No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
S12700 and S12700E V200R020C00 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
NAC

NAC

This section describes the NAC configuration model and provides examples of packets.

Configuring an 802.1X Access Profile

This section describes the configuration model of 802.1X access profile and provides examples of XML packets.

Data Model

The configuration model file matching 802.1X access profile is huawei-nac-dot1x.yang.

Table 2-594 Data model

Object

Description

Value

Remarks

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile

Indicates that the request operation (creation or modification) object is an 802.1X access profile. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Indicates the name of the created 802.1X access profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Indicates that an authentication mode is configured for 802.1X users.

Enumerated type:

  • chap: EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP)
  • pap: EAP termination authentication using the Password Authentication Protocol (PAP)
  • eap: relay authentication using the Extensible Authentication Protocol (EAP)

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authorize-of-authentication-event

Indicates that network access rights are configured for users when the 802.1X client does not respond.

N/A

N/A

huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/unicast-trigger

Indicates whether 802.1X authentication triggered by unicast packets is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/enable

Indicates whether handshake with online 802.1X authentication users is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/trigger-packet

Indicates the type of packets that can trigger 802.1X authentication.

The value is of the enumerated type:

  • dhcp
  • arp
  • any-l2-packet
  • dhcpv6
  • nd

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-eth-trunk

Indicates the interval at which the device handshakes with an 802.1X client on an Eth-Trunk interface.

The value is an integer in the range from 30 to 7200, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-non-eth-trunk

Indicates the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface.

The value is an integer in the range from 5 to 7200, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/packet-type

Indicates the type of 802.1X authentication handshake packets.

The value is of the enumerated type:

  • request-identity
  • srp-sha1-part2

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/max-retry

Indicates the maximum number of times an authentication request sent to an 802.1X user.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/client-time-out

Indicates the client authentication timeout interval.

The value is an integer in the range from 1 to 120, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/eap-notify-packet

Indicates whether to enable the device to send EAP packets with a code number to 802.1X users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/port-control-function/mode

Indicates the authorization state of an interface.

The value is of the enumerated type:

  • auto: indicates the auto identification mode.
  • authorized-force: indicates the forcible authorization mode.
  • unauthorized-force: indicates the forcible unauthorized mode.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-enable

Indicates whether to enable re-authentication for online 802.1X authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-period

Indicates the re-authentication interval for online 802.1X users.

The value is an integer in the range from 60 to 7200, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/dhcp-binding

Indicates whether to enable the device to automatically generate the DHCP snooping binding table.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/quiet-function/enable

Indicates whether to enable the quiet function for 802.1X authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-period

Indicates the quiet period for 802.1X authentication users who fail to be authenticated.

The value is an integer in the range from 1 to 3600, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-times

Indicates the maximum number of authentication failures within 60 seconds before the device quiets an 802.1X authentication user.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac-dot1x:dot1x-access/tx-period

Indicates the interval for sending authentication requests.

The value is an integer in the range from 1 to 120, in seconds.

N/A

/huawei-nac-dot1x:dot1x-access/url

Indicates the redirect URL for 802.1X authentication.

The value is a string of 1 to 200 case-sensitive characters without spaces and question marks (?). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/enable

Indicates whether to enable the function of triggering 802.1X authentication through multicast packets.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/port-up-enable

Indicates whether to enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/server-down-no-response-enable

Indicates whether the function of not responding to the EAPoL-Start packets sent by clients when the AAA server is Down is enabled.

The value is of the Boolean type:

  • true: The function is enabled.
  • false: The function is disabled.

N/A

Creating an 802.1X Access Profile

This section provides a sample of creating an 802.1X access profile using the merge method. You can also use the create method to create an 802.1X access profile.

Table 2-595 Creating an 802.1X access profile

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/name

Data Requirement

Table 2-596 Creating an 802.1X access profile

Item

Data

Description

name

test

Create the 802.1X access profile test.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name="testtesttesttesttesttesttesttesttest"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring an Authentication Mode for 802.1X Users

This section provides a sample of configuring an authentication mode for 802.1X users using the merge method. You can also use the create method to configure an authentication mode for 802.1X users.

Table 2-597 Configuring an authentication mode for 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authentication-method

Data Requirement

Table 2-598 Configuring an authentication mode for 802.1X users

Item

Data

Description

name

test

Set the authentication mode for 802.1X users to CHAP.

The 802.1X access profile must exist on the switch.

authentication-method

chap

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <authentication-method>chap</authentication-method>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring Network Access Rights for Users When the 802.1X Client Does Not Respond

This section provides a sample of configuring network access rights for users when the 802.1X client does not respond using the merge method. You can also use the create method to configure network access rights for users when the 802.1X client does not respond.

Table 2-599 Configuring network access rights for users when the 802.1X client does not respond

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/authorize-of-authentication-event

Data Requirement

Table 2-600 Configuring network access rights for users when the 802.1X client does not respond

Item

Data

Description

name

test

Configure network access rights for users when the 802.1X client does not respond.

The 802.1X access profile must exist on the switch.

authentication-event

client-no-response

vlan-id

4000

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <authorize-of-authentication-event>
      <authentication-event>client-no-response</authentication-event>
      <vlan-id>4000</vlan-id>
     </authorize-of-authentication-event>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling 802.1X Authentication Triggered by Unicast Packets

This section provides a sample of enabling 802.1X authentication triggered by unicast packets using the merge method. You can also use the create method to enable 802.1X authentication triggered by unicast packets.

Table 2-601 Enabling 802.1X authentication triggered by unicast packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/unicast-trigger

Data Requirement

Table 2-602 Enabling 802.1X authentication triggered by unicast packets

Item

Data

Description

name

test

Enable 802.1X authentication triggered by unicast packets.

The 802.1X access profile must exist on the switch.

unicast-trigger

true

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <unicast-trigger>true</unicast-trigger>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling Handshake with Online 802.1X Authentication Users

This section provides a sample of enabling handshake with online 802.1X authentication users using the merge method. You can also use the create method to enable handshake with online 802.1X authentication users.

Table 2-603 Enabling handshake with online 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/enable

Data Requirement

Table 2-604 Enabling handshake with online 802.1X authentication users

Item

Data

Description

name

test

Enable handshake with online 802.1X authentication users.

The 802.1X access profile must exist on the switch.

enable

true

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <dot1x-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
    <dot1x-access-profile>
     <name>test</name>
     <handshake>
      <enable>true</enable>
     </handshake>
    </dot1x-access-profile>
   </dot1x-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Interval at Which the Device Handshakes with 802.1X Users

This section provides a sample of configuring the interval at which the device handshakes with 802.1X users using the merge method.

Table 2-605 Configuring the interval at which the device handshakes with 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-eth-trunk

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/period-non-eth-trunk

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/handshake/packet-type

Data Requirements

Table 2-606 Configuring the interval at which the device handshakes with 802.1X users

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

period-eth-trunk

51

Set the interval at which the device handshakes with an 802.1X client on an Eth-Trunk interface to 51 seconds.

period-non-eth-trunk

200

Set the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface to 200 seconds.

packet-type

srp-sha1-part2

Set the type of 802.1X authentication handshake packets to srp-sha1-part2.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:handshake>
            <hw-nac-dot1x:period-eth-trunk>51</hw-nac-dot1x:period-eth-trunk>
            <hw-nac-dot1x:period-non-eth-trunk>200</hw-nac-dot1x:period-non-eth-trunk>
            <hw-nac-dot1x:packet-type>srp-sha1-part2</hw-nac-dot1x:packet-type>
          </hw-nac-dot1x:handshake>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="20">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='hu']/handshake/period-eth-trunk</error-path>
    <error-message>parse rpc config error.(Value "15" does not satisfy the constraint "30..7200" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Type of Packets that Can Trigger 802.1X Authentication

This section provides a sample of configuring the type of packets that can trigger 802.1X authentication using the merge method.

Table 2-607 Configuring the type of packets that can trigger 802.1X authentication

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/trigger-packet

Data Requirements

Table 2-608 Configuring the type of packets that can trigger 802.1X authentication

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

trigger-packet
  • dhcp
  • arp

Configure the device to use DHCP and ARP packets to trigger 802.1X authentication.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:trigger-packet>arp</hw-nac-dot1x:trigger-packet>
    <hw-nac-dot1x:trigger-packet>dhcp</hw-nac-dot1x:trigger-packet>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="20">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='hu']/handshake/packet-type</error-path>
    <error-message>parse rpc config error.(Invalid value "request" in "packet-type" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Authentication Timeout Timer for 802.1X Clients

This section provides a sample of configuring the authentication timeout timer for 802.1X clients using the merge method.

Table 2-609 Configuring the authentication timeout timer for 802.1X clients

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/client-time-out

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/retry-function/max-retry

Data Requirements

Table 2-610 Configuring the authentication timeout timer for 802.1X clients

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

client-time-out

8

Set the client authentication timeout interval to 8 seconds.

max-retry

3

Set the number of times an authentication request packet retransmitted to an 802.1X user to 3.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:retry-function>
            <hw-nac-dot1x:client-time-out>8</hw-nac-dot1x:client-time-out>
            <hw-nac-dot1x:max-retry>3</hw-nac-dot1x:max-retry>
          </hw-nac-dot1x:retry-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='hufeng']/retry-function/client-time-out</error-path>
    <error-message>parse rpc config error.(Value "121" does not satisfy the constraint "1..120" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Send EAP Packets with a Code Number to 802.1X Users

This section provides a sample of configuring the device to send EAP packets with a code number to 802.1X users using the merge method.

Table 2-611 Configuring the device to send EAP packets with a code number to 802.1X users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/eap-notify-packet

Data Requirements

Table 2-612 Configuring the device to send EAP packets with a code number to 802.1X users

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

eap-code

10

Set the code number in EAP packets sent to users to 10.

data-type

12

Set the data type in EAP packets sent to users to 12.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:eap-notify-packet>
            <hw-nac-dot1x:eap-code>10</hw-nac-dot1x:eap-code>
            <hw-nac-dot1x:data-type>12</hw-nac-dot1x:data-type>
          </hw-nac-dot1x:eap-notify-packet>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='hu']/eap-notify-packet/eap-code</error-path>
    <error-message>parse rpc config error.(Value "4" does not satisfy the constraint "5..255" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Authorization State of an Interface

This section provides a sample of configuring the authorization state of an interface using the merge method.

Table 2-613 Configuring the authorization state of an interface

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/port-control-function/mode

Data Requirements

Table 2-614 Configuring the authorization state of an interface

Item

Data

Description

name

test

Configure the 802.1X access profile named test.

mode

unauthorized-force

Configure the authorization state of an interface to forcible unauthorized mode.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-dot1x:name>test</hw-nac-dot1x:name>
          <hw-nac-dot1x:port-control-function>
            <hw-nac-dot1x:mode>unauthorized-force</hw-nac-dot1x:mode>
          </hw-nac-dot1x:port-control-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='hu']/port-control-function/mode</error-path>
    <error-message>parse rpc config error.(Invalid value "authorized" in "mode" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring Re-authentication for Online 802.1X Authentication Users

This section provides a sample of configuring re-authentication for online 802.1X authentication users using the merge method.

Table 2-615 Configuring re-authentication for online 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-enable

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/re-authenticate-function/re-authenticate-period

Data Requirements

Table 2-616 Configuring re-authentication for online 802.1X authentication users

Item

Data

Description

name

d1

Configure the 802.1X access profile named d1.

re-authenticate-enable

true

Configure re-authentication for online 802.1X users.

re-authenticate-period

70

Set the re-authentication interval for online 802.1X users to 70 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile>
          <hw-nac-dot1x:name>d1</hw-nac-dot1x:name>
          <hw-nac-dot1x:re-authenticate-function>
            <hw-nac-dot1x:re-authenticate-enable>true</hw-nac-dot1x:re-authenticate-enable>
            <hw-nac-dot1x:re-authenticate-period>70</hw-nac-dot1x:re-authenticate-period>
          </hw-nac-dot1x:re-authenticate-function>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='d1']/re-authenticate-function/re-authenticate-enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "re-authenticate-enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP Users

This section provides a sample of configuring the device to automatically generate the DHCP snooping binding table for static IP users using the merge method.

Table 2-617 Configuring the device to automatically generate the DHCP snooping binding table for static IP users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/configure-mode/unified-mode/dot1x-access-profile/dhcp-binding

Data Requirements

Table 2-618 Configuring the device to automatically generate the DHCP snooping binding table for static IP users

Item

Data

Description

name

d1

Configure the 802.1X access profile named d1.

dhcp-binding

true

Configure the device to automatically generate the DHCP snooping binding table for static IP users.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:dot1x-access-profile>
          <hw-nac-dot1x:name>d1</hw-nac-dot1x:name>
          <hw-nac-dot1x:dhcp-binding>true</hw-nac-dot1x:dhcp-binding>
        </hw-nac-dot1x:dot1x-access-profile>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/dot1x-access-profile[name='d1']/dhcp-binding</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "dhcp-binding" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Quiet Function for 802.1X Authentication Users

This section provides a sample of configuring the quiet function for 802.1X authentication users using the merge method.

Table 2-619 Configuring the quiet function for 802.1X authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/quiet-function/enable

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-period

/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-times

Data Requirements

Table 2-620 Configuring the quiet function for 802.1X authentication users

Item

Data

Description

enable

true

Configure the quiet function for 802.1X authentication users.

quiet-period

40

Set the quiet period for 802.1X authentication users to 40 seconds.

quiet-times

8

Set the maximum number of authentication failures within 60 seconds before the device quiets an 802.1X authentication user to 8.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:quiet-function>
          <hw-nac-dot1x:enable>true</hw-nac-dot1x:enable>
          <hw-nac-dot1x:quiet-period>40</hw-nac-dot1x:quiet-period>
          <hw-nac-dot1x:quiet-times>8</hw-nac-dot1x:quiet-times>
        </hw-nac-dot1x:quiet-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/quiet-function/enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Interval for Sending 802.1X Authentication Request Packets

This section provides a sample of configuring the interval for sending 802.1X authentication request packets using the merge method.

Table 2-621 Configuring the interval for sending 802.1X authentication request packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/tx-period

Data Requirements

Table 2-622 Configuring the interval for sending 802.1X authentication request packets

Item

Data

Description

tx-period

40

Set the interval for sending 802.1X authentication request packets to 40 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:tx-period>40</hw-nac-dot1x:tx-period>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="20">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/quiet-function/quiet-times</error-path>
    <error-message>parse rpc config error.(Value "121" does not satisfy the constraint "1..10" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the URL Redirection for 802.1X Authentication

This section provides a sample of configuring the URL redirection for 802.1X authentication using the merge method.

Table 2-623 Configuring the URL redirection for 802.1X authentication

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/url

Data Requirements

Table 2-624 Configuring the URL redirection for 802.1X authentication

Item

Data

Description

url

http://www.***.com.cn

Configure the URL redirection.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:url>http://www.***.com.cn</hw-nac-dot1x:url>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac-dot1x:dot1x-access/url</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Function of Triggering 802.1X Authentication Through Multicast Packets

This section provides a sample of configuring the function of triggering 802.1X authentication through multicast packets using the merge method.

Table 2-625 Configuring the function of triggering 802.1X authentication through multicast packets

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/enable

Data Requirements

Table 2-626 Configuring the function of triggering 802.1X authentication through multicast packets

Item

Data

Description

enable

true

Configure the function of triggering 802.1X authentication through multicast packets.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:multicast-trigger-function>
          <hw-nac-dot1x:enable>true</hw-nac-dot1x:enable>
        </hw-nac-dot1x:multicast-trigger-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Enabling the Function of Triggering 802.1X Authentication Through Multicast Packets Immediately After an Interface Goes Up

This section provides a sample of enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up using the merge method.

Table 2-627 Enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up

Operation

XPATH

edit-config:merge

/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/port-up-enable

Data Requirements

Table 2-628 Enabling the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up

Item

Data

Description

port-up-enable

true

Enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-dot1x:dot1x-access xmlns:hw-nac-dot1x="urn:huawei:params:xml:ns:yang:huawei-nac-dot1x">
        <hw-nac-dot1x:multicast-trigger-function>
          <hw-nac-dot1x:port-up-enable>true</hw-nac-dot1x:port-up-enable>
        </hw-nac-dot1x:multicast-trigger-function>
      </hw-nac-dot1x:dot1x-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-dot1x:dot1x-access/multicast-trigger-function/port-up-enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "port-up-enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a MAC Access Profile

This section describes the configuration model of MAC access profile and provides examples of XML packets.

