new</hw-aaa-radius:nas-port-id-format>
           </hw-aaa-radius:format-attribute>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Wrong parameter.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="test12345",vsys="public"]/nas-ip-address</error-info>
 </rpc-error>
</rpc-reply>

Configuring Automatic RADIUS Server Detection

This section describes how to configure automatic RADIUS server detection using the merge method.

Table 2-538 Configuring automatic RADIUS server detection

Operation

XPATH

edit-config:merge

/huawei-aaa-radius:radius/radius-server/server-detect-function

/huawei-aaa-radius:radius/global/options/dead-detect-condition

Data Requirement

Table 2-539 Configuring automatic RADIUS server detection

Item	Data	Description
User name used for automatic detection	testusername	Set the user name used for automatic detection to testusername.
User password for automatic detection	Example@123	Set the user password for automatic detection to Example@123.
Automatic detection interval	100	Set the automatic detection interval to 100s.
RADIUS server detection mode	by-server-ip	Detect the RADIUS server based on the IP address of the RADIUS server.

Request Example

<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>t1</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:server-detect-function>
            <hw-aaa-radius:server-detect-enable>true</hw-aaa-radius:server-detect-enable>
            <hw-aaa-radius:test-user-name>testusername</hw-aaa-radius:test-user-name>
            <hw-aaa-radius:test-user-password>Example@123</hw-aaa-radius:test-user-password>
            <hw-aaa-radius:interval>100</hw-aaa-radius:interval>
          </hw-aaa-radius:server-detect-function>
        </hw-aaa-radius:radius-server>
        <hw-aaa-radius:global>
          <hw-aaa-radius:options>
            <hw-aaa-radius:dead-detect-condition>by-server-ip</hw-aaa-radius:dead-detect-condition>
          </hw-aaa-radius:options>
        </hw-aaa-radius:global>
      </hw-aaa-radius:radius>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message> Invalid character in the template shared-key.</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/server-detect-function/server-detect-enable</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Shared Key and Algorithm of the RADIUS Server

This section describes how to configure the shared key and algorithm of the RADIUS server using the merge method.

Table 2-540 Configuring the shared key and algorithm of the RADIUS server

Operation	XPATH
edit-config:merge	/huawei-aaa-radius:radius/radius-server/shared-key /huawei-aaa-radius:radius/radius-server/server-algorithm /huawei-aaa-radius:radius/server-shared-key/server-item

Data Requirement

Table 2-541 Configuring the shared key and algorithm of the RADIUS server

Item

Data

Description

Shared key of the RADIUS server in a RADIUS server template

Example@123

Set the shared key of the RADIUS server in a RADIUS server template to Example@123.

Algorithm for selecting RADIUS servers in a RADIUS server template

loading-share

Set the algorithm for selecting RADIUS servers in a RADIUS server template to load balancing.

Shared key of the RADIUS server that is configured globally

IP address: 10.1.1.1

Shared key: huawei@1234

Set the shared key of the RADIUS server with the IP address 10.1.1.1 to huawei@1234 in the system view.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <edit-config>
 <target>
  <running/>
 </target>
 <config>
  <radius xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
   <radius-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
    <name>rds</name>
    <vsys>public</vsys>
    <authentication-server>
      <server-ip-address>10.1.1.1</server-ip-address>
      <port>1816</port>
    </authentication-server>
    <shared-key>Example@123</shared-key>
    <server-algorithm>load-sharing</server-algorithm>
   </radius-server>
   <server-shared-key>
    <server-item>
     <ip-address>10.1.1.1</ip-address>
     <shared-key>huawei@1234</shared-key>
    </server-item>
   </server-shared-key>
  </radius>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="cf1228d1-c9bc-4e95-9578-4e7d0cd90e25">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>Invalid radius-server shared key</error-message>
  <error-info>Error on node /huawei-aaa-radius:radius/radius-server[name="rds",vsys="public"]/shared-key</error-info>
 </rpc-error>
</rpc-reply>

Configuring an HWTACACS Server Template

This section describes the configuration model of an HWTACACS server template and provides examples of XML packets.

Data Model

The configuration model file matching the HWTACACS server template is huawei-aaa-hwtacacs.yang.

Table 2-542 Configurations of the HWTACACS server template

Object	Description	Value	Remarks
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/name	Indicates the name of an HWTACACS server template.	The value is a string of 1 to 32 case-insensitive characters, including letters, digits, periods (.), hyphens (-), underscores (_), and a combination of these characters. The value cannot be - or --.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/vsys	Indicates the vsys name.	The value is a string of 1 to 31 characters.	This object is of no significance for a switch.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/server-ip-address	Indicates the IP address of the primary HWTACACS authentication server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/port	Indicates the port number of the primary HWTACACS authentication server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance	Indicates the VPN instance to which the primary HWTACACS authentication server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/public-net	Indicates whether to connect to the primary HWTACACS authentication server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/server-ip-address	Indicates the IP address of the secondary HWTACACS authentication server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/port	Indicates the port number of the secondary HWTACACS authentication server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance	Indicates the VPN instance to which the secondary HWTACACS authentication server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/public-net	Indicates whether to connect to the secondary HWTACACS authentication server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/server-ip-address	Indicates the IP address of the primary HWTACACS authorization server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/port	Indicates the port number of the primary HWTACACS authorization server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance	Indicates the VPN instance to which the primary HWTACACS authorization server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/public-net	Indicates whether to connect to the primary HWTACACS authorization server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/server-ip-address	Indicates the IP address of the secondary HWTACACS authorization server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/port	Indicates the port number of the secondary HWTACACS authorization server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance	Indicates the VPN instance to which the secondary HWTACACS authorization server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/public-net	Indicates whether to connect to the secondary HWTACACS authorization server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/server-ip-address	Indicates the IP address of the primary HWTACACS accounting server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/port	Indicates the port number of the primary HWTACACS accounting server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance	Indicates the VPN instance to which the primary HWTACACS accounting server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/public-net	Indicates whether to connect to the primary HWTACACS accounting server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/server-ip-address	Indicates the IP address of the secondary HWTACACS accounting server.	The value must be a valid unicast address in dotted decimal notation.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/port	Indicates the port number of the secondary HWTACACS accounting server.	The value is an integer that ranges from 1 to 65535.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance	Indicates the VPN instance to which the secondary HWTACACS accounting server belongs.	The value must be the name of an existing VPN instance. For details about how to create a VPN instance, see IP VPN Management.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/public-net	Indicates whether to connect to the secondary HWTACACS accounting server on the public network.	The value is of the Boolean type: true: connects to the server on the public network. false: disconnects from the server on the public network.	This object cannot be delivered together with /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server/vpn-instance.
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/source-ip-address	Indicates the source IPv4 address used by the device to communicate with an HWTACACS server. The object includes: ip-address: indicates the source IPv4 address used by the device to communicate with an HWTACACS server. loopback-interface: specifies the IPv4 address of a loopback interface as the source IPv4 address used by the device to communicate with an HWTACACS server. vlanif-id: specifies the IPv4 address of a VLANIF interface as the source IPv4 address used by the device to communicate with an HWTACACS server.	ip-address: The value is in dotted decimal notation. loopback-interface: The loopback interface must already exist. vlanif-id: The VLANIF interface must already exist.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/source-ipv6-address	Indicates the source IPv6 address used by the device to communicate with an HWTACACS server. The object includes: ipv6-address: specifies the source IPv6 address used by the device to communicate with an HWTACACS server. ipv6-loopback-interface: specifies the IPv6 address of a loopback interface as the source IPv6 address used by the device to communicate with an HWTACACS server. ipv6-vlanif-id: specifies the IPv6 address of a VLANIF interface as the source IPv6 address used by the device to communicate with an HWTACACS server.	ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. loopback-interface: The loopback interface must already exist. vlanif-id: The VLANIF interface must already exist.	NA