Data Model

The configuration model file matching the MAC access profile is huawei-nac-mac.yang.

Table 2-629 Data model

Object

Description

Value

Remarks

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile

Indicates that the object of a request operation (create or modify) is a MAC access profile. It is a root object, which is only used to contain sub-objects and does not have any data meaning.

N/A

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Indicates the name of the created MAC access profile.

The value is a string of 1 to 31 case-sensitive characters, which cannot be configured to - and --. It cannot contain spaces and the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Specifies the password for a MAC address authentication user and displays the password in cipher text.

The value is a string of case-sensitive characters without spaces. The password is either a plain-text string of 1 to 128 characters or a cipher-text string of 48 to 188 characters.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Configures a fixed user name for MAC address authentication.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Indicates the format of a MAC address.

The value is of the enumerated type:

  • with-hyphen: indicates that the MAC address contains hyphens (-), for example, 00e0-fc12-3456.
  • with-hyphen-normal: indicates that the MAC address contains hyphens (-), for example, 00-e0-fc-12-34-56.
  • without-hyphen: indicates that the MAC address does not contain hyphens (-), for example, 00e0fc123456.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Configures a MAC address in uppercase or lowercase format as the user name for MAC address authentication.

The value is of the enumerated type:

  • uppercase: indicates that the MAC address is in uppercase format.
  • lowercase: indicates that the MAC address is in lowercase format.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/trigger-packet

Indicates the type of packets that can trigger MAC authentication.

The value is of the enumerated type:

  • dhcp
  • arp
  • any-l2-packet
  • dhcpv6
  • nd

N/A

/huawei-nac-mac:mac-access/quiet-function/quiet-period

Configures the quiet period for MAC address authentication users who fail to be authenticated.

The value is an integer in the range from 0 to 3600, in seconds.

N/A

/huawei-nac-mac:mac-access/quiet-function/quiet-times

Configures the maximum number of authentication failures within 60 seconds before the device quiets a MAC address authentication user.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/dhcp-option-format

Specifies a specified DHCP option as the user name for MAC address authentication.

The value is of the enumerated type:

  • circuit-id: specifies the circuit ID in the DHCP Option82 as the user name in MAC address authentication.
  • remote-id: specifies the remote ID in the DHCP Option82 as the user name in MAC address authentication.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/get-dhcp-option

Configures the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

The value is an integer. In the current version, the value is fixed as 82.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate-dhcp-renew

Indicates whether to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/off-line-dhcp-release

Indicates whether to enable the device to clear user entries when receiving DHCP release packets from MAC address authentication users.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate/mac

Indicates a source MAC address segment allowed for MAC address authentication.

The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate/prefix-length

Indicates the mask of a source MAC address segment allowed for MAC address authentication.

The value is an integer in the range from 1 to 48.

N/A

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/authentication-method

Indicates the authentication mode for MAC address authentication users.

The value is of the enumerated type:

  • chap
  • pap

The default value is pap.

N/A

Creating a MAC Access Profile

This section provides a sample of creating a MAC access profile using the merge method. You can also use the create method to create a MAC access profile.

Table 2-630 Creating a MAC access profile

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/name

Data Requirement

Table 2-631 Creating a MAC access profile

Item

Data

Description

name

test

Create the MAC access profile test.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>invalid mac-access-profile name</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactestmactestmactestmactestmactest"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring Passwords in Cipher Text for MAC Address Authentication

This section provides a sample of configuring passwords in cipher text for MAC address authentication using the merge method. You can also use the create method to configure passwords in cipher text for MAC address authentication.

Table 2-632 Configuring passwords in cipher text for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/password

Data Requirement

Table 2-633 Configuring passwords in cipher text for MAC address authentication

Item

Data

Description

name

test

Configure passwords in cipher text for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

letter

uppercase

password

Example@123

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
     <password>Example@123</password>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>

Configuring Fixed User Names for MAC Address Authentication

This section provides a sample of configuring fixed user names for MAC address authentication using the merge method. You can also use the create method to configure fixed user names for MAC address authentication.

Table 2-634 Configuring fixed user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/fixed-format/user-name

Data Requirement

Table 2-635 Configuring fixed user names for MAC address authentication

Item

Data

Description

name

test

Configure fixed user names for MAC address authentication.

The MAC access profile must exist on the switch.

user-name

huawei

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
      <user-name>huawei</user-name>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/user-name</error-info>
  </rpc-error>
</rpc-reply>

Configuring MAC Addresses as User Names for MAC Address Authentication

This section provides a sample of configuring MAC addresses as user names for MAC address authentication using the merge method. You can also use the create method to configure MAC addresses as user names for MAC address authentication.

Table 2-636 Configuring MAC addresses as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/mac-address-format

Data Requirement

Table 2-637 Configuring MAC addresses as user names for MAC address authentication

Item

Data

Description

name

test

Configure MAC addresses as user names for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>

Configuring MAC Addresses in the Uppercase Format as User Names for MAC Address Authentication

This section provides a sample of configuring MAC addresses in the uppercase format as user names for MAC address authentication using the merge method. You can also use the create method to configure MAC addresses in the uppercase format as user names for MAC address authentication.

Table 2-638 Configuring MAC addresses in the uppercase format as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/user-name-format/mac-address/letter

Data Requirement

Table 2-639 Configuring MAC addresses in the uppercase format as user names for MAC address authentication

Item

Data

Description

name

test

Configure MAC addresses in the uppercase format as user names for MAC address authentication.

The MAC access profile must exist on the switch.

mac-address-format

with-hyphen-normal

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
    <mac-access-profile>
     <name>test</name>
     <mac-address-format>with-hyphen-normal</mac-address-format>
     <letter>uppercase</letter>
    </mac-access-profile>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>CMD is incomplete, para fixed or macaddress must have one.</error-message>
    <error-info>Error on node /huawei-nac-mac:mac-access/mac-access-profile[name="mactest"]/letter</error-info>
  </rpc-error>
</rpc-reply>

Configuring DHCP Options as User Names for MAC Address Authentication

This section provides a sample of configuring DHCP options as user names for MAC address authentication using the merge method.

Table 2-640 Configuring DHCP options as user names for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/dhcp-option-format

Data Requirements

Table 2-641 Configuring DHCP options as user names for MAC address authentication

Item

Data

Description

name

test

Configure the MAC access profile named test.

dhcp-option-format

option82-circuit-id

Set the user name for MAC address authentication to a specified DHCP option.

separate

#

Set the delimiter in the user name of MAC address authentication to #.

code-format

format-hex

Set the user name for MAC address authentication in hexadecimal format.

password

Example@123

Set the password for MAC address authentication to Example@123.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>Example@123</hw-nac-mac:password>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/dhcp-option-format</error-path>
    <error-message>parse rpc config error.(Invalid value "circuit-id" in "dhcp-option-format" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Send DHCP Option Information to the Authentication Server When Triggering MAC Address Authentication Through DHCP Packets

This section provides a sample of configuring the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets using the merge method.

Table 2-642 Configuring the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/get-dhcp-option

Data Requirements

Table 2-643 Configuring the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets

Item

Data

Description

name

test

Configure the MAC access profile named test.

dhcp-option-format

option82-circuit-id

Set the user name for MAC address authentication to a specified DHCP option.

separate

#

Set the delimiter in the user name of MAC address authentication to #.

code-format

format-hex

Set the user name for MAC address authentication in hexadecimal format.

password

Example@123

Set the password for MAC address authentication to Example@123.

get-dhcp-option

option-82

Send DHCP option information to the authentication server.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>Example@123</hw-nac-mac:password>
          <hw-nac-mac:get-dhcp-option>option-82</hw-nac-mac:get-dhcp-option>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/get-dhcp-option[.='option-16']</error-path>
    <error-message>parse rpc config error.(Invalid value "option-16" in "get-dhcp-option" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Re-authenticate the Users When Receiving DHCP Lease Renewal Packets From MAC Address Authentication Users

This section provides a sample of configuring the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users using the merge method.

Table 2-644 Configuring the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/re-authenticate-dhcp-renew

Data Requirements

Table 2-645 Configuring the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users

Item

Data

Description

name

test

Configure the MAC access profile named test.

dhcp-option-format

option82-circuit-id

Set the user name for MAC address authentication to a specified DHCP option.

separate

#

Set the delimiter in the user name of MAC address authentication to #.

code-format

format-hex

Set the user name for MAC address authentication in hexadecimal format.

password

Example@123

Set the password for MAC address authentication to Example@123.

get-dhcp-option

option-82

Send DHCP option information to the authentication server.

re-authenticate-dhcp-renew

true

Re-authenticate the users when the device receives DHCP lease renewal packets from MAC address authentication users.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>Example@123</hw-nac-mac:password>
          <hw-nac-mac:get-dhcp-option>option-82</hw-nac-mac:get-dhcp-option>
          <hw-nac-mac:mac-re-authenticate>
            <hw-nac-mac:re-authenticate-dhcp-renew>true</hw-nac-mac:re-authenticate-dhcp-renew>
          </hw-nac-mac:mac-re-authenticate>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/mac-re-authenticate/re-authenticate-dhcp-renew</error-path>
    <error-message>parse rpc config error.(Invalid value "hahah" in "re-authenticate-dhcp-renew" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Clear User Entries When Receiving DHCP Release Packets From MAC Address Authentication Users

This section provides a sample of configuring the device to clear user entries when receiving DHCP release packets from MAC address authentication users using the merge method.

Table 2-646 Configuring the device to clear user entries when receiving DHCP release packets from MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/mac-re-authenticate/off-line-dhcp-release

Data Requirements

Table 2-647 Configuring the device to clear user entries when receiving DHCP release packets from MAC address authentication users

Item

Data

Description

name

test

Configure the MAC access profile named test.

dhcp-option-format

option82-circuit-id

Set the user name for MAC address authentication to a specified DHCP option.

separate

#

Set the delimiter in the user name of MAC address authentication to #.

code-format

format-hex

Set the user name for MAC address authentication in hexadecimal format.

password

Example@123

Set the password for MAC address authentication to Example@123.

get-dhcp-option

option-82

Send DHCP option information to the authentication server.

re-authenticate-dhcp-renew

true

Re-authenticate the users when the device receives DHCP lease renewal packets from MAC address authentication users.

off-line-dhcp-release

true

Clear user entries when the device receives DHCP release packets from MAC address authentication users.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>Example@123</hw-nac-mac:password>
          <hw-nac-mac:get-dhcp-option>option-82</hw-nac-mac:get-dhcp-option>
          <hw-nac-mac:mac-re-authenticate>
            <hw-nac-mac:re-authenticate-dhcp-renew>true</hw-nac-mac:re-authenticate-dhcp-renew>
          </hw-nac-mac:mac-re-authenticate>
          <hw-nac-mac:off-line-dhcp-release>true</hw-nac-mac:off-line-dhcp-release>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/off-line-dhcp-release</error-path>
    <error-message>parse rpc config error.(Invalid value "sasa" in "off-line-dhcp-release" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Source MAC Address Segment Allowed for MAC Address Authentication

This section provides a sample of configuring a source MAC address segment allowed for MAC address authentication using the merge method.

Table 2-648 Configuring a source MAC address segment allowed for MAC address authentication

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/permit-mac/permit-mac-authenticate

Data Requirements

Table 2-649 Configuring a source MAC address segment allowed for MAC address authentication

Item

Data

Description

name

test

Configure the MAC access profile named test.

dhcp-option-format

option82-circuit-id

Set the user name for MAC address authentication to a specified DHCP option.

separate

#

Set the delimiter in the user name of MAC address authentication to #.

code-format

format-hex

Set the user name for MAC address authentication in hexadecimal format.

password

Example@123

Set the password for MAC address authentication to Example@123.

get-dhcp-option

option-82

Send DHCP option information to the authentication server.

re-authenticate-dhcp-renew

true

Re-authenticate the users when the device receives DHCP lease renewal packets from MAC address authentication users.

off-line-dhcp-release

true

Clear user entries when the device receives DHCP release packets from MAC address authentication users.

mac

00e0-fc23-fb11

Set the MAC address to 00e0-fc23-fb11.

prefix-length

24

Set the mask length of the MAC address to 24.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-mac:mac-access xmlns:hw-nac-mac="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <hw-nac-mac:mac-access-profile>
          <hw-nac-mac:name>test</hw-nac-mac:name>
          <hw-nac-mac:dhcp-option-format>option82-circuit-id</hw-nac-mac:dhcp-option-format>
          <hw-nac-mac:separate>#</hw-nac-mac:separate>
          <hw-nac-mac:code-format>format-hex</hw-nac-mac:code-format>
          <hw-nac-mac:password>Example@123</hw-nac-mac:password>
          <hw-nac-mac:get-dhcp-option>option-82</hw-nac-mac:get-dhcp-option>
          <hw-nac-mac:mac-re-authenticate>
            <hw-nac-mac:re-authenticate-dhcp-renew>true</hw-nac-mac:re-authenticate-dhcp-renew>
          </hw-nac-mac:mac-re-authenticate>
          <hw-nac-mac:off-line-dhcp-release>true</hw-nac-mac:off-line-dhcp-release>
          <hw-nac-mac:permit-mac>
            <hw-nac-mac:permit-mac-authenticate>
              <hw-nac-mac:mac>00e0-fc23-fb11</hw-nac-mac:mac>
              <hw-nac-mac:prefix-length>24</hw-nac-mac:prefix-length>
            </hw-nac-mac:permit-mac-authenticate>
          </hw-nac-mac:permit-mac>
        </hw-nac-mac:mac-access-profile>
      </hw-nac-mac:mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/permit-mac/permit-mac-authenticate[mac='00e0-fc12-3456']/mac</error-path>
    <error-message>parse rpc config error.(Value "00e0-fc12-3456" does not satisfy the constraint "[0-9a-fA-F]{4}(-[0-9a-fA-F]{4}){2}" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Quiet Function for MAC Address Authentication Users

This section provides a sample of configuring the quiet function for MAC address authentication users using the merge method.

Table 2-650 Configuring the quiet function for MAC address authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-mac:mac-access/quiet-function

Data Requirements

Table 2-651 Configuring the quiet function for MAC address authentication users

Item

Data

Description

quiet-period

2400

Set the quiet period of a MAC address authentication user to 2400 seconds.

quiet-times

7

Set the maximum number of authentication failures within 60 seconds before the device quiets the MAC address authentication user to 7.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">   
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac" xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <quiet-function>
     <quiet-period>2400</quiet-period>
     <quiet-times>7</quiet-times>
    </quiet-function>
   </mac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='laoyu']/permit-mac/permit-mac-authenticate[mac='00e0-fc12-3456']/prefix-length</error-path>
    <error-message>parse rpc config error.(Value "99" does not satisfy the constraint "0..32" (range, length, or pattern).).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Types of Packets That Can Trigger MAC Address Authentication

This section provides a sample of configuring the types of packets that can trigger MAC address authentication using the merge method.

Table 2-652 Configuring the types of packets that can trigger MAC address authentication

Operation

XPATH

edit-config:create

/huawei-nac-mac:mac-access/configure-mode/unified-mode/mac-access-profile/trigger-packet

Data Requirements

Table 2-653 Configuring the types of packets that can trigger MAC address authentication

Item

Data

Description

name

huawei

Set the name of a MAC access profile.

trigger-packet

  • dhcp

  • arp

Enable MAC address authentication that can be triggered by DHCP or ARP packets.

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running />
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <mac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-mac">
        <mac-access-profile xc:operation="create">
          <name>huawei</name>
          <trigger-packet>dhcp</trigger-packet>
          <trigger-packet>arp</trigger-packet>
        </mac-access-profile>
      </mac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<?xml version="1.0" encoding="UTF-8"?><rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
    <ok/>
</rpc-reply>

Sample of failed response

<?xml version="1.0" encoding="utf-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac-mac:mac-access/mac-access-profile[name='huawei']/trigger-packet[.='ndnd']</error-path>
    <error-message>parse rpc config error. (Invalid value "ndnd" in "trigger-packet" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Portal Server Template

This section describes the configuration model of Portal server template and provides examples of XML packets.

Data Model

The configuration model file matching Portal server template is huawei-aaa-portal.yang.