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/shared-key	Indicates the shared key of the switch and HWTACACS server.	The value is a string of 1 to 255 case-sensitive characters without question marks (?) or spaces.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/options/user-name/domain-include	Indicates whether the packets sent to the HWTACACS server contain the domain name.	The value is of the Boolean type: true: The packets contain the domain name. false: The packets do not contain the domain name.	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authentication-server-ipv6	Indicates the primary HWTACACS authentication server with a specified IPv6 address. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS authentication server. port: indicates the port number of the HWTACACS authentication server. vpn-instance: indicates the VPN instance bound to the HWTACACS authentication server. public-net: indicates that the HWTACACS authentication server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authentication-server-ipv6	Indicates that the HWTACACS authentication server with the second IPv6 address functions as the secondary server. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS authentication server. port: indicates the port number of the HWTACACS authentication server. vpn-instance: indicates the VPN instance bound to the HWTACACS authentication server. public-net: indicates that the HWTACACS authentication server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	NA
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-authentication-server-ipv6	Indicates that the HWTACACS authentication server with the third IPv6 address functions as the secondary server. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS authentication server. port: indicates the port number of the HWTACACS authentication server. vpn-instance: indicates the VPN instance bound to the HWTACACS authentication server. public-net: indicates that the HWTACACS authentication server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-authorization-server-ipv6	Indicates the primary HWTACACS authorization server with a specified IPv6 address. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS authorization server. port: indicates the port number of the HWTACACS authorization server. vpn-instance: indicates the VPN instance bound to the HWTACACS authorization server. public-net: indicates that the HWTACACS authorization server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-authorization-server-ipv6	Indicates that the HWTACACS authorization server with the second IPv6 address functions as the secondary server. The object includes: server-ip-address: Indicates the IPv6 address of the HWTACACS authorization server. port: indicates the port number of the HWTACACS authorization server. vpn-instance: indicates the VPN instance bound to the HWTACACS authorization server. public-net: indicates that the HWTACACS authorization server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-authorization-server-ipv6	Indicates that the HWTACACS authorization server with the third IPv6 address functions as the secondary server. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS authorization server. port: indicates the port number of the HWTACACS authorization server. vpn-instance: indicates the VPN instance bound to the HWTACACS authorization server. public-net: indicates that the HWTACACS authorization server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/primary-accounting-server-ipv6	Indicates the primary HWTACACS accounting server with a specified IPv6 address. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS accounting server. port: indicates the port number of the HWTACACS accounting server. vpn-instance: indicates the VPN instance bound to the HWTACACS accounting server. public-net: indicates that the HWTACACS accounting server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/secondary-accounting-server-ipv6	Indicates that the HWTACACS accounting server with the second IPv6 address functions as the secondary server. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS accounting server. port: indicates the port number of the HWTACACS accounting server. vpn-instance: indicates the VPN instance bound to the HWTACACS accounting server. public-net: indicates that the HWTACACS accounting server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A
/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server/third-accounting-server-ipv6	Indicates that the HWTACACS accounting server with the third IPv6 address functions as the secondary server. The object includes: server-ip-address: indicates the IPv6 address of the HWTACACS accounting server. port: indicates the port number of the HWTACACS accounting server. vpn-instance: indicates the VPN instance bound to the HWTACACS accounting server. public-net: indicates that the HWTACACS accounting server is connected to a public network.	server-ip-address: The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X. port: The value is an integer that ranges from 1 to 65535. The default value is 49. vpn-instance: The VPN instance is already created. public-net: -	N/A