Table 2-654 Data model

Object

Description

Value

Remarks

/huawei-aaa-portal/portal

Indicates that the request operation (creation or modification) object is a Portal server template. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-aaa-portal/portal/portal-server/name

Indicates the name of the created Portal server template.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Indicates that the IP address for the Portal server is configured.
  • IPv4: The value is in dotted decimal notation.
  • IPv6: The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

N/A

/huawei-aaa-portal/portal/portal-server/destination-port

Indicates that the destination port number for the switch to send packets to the Portal server is configured.

The value is an integer that ranges from 1 to 65535.

N/A

/huawei-aaa-portal/portal/portal-server/shared-key

Indicates that the shared key for the switch to exchange information with the Portal server is configured.

The value is a string of case-sensitive characters without spaces. It can be a string of 48 characters in cipher text, or a string of 1 to 16 characters in plain text. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal:portal/portal-server/vpn-instance

Indicates that the VPN instance for the switch to communicate with the Portal server is configured.

The value must be an existing VPN instance.

N/A

/huawei-aaa-portal/portal/portal-server/server-url

Indicates that the URL for the Portal server is configured.

The value is a string of 1 to 200 case-sensitive characters without spaces and question marks (?). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/portal-server/url-template/name

Indicates the name of the URL template bound to the Portal server template.

The value must be the name of an existing URL template.

N/A

/huawei-aaa-portal/portal/portal-server/protocol

Indicates that the protocol used in Portal authentication is configured.

Enumerated type:

  • http
  • haca
  • portal
  • http-uam

N/A

/huawei-aaa-portal/portal/portal-server/web-redirection-disable

Indicates that the Portal authentication redirection function is disabled. By default, the Portal authentication redirection function is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Indicates that the Portal server detection function is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-aaa-portal/portal/portal-server/user-sync-function

Indicates that the user information synchronization function is enabled for Portal authentication.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Indicates that the source IP address for the switch to communicate with the Portal server is configured.

The value is in dotted decimal notation.

N/A

/huawei-aaa-portal/portal/listening-port

Indicates that the number of the port through which the switch listens to Portal packets is configured.

The value is an integer that ranges from 1024 to 55535.

N/A

/huawei-aaa-portal/portal/url-template/name

Indicates the name of a created URL template.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa-portal/portal/url-template/url/url

Indicates that the redirect URL or pushed URL for the Portal server is configured.

The value is a string of 1 to 200 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/url-template/url-parameter

Indicates that parameters carried in the URL are configured.

The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

N/A

/huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

Indicates that the MAC address format in the URL is configured.
  • normal: The MAC address format is set to XX-XX-XX-XX-XX-XX.
  • compact: The MAC address format is set to XXXX-XXXX-XXXX.
  • delimiter: The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Configuring the start character in the URL.

The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Configuring the assignment character in the URL.

The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Configuring the delimiter in the URL.

The value is one case-sensitive character without spaces.

N/A

/huawei-aaa-portal:portal/url-template/url-ssid

Indicates the SSID that users associate with in the redirect URL or pushed URL of the Portal server.

The value must be an existing SSID.

N/A

/huawei-aaa-portal:portal/reply-message-enable

Indicates whether to enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-aaa-portal:portal/logout-resend-function/interval

Indicates the re-transmission interval of Portal authentication user logout packets.

The value is an integer in the range from 1 to 300, in seconds.

N/A

/huawei-aaa-portal:portal/logout-resend-function/times

Indicates the number of re-transmission times for Portal authentication user logout packets.

The value is an integer in the range from 0 to 15.

The value 0 indicates that the re-transmission function is disabled.

N/A

/huawei-aaa-portal:portal/version

Indicates the Portal protocol version supported by the device.

The value is of the enumerated type:

  • v2
  • v1v2

N/A

/huawei-aaa-portal:portal/logout-different-server-enable

Indicates whether to enable a device to process user logout requests sent by a Portal server other than the one from which users log in.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-aaa-portal:portal/global-source-ip/ip/ip-address

Indicates the source IP address used by the device to communicate with the Portal server in the system view.

The value is in dotted decimal notation.

N/A

/huawei-aaa-portal:portal/url-template/url-parameter/login-url/key

/huawei-aaa-portal:portal/url-template/url-parameter/login-url/value

Indicates the login URL of the access device.

  • key: indicates the identification keyword for the login URL sent to the Portal server during redirection.
  • value: indicates a specified URL of the access device.
  • key: The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).
  • value: The value is a string of 1 to 200 case-sensitive characters without spaces.

N/A

/huawei-aaa-portal:portal/portal-server/url-template/ciphered-parameter-name

Indicates the name of the encrypted URL template parameter.

The value is a string of 1 to 16 characters.

N/A

/huawei-aaa-portal:portal/portal-server/url-template/iv-parameter-name

Indicates the encryption vector name of the URL template parameter.

The value is a string of 1 to 16 characters.

N/A

/huawei-aaa-portal:portal/portal-server/url-template/key

Indicates the encryption key for encrypting the URL template parameter.

The value is either a plain-text string of 1-16 characters or a cipher-text string of 48 characters.

N/A

/huawei-aaa-portal:portal/portal-server/source-ip-address/interface/loopback-interface

Configures the IP address of a specified interface as the source IP address used by the device to communicate with the Portal server.

The value must be an existing interface number.

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/get-method-enable

Indicates whether to enable users to submit the user name and password to the device in GET mode during Portal authentication.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/cmd-key

Indicates the command identification keyword.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/login-key

Indicates the user login identification keyword.

The value is a string of 1 to 15 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/logout-key

Indicates the user logout identification keyword.

The value is a string of 1 to 15 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/password-key/password-key

Indicates the password identification keyword.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/initial-url-key/init-url-key

Indicates the identification keyword for the user initial login URL.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-ip-key/user-ip-key

Indicates the identification keyword for the user IP address.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-mac-key/user-mac-key

Indicates the identification keyword for the user MAC address.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-name-key/user-name-key

Indicates the user name identification keyword.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/login-fail

Indicates the response message upon a user login failure.

N/A

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/login-success

Indicates the response message upon a user login success.

N/A

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/logout-fail

Indicates the response message upon a user logout failure.

N/A

N/A

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/logout-success

Indicates the response message upon a user logout success.

N/A

N/A

/huawei-aaa-portal:portal/url-template/url-parameter/set-parameter-value/set-device-ip/ip-address

Indicates the device IP address carried in the URL.

The value is in dotted decimal notation.

N/A

/huawei-aaa-portal:portal/portal-server/detect-type

Indicates the mode in which a device detects Portal server status.

Enumerated type:

  • http
  • portal

N/A

Creating a Portal Server Template

This section provides a sample of creating a Portal server template using the merge method. You can also use the create method to create a Portal server template.

Table 2-655 Creating a Portal server template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/name

Data Requirement

Table 2-656 Portal server template

Item

Data

Description

name

huawei

Create the Portal server template huawei.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="14">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid server name</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="portalserverportalserverportalserver"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring an IP Address for the Portal Server

This section provides a sample of configuring an IP address for the Portal server using the merge method. You can also use the create method to configure an IP address for the Portal server.

Table 2-657 Configuring an IP address for the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/portal-server-ip

Data Requirement

Table 2-658 Configuring an IP address for the Portal server

Item

Data

Description

portal-server-ip

10.10.10.10

Configure the IP address 10.10.10.10 for the Portal server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
      <portal-server-ip>10.10.10.10</portal-server-ip>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Undo/config server-ip failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/portal-server-ip[.="255.255.255.255"]</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Source IP Address for the Switch to Communicate with the Portal Server

This section provides a sample of configuring the source IP address for the switch to communicate with the Portal server using the merge method. You can also use the create method to configure the source IP address for the switch to communicate with the Portal server.

Table 2-659 Configuring the source IP address for the switch to communicate with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/source-ip-address/ip/ip-address

Data Requirement

Table 2-660 Configuring the source IP address for the switch to communicate with the Portal server

Item

Data

Description

ip-address

192.168.255.255

Configure the source IP address 192.168.255.255 for the switch to communicate with the Portal server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <ip-address xc:operation="merge">192.168.255.255</ip-address>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="16">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Source-ip cmd executing failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/ip-address</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Destination Port Number for the Switch to Send Packets to the Portal Server

This section provides a sample of configuring the destination port number for the switch to send packets to the Portal server using the merge method. You can also use the create method to configure the destination port number for the switch to send packets to the Portal server using the merge method.

Table 2-661 Configuring the destination port number for the switch to send packets to the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/destination-port/port

Data Requirement

Table 2-662 Configuring the destination port number for the switch to send packets to the Portal server

Item

Data

Description

port

555

Set the destination port number for the switch to send packets to the Portal server to 555.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <destination-port>
      <port>555</port>
      <always>true</always>
     </destination-port>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="17">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Shared Key for the Switch to Exchange Information with the Portal Server

This section provides a sample of configuring the shared key for the switch to exchange information with the Portal server using the merge method. You can also use the create method to configure the shared key for the switch to exchange information with the Portal server.

Table 2-663 Configuring the shared key for the switch to exchange information with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/shared-key

Data Requirement

Table 2-664 Configuring the shared key for the switch to exchange information with the Portal server

Item

Data

Description

shared-key

zLUYANG12#$%()aa

Set the shared key for the switch to exchange information with the Portal server to zLUYANG12#$%()aa.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <shared-key>zLUYANG12#$%()aa</shared-key>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="18">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid shared-key</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/shared-key</error-info>
  </rpc-error>
</rpc-reply>

Configuring a VPN Instance for the Switch to Communicate with the Portal Server

This section provides a sample of configuring a VPN instance for the switch to communicate with the Portal server using the merge method. You can also use the create method to configure a VPN instance for the switch to communicate with the Portal server.

Table 2-665 Configuring a VPN instance for the switch to communicate with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/portal-server/vpn-instance

Data Requirement

Table 2-666 Configuring a VPN instance for the switch to communicate with the Portal server

Item

Data

Description

vpn-instance

vpna

Configure the VPN instance vpna for the switch to communicate with the Portal server.

The VPN instance must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <hw-l3vpn:vpn-instances xmlns:hw-l3vpn="urn:huawei:params:xml:ns:yang:huawei-l3vpn">
    <hw-l3vpn:vpn-instance>
     <hw-l3vpn:vpn-instance-name>vpna</hw-l3vpn:vpn-instance-name>
    </hw-l3vpn:vpn-instance>
   </hw-l3vpn:vpn-instances>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server>
     <name>webauth1</name>
     <vpn-instance>vpna</vpn-instance>
    </portal-server>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="19">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The vpn-instance does not exist or is invalid.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="webauth1"]/vpn-instance</error-info>
  </rpc-error>
</rpc-reply>

Disabling the Portal Authentication Redirection Function

This section provides a sample of disabling the Portal authentication redirection function using the merge method.

Table 2-667 Disabling the Portal authentication redirection function

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/web-redirection-disable

Data Requirement

Table 2-668 Disabling the Portal authentication redirection function

Item

Data

Description

web-redirection-disable

true

Disable the Portal authentication redirection function.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <edit-config>
  <target>
   <running/>
  </target>
  <config>
   <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <hw-aaa-portal:portal-server>
     <hw-aaa-portal:name>test</hw-aaa-portal:name>
     <hw-aaa-portal:web-redirection-disable>true</hw-aaa-portal:web-redirection-disable>
    </hw-aaa-portal:portal-server>
   </hw-aaa-portal:portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring a URL for the Portal Server

This section provides a sample of configuring a URL for the Portal server using the merge method. You can also use the create method to configure a URL for the Portal server.

Table 2-669 Configuring a URL for the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/server-url

Data Requirement

Table 2-670 Configuring a URL for the Portal server

Item

Data

Description

server-url

http://www.***.com

Configure the URL http://www.***.com for the Portal server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <server-url>http://www.***.com</server-url>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="22">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid url</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/server-url</error-info>
  </rpc-error>
</rpc-reply>

Creating a URL Template

This section provides a sample of creating a URL template using the merge method. You can also use the create method to create a URL template.

Table 2-671 Creating a URL template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template

Data Requirement

Table 2-672 Creating a URL template

Item

Data

Description

name

test

Create the URL template test.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="23">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Redirect URL or Pushed URL for the Portal Server

This section provides a sample of configuring the redirect URL or pushed URL for the Portal server using the merge method. You can also use the create method to configure the redirect URL or pushed URL for the Portal server.

Table 2-673 Configuring the redirect URL or pushed URL for the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template/url/url

Data Requirement

Table 2-674 Configuring the redirect URL or pushed URL for the Portal server

Item

Data

Description

url

12345

Configure the redirect URL or pushed URL for the Portal server.

url-type

push-only

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="24">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid url</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="huawei"]/url[url-type="push-only"]/url</error-info>
  </rpc-error>
</rpc-reply>

Configuring the MAC Address Format in the URL

This section provides a sample of configuring the MAC address format in the URL using the merge method. You can also use the create method to configure the MAC address format in the URL.

Table 2-675 Configuring the MAC address format in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/url-template/url-parameter/mac-address-format

Data Requirement

Table 2-676 Configuring the MAC address format in the URL

Item

Data

Description

delimiter

7

Configure the MAC address format in the URL.

format

compact

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
    <url-template>
     <name>test</name>
     <url>
      <url>12345</url>
      <url-type>push-only</url-type>
     </url>
     <url-parameter>
      <redirect-url>Rede</redirect-url>
      <sysname>Sses</sysname>
      <user-ipaddress>User</user-ipaddress>
      <user-mac>User</user-mac>
      <mac-address-format>
       <delimiter>7</delimiter>
       <format>compact</format>
      </mac-address-format>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="29">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Incomplete information.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="huawei"]/url-parameter</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Start Character in the URL

This section provides a sample of configuring the start character in the URL using the merge method. You can also use the create method to configure the start character in the URL.

Table 2-677 Configuring the start character in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/start-mark

Data Requirement

Table 2-678 Configuring the start character in the URL

Item

Data

Description

name

url1

Set the start character in the URL to a.

start-mark

a

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
<edit-config>
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <start-mark>a</start-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="32">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter start-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/start-mark</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Assignment Character in the URL

This section provides a sample of configuring the assignment character in the URL using the merge method. You can also use the create method to configure the assignment character in the URL.

Table 2-679 Configuring the assignment character in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/assignment-mark

Data Requirement

Table 2-680 Configuring the assignment character in the URL

Item

Data

Description

name

url1

Set the assignment character in the URL to an equal sign (=).

assignment-mark

=

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <assignment-mark>=</assignment-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="33">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter assignment-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/assignment-mark</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Delimiter in the URL

This section provides a sample of configuring the delimiter in the URL using the merge method. You can also use the create method to configure the delimiter in the URL.

Table 2-681 Configuring the delimiter in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/mark-parameter/isolate-mark

Data Requirement

Table 2-682 Configuring the delimiter in the URL

Item

Data

Description

name

url1

Set the delimiter in the URL to l.

isolate-mark

l

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <url-template>
        <name>url1</name>
        <mark-parameter>
          <isolate-mark>1</isolate-mark>
        </mark-parameter>
      </url-template>
    </portal>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="34">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Invalid mark-parameter isolate-mark</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/url-template[name="url1"]/mark-parameter/isolate-mark</error-info>
  </rpc-error>
</rpc-reply>

Binding the URL Template to the Portal Server Template

This section provides a sample of binding the URL template to the Portal server template using the merge method. You can also use the create method to bind the URL template to the Portal server template.

Table 2-683 Binding the URL template to the Portal server template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/url-template/name

Data Requirement

Table 2-684 Binding the URL template to the Portal server template

Item

Data

Description

name

abc

Bind the URL template abc to the Portal server template huawei.

The URL template abc and the Portal server template huawei must have been created.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <url-template>
     <name>abc</name>
    </url-template>
    <portal-server> 
     <name>huawei</name>
     <url-template xc:operation="merge">
      <name>abc</name>
     </url-template>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="35">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Undo/config url template failed.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/url-template/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Protocol Used in Portal Authentication

This section provides a sample of configuring the protocol used in Portal authentication using the merge method. You can also use the create method to configure the protocol used in Portal authentication.

Table 2-685 Configuring the protocol used in Portal authentication

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/protocol

Data Requirement

Table 2-686 Configuring the protocol used in Portal authentication

Item

Data

Description

protocol

portal

Set the protocol used in Portal authentication to the Portal protocol.

The Portal server template huawei must have been created.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server> 
     <name>huawei</name>
     <protocol>portal</protocol>
    </portal-server>  
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="19">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The vpn-instance does not exist or is invalid.</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/vpn-instance</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Number of the Port Through Which the Switch Listens to Portal Packets

This section provides a sample of configuring the number of the port through which the switch listens to Portal packets using the merge method. You can also use the create method to configure the number of the port through which the switch listens to Portal packets.

Table 2-687 Configuring the number of the port through which the switch listens to Portal packets

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/listening-port

Data Requirement

Table 2-688 Configuring the number of the port through which the switch listens to Portal packets

Item

Data

Description

listening-port

3210

Set the number of the port through which the switch listens to Portal packets to 3210.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <listening-port>3210</listening-port>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="37">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling the Portal Server Detection Function

This section provides a sample of enabling the Portal server detection function using the merge method. You can also use the create method to enable the Portal server detection function.

Table 2-689 Enabling the Portal server detection function

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/server-detect-function/server-detect-enable

Data Requirement

Table 2-690 Enabling the Portal server detection function

Item

Data

Description

server-detect-enable

true

Enable the Portal server detection function.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <server-detect-function>
      <server-detect-enable xc:operation="merge">true</server-detect-enable>
     </server-detect-function>
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="37">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling the User Information Synchronization Function for Portal Authentication

This section provides a sample of enabling the user information synchronization function for Portal authentication using the merge method. You can also use the create method to enable the user information synchronization function for Portal authentication.

Table 2-691 Enabling the user information synchronization function for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-aaa-portal/portal/portal-server/user-sync-function

Data Requirement

Table 2-692 Enabling the user information synchronization function for Portal authentication

Item

Data

Description

user-sync-enable

true

Enable the user information synchronization function for Portal authentication.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <portal-server xc:operation="merge">  
     <name>huawei</name>
     <user-sync-function>
      <user-sync-enable>true</user-sync-enable>
     </user-sync-function>    
    </portal-server> 
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling the Device to Transparently Transmit User Authentication Responses Sent by the Authentication Server to the Portal Server

This section provides a sample of enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server using the merge method. You can also use the create method to enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

Table 2-693 Enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/reply-message-enable

Data Requirements

Table 2-694 Enabling the device to transparently transmit user authentication responses sent by the authentication server to the Portal server

Item

Data

Description

reply-message-enable

true

Enable the device to transparently transmit user authentication responses sent by the authentication server to the Portal server.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <reply-message-enable>true</reply-message-enable>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Configuring the Re-transmission Times and Interval for Portal Authentication User Logout Packets

This section provides a sample of configuring the re-transmission times and interval for Portal authentication user logout packets using the merge method. You can also use the create method to configure the re-transmission times and interval for Portal authentication user logout packets.

Table 2-695 Configuring the re-transmission times and interval for Portal authentication user logout packets

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/logout-resend-function/interval

/huawei-aaa-portal:portal/logout-resend-function/times

Data Requirements

Table 2-696 Configuring the re-transmission times and interval for Portal authentication user logout packets

Item

Data

Description

interval

15

Configure the re-transmission times to 10 and interval to 15 seconds for Portal authentication user logout packets.

times

10

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> 
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
    <logout-resend-function>
     <interval>15</interval>
     <times>10</times>
    </logout-resend-function>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Configuring the Portal Protocol Version Supported by the Device

This section provides a sample of configuring the Portal protocol version supported by the device using the merge method.

Table 2-697 Configuring the Portal protocol version supported by the device

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/version

Data Requirements

Table 2-698 Configuring the Portal protocol version supported by the device

Item

Data

Description

version

v1v2

Set the Portal protocol version supported by the device to version V1.0 or V2.0.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:version>v1v2</hw-aaa-portal:version>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal</error-path>
    <error-message>parse rpc config error.(Unknown element "version".).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Device to Process User Logout Requests Sent by a Portal Server Other Than the One From Which Users Log In

This section provides a sample of configuring a device to process user logout requests sent by a Portal server other than the one from which users log in using the merge method.

Table 2-699 Configuring a device to process user logout requests sent by a Portal server other than the one from which users log in

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/logout-different-server-enable

Data Requirements

Table 2-700 Configuring a device to process user logout requests sent by a Portal server other than the one from which users log in

Item

Data

Description

logout-different-server-enable

true

Configure a device to process user logout requests sent by a Portal server other than the one from which users log in.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:logout-different-server-enable>true</hw-aaa-portal:logout-different-server-enable>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal/logout-different-server-enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "logout-different-server-enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Source IP Address Used by the Device to Communicate with the Portal Server in the System View

This section provides a sample of configuring the source IP address used by the device to communicate with the Portal server in the system view using the merge method.

Table 2-701 Configuring the source IP address used by the device to communicate with the Portal server in the system view

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/global-source-ip/ip/ip-address

Data Requirements

Table 2-702 Configuring the source IP address used by the device to communicate with the Portal server in the system view

Item

Data

Description

ip-address

192.168.1.100

Set the source IP address used by the device to communicate with the Portal server in the system view to 192.168.1.100.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:ip-address>192.168.1.100</hw-aaa-portal:ip-address>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal</error-path>
    <error-message>parse rpc config error.(Unknown element "ip-address".).</error-message>
  </rpc-error>
</rpc-reply>

Configuring Parameters in the URL

This section provides a sample of configuring parameters in the URL using the merge method.

Table 2-703 Configuring parameters in the URL

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/url-template/url-parameter

Data Requirements

Table 2-704 Configuring parameters in the URL

Item

Data

Description

ac-ip

ac-ip

Configure Parameters in the URL.

ac-mac

ac-mac

ap-ip

ap-ip

ap-mac

ap-mac

ssid

ssid

redirect-url

redirect-url

sysname

sysname

user-ipaddress

user-ipaddress

user-mac

user-mac

name

huawei

key

key1

value

12

set-device-ip

1.1.1.1

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal" xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
    <url-template>
     <name>huawei</name>
     <url-parameter>
      <ac-mac>ac-mac</ac-mac>
      <ap-ip>ap-ip</ap-ip>
      <ap-mac>ap-mac</ap-mac>
      <login-url>
       <key>key1</key>
       <value>12</value>
      </login-url>
      <ac-ip>ac-ip</ac-ip>
      <redirect-url>redirect-url</redirect-url>
      <sysname>sysname</sysname>
      <ssid>ssid</ssid>
      <user-ipaddress>user-ipaddress</user-ipaddress>
      <user-mac>a</user-mac>
      <set-parameter-value>
       <set-device-ip>
         <ip-address>1.1.1.1</ip-address>
       </set-device-ip>
      </set-parameter-value>
     </url-parameter>
    </url-template>
   </portal>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal/url-template[name='huawei']/url-parameter</error-path>
    <error-message>parse rpc config error.(Unknown element "set-parameter-value".).</error-message>
  </rpc-error>
</rpc-reply>

Binding a URL Template to a Portal Server Template and Encrypting Parameters in the URL Template

This section provides a sample of binding a URL template to a Portal server template and encrypting parameters in the URL template using the merge method.

Table 2-705 Binding a URL template to a Portal server template and encrypting parameters in the URL template

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/portal-server/url-template/name

/huawei-aaa-portal:portal/portal-server/url-template/ciphered-parameter-name

/huawei-aaa-portal:portal/portal-server/url-template/iv-parameter-name

/huawei-aaa-portal:portal/portal-server/url-template/key

Data Requirements

Table 2-706 Binding a URL template to a Portal server template and encrypting parameters in the URL template

Item

Data

Description

name

huawei

Configure the Portal server template named huawei.

url-template

abc

Configure the URL template named abc.

ciphered-parameter-name

key1

Configure the name of the encrypted URL template parameter to key1.

iv-parameter-name

iv2

Configure the encryption vector name of the URL template parameter to iv2.

key

Example@123

Set the encryption key for encrypting the URL template parameter to Example@123.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:url-template>
          <hw-aaa-portal:name>abc</hw-aaa-portal:name>
        </hw-aaa-portal:url-template>
        <hw-aaa-portal:portal-server>
          <hw-aaa-portal:name>huawei</hw-aaa-portal:name>
          <hw-aaa-portal:url-template>
            <hw-aaa-portal:name>abc</hw-aaa-portal:name>
            <hw-aaa-portal:ciphered-parameter-name>key1</hw-aaa-portal:ciphered-parameter-name>
            <hw-aaa-portal:iv-parameter-name>iv2</hw-aaa-portal:iv-parameter-name>
            <hw-aaa-portal:key>Example@123</hw-aaa-portal:key>
          </hw-aaa-portal:url-template>
        </hw-aaa-portal:portal-server>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="18">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Exec cmd url template error</error-message>
    <error-info>Error on node /huawei-aaa-portal:portal/portal-server[name="huawei"]/url-template/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring the IP Address of a Specified Interface as the Source IP Address Used by the Device to Communicate with the Portal Server

This section provides a sample of configuring the IP address of a specified interface as the source IP address used by the device to communicate with the Portal server using the merge method.

Table 2-707 Configuring the IP address of a specified interface as the source IP address used by the device to communicate with the Portal server

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/portal-server/source-ip-address/interface/loopback-interface

Data Requirements

Table 2-708 Configuring the IP address of a specified interface as the source IP address used by the device to communicate with the Portal server

Item

Data

Description

name

huawei

Configure the Portal server template named huawei.

loopback-interface

loopback1

Set the interface number to loopback1.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:portal-server>
          <hw-aaa-portal:name>huawei</hw-aaa-portal:name>
          <hw-aaa-portal:loopback-interface>loopback1</hw-aaa-portal:loopback-interface>
        </hw-aaa-portal:portal-server>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="20">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal/portal-server[name='huawei']/loopback-interface</error-path>
    <error-message>validation failed(Leafref "/ietf-interfaces:interfaces/ietf-interfaces:interface/ietf-interfaces:name" of value "loopback100" points to a non-existing leaf.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Device to Allow Users to Submit the User Name and Password to the Device in GET Mode During Portal Authentication

This section provides a sample of configuring the device to allow users to submit the user name and password to the device in GET mode during Portal authentication using the merge method.

Table 2-709 Configuring the device to allow users to submit the user name and password to the device in GET mode during Portal authentication

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/portal-server/http-method-parameters/get-method-enable

Data Requirements

Table 2-710 Configuring the device to allow users to submit the user name and password to the device in GET mode during Portal authentication

Item

Data

Description

name

huawei

Configure the Portal server template named huawei.

get-method-enable

true

Configure the device to allow users to submit the user name and password to the device in GET mode during Portal authentication.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:portal-server>
          <hw-aaa-portal:name>huawei</hw-aaa-portal:name>
          <hw-aaa-portal:http-method-parameters>
            <hw-aaa-portal:get-method-enable>true</hw-aaa-portal:get-method-enable>
          </hw-aaa-portal:http-method-parameters>
        </hw-aaa-portal:portal-server>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal/portal-server[name='huawei']/http-method-parameters/get-method-enable</error-path>
    <error-message>parse rpc config error.(Invalid value "1" in "get-method-enable" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring Parameters for Parsing and Replying to POST Request Packets of the HTTP or HTTPS Protocol

This section provides a sample of configuring parameters for parsing and replying to POST request packets of the HTTP or HTTPS protocol using the merge method.

Table 2-711 Configuring parameters for parsing and replying to POST request packets of the HTTP or HTTPS protocol

Operation

XPATH

edit-config:merge

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/cmd-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/login-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/cmd-key/logout-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/password-key/password-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/initial-url-key/init-url-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-ip-key/user-ip-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-mac-key/user-mac-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/user-name-key/user-name-key

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/login-fail

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/login-success

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/logout-fail

/huawei-aaa-portal:portal/portal-server/http-method-parameters/post-parameters/response-parameters/logout-success

Data Requirements

Table 2-712 Configuring parameters for parsing and replying to POST request packets of the HTTP or HTTPS protocol

Item

Data

Description

name

huawei

Configure the Portal server template named huawei.

cmd-key

key1

Set the user login identification keyword to key1.

login-key

key2

Set the user logout identification keyword to key2.

logout-key

key3

Set the command identification keyword to key3.

password-key

psw1

Set the password identification keyword to psw1.

init-url-key

key4

Set the identification keyword for the user initial login URL to key1.

user-ip-key

key5

Set the identification keyword for the user IP address to key1.

user-mac-key

key6

Set the identification keyword for the user MAC address to key1.

user-name-key

key7

Set the user name identification keyword to key1.

message

msg1

Set the response message upon a user login failure to msg1.

message

msg2

Set the response message upon a user login success to msg2.

message

msg3

Set the response message upon a user logout failure to msg3.

message

msg4

Set the response message upon a user logout success to msg4.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa-portal:portal xmlns:hw-aaa-portal="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
        <hw-aaa-portal:portal-server>
          <hw-aaa-portal:name>huawei</hw-aaa-portal:name>
          <hw-aaa-portal:http-method-parameters>
            <hw-aaa-portal:post-parameters>
              <hw-aaa-portal:cmd-key>
                <hw-aaa-portal:cmd-key>key1</hw-aaa-portal:cmd-key>
                <hw-aaa-portal:login-key>key2</hw-aaa-portal:login-key>
                <hw-aaa-portal:logout-key>key3</hw-aaa-portal:logout-key>
              </hw-aaa-portal:cmd-key>
              <hw-aaa-portal:password-key>
                <hw-aaa-portal:password-key>psw1</hw-aaa-portal:password-key>
              </hw-aaa-portal:password-key>
              <hw-aaa-portal:initial-url-key>
                <hw-aaa-portal:init-url-key>key4</hw-aaa-portal:init-url-key>
              </hw-aaa-portal:initial-url-key>
              <hw-aaa-portal:user-ip-key>
                <hw-aaa-portal:user-ip-key>key5</hw-aaa-portal:user-ip-key>
              </hw-aaa-portal:user-ip-key>
              <hw-aaa-portal:user-mac-key>
                <hw-aaa-portal:user-mac-key>key6</hw-aaa-portal:user-mac-key>
              </hw-aaa-portal:user-mac-key>
              <hw-aaa-portal:user-name-key>
                <hw-aaa-portal:user-name-key>key7</hw-aaa-portal:user-name-key>
              </hw-aaa-portal:user-name-key>
              <hw-aaa-portal:response-parameters>
                <hw-aaa-portal:login-fail>
                  <hw-aaa-portal:message>msg1</hw-aaa-portal:message>
                </hw-aaa-portal:login-fail>
                <hw-aaa-portal:login-success>
                  <hw-aaa-portal:message>msg2</hw-aaa-portal:message>
                </hw-aaa-portal:login-success>
                <hw-aaa-portal:logout-fail>
                  <hw-aaa-portal:message>msg3</hw-aaa-portal:message>
                </hw-aaa-portal:logout-fail>
                <hw-aaa-portal:logout-success>
                  <hw-aaa-portal:message>msg4</hw-aaa-portal:message>
                </hw-aaa-portal:logout-success>
              </hw-aaa-portal:response-parameters>
            </hw-aaa-portal:post-parameters>
          </hw-aaa-portal:http-method-parameters>
        </hw-aaa-portal:portal-server>
      </hw-aaa-portal:portal>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="16">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-aaa-portal:portal/portal-server[name='huawei']/http-method-parameters/post-parameters/response-parameters/logout-fail/redirect-url</error-path>
    <error-message>parse rpc config error.(Data for more than one case branch of "response" choice present.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Portal Access Profile

This section describes the configuration model of Portal access profile and provides examples of XML packets.

Data Model

The configuration model file matching Portal access profile is huawei-nac-portal.yang.

Table 2-713 Data model

Object

Description

Value

Remarks

/huawei-nac-portal

Indicates that the request operation (creation, deletion, or modification) object is nac-portal. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile

Indicates that a Portal access profile is created.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/portal-server

Indicates that a Portal server template is bound to the Portal access profile.

The value must be the name of an existing Portal server template.

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/bak-portal-server

Indicates that a backup Portal server template is bound to the Portal access profile.

The value must be the name of an existing Portal server template.

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-mode

Indicates that the Portal authentication mode for the Portal access profile is configured.

Enumerated type:

  • direct: Layer 2 Portal authentication
  • layer3: Layer 3 Portal authentication

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/portal-authentication-timer/offline-detect

Indicates that the offline detection interval for Portal authentication users is configured.