Creating and Configuring an HWTACACS Server Template

This section provides a sample of creating and configuring an HWTACACS server template using the create method.

Table 2-543 Creating and configuring an HWTACACS server template

Operation	XPATH
edit-config:create	/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server

Data Requirements

Item	Data	Description
Name of a VPN instance	vpn1	Create a VPN instance named vpn1.
Name of an HWTACACS server template	test	Create an HWTACACS server template named test.
Name of the vsys	public	Configure the name of vsys to public.
Primary HWTACACS authentication, authorization, and accounting servers	IP address: 10.1.1.1	Set the IP address of primary HWTACACS authentication, authorization, and accounting servers to 10.1.1.1.
	Port number: 1000	Set the port number of primary HWTACACS authentication, authorization, and accounting servers to 1000.
Secondary HWTACACS authentication, authorization, and accounting servers	IP address: 10.2.2.2	Set the IP address of secondary HWTACACS authentication, authorization, and accounting servers to 10.2.2.2.
	Port number: 1001	Set the port number of secondary HWTACACS authentication, authorization, and accounting servers to 1001.
	VPN instance to which servers belong: vpn1	Set the VPN instance to which secondary HWTACACS authentication, authorization, and accounting servers belong to vpn1.
Source IP address of the switch to communicate with HWTACACS server	192.168.10.1	Set the source IP address for communication between the switch and HWTACACS servers to 192.168.10.1.
Shared key of the switch and HWTACACS server	Example@123	Set the shared key of the HWTACACS servers to Example@123.
Whether the packets sent to the HWTACACS server contain domain name	false	Configure that the packets sent to the HWTACACS servers do not contain domain name.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-l3vpn:vpn-instances xmlns:hw-l3vpn="urn:huawei:params:xml:ns:yang:huawei-l3vpn">       
       <hw-l3vpn:vpn-instance>         
        <hw-l3vpn:vpn-instance-name>vpn1</hw-l3vpn:vpn-instance-name>       
       </hw-l3vpn:vpn-instance>     
      </hw-l3vpn:vpn-instances>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
          <hw-aaa-hwtacacs:primary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authentication-server>
          <hw-aaa-hwtacacs:secondary-authentication-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authentication-server>
          <hw-aaa-hwtacacs:primary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-authorization-server>
          <hw-aaa-hwtacacs:secondary-authorization-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-authorization-server>
          <hw-aaa-hwtacacs:primary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.1.1.1</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1000</hw-aaa-hwtacacs:port>
          </hw-aaa-hwtacacs:primary-accounting-server>
          <hw-aaa-hwtacacs:secondary-accounting-server>
            <hw-aaa-hwtacacs:server-ip-address>10.2.2.2</hw-aaa-hwtacacs:server-ip-address>
            <hw-aaa-hwtacacs:port>1001</hw-aaa-hwtacacs:port>
            <hw-aaa-hwtacacs:vpn-instance>vpn1</hw-aaa-hwtacacs:vpn-instance>
          </hw-aaa-hwtacacs:secondary-accounting-server>
          <hw-aaa-hwtacacs:ip-address>192.168.10.1</hw-aaa-hwtacacs:ip-address>
          <hw-aaa-hwtacacs:shared-key>Example@123</hw-aaa-hwtacacs:shared-key>
          <hw-aaa-hwtacacs:options>
            <hw-aaa-hwtacacs:user-name>
              <hw-aaa-hwtacacs:domain-include>false</hw-aaa-hwtacacs:domain-include>
            </hw-aaa-hwtacacs:user-name>
          </hw-aaa-hwtacacs:options>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

# Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The VPN instance does not exist.</error-message>
    <error-info>Error on node /huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server[name="test",vsys="public"]/primary-accounting-server</error-info>
  </rpc-error>
</rpc-reply>

Deleting an HWTACACS Server Template

This section provides a sample of deleting an HWTACACS server template using the delete method.

Table 2-544 Deleting an HWTACACS server template

Operation	XPATH
edit-config:delete	/huawei-aaa-hwtacacs:hwtacacs/hwtacacs-server

Data Requirements

Item	Data	Description
Name of an HWTACACS server template	test	Delete an HWTACACS server template named test with vsys named public.
Name of the vsys	public

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-hwtacacs:hwtacacs xmlns:hw-aaa-hwtacacs="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
        <hw-aaa-hwtacacs:hwtacacs-server xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-aaa-hwtacacs:name>test</hw-aaa-hwtacacs:name>
          <hw-aaa-hwtacacs:vsys>public</hw-aaa-hwtacacs:vsys>
        </hw-aaa-hwtacacs:hwtacacs-server>
      </hw-aaa-hwtacacs:hwtacacs>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <ok/>
</rpc-reply>

# Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>

Configuring an HACA Server

Configuring an HACA Server Template

This section provides a sample of configuring an HACA server template using the merge method. You can also use the create method to configure an HACA server template.

Table 2-545 Configuring an HACA server template

Operation	XPATH
edit-config:merge	/huawei-aaa-haca:aca

Data Requirements

Table 2-546 Configuring an HACA server template

Item	Data	Description
Name of an HACA server template	hacaserver1	Configure an HACA server template named hacaserver1, enable HACA, set the IP address of the HACA server to 10.1.1.1, set the port number of the HACA server to 1111, configure a PKI realm named default, set the interval at which HACA heartbeat packets are sent to 200 minutes, set the interval for reconnecting to the HACA server to 200 minutes, and set the response timeout interval of the HACA server to 200 seconds.
Whether to enable HACA	true
IP address of an HACA server	10.1.1.1
Port number of an HACA server	1111
Name of a PKI realm	default
Interval at which HACA heartbeat packets are sent	200
Interval for reconnecting to the HACA server	200
Response timeout interval of an HACA server	200

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aca xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-haca">
    <haca-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>hacaserver1</name>
     <vsys>public</vsys>
     <enable>true</enable>
     <server>
      <server-ip>10.1.1.1</server-ip>
      <port>1111</port>
     </server>
     <pki-domain>default</pki-domain>
     <heart-beat>200</heart-beat>
     <detection-function>
      <reconnect-interval>200</reconnect-interval>
     </detection-function>
     <timeout>200</timeout>
    </haca-server>
   </aca>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of a successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Configuring a Device to Retransmit Accounting-stop Packets

This section provides a sample of configuring a device to retransmit accounting-stop packets using the merge method. You can also configure a device to retransmit accounting-stop packets using the create method.