The value is 0 or an integer that ranges from 30 to 7200, in seconds. The default value is 300.

The value 0 indicates that user offline detection is not performed.

N/A

/huawei-nac-portal:portal-access/wired-https-redirect-enable

Indicates whether HTTPS redirection of wired Portal authentication is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/huawei-nac-portal/portal-access/https-redirect-enable

Indicates whether HTTPS redirection of Portal authentication is enabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/service-scheme

Indicates that network access rights are configured (using a service scheme) for users when the Portal server is Down.

N/A

N/A

/huawei-nac-portal/portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/ucl-group

Indicates that network access rights are configured (using a UCL group) for users when the Portal server is Down.

N/A

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/re-authen-trigger-event

Indicates that the switch is configured to re-authenticate users when the Portal server changes from Down to Up.

N/A

N/A

/huawei-nac-portal:portal-access/captive-option

Indicates that the CNA bypass function of iOS is enabled.

N/A

N/A

/huawei-nac-portal:portal-access/redirect-http-port

Indicates the user-defined destination port number for HTTP packets that trigger Portal redirection.

The value is an integer in the range from 1024 to 65535.

N/A

/huawei-nac-portal:portal-access/url-encode-enable

Indicates whether to enable URL encoding and decoding.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-portal:portal-access/user-roam-reply-enable

Indicates whether to enable the device to respond to the Portal server with the IP address of the new AP after a wireless user roams to the new AP.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-portal:portal-access/web-authen-server-protocol

Configures the Portal interconnection function of the HTTP or HTTPS protocol.

  • ssl-policy: indicates the SSL policy.
  • port: indicates the port number.
  • ssl-policy: The value must be the name of an existing SSL policy.
  • port: The value can be any integer in the range from 1025 to 65535.

N/A

/huawei-nac-portal:portal-access/portal-max-user-num

Indicates the maximum number of concurrent Portal authentication users allowed to access the device.

The value is an integer that varies depending on the card type.

N/A

/huawei-nac-portal:portal-access/user-alarm

Indicates the alarm threshold for the Portal authentication user count percentage.

The value is an integer in the range from 1 to 100, but the upper alarm threshold must be greater than or equal to the lower alarm threshold.

N/A

/huawei-nac-portal:portal-access/quiet-function/quiet-enable

Indicates whether to enable the quiet function for Portal authentication.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac-portal:portal-access/quiet-function/quiet-period

Indicates the quiet period of Portal authentication users who fail to be authenticated.

The value is an integer in the range from 10 to 3600, in seconds.

N/A

/huawei-nac-portal:portal-access/quiet-function/quiet-times

Indicates the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authentication-network

Indicates the source subnet for Portal authentication.

  • ip: indicates the IP address.
  • prefix-length: indicates the mask.
  • ip: The value is in dotted decimal notation.
  • prefix-length: The value is an integer in the range from 1 to 32.

N/A

Creating a Portal Access Profile

This section provides a sample of creating a Portal access profile using the merge method. You can also use the create method to create a Portal access profile.

Table 2-714 Creating a Portal access profile

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/portal-server

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-server/bak-portal-server

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/portal-mode

Data Requirement

Table 2-715 Portal access profile

Item

Data

Description

name

test

Create the Portal access profile test.

portal-server

webauthserver

Configure the Portal server template webauthserver bound to the Portal access profile test.

bak-portal-server

webauthbakserver

Configure the backup Portal server template webauthbakserver bound to the Portal access profile test.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>test</name>
        <portal-server ns0:operation="merge">
          <portal-server>webauthserver</portal-server>
          <bak-portal-server>webauthbakserver</bak-portal-server>
        </portal-server>
        <portal-mode>direct</portal-mode>
      </portal-access-profile>
    </portal-access>
    <portal xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa-portal">
      <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>webauthserver</name>
        <portal-server-ip>11.11.11.11</portal-server-ip>
        <destination-port>
          <port>50100</port>
          <always>true</always>
        </destination-port>
      </portal-server>
      <portal-server xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>webauthbakserver</name>
        <portal-server-ip>10.10.10.22</portal-server-ip>
        <destination-port>
          <port>50100</port>
          <always>true</always>
        </destination-port>
      </portal-server>
    </portal>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="38">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="test"]/name</error-info>
  </rpc-error>
</rpc-reply>

Enabling the CNA Bypass Function of iOS

This section provides a sample of enabling the CNA bypass function of iOS using the merge method. You can also use the create method to enable the CNA bypass function of iOS.

Table 2-716 Enabling the CNA bypass function of iOS

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/captive-option

Data Requirement

Table 2-717 Enabling the CNA bypass function of iOS

Item

Data

Description

captive-option

bypass

Enable the CNA bypass function of iOS.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <captive-option xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">bypass</captive-option>
    </portal-access>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="39">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Enabling HTTPS Redirection of Portal Authentication

This section provides a sample of enabling HTTPS redirection of Portal authentication using the merge method. You can also use the create method to enable HTTPS redirection of Portal authentication.

Table 2-718 Enabling HTTPS redirection of Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal/portal-access/https-redirect-enable

Data Requirement

Table 2-719 Enabling HTTPS redirection of Portal authentication

Item

Data

Description

https-redirect-enable

true

Enable HTTPS redirection of Portal authentication.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <https-redirect-enable xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">true</https-redirect-enable>
   </portal-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="39">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring Network Access Rights for Users When the Portal Server is Down (Using a Service Scheme)

This section provides a sample of configuring network access rights for users when the Portal server is Down (using a service scheme) using the merge method. You can also use the create method to configure network access rights for users when the Portal server is Down (using a service scheme).

Table 2-720 Configuring network access rights for users when the Portal server is Down (using a service scheme)

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/service-scheme

Data Requirement

Table 2-721 Configuring network access rights for users when the Portal server is Down (using a service scheme)

Item

Data

Description

service-scheme

serscheme_2

Configure network access rights for users when the Portal server is Down (using the service scheme serscheme_2).

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>portal_1</name>
        <authorize-of-authentication-event>
          <authentication-event>portal-server-down</authentication-event>
          <service-scheme>serscheme_2</service-scheme>
        </authorize-of-authentication-event>
      </portal-access-profile>
    </portal-access>
    <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
      <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>serscheme_2</name>
        <vsys>vsys</vsys>
      </service-scheme>
    </aaa>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="41">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> Service Scheme lsw_ss does not exist.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="portal_1"]/authorize-of-authentication-event[authentication-event="portal-server-down"]/service-scheme</error-info>
  </rpc-error>
</rpc-reply>

Configuring Network Access Rights for Users When the Portal Server Is Down (Using a UCL Group)

This section provides a sample of configuring network access rights for users when the Portal server is Down (using a UCL group) using the merge method. You can also use the create method to configure network access rights for users when the Portal server is Down (using a UCL group).

Table 2-722 Configuring network access rights for users when the Portal server is Down (using a UCL group)

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authorize-of-authentication-event/authorize-parameters/user-group/ucl-group

Data Requirement

Table 2-723 Configuring network access rights for users when the Portal server is Down (using a UCL group)

Item

Data

Description

ucl-group

lsw_ucl

Configure network access rights for users when the Portal server is Down (using the UCL group lsw_ucl).

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
      <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>portal_1</name>
        <authorize-of-authentication-event>
          <authentication-event>portal-server-down</authentication-event>
          <ucl-group>lsw_ucl</ucl-group>
        </authorize-of-authentication-event>
      </portal-access-profile>
    </portal-access>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <ucl-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <index>20</index>
        <name>lsw_ucl</name>
      </ucl-group>
    </nac-access>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="42">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> UCL group lsw_ucl does not exist.</error-message>
    <error-info>Error on node /huawei-nac-portal:portal-access/portal-access-profile[name="portal_1"]/authorize-of-authentication-event[authentication-event="portal-server-down"]/ucl-group</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Switch to Re-authenticate Users When the Portal Server Changes from Down to Up

This section provides a sample of configuring the switch to re-authenticate users when the Portal server changes from Down to Up using the merge method. You can also use the create method to configure the switch to re-authenticate users when the Portal server changes from Down to Up.

Table 2-724 Configuring the switch to re-authenticate users when the Portal server changes from Down to Up

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/re-authen-trigger-event

Data Requirement

Table 2-725 Configuring the switch to re-authenticate users when the Portal server changes from Down to Up

Item

Data

Description

re-authen-trigger-event

portal-server-up

Configure the switch to re-authenticate users when the Portal server changes from Down to Up.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <portal-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
    <portal-access-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>test_name</name>
     <re-authen-trigger-event xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">portal-server-up</re-authen-trigger-event>
    </portal-access-profile>
   </portal-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="44">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Source Subnet for Portal Authentication

This section provides a sample of configuring the source subnet for Portal authentication using the merge method.

Table 2-726 Configuring the source subnet for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/configure-mode/unified-mode/portal-access-profile/authentication-network

Data Requirements

Table 2-727 Configuring the source subnet for Portal authentication

Item

Data

Description

name

profile1

Configure the Portal access profile named profile1.

ip

10.1.1.0

Set the IP address to 10.1.1.0.

prefix-length

24

Set the prefix length to 24.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:portal-access-profile>
          <hw-nac-portal:name>profile1</hw-nac-portal:name>
          <hw-nac-portal:authentication-network xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac-portal:ip>10.1.1.0</hw-nac-portal:ip>
            <hw-nac-portal:prefix-length>24</hw-nac-portal:prefix-length>
          </hw-nac-portal:authentication-network>
        </hw-nac-portal:portal-access-profile>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the Quiet Function for Portal Authentication

This section provides a sample of configuring the quiet function for Portal authentication using the merge method.

Table 2-728 Configuring the quiet function for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/quiet-function/quiet-enable

/huawei-nac-portal:portal-access/quiet-function/quiet-period

/huawei-nac-portal:portal-access/quiet-function/quiet-times

Data Requirements

Table 2-729 Configuring the quiet function for Portal authentication

Item

Data

Description

quiet-enable

true

Configure the quiet function for Portal authentication.

quiet-period

100

Set the quiet period for Portal authentication users who fail to be authenticated to 100 seconds.

quiet-times

5

Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user to 5.

Request Example

# Configure the quiet function for Portal authentication.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
       <hw-nac-portal:quiet-function>
         <hw-nac-portal:quiet-enable>true</hw-nac-portal:quiet-enable>
        </hw-nac-portal:quiet-function>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

# Configure the quiet period for Portal authentication users who fail to be authenticated.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">      
        <hw-nac-portal:quiet-function>
          <hw-nac-portal:quiet-period xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">100</hw-nac-portal:quiet-period>
        </hw-nac-portal:quiet-function>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

# Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:quiet-function>
          <hw-nac-portal:quiet-times xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">5</hw-nac-portal:quiet-times>
        </hw-nac-portal:quiet-function>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring HTTPS Redirection for Portal Authentication

This section provides a sample of configuring HTTPS redirection for Portal authentication using the merge method.

Table 2-730 Configuring HTTPS redirection for Portal authentication

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/https-redirect-enable

Data Requirements

Table 2-731 Configuring HTTPS redirection for Portal authentication

Item

Data

Description

https-redirect-enable

true

Configure HTTPS redirection for Portal authentication.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:https-redirect-enable xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">true</hw-nac-portal:https-redirect-enable>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring HTTPS Redirection for Wired Portal Authentication Users

This section provides a sample of configuring HTTPS redirection for wired Portal authentication users using the merge method.

Table 2-732 Configuring HTTPS redirection for wired Portal authentication users

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/wired-https-redirect-enable

Data Requirements

Table 2-733 Configuring HTTPS redirection for wired Portal authentication users

Item

Data

Description

wired-https-redirect-enable

true

Configure HTTPS redirection for wired Portal authentication users.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:wired-https-redirect-enable xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">true</hw-nac-portal:wired-https-redirect-enable>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring a User-defined Destination Port Number for HTTP Packets That Trigger Portal Redirection

This section provides a sample of configuring a user-defined destination port number for HTTP packets that trigger Portal redirection using the merge method.

Table 2-734 Configuring a user-defined destination port number for HTTP packets that trigger Portal redirection

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/redirect-http-port

Data Requirements

Table 2-735 Configuring a user-defined destination port number for HTTP packets that trigger Portal redirection

Item

Data

Description

redirect-http-port

1024

Set the user-defined destination port number for HTTP packets that trigger Portal redirection to 1024.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:redirect-http-port xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">1024</hw-nac-portal:redirect-http-port>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring URL Encoding and Decoding

This section provides a sample of configuring URL encoding and decoding using the merge method.

Table 2-736 Configuring URL encoding and decoding

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/url-encode-enable

Data Requirements

Table 2-737 Configuring URL encoding and decoding

Item

Data

Description

url-encode-enable

true

Configure URL encoding and decoding.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:url-encode-enable xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">true</hw-nac-portal:url-encode-enable>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the Device to Respond to the Portal Server with the IP Address of the New AP After a Wireless User Roams to the New AP

This section provides a sample of configuring the device to respond to the Portal server with the IP address of the new AP after a wireless user roams to the new AP using the merge method.

Table 2-738 Configuring the device to respond to the Portal server with the IP address of the new AP after a wireless user roams to the new AP

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/user-roam-reply-enable

Data Requirements

Table 2-739 Configuring the device to respond to the Portal server with the IP address of the new AP after a wireless user roams to the new AP

Item

Data

Description

user-roam-reply-enable

true

Enable the device to respond to the Portal server with the IP address of the new AP after a wireless user roams to the new AP.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:user-roam-reply-enable xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="create">true</hw-nac-portal:user-roam-reply-enable>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the Maximum Number of Concurrent Portal Authentication Users Allowed to Access the Device

This section provides a sample of configuring the maximum number of concurrent Portal authentication users allowed to access the device using the merge method.

Table 2-740 Configuring the maximum number of concurrent Portal authentication users allowed to access the device

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/portal-max-user-num

Data Requirements

Table 2-741 Configuring the maximum number of concurrent Portal authentication users allowed to access the device

Item

Data

Description

portal-max-user-num

90

Set the maximum number of concurrent Portal authentication users allowed to access the device to 90.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:portal-max-user-num xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">90</hw-nac-portal:portal-max-user-num>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-app-tag>255</error-app-tag>
  <error-message>Error: Wrong parameter found at '^' position.</error-message>
  <error-info>Error on node /huawei-nac-portal/portal-access/portal-max-user-num</error-info>
 </rpc-error>
</rpc-reply>

Configuring Alarm Thresholds for the Portal Authentication User Count Percentage

This section provides a sample of configuring alarm thresholds for the Portal authentication user count percentage using the merge method.

Table 2-742 Configuring alarm thresholds for the Portal authentication user count percentage

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/user-alarm

Data Requirements

Table 2-743 Configuring alarm thresholds for the Portal authentication user count percentage

Item

Data

Description

percent-lower

32

Set the lower alarm threshold to 32.

percent-upper

82

Set the upper alarm threshold to 82.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:user-alarm xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac-portal:percent-lower>32</hw-nac-portal:percent-lower>
          <hw-nac-portal:percent-upper>82</hw-nac-portal:percent-upper>
        </hw-nac-portal:user-alarm>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="14">
 <rpc-error>
  <error-app-tag>255</error-app-tag>
  <error-message>Error: The upper value is smaller than the lower value.</error-message>
  <error-info>Error on node /huawei-nac-portal/portal-access/user-alarm</error-info>
 </rpc-error>
</rpc-reply>

Configuring the Portal Interconnection Function of the HTTP or HTTPS Protocol

This section provides a sample of configuring the Portal interconnection function of the HTTP or HTTPS protocol using the merge method.

Table 2-744 Configuring the Portal interconnection function of the HTTP or HTTPS protocol

Operation

XPATH

edit-config:merge

/huawei-nac-portal:portal-access/web-authen-server-protocol

Data Requirements

Table 2-745 Configuring the Portal interconnection function of the HTTP or HTTPS protocol

Item

Data

Description

ssl-policy

sp1

Configure the SSL policy named sp1.

port

1111

Set the port number to 1111.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac-portal:portal-access xmlns:hw-nac-portal="urn:huawei:params:xml:ns:yang:huawei-nac-portal">
        <hw-nac-portal:web-authen-server-protocol>
          <hw-nac-portal:ssl-policy>sp1</hw-nac-portal:ssl-policy>
          <hw-nac-portal:port>1111</hw-nac-portal:port>
        </hw-nac-portal:web-authen-server-protocol>
      </hw-nac-portal:portal-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Creating an Authentication-Free Rule Profile

This section describes the configuration model of authentication-free rule profile and provides examples of XML packets.

Data Model

The configuration model file matching authentication-free rule profile is huawei-nac.yang.

Table 2-746 Data model

Object

Description

Value

Remarks

/huawei-nac/nac-access/authentication-free-rule-profile

Indicates that the request operation (creation or modification) object is an authentication-free rule profile. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac/nac-access/authentication-free-rule-profile/name

Indicates the name of the created authentication-free rule profile.

Currently, the switch supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

N/A

/huawei-nac/nac-access/authentication-free-rule-profile/free-acl/ipv4-acl

Indicates that the authentication-free rule is defined by IPv4 ACL.

The value must be the number of an existing IPv4 ACL.

N/A

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule

Indicates that an authentication-free rule is configured for users.

N/A

N/A
/huawei-nac:nac-access/authentication-free-rule-profile/free-acl/ipv6-acl

Indicates that the authentication-free rule is defined by IPv6 ACL.

The value must be the number of an existing IPv6 ACL.

N/A

Creating an Authentication-Free Rule Profile

This section provides a sample of creating an authentication-free rule profile using the merge method. You can also use the create method to create an authentication-free rule profile.

Table 2-747 Creating an authentication-free rule profile

Operation

XPATH

edit-config:merge

/huawei-nac/nac-access/authentication-free-rule-profile/name

Data Requirement

Table 2-748 Creating an authentication-free rule profile

Item

Data

Description

name

default_free_rule

Create the authentication-free rule profile default_free_rule.

ipv4-acl

6000

Configure an authentication-free rule defined by ACL.

rule-id

1

Configure a common authentication-free rule.

destination

any

Request Example

# Configure an authentication-free rule defined by ACL.
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac" xc:operation="replace">
    <authentication-free-rule-profile>  
     <name>default_free_rule</name>
     <free-acl>
      <ipv4-acl>6000</ipv4-acl>
     </free-acl>
    </authentication-free-rule-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

# Configure a common authentication-free rule.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-free-rule-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>default_free_rule</name>
     <free-rule>
      <rule-id>1</rule-id>
      <destination>
       <any>any</any>
      </destination>
     </free-rule>
    </authentication-free-rule-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="45">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Free-rule-template name cmd executing failed.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-free-rule-profile[name="default_free_rule1"]/name</error-info>
  </rpc-error>
</rpc-reply>

Configuring Authentication-free Rules

This section provides a sample of configuring authentication-free rules using the merge method.

Table 2-749 Configuring authentication-free rules

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/authentication-free-rule-profile/free-acl/ipv4-acl-name

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/rule-id

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-any/any

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/ip

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/subnet/prefix-length/prefix-length

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/source-ip/subnet/net-mask/net-mask

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/interface/interface

/huawei-nac:nac-access/authentication-free-rule-profile/free-rule/source/source/vlan/vlan-id

Data Requirements

Table 2-750 Configuring authentication-free rules

Item

Data

Description

name

default_free_rule

Configure the free-rule profile named default_free_rule.

ipv4-acl-name

acl1

Configure the IPv4 ACL named acl1.

rule-id

37

Set the rule number to 37.

any

any

Set any condition.

ip

1.1.1.1

Set the IP address to 1.1.1.1.

prefix-length

24

Set the prefix length to 24.

net-mask

255.255.255.0

Set the mask to 255.255.255.0.

interface

GigabitEthernet1/0/1

Set the interface to GigabitEthernet1/0/1.

vlan-id

1

Set the VLAN ID to VLAN 1.

Request Example

# Configure an ACL to define an authentication-free rule.
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-acl>
            <hw-nac:ipv4-acl-name>acl1</hw-nac:ipv4-acl-name>
          </hw-nac:free-acl>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure any to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:any>any</hw-nac:any>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the IP address and prefix to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:ip>1.1.1.1</hw-nac:ip>
              <hw-nac:prefix-length>24</hw-nac:prefix-length>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the IP address and mask to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:ip>1.1.1.1</hw-nac:ip>
              <hw-nac:net-mask>255.255.255.0</hw-nac:net-mask>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure an interface to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:interface>GigabitEthernet1/0/1</hw-nac:interface>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the VLAN ID to define an authentication-free rule.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-free-rule-profile>
          <hw-nac:name>default_free_rule</hw-nac:name>
          <hw-nac:free-rule xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:rule-id>37</hw-nac:rule-id>
            <hw-nac:source>
              <hw-nac:vlan-id>1</hw-nac:vlan-id>
            </hw-nac:source>
          </hw-nac:free-rule>
        </hw-nac:authentication-free-rule-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/authentication-free-rule-profile[name='default_free_rule']/free-rule[rule-id='37']/source/interface</error-path>
    <error-message>validation failed(Leafref "/ietf-interfaces:interfaces/ietf-interfaces:interface/ietf-interfaces:name" of value "sdfhsahda" points to a non-existing leaf.).</error-message>
  </rpc-error>
</rpc-reply>

Creating a UCL Group

This section describes the configuration model of UCL group and provides examples of XML packets.

Data Model

The configuration model file matching UCL group is huawei-nac.yang.

Table 2-751 Data model

Object

Description

Value

Remarks

/huawei-nac:nac-access/ucl-group

Indicates that the request operation (creation or modification) object is a UCL group.

N/A

N/A

/huawei-nac:nac-access/ucl-group/name

Indicates the name of a UCL group.

The value is a string of 1 to 31 case-sensitive characters without spaces.

N/A

/huawei-nac:nac-access/ucl-group/index

Indicates the index of a UCL group.

The value is an integer that ranges from 1 to 64000.

N/A

/huawei-nac:nac-access/ucl-group/ip/ip

Indicates the IP address of a UCL group.

The value is in dotted decimal notation.

N/A

/huawei-nac:nac-access/ucl-group/ip/prefix-length

Indicates the IP address prefix length of a UCL group.

The value is an integer in the range from 1 to 32.

N/A

/huawei-nac:nac-access/ucl-group/ip/net-mask

Indicates the IP address mask length of a UCL group.

The value is in dotted decimal notation.

N/A

/huawei-nac:nac-access/ucl-group/ip-escape/ip

Indicates the IP address of an escape UCL group.

The value is in dotted decimal notation.

N/A

/huawei-nac:nac-access/ucl-group/ip-escape/prefix-length

Indicates the IP address prefix length of an escape UCL group.

The value is an integer in the range from 1 to 32.

N/A

/huawei-nac:nac-access/ucl-group/ip-escape/net-mask

Indicates the IP address mask length of an escape UCL group.

The value is in dotted decimal notation.

N/A

/huawei-nac:nac-access/ip-group/group-service/ip-address

Indicates the IP address of a controller.

The value is in dotted decimal notation.

N/A

/huawei-nac:nac-access/ip-group/group-service/port

Indicates the port number of a controller.

The value is an integer in the range from 1 to 65535. The default value is 50304.

N/A

/huawei-nac:nac-access/ip-group/group-service/pki-realm

Indicates the name of a PKI realm.

The value is a string of 1 to 64 case-insensitive characters without spaces.

N/A

/huawei-nac:nac-access/ip-group/timer-heart-beat

Indicates the interval at which IP-GROUP channel heartbeat packets are sent.

The value is an integer in the range from 1 to 1440, in minutes.

N/A

/huawei-nac:nac-access/ip-group/timer-reconnection

Indicates the IP-GROUP channel reconnection interval.

The value is an integer in the range from 1 to 255, in minutes.

N/A

/huawei-nac:nac-access/ip-group/timer-down-delay

Indicates a delay in responding to the IP-GROUP channel interruption event.

The value is an integer in the range from 0 to 600, in seconds.

The value 0 indicates that the device responds to the IP-GROUP channel interruption event without any delay.

N/A

/huawei-nac:nac-access/ip-group/timer-up-delay

Indicates a delay in responding to the IP-GROUP channel Up event.

The value is an integer in the range from 0 to 600, in seconds.

The value 0 indicates that the device responds to the IP-GROUP channel Up event without any delay.

N/A

Creating a UCL Group

This section provides a sample of creating a UCL group using the merge method. You can also use the create method to create a UCL group.

Table 2-752 Creating a UCL group

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/ucl-group

Data Requirement

Table 2-753 Creating a UCL group

Item

Data

Description

index

20

Create a UCL group.

name

lsw_ucl

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <ucl-group xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <index>20</index>
     <name>lsw_ucl</name>
    </ucl-group>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="13">
  <rpc-error>
    <error-app-tag>1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/ucl-group[index="2"]</error-info>
  </rpc-error>
</rpc-reply>

Configuring an Authentication Profile

This section describes the configuration model of authentication profile and provides examples of XML packets.

Data Model

The configuration model file matching authentication profile is huawei-nac.yang.

Table 2-754 Data model

Object

Description

Value

Remarks

/huawei-nac:nac-access/configure-mode/unified-mode

Indicates that the request operation (creation or modification) object is nac-access. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Indicates that an authentication profile is configured.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Indicates that an 802.1X access profile is bound to the authentication profile.

The value must be the name of an existing 802.1X access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Indicates that a MAC access profile is bound to the authentication profile.

The value must be the name of an existing MAC access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Indicates that a Portal access profile is bound to the authentication profile.

The value must be the name of an existing Portal access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/free-rule-profile

Indicates that an authentication-free rule profile is bound to the authentication profile.

The value must be the name of an existing authentication-free rule profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Indicates that a forcible domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Indicates that the default domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Indicates that a forcible domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Indicates that the default domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/device-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/service-scheme

Indicates that the function of allowing voice terminals to go online without authentication is configured.

The value must be the name of an existing service scheme.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the user access mode is configured.

Enumerated type:

  • single-terminal: The interface allows only one user to go online.
  • single-voice-with-data: The interface allows only one data user and one voice user to go online.
  • multi-share: The interface allows multiple users to go online. In this mode, the switch only authenticates the first access user. If the first user passes authentication, the subsequent users share the same network access rights with the first user. If the first user goes offline, other users also go offline.
  • multi-authen: The interface allows multiple users to go online. In this mode, the switch authenticates each access user. If a user passes authentication, the switch grants independent network access rights to the user. If a user goes offline, other users are not affected.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/max-user-num

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/access-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the maximum numbers of access users in different authentication modes are configured.

The value is an integer that varies depending on the card type.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/response-fail

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/vlan-id

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/service-scheme

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/ucl-group

Indicates that network access rights are configured for users in each phase before authentication.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Indicates that the switch is configured to re-authenticate users when the authentication server changes from Down to Up.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/pre-authen-access

Indicates whether the pre-connection function is disabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Binding the authentication profile to an interface.

The value must be the name of an existing authentication profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/assigned-ip-address/in-accounting-start

Indicates whether accounting-start packets carry users' IP addresses.

The value is of the Boolean type:

  • true: Accounting-start packets carry users' IP addresses.
  • false: Accounting-start packets do not carry users' IP addresses.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-mac-bypass

Indicates whether to enable MAC address bypass authentication in an authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/single-access

Indicates whether to enable the device to allow users to access in only one authentication mode in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/security-name-delimiter

Indicates the security string delimiter in the authentication profile.

The value is of the enumerated type. The value can be \ / : , < > | @ ' % or *.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-delimiter

Indicates the domain name delimiter in the authentication profile.

The value can only be one of the following characters: \ / : < > | @ ' %.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-direction

Indicates the direction in which a domain name is parsed in the authentication profile.

The value is of the enumerated type:

  • left-to-right: indicates the direction from left to right.
  • right-to-left: indicates the direction from right to left.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-location

Indicates the position of a domain name in the authentication profile.

The value is of the enumerated type:

  • after-delimiter: indicates that the domain name is placed behind the delimiter.
  • before-delimiter: indicates that the domain name is placed before the delimiter.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/pre-authen

Indicates the interval for re-authenticating pre-connection users in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail

Indicates the interval for re-authenticating users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for users who fail to be authenticated.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail-wlan-user

Indicates the interval for re-authenticating wireless users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for wireless users who fail to be authenticated.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/pre-authen

Indicates the aging time for pre-connection user entries in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/authen-fail

Indicates the aging time for entries of the users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/update-ip-accounting

Indicates whether to enable a device to send accounting packets for address updating in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/roam-accounting

Indicates whether to enable a device to send accounting packets for roaming in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/permit-domain-list/domain

Configures permitted domains for WLAN users in the authentication profile.

The value must be an existing domain name.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/wlan-max-user-num

Configures the maximum number of authenticated users allowed in the authentication profile.

The value is an integer in the range from 1 to 128.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/speed-limit-auto

Indicates whether to enable the device to dynamically adjust the rate of packets from NAC users in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/all-vlan/all

Enables MAC address migration for all VLANs in the system view.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/begin

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/end

Enables MAC address migration and specifies the VLAN range in the system view.

  • begin: indicates the start VLAN ID.
  • end: indicates the end VLAN ID.

The value is an integer in the range from 1 to 4094.

The end VLAN ID must be greater than the start VLAN ID.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/enable

Indicates whether to enable a device to detect users' online status before user MAC address migration in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/interval

Indicates the interval at which a device detects users' online status before user MAC address migration in the system view.

The value is an integer in the range from 1 to 5, in seconds.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/times

Indicates the maximum number of detections before user MAC address migration in the system view.

The value is an integer in the range from 1 to 3.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-period

Indicates the period that MAC address migration users stay in the quiet state in the system view.

The value is an integer in the range from 0 to 3600.

The value 0 indicates that the MAC address migration quiet function is disabled.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-times

Indicates the number of times that MAC address migration users are allowed to migrate their MAC addresses within 60 seconds before the device quiets the users in the system view.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-log-function/enable

Indicates whether to enable the device to record logs about MAC address migration quiet in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/enable

Indicates whether to enable the device to send alarms about MAC address migration quiet in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/lower-threshold-percentage

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/upper-threshold-percentage

Indicates the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state in the system view.

  • lower-threshold-percentage: indicates the lower alarm threshold.
  • upper-threshold-percentage: indicates the upper alarm threshold.
  • lower-threshold-percentage: The value is an integer in the range from 1 to 100.
  • upper-threshold-percentage: The value is an integer in the range from 1 to 100. The value must be greater than that of lower-threshold-percentage.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/default-detect-ip

Indicates the default source IP address of offline detection packets in the system view.

The value is in dotted decimal notation and can be 0.0.0.0 or 255.255.255.255.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/vlan

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/ip

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/mac

Indicates the source IP address and source MAC address of offline detection packets for a specified VLAN in the system view.

  • vlan: indicates the VLAN.
  • ip: indicates the IP address.
  • mac: indicates the MAC address.
  • vlan: The value is an integer in the range from 1 to 4094.
  • ip: The value is in dotted decimal notation.
  • mac: The value must be the unicast MAC addresses. The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/band-width

Indicates whether to enable the bandwidth share mode in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/unlimited

Indicates whether users are logged out when an interface link is faulty.

The value is of the Boolean type:

  • true: Users are logged out.
  • false: Users are not logged out.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/delay-time

Indicates the user logout delay when an interface link is faulty.

The value is an integer in the range from 0 to 60, in seconds.

The default value is 10.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/syslog-restrain

Indicates whether to enable system log suppression.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/device-sensor/option

Specifies the DHCP option field that the device needs to resolve.

The option fields in a DHCP packet carry the control information and parameters, for example, terminal type.

The value is an integer in the range from 1 to 254. You can configure one to six Option fields.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/redirect-original-url

Indicates whether to configure the redirect URL to carry the original URL when Portal-authenticated users who match a redirect ACL are forcibly redirected for another forcible Portal authentication.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

The default value is false.

N/A

Creating an Authentication Profile

This section provides a sample of creating an authentication profile using the merge method. You can also use the create method to create an authentication profile.

Table 2-755 Creating an authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Data Requirement

Table 2-756 Creating an authentication profile

Item

Data

Description

name

authen_pro

Create the authentication profile authen_pro.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="create">
     <name>authen_pro</name>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="46">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>invalid authen profile name</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_proauthen_proauthen_proauthen_pro"]/name</error-info>
  </rpc-error>
</rpc-reply>

Binding an 802.1X Access Profile to the Authentication Profile

This section provides a sample of binding an 802.1X access profile to the authentication profile using the merge method. You can also use the create method to bind an 802.1X access profile to the authentication profile.