Table 2-547 Configuring a device to retransmit accounting-stop packets

Operation	XPATH
edit-config:merge	/huawei-aaa-haca:aca/haca-server/accounting-stop-packet-resend-times

Data Requirements

Table 2-548 Configuring a device to retransmit accounting-stop packets

Item	Data	Description
Number of retransmitted accounting-stop packets.	10	Set the number of retransmitted accounting-stop packets to 10.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<aca xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-haca">
 <haca-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="create">
  <name>haca_server</name>
  <vsys>public</vsys>
  <accounting-stop-packet-resend-times>55</accounting-stop-packet-resend-times>
 </haca-server>
</aca>
</config>
</edit-config>
</rpc>

Response Example

Sample of a successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Configuring a Domain

Applying an AAA Scheme to a Domain

This section describes how to apply an AAA scheme to a domain using the merge method.

Table 2-549 Applying an AAA scheme to a domain

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/aaa-domain

Data Requirement

Table 2-550 Applying an AAA scheme to a domain

Item	Data	Description
Domain name	domain1	Create a domain named domain1.
Name of an authentication scheme bound to the domain	authen1	Bind the authentication scheme authen1 to the domain.
Name of an accounting scheme bound to the domain	acc1	Bind the accounting scheme acc1 to the domain.
Name of a service scheme bound to the domain	ser1	Bind the service scheme ser1 to the domain.
Whether to enable traffic statistics collection for domain users	true	Enable traffic statistics collection for domain users.

Request Example

<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:authentication-mode>radius</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acc1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa:accounting-mode>radius</hw-aaa:accounting-mode>
        </hw-aaa:accounting-scheme>
        <hw-aaa:service-scheme>
          <hw-aaa:name>ser1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
        </hw-aaa:service-scheme>
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-scheme>authen1</hw-aaa:authentication-scheme>
          <hw-aaa:accounting-scheme>acc1</hw-aaa:accounting-scheme>
          <hw-aaa:service-scheme>ser1</hw-aaa:service-scheme>
          <hw-aaa:statistics-enable>true</hw-aaa:statistics-enable>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>

Applying the RADIUS Server Template in a Domain

This section describes how to apply the RADIUS server template in a domain using the merge method.

Table 2-551 Applying the RADIUS server template in a domain

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Data Requirements

Table 2-552 Applying the RADIUS server template in a domain

Item	Data	Description
Domain name.	domain1	Create a domain named domain1.
Name of the RADIUS server template that is applied in the domain.	rds	Apply the RADIUS server template named rds in the domain.

Request Example

<rpc message-id="10" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-radius:radius xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
        <hw-aaa-radius:radius-server>
          <hw-aaa-radius:name>rds</hw-aaa-radius:name>
          <hw-aaa-radius:vsys>public</hw-aaa-radius:vsys>
          <hw-aaa-radius:authentication-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1816</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>Example@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:authentication-server>
          <hw-aaa-radius:accounting-server>
            <hw-aaa-radius:server-ip-address>10.1.1.1</hw-aaa-radius:server-ip-address>
            <hw-aaa-radius:port>1817</hw-aaa-radius:port>
            <hw-aaa-radius:shared-key>Example@123</hw-aaa-radius:shared-key>
            <hw-aaa-radius:weight>100</hw-aaa-radius:weight>
          </hw-aaa-radius:accounting-server>
        </hw-aaa-radius:radius-server>
      </hw-aaa-radius:radius>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:aaa-domain>
          <hw-aaa:name>domain1</hw-aaa:name>
          <hw-aaa:vsys>public</hw-aaa:vsys>
          <hw-aaa-radius:radius-server xmlns:hw-aaa-radius="urn:huawei:params:xml:ns:yang:huawei-aaa-radius">
            <hw-aaa-radius:radius-server>rds</hw-aaa-radius:radius-server>
          </hw-aaa-radius:radius-server>
        </hw-aaa:aaa-domain>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
 <rpc-error>
  <error-app-tag>-1</error-app-tag>
  <error-message>config/undo scheme failed</error-message>
  <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain1",vsys="ads"]/authentication-scheme</error-info>
 </rpc-error>
</rpc-reply>

Applying the HWTACACS Server Template in a Domain

This section describes how to apply the HWTACACS server template in a domain using the merge method.