Table 2-757 Binding an 802.1X access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Data Requirement

Table 2-758 Binding an 802.1X access profile to the authentication profile

Item

Data

Description

dot1x-access-profile

dot1x_access_profile

Bind the 802.1X access profile dot1x_access_profile to the authentication profile authen_pro.

The 802.1X access profile must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <dot1x-access-profile>dot1x_access_profile</dot1x-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="47">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/dot1x-access-profile</error-info>
  </rpc-error>
</rpc-reply>

Binding a MAC Access Profile to the Authentication Profile

This section provides a sample of binding a MAC access profile to the authentication profile using the merge method. You can also use the create method to bind a MAC access profile to the authentication profile.

Table 2-759 Binding a MAC access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Data Requirement

Table 2-760 Binding a MAC access profile to the authentication profile

Item

Data

Description

mac-access-profile

mac_access_profile

Bind the MAC access profile mac_access_profile to the authentication profile authen_pro.

The MAC access profile must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <mac-access-profile>mac_access_profile</mac-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="49">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/mac-access-profile</error-info>
  </rpc-error>
</rpc-reply>

Binding a Portal Access Profile to the Authentication Profile

This section provides a sample of binding a Portal access profile to the authentication profile using the merge method. You can also use the create method to bind a Portal access profile to the authentication profile.

Table 2-761 Binding a Portal access profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Data Requirement

Table 2-762 Binding a Portal access profile to the authentication profile

Item

Data

Description

portal-access-profile

portal_access_profile

Bind the Portal access profile portal_access_profile to the authentication profile authen_pro.

The Portal access profile must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <portal-access-profile>portal_access_profile</portal-access-profile>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="48">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/portal-access-profile</error-info>
  </rpc-error>
</rpc-reply>

Binding an Authentication-Free Rule Profile to the Authentication Profile

This section provides a sample of binding an authentication-free rule profile to the authentication profile using the merge method. You can also use the create method to bind an authentication-free rule profile to the authentication profile.

Table 2-763 Binding an authentication-free rule profile to the authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/free-rule-profile

Data Requirement

Table 2-764 Binding an authentication-free rule profile to the authentication profile

Item

Data

Description

free-rule-profile

default_free_rule

Bind the authentication-free rule profile default_free_rule to the authentication profile authen_pro.

The authentication-free rule profile must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>authen_pro</name>
        <free-rule-profile>default_free_rule</free-rule-profile>
      </authentication-profile>
    </nac-access>
  </config>
</edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="50">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/free-rule-profile</error-info>
  </rpc-error>
</rpc-reply>

Configuring a Forcible Domain Based on the Access Type

This section provides a sample of configuring a forcible domain based on the access type using the merge method. You can also use the create method to configure a forcible domain based on the access type.

Table 2-765 Configuring a forcible domain based on the access type

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Data Requirement

Table 2-766 Configuring a forcible domain based on the access type

Item

Data

Description

domain-name

domain2

Configure a forcible domain based on the access type.

The domain must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain2</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <force-domain>
      <access-force-domain>
       <access-type>dot1x</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>mac</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
      <access-force-domain>
       <access-type>portal</access-type>
       <domain-name>domain2</domain-name>
      </access-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="51">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/force-domain/access-force-domain[access-type="dot1x"]/domain-name</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Default Domain Based on the Access Type

This section provides a sample of configuring the default domain based on the access type using the merge method. You can also use the create method to configure the default domain based on the access type.

Table 2-767 Configuring the default domain based on the access type

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Data Requirement

Table 2-768 Configuring the default domain based on the access type

Item

Data

Description

domain-name

domain2

Configure the default domain based on the access type.

The domain must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
      <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>domain2</name>
        <vsys>public</vsys>
      </aaa-domain>
    </aaa>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>authen_pro</name>
        <default-domain>
          <access-default-domain>
            <access-type>dot1x</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
          <access-default-domain>
            <access-type>mac</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
          <access-default-domain>
            <access-type>portal</access-type>
            <domain-name>domain2</domain-name>
          </access-default-domain>
        </default-domain>
      </authentication-profile>
    </nac-access>
  </config>
</edit-config>
<rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="52">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/default-domain/access-default-domain[access-type="dot1x"]/domain-name</error-info>
  </rpc-error>
</rpc-reply>

Configuring a Forcible Domain

This section provides a sample of configuring a forcible domain using the remove method.

Table 2-769 Configuring a forcible domain

Operation

XPATH

edit-config:remove

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Data Requirement

Table 2-770 Configuring a forcible domain

Item

Data

Description

domain-name

domain1

Configure a forcible domain.

The domain must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <name>authen_pro</name>
     <force-domain>
      <default-force-domain>domain1</default-force-domain>
     </force-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="54">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo  access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/force-domain/default-force-domain</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Default Domain

This section provides a sample of configuring the default domain using the merge method. You can also use the create method to configure the default domain.

Table 2-771 Configuring the default domain

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Data Requirement

Table 2-772 Configuring the default domain

Item

Data

Description

default-default-domain

domain1

Configure the default domain.

The domain must exist on the switch.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <aaa-domain xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>domain1</name>
     <vsys>ads</vsys>
    </aaa-domain>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen</name>
     <default-domain>
      <default-default-domain>domain1</default-default-domain>
     </default-domain>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="55">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>config/undo  access domain failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/default-domain/default-default-domain</error-info>
  </rpc-error>
</rpc-reply>

Configuring the User Access Mode

This section provides a sample of configuring the user access mode using the merge method. You can also use the create method to configure the user access mode.

Table 2-773 Configuring the user access mode

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Data Requirement

Table 2-774 Configuring the user access mode

Item

Data

Description

name

lsw_auth

Set the user access mode to multi-share.

The authentication profile must exist on the switch.

mode

multi-share

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>lsw_auth</name>
          <authentication-mode-parameters xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <mode>multi-share</mode>
          </authentication-mode-parameters>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="56">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Configuring Network Access Rights for Users in Each Phase Before Authentication

This section provides a sample of configuring network access rights for users in each phase before authentication using the merge method. You can also use the create method to configure network access rights for users in each phase before authentication.

Table 2-775 Configuring network access rights for users in each phase before authentication

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/response-fail

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/vlan-id

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/service-scheme

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/ucl-group

Data Requirement

Table 2-776 Configuring network access rights for users in each phase before authentication

Item

Data

Description

name

authen_pro

Configure network access rights for users in each phase before authentication.

authentication-event

pre-authen

authen-fail

authen-server-down

vlan-id 1200

1200

response-fail

true

service-scheme

lsw_service

ucl-group

lsw_ucl

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>authen_pro</name>
          <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>pre-authen</authentication-event>
            <vlan-id>1200</vlan-id>
          </authorize-of-authentication-event>
    <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>authen-fail</authentication-event>
   <response-fail>true</response-fail>
            <service-scheme>lsw_service</service-scheme>
          </authorize-of-authentication-event>
    <authorize-of-authentication-event xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <authentication-event>authen-server-down</authentication-event>
   <response-fail>true</response-fail>
            <ucl-group>lsw_ucl</ucl-group>
          </authorize-of-authentication-event>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="57">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Authorize event failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/authorize-of-authentication-event[authentication-event="authen-fail"]</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Function of Allowing Voice Terminals to Go Online Without Authentication

This section provides a sample of configuring the function of allowing voice terminals to go online without authentication using the merge method. You can also use the create method to configure the function of allowing voice terminals to go online without authentication.

Table 2-777 Configuring the function of allowing voice terminals to go online without authentication

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/device-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/service-scheme

Data Requirement

Table 2-778 Configuring the function of allowing voice terminals to go online without authentication

Item

Data

Description

name

authen_pro

Configure the function of allowing voice terminals to go online without authentication. The service scheme must exist on the switch.

device-type

voice

service-scheme

lsw_service

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <aaa xmlns="urn:huawei:params:xml:ns:yang:huawei-aaa">
    <service-scheme xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>lsw_service</name>
     <vsys>asd</vsys>
    </service-scheme>
   </aaa>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>authen_pro</name>
     <authorize-of-device>
      <device-type>voice</device-type>
      <service-scheme>lsw_service</service-scheme>
     </authorize-of-device>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="58">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>bind authen profile failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="authen_pro"]/authorize-of-device[device-type="voice"]</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Maximum Number of Access Users Allowed on the Interface in Multi-Authen Mode

This section provides a sample of configuring the maximum number of access users allowed on the interface in multi-authen mode using the merge method. You can also use the create method to configure the maximum number of access users allowed on the interface in multi-authen mode.

Table 2-779 Configuring the maximum number of access users allowed on the interface in multi-authen mode

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/max-user-num

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/access-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/default-max-user-num

Data Requirement

Table 2-780 Configuring the maximum number of access users allowed on the interface in multi-authen mode

Item

Data

Description

name

lsw_auth

Configure the maximum number of access users allowed on the interface in multi-authen mode.

mac

200

dot1x

210

portal

220

default-max-user-num

1000

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
        <authentication-profile>
          <name>lsw_auth</name>
          <authentication-mode-parameters xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <mode>multi-authen</mode>
            <user-num xc:operation="merge">
              <access-type xc:operation="merge">mac</access-type>
              <max-user-num xc:operation="merge">200</max-user-num>
            </user-num>
             <user-num xc:operation="merge">
              <access-type xc:operation="merge">dot1x</access-type>
              <max-user-num xc:operation="merge">210</max-user-num>
            </user-num>
             <user-num xc:operation="merge">
              <access-type xc:operation="merge">portal</access-type>
              <max-user-num xc:operation="merge">220</max-user-num>
            </user-num>
              <default-max-user-num>1000</default-max-user-num>
          </authentication-mode-parameters>
        </authentication-profile>
      </nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="61">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Authorize mode multi-authen failed</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="lsw_auth"]/authentication-mode-parameters/user-num[access-type="mac"]/max-user-num</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Switch to Re-authenticate Users When the Authentication Server Changes from Down to Up

This section provides a sample of configuring the switch to re-authenticate users when the authentication server changes from Down to Up using the merge method. You can also use the create method to configure the switch to re-authenticate users when the authentication server changes from Down to Up.

Table 2-781 Configuring the switch to re-authenticate users when the authentication server changes from Down to Up

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Data Requirement

Table 2-782 Configuring the switch to re-authenticate users when the authentication server changes from Down to Up

Item

Data

Description

name

lsw_auth

Configure the switch to re-authenticate users when the authentication server changes from Down to Up.

re-authen-trigger-event

authen-server-up

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <name>lsw_auth</name>
     <re-authen-trigger-event>authen-server-up</re-authen-trigger-event>
    </authentication-profile>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Disabling the Pre-connection Function

This section provides a sample of disabling the pre-connection function using the merge method. You can also use the create method to disable the pre-connection function.

Table 2-783 Disabling the pre-connection function

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/pre-authen-access

Data Requirement

Table 2-784 Disabling the pre-connection function

Item

Data

Description

pre-authen-access

false

Disable the pre-connection function.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
    <pre-authen-access xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">false</pre-authen-access>
   </nac-access>
  </config>
 </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
 <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Binding the Authentication Profile to an Interface

This section provides a sample of binding the authentication profile to an interface using the merge method. You can also use the create method to bind the authentication profile to an interface.

Table 2-785 Binding the authentication profile to an interface

Operation

XPATH

edit-config:merge

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Data Requirement

Table 2-786 Binding the authentication profile to an interface

Item

Data

Description

interface name

GigabitEthernet1/0/1

Bind the authentication profile lzl to GigabitEthernet1/0/1.

authentication-profile-name

lzl

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target>
    <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
    <nac-access xmlns="urn:huawei:params:xml:ns:yang:huawei-nac">
      <authentication-profile xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <name>lzl</name>
      </authentication-profile>
    </nac-access>
    <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <if:interface xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
        <if:name>GigabitEthernet1/0/1</if:name>
        <if:type xmlns:iana-if-type="urn:ietf:params:xml:ns:yang:iana-if-type">iana-if-type:ethernetCsmacd</if:type>
        <hw-nac:authentication-profile xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
          <hw-nac:authentication-profile-name>lzl</hw-nac:authentication-profile-name>
        </hw-nac:authentication-profile>
      </if:interface>
    </if:interfaces>
  </config>
</edit-config>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>invalid-value</error-tag>
  <error-severity>error</error-severity>
  <error-message>The request specifies an unacceptable value for one or more parameters.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the Device to Allow Users to Access in Only One Authentication Mode

This section provides a sample of configuring the device to allow users to access in only one authentication mode using the merge method.

Table 2-787 Configuring the device to allow users to access in only one authentication mode

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/single-access

Data Requirements

Table 2-788 Configuring the device to allow users to access in only one authentication mode

Item

Data

Description

name

p1

Configure the authentication profile named p1.

single-access

true

Configure the device to allow users to access in only one authentication mode.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:single-access>true</hw-nac:single-access>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/authentication-profile[name='xuan']/single-access</error-path>
    <error-message>parse rpc config error.(Invalid value "we" in "single-access" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Domain Name Resolution Scheme

This section provides a sample of configuring a domain name resolution scheme using the merge method.

Table 2-789 Configuring a domain name resolution scheme

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/security-name-delimiter

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-delimiter

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-direction

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-location

Data Requirements

Table 2-790 Configuring a domain name resolution scheme

Item

Data

Description

name

p1

Configure the authentication profile named p1.

security-name-delimiter

\

Configure the security string delimiter.

domain-name-delimiter

/

Configure the domain name delimiter.

domain-name-direction

left-to-right

Set the domain name resolution direction to left-to-right.

domain-name-location

after-delimiter

Set the domain name location to after-delimiter.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:domain-name-parameters>
            <hw-nac:security-name-delimiter>\</hw-nac:security-name-delimiter>
            <hw-nac:domain-name-delimiter>/</hw-nac:domain-name-delimiter>
            <hw-nac:domain-name-direction>left-to-right</hw-nac:domain-name-direction>
            <hw-nac:domain-name-location>after-delimiter</hw-nac:domain-name-location>
          </hw-nac:domain-name-parameters>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Unrecognized information.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuan"]/domain-name-parameters/domain-name-delimiter</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Interval for Re-authenticating Pre-connection Users

This section provides a sample of configuring the interval for re-authenticating pre-connection users using the merge method.

Table 2-791 Configuring the interval for re-authenticating pre-connection users

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/pre-authen

Data Requirements

Table 2-792 Configuring the interval for re-authenticating pre-connection users

Item

Data

Description

name

p1

Configure the authentication profile named p1.

pre-authen

40

Set the interval for re-authenticating pre-connection users to 40 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:re-authen-period>
              <hw-nac:pre-authen>40</hw-nac:pre-authen>
            </hw-nac:re-authen-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuan"]/timer/re-authen-period/pre-authen</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Interval for Re-authenticating Users Who Fail to be Authenticated

This section provides a sample of configuring the interval for re-authenticating users who fail to be authenticated using the merge method.

Table 2-793 Configuring the interval for re-authenticating users who fail to be authenticated

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail

Data Requirements

Table 2-794 Configuring the interval for re-authenticating users who fail to be authenticated

Item

Data

Description

name

p1

Configure the authentication profile named p1.

authen-fail

200

Set the interval for re-authenticating users who fail to be authenticated to 200 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:re-authen-period>
              <hw-nac:authen-fail>200</hw-nac:authen-fail>
            </hw-nac:re-authen-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuan"]/timer/re-authen-period/authen-fail</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Aging Time for Pre-connection User Entries

This section provides a sample of configuring the aging time for pre-connection user entries using the merge method.

Table 2-795 Configuring the aging time for pre-connection user entries

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/pre-authen

Data Requirements

Table 2-796 Configuring the aging time for pre-connection user entries

Item

Data

Description

name

p1

Configure the authentication profile named p1.

pre-authen

1000

Set the aging time for pre-connection user entries to 1000 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:aging-period>
              <hw-nac:pre-authen>1000</hw-nac:pre-authen>
            </hw-nac:aging-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuan"]/timer/aging-period/pre-authen</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Aging Time for Entries of the Users Who Fail to be Authenticated

This section provides a sample of configuring the aging time for entries of the users who fail to be authenticated using the merge method.