Table 2-553 Applying the HWTACACS server template in a domain

Operation	XPATH
edit-config:merge	/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Data Requirements

Table 2-554 Applying the HWTACACS server template in a domain

Item	Data	Description
Domain name.	domain1	Create a domain named domain1.
Name of the HWTACACS server template that is applied in a domain.	tac1 NOTE: Make sure that this template has been created on the device.	Apply the HWTACACS server template named tac1 in the domain.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
 <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" >
  <name>domain1</name>
  <vsys>public</vsys>
  <hwtacacs-server xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-hwtacacs">
   <hwtacacs-server ns0:operation="merge">tac1</hwtacacs-server>
  </hwtacacs-server>
 </aaa-domain>
</aaa>
</config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config hwtacacs server failed</error-message>
    <error-info>Error on node /huawei-aaa:aaa/aaa-domain[name="domain2",vsys="public"]/huawei-aaa-hwtacacs:hwtacacs-server/hwtacacs-server</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Idle-Cut Function for Domain Users

This section describes how to configure the idle-cut function for domain users using the rpc method.

Table 2-555 Configuring the idle-cut function for domain users

Operation	XPATH
edit-config:create	/huawei-aaa:aaa/service-scheme/idle-cut-function

Data Requirement

Table 2-556 Configuring the idle-cut function for domain users

Item	Data	Description
Period in which an idle user can stay online	12	Set the period in which an idle user can stay online to 12 minutes.
Traffic threshold for the idle-cut function	22	Set the traffic threshold for the idle-cut function to 22 kbytes.
Direction of traffic on which the idle-cut function takes effect	inbound	Configure the idle-cut function to take effect on inbound traffic.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <edit-config>
 <target>
  <running/>
 </target>
 <error-option>rollback-on-error</error-option>
 <config>
  <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
   <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <name>lsw_serv</name>
    <vsys>public</vsys>
    <idle-cut-function>
     <idle-time>12</idle-time>
     <idle-flow>
      <flow-value>22</flow-value>
      <flow-direction>inbound</flow-direction>
     </idle-flow>
    </idle-cut-function>
   </service-scheme>
  </aaa>
 </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43a8e485-35d2-499e-895c-e2d2d5f555a8">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse rpc config error.</error-message>
 </rpc-error>
</rpc-reply>

Data Model
Configuring a Local User
Configuring Security of the Local User Password
Configuring an AAA Scheme
Configuring a Service Scheme
Configuring a RADIUS Server
Configuring an HWTACACS Server Template
Configuring an HACA Server
- Configuring an HACA Server Template
- Configuring a Device to Retransmit Accounting-stop Packets
Configuring a Domain

Translation

简体中文

Download

Updated: 2022-05-25

Document ID: EDOC1100126933

Downloads: 83

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Data Model

Configuring a Local User

Data Requirements

Request Example

Response Example

Configuring Security of the Local User Password

Data Requirements

Request Example

Response Example

Configuring an AAA Scheme

Data Requirements

Request Example

Response Example

Configuring a Service Scheme

Creating a Service Scheme

Data Requirement

Request Example

Response Example

Configuring a User VLAN in a Service Scheme

Data Requirement

Request Example

Response Example

Binding an ACL to a Service Scheme

Data Requirement

Request Example

Response Example

Binding a QoS Profile to a Service Scheme

Data Requirement

Request Example

Response Example

Binding a UCL Group to a Service Scheme

Data Requirement

Request Example

Response Example

Configuring Information Related to the DNS, WINS, and DHCP Servers in the Service Scheme

Data Requirements

Request Example

Response Example

Configuring a Redirection ACL in the Service Scheme

Data Requirements

Request Example

Response Example

Configuring the User Priority in a Service Scheme

Data Requirements

Request Example

Response Example

Configuring a RADIUS Server

Creating a RADIUS Server Template

Data Requirement

Request Example

Response Example

Configuring a RADIUS Authentication Server

Data Requirement

Request Example

Response Example

Configuring a RADIUS Accounting Server

Data Requirement

Request Example

Response Example

Configuring a RADIUS Authorization Server

Data Requirement

Request Example

Response Example

Configuring RADIUS Attribute Translation

Data Requirement

Request Example

Response Example

Disabling a RADIUS Attribute

Data Requirement

Request Example

Response Example

Configuring the Format of User Names in RADIUS Packets to Be Sent to a RADIUS Server

Data Requirement