Table 2-797 Configuring the aging time for entries of the users who fail to be authenticated

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/authen-fail

Data Requirements

Table 2-798 Configuring the aging time for entries of the users who fail to be authenticated

Item

Data

Description

name

p1

Configure the authentication profile named p1.

authen-fail

1000

Set the aging time for entries of the users who fail to be authenticated to 1000 seconds.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:timer>
            <hw-nac:aging-period>
              <hw-nac:authen-fail>1000</hw-nac:authen-fail>
            </hw-nac:aging-period>
          </hw-nac:timer>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="19">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuan"]/timer/aging-period/authen-fail</error-info>
  </rpc-error>
</rpc-reply>

Configuring a Device to Send Accounting Packets for Address Updating

This section provides a sample of configuring a device to send accounting packets for address updating using the merge method.

Table 2-799 Configuring a device to send accounting packets for address updating

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/update-ip-accounting

Data Requirements

Table 2-800 Configuring a device to send accounting packets for address updating

Item

Data

Description

name

p1

Configure the authentication profile named p1.

update-ip-accounting

true

Configure a device to send accounting packets for address updating.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:realtime-accounting-trigger xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:update-ip-accounting>true</hw-nac:update-ip-accounting>
          </hw-nac:realtime-accounting-trigger>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/authentication-profile[name='xuandong']/realtime-accounting-trigger/update-ip-accounting</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "update-ip-accounting" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring a Device to Send Accounting Packets for Roaming

This section provides a sample of configuring a device to send accounting packets for roaming using the merge method.

Table 2-801 Configuring a device to send accounting packets for roaming

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/roam-accounting

Data Requirements

Table 2-802 Configuring a device to send accounting packets for roaming

Item

Data

Description

name

p1

Configure the authentication profile named p1.

roam-accounting

true

Configure a device to send accounting packets for roaming.

Request Example

<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:realtime-accounting-trigger xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:roam-accounting>true</hw-nac:roam-accounting>
          </hw-nac:realtime-accounting-trigger>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/authentication-profile[name='xuandong']/realtime-accounting-trigger/roam-accounting</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "roam-accounting" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring Permitted Domains for WLAN Users

This section provides a sample of configuring permitted domains for WLAN users using the merge method.

Table 2-803 Configuring permitted domains for WLAN users

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/permit-domain-list/domain

Data Requirements

Table 2-804 Configuring permitted domains for WLAN users

Item

Data

Description

name

p1

Configure the authentication profile named p1.

domain

d1

Configure permitted domains for WLAN users.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:permit-domain-list>
            <hw-nac:domain>d1</hw-nac:domain>
          </hw-nac:permit-domain-list>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuandong"]/permit-domain-list</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Maximum Number of Authenticated Users Allowed in an Authentication Profile

This section provides a sample of Configuring the maximum number of authenticated users allowed in an authentication profile using the merge method.

Table 2-805 Configuring the maximum number of authenticated users allowed in an authentication profile

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/WLAN-max-user-num

Data Requirements

Table 2-806 Configuring the maximum number of authenticated users allowed in an authentication profile

Item

Data

Description

name

p1

Configure the authentication profile named p1.

WLAN-max-user-num

100

Set the maximum number of authenticated users allowed in an authentication profile to 100.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>p1</hw-nac:name>
          <hw-nac:WLAN-max-user-num>100</hw-nac:WLAN-max-user-num>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="11">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="xuandong"]/WLAN-max-user-num</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Device to Dynamically Adjust the Rate of Packets From NAC Users

This section provides a sample of configuring the device to dynamically adjust the rate of packets from NAC users using the merge method.

Table 2-807 Configuring the device to dynamically adjust the rate of packets from NAC users

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/speed-limit-auto

Data Requirements

Table 2-808 Configuring the device to dynamically adjust the rate of packets from NAC users

Item

Data

Description

speed-limit-auto

true

Configure the device to dynamically adjust the rate of packets from NAC users.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:speed-limit-auto>true</hw-nac:speed-limit-auto>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="20">
 <rpc-error>
  <error-type>application</error-type>
  <error-tag>operation-failed</error-tag>
  <error-severity>error</error-severity>
  <error-message>parse configuration error.</error-message>
 </rpc-error>
</rpc-reply>

Configuring the Bandwidth Share Mode

This section provides a sample of configuring the bandwidth share mode using the merge method.

Table 2-809 Configuring the bandwidth share mode

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/band-width

Data Requirements

Table 2-810 Configuring the bandwidth share mode

Item

Data

Description

band-width

true

Configure the bandwidth share mode.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:band-width>true</hw-nac:band-width>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/band-width</error-path>
    <error-message>parse rpc config error.(Invalid value "error" in "band-width" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the Default Source IP Address of Offline Detection Packets

This section provides a sample of configuring the default source IP address of offline detection packets using the merge method.

Table 2-811 Configuring the default source IP address of offline detection packets

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/default-detect-ip

Data Requirements

Table 2-812 Configuring the default source IP address of offline detection packets

Item

Data

Description

default-detect-ip

0.0.0.0

Set the default source IP address of offline detection packets to 0.0.0.0.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:arp-detect xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-nac:default-detect-ip>0.0.0.0</hw-nac:default-detect-ip>
        </hw-nac:arp-detect>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> Invalid IP address.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/arp-detect/default-detect-ip</error-info>
  </rpc-error>
</rpc-reply>

Configuring the Source IP Address and Source MAC Address of Offline Detection Packets in a VLAN

This section provides a sample of configuring the source IP address and source MAC address of offline detection packets in a VLAN using the merge method.

Table 2-813 Configuring the source IP address and source MAC address of offline detection packets in a VLAN

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/vlan

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/ip

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/mac

Data Requirements

Table 2-814 Configuring the source IP address and source MAC address of offline detection packets in a VLAN

Item

Data

Description

vlan

1

Set the VLAN ID to VLAN 1.

ip

192.168.1.1

Set the IP address to 192.168.1.1.

mac

00e0-fc12-3456

Set the MAC address to 00e0-fc12-3456.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:arp-detect>
          <hw-nac:detect-source>
            <hw-nac:detect-source-item xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
              <hw-nac:vlan>1</hw-nac:vlan>
              <hw-nac:ip>192.168.1.1</hw-nac:ip>
              <hw-nac:mac>00e0-fc12-3456</hw-nac:mac>
            </hw-nac:detect-source-item>
          </hw-nac:detect-source>
        </hw-nac:arp-detect>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>Target datastore cannot be configured.</error-message>
  </rpc-error>
</rpc-reply>

Configuring MAC Address Migration

This section provides a sample of configuring MAC address migration using the merge method.

Table 2-815 Configuring MAC address migration

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/all-vlan/all

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/begin

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/end

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/enable

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/interval

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/times

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-period

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-times

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-log-function/enable

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/enable

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/lower-threshold-percentage

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/upper-threshold-percentage

Data Requirements

Table 2-816 Configuring MAC address migration

Item

Data

Description

all

all

Configure all the VLANs.

begin

2

Set the start VLAN ID to VLAN 2.

end

3

Set the end VLAN ID to VLAN 3.

enable

true

Enable MAC address migration.

interval

5

Set the interval at which a device detects users' online status before user MAC address migration to 5 seconds.

times

3

Set the maximum number of detections before user MAC address migration to 3.

quiet-period

100

Set the period that MAC address migration users stay in the quiet state to 100 seconds.

quiet-times

10

Set the number of times that MAC address migration users are allowed to migrate their MAC addresses within 60 seconds before the device quiets the users to 10.

lower-threshold-percentage

10

Set the lower alarm threshold for the percentage of MAC address migration users in quiet state to 10.

upper-threshold-percentage

20

Set the upper alarm threshold for the percentage of MAC address migration users in quiet state to 20.

Request Example

# Enable MAC address migration in all VLANs.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:all>all</hw-nac:all>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Enable MAC address migration in a specified VLAN.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:vlan>
            <hw-nac:range>
              <hw-nac:begin>2</hw-nac:begin>
              <hw-nac:end>3</hw-nac:end>
            </hw-nac:range>
          </hw-nac:vlan>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure a device to detect users' online status before user MAC address migration.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:detect-function xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:enable>true</hw-nac:enable>
            <hw-nac:interval>5</hw-nac:interval>
            <hw-nac:times>3</hw-nac:times>
          </hw-nac:detect-function>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Enable the MAC address migration quiet function.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:quiet-function xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:quiet-period>100</hw-nac:quiet-period>
            <hw-nac:quiet-times>10</hw-nac:quiet-times>
          </hw-nac:quiet-function>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Enable the device to record logs about MAC address migration quiet.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:quiet-log-function xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <hw-nac:enable>true</hw-nac:enable>
          </hw-nac:quiet-log-function>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Enable the device to send alarms about MAC address migration quiet.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:quiet-alarm-function>
            <hw-nac:enable>true</hw-nac:enable>
          </hw-nac:quiet-alarm-function>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

# Configure the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state.

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:mac-move>
          <hw-nac:quiet-alarm-function>
            <hw-nac:lower-threshold-percentage>10</hw-nac:lower-threshold-percentage>
            <hw-nac:upper-threshold-percentage>20</hw-nac:upper-threshold-percentage>
          </hw-nac:quiet-alarm-function>
        </hw-nac:mac-move>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> The VLAN list is invalid.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/mac-move/vlan/range[begin="100"]</error-info>
  </rpc-error>
</rpc-reply>

Configuring not to Log Out Users When an Interface Link Is Faulty

This section provides a sample of configuring not to log out users when an interface link is faulty using the merge method.

Table 2-817 Configuring not to log out users when an interface link is faulty

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/unlimited

Data Requirements

Table 2-818 Configuring not to log out users when an interface link is faulty

Item

Data

Description

unlimited

true

-

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>firstgo</hw-nac:name>
          <hw-nac:link-down-offline-parameters>
            <hw-nac:unlimited>true</hw-nac:unlimited>
          </hw-nac:link-down-offline-parameters>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/huawei-nac:nac-access/authentication-profile[name='firstgo']/link-down-offline-parameters/unlimited</error-path>
    <error-message>parse rpc config error.(Invalid value "lass" in "unlimited" element.).</error-message>
  </rpc-error>
</rpc-reply>

Configuring the User Logout Delay When an Interface Link Is Faulty

This section provides a sample of configuring the user logout delay when an interface link is faulty using the merge method.

Table 2-819 Configuring the user logout delay when an interface link is faulty

Operation

XPATH

edit-config:merge

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/delay-time

Data Requirements

Table 2-820 Configuring the user logout delay when an interface link is faulty

Item

Data

Description

delay-time

45

-

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-nac:nac-access xmlns:hw-nac="urn:huawei:params:xml:ns:yang:huawei-nac">
        <hw-nac:authentication-profile>
          <hw-nac:name>firstgo</hw-nac:name>
          <hw-nac:link-down-offline-parameters>
            <hw-nac:delay-time>45</hw-nac:delay-time>
          </hw-nac:link-down-offline-parameters>
        </hw-nac:authentication-profile>
      </hw-nac:nac-access>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
 <ok/>
</rpc-reply>

Sample of failed response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong parameter.</error-message>
    <error-info>Error on node /huawei-nac:nac-access/authentication-profile[name="firstgo"]/link-down-offline-parameters</error-info>
  </rpc-error>
</rpc-reply>

Configuring mDNS-based Terminal Type Identification

This section describes the configuration model of mDNS-based terminal type identification and provides examples of XML packets.

Data Model

The configuration model file matching mDNS-based terminal type identification is huawei-mdns-snooping.yang.

Table 2-821 Data model

Object

Description

Value

Remarks

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-mdns-snooping:mdns-snooping/huawei-mdns-snooping:snooping-enable

Whether the mDNS snooping function is enabled to identify the IP address, MAC address, and service name of a terminal based on information in mDNS packets sent by the terminal.

The value is of the Boolean type:

  • true: The function is enabled.

  • false: The function is disabled.

N/A

/huawei-mdns-snooping:mdns-snooping/vlans/vlan/snooping-enable

Whether the mDNS snooping function is enabled to identify the IP address, MAC address, and service name of a terminal based on information in mDNS packets sent by the terminal.

The value is of the Boolean type:

  • true: The function is enabled.

  • false: The function is disabled.

N/A

Configuring mDNS-based Terminal Type Identification

This section provides a sample of configuring mDNS-based terminal type identification using the merge method. You can also use the create method to configure this function.

Table 2-822 Configuring mDNS-based terminal type identification

Operation

XPATH

edit-config:merge

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-mdns-snooping:mdns-snooping/huawei-mdns-snooping:snooping-enable

Data Requirements

Table 2-823 Configuring mDNS-based terminal type identification

Item

Data

Description

mDNS snooping function

true

Enable the mDNS snooping function.

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running />
    </target>
    <config xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xmlns:hw-mdns-snooping="urn:huawei:yang:huawei-mdns-snooping">
        <interface>
          <name>GigabitEthernet1/0/1</name>
          <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:ethernetCsmacd</type>
          <hw-mdns-snooping:mdns-snooping ns0:operation="merge">
            <hw-mdns-snooping:snooping-enable>true</hw-mdns-snooping:snooping-enable>
          </hw-mdns-snooping:mdns-snooping>
        </interface>
      </interfaces>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Unrecognized information.</error-message>
    <error-info>Error on node /ietf-interfaces:interfaces/interface[name="GigabitEthernet1/0/10"]/huawei-mdns-snooping:mdns-snooping/snooping-enable</error-info>
  </rpc-error>
</rpc-reply>

Configuring DNS Snooping

This section describes the configuration model of DNS snooping and provides examples of XML packets.

Data Model

The configuration model files of DNS snooping are huawei-mdns-snooping.yang and huawei-dns-snooping.yang.

Table 2-824 Data model

Object

Description

Value

Remarks

/if:interfaces/if:interface/huawei-dns-snooping:dns-snooping/huawei-dns-snooping:snooping-enable

Indicates whether to enable DNS snooping. After this function is enabled, the device parses the received DNS response packets to obtain IP addresses and generates mappings between the IP addresses and domain names.

The value is of the Boolean type:

  • true: The function is enabled.

  • false: The function is disabled.

N/A

/huawei-dns-snooping:dns-snooping/huawei-dns-snooping:global/huawei-dns-snooping:ttl-delay-time

Specifies the delay in aging DNS snooping IP address and domain name entries.

The value is an integer in the range from 0 to 43200, in minutes. The default value is 5760 minutes.

/huawei-dns-snooping:dns-snooping/global/server-ip-addresss/ip-address

Specifies the IP address of a DNS server.

The value is in dotted decimal notation.

N/A

Configuring DNS Snooping

This section provides a sample of configuring DNS snooping using the merge method. You can also use the create method to configure DNS snooping.

Table 2-825 Configuring DNS snooping

Operation

XPATH

edit-config:merge

/if:interfaces/if:interface/huawei-dns-snooping:dns-snooping

Data Requirements

Table 2-826 Configuring DNS snooping

Item

Data

Description

Whether to enable DNS snooping

true

Enable DNS snooping.

Delay in aging DNS snooping IP address and domain name entries.

5700

Set the delay in aging IP address and domain name entries to 5700 minutes.

Request Example

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config>
    <target>
      <running />
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xmlns:hw-dns-snooping="urn:huawei:yang:huawei-dns-snooping">
        <interface>
          <name>GigabitEthernet1/0/1</name>
          <type xmlns:iana="urn:ietf:params:xml:ns:yang:iana-if-type">iana:ethernetCsmacd</type>
          <hw-dns-snooping:dns-snooping xc:operation="merge">
            <hw-dns-snooping:snooping-enable>true</hw-dns-snooping:snooping-enable>
          </hw-dns-snooping:dns-snooping>
        </interface>
      </interfaces>
      <dns-snooping xmlns="urn:huawei:yang:huawei-dns-snooping">
        <global>
          <ttl-delay-time>5700</ttl-delay-time>
        </global>
      </dns-snooping>
    </config>
  </edit-config>
</rpc>

Response Example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/ietf-interfaces:interfaces/interface[name='GigabitEthernet1/0/1']/huawei-dns-snooping:dns-snooping/snooping-enable</error-path>
    <error-message>parse rpc config error. (Invalid value "true12" in "snooping-enable" element.).</error-message>
  </rpc-error>
</rpc-reply>
Translation
简体中文
Download
Updated: 2022-06-24

Document ID: EDOC1100176413

Views: 43535

Downloads: 17

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :