H3C S5510 Series Command Manual Download Page 42

Page: 42 / 83

Command Manual – AAA&RADIUS&HWTACACS
H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACACS

Configuration Commands

1-39

when the switch serves as a RADIUS authentication server, it can support at most
16 network access servers simultaneously to provide authentication.

Related command:

radius scheme

and

state

Example

# Create a network access server granted by the RADIUS authentication server with an
IP address of 10.110.1.2 and a shared key of aabbcc.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

1.2.8 local-server nas-ip

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Parameter

nas-ip ip-address

: Sets the IP address, represented in dotted decimal notation, of the

network access server allowed by the local RADIUS server.

key password

: Sets the shared key, a string of up to 16 characters, of the local server.

Description

Use the

local-server nas-ip

command to configure the related parameters of the local

RADIUS server.

Use the

undo local-server nas-ip

command to remove a local RADIUS server

configured.

By default, the system has created a local RADIUS server with 127.0.0.1 as NAS-IP
address and a null string as shared key.

Note that:

When the local RADIUS authentication server function is used, the UDP port
number used for authentication/authorization must be 1645 and that for
accounting must be 1646.

The shared key configured with this command and that configured with the

key

{

accounting

authentication

} command in RADIUS scheme view for

authentication/authorization or accounting packets must be the same.

The device supports up to 16 local RADIUS authentication servers.

Summary of Contents for S5510 Series

Page 1: ...fault 1 11 1 1 12 authorization lan access 1 13 1 1 13 authorization login 1 14 1 1 14 cut connection 1 15 1 1 15 display connection 1 16 1 1 16 display domain 1 17 1 1 17 display local user 1 19 1 1...

Page 2: ...type 1 54 1 2 25 state 1 55 1 2 26 stop accounting buffer enable 1 56 1 2 27 timer quiet 1 57 1 2 28 timer realtime accounting 1 58 1 2 29 timer response timeout 1 59 1 2 30 user name format 1 60 1 3...

Page 3: ...Command Manual AAA RADIUS HWTACACS H3C S3610 S5510 Series Ethernet Switches Table of Contents iii 1 3 19 timer realtime accounting 1 78 1 3 20 timer response timeout 1 79 1 3 21 user name format 1 79...

Page 4: ...n Where max user number ranges from 1 to 1024 Description Use the access limit command to set the maximum number of access users that can be contained in current ISP domain Use the undo access limit c...

Page 5: ...accounting scheme for all users By default the local scheme is configured It should be noted that z The accounting scheme configured by the accounting default command is applicable to all users The p...

Page 6: ...e system view System View return to User View with Ctrl Z Sysname domain system Sysname isp system undo accounting default 1 1 3 accounting lan access Syntax accounting lan access radius scheme radius...

Page 7: ...main named system remove the accounting scheme for the lan access user Sysname system view System View return to User View with Ctrl Z Sysname domain system Sysname isp system undo accounting lan acce...

Page 8: ...y configured Related command radius scheme Sysname system view System View return to User View with Ctrl Z Sysname domain system Sysname isp system accounting login radius scheme rd local In the defau...

Page 9: ...Sysname isp aabbcc net accounting optional 1 1 6 attribute Syntax attribute ip ip address mac mac address idle cut minute access limit max user number vlan vlan id location nas ip ip address port por...

Page 10: ...is lan access Use the undo attribute command to cancel attribute settings of the user Related command display local user Example Set the IP address of user1 to 10 110 50 1 Sysname system view System...

Page 11: ...r View with Ctrl Z Sysname domain system Sysname isp system authentication default local In the default ISP domain named system configure radius as the default authentication scheme named rd for all u...

Page 12: ...rn to User View with Ctrl Z Sysname domain system Sysname isp system authentication lan access local In the default ISP domain named system configure radius as the default authentication named rd for...

Page 13: ...fault ISP domain named system configure local as the authentication scheme for the login user Sysname system view System View return to User View with Ctrl Z Sysname domain system Sysname isp system a...

Page 14: ...the authorization scheme for a CLI user Related command authorization default Example In the default ISP domain named system configure HWTACACS as the authorization scheme named hw for the CLI user N...

Page 15: ...procedure RADIUS authorization takes effect when the radius schemes for authentication and authorization are similar In case of failure to all RADIUS authorization the reason returned to NAS is that...

Page 16: ...the default rights Description Use the authorization lan access command to configure authorization for a lan access user Use the undo authorization lan access command to remove authorization for a la...

Page 17: ...on login View ISP domain view Parameter radius scheme name Name of RADIUS scheme a string not exceeding 32 characters hwtacacs scheme name Name of HWTACACS scheme a string not exceeding 32 characters...

Page 18: ...er ip ip address mac mac address vlan vlan id ucibindex ucib index user name user name View System view Parameter all Cuts down all user connections access type dot1x mac authentication Cuts down user...

Page 19: ...l user connections in the ISP domain named aabbcc net Sysname system view System View return to User View with Ctrl Z Sysname cut connection domain aabbcc net 1 1 15 display connection Syntax display...

Page 20: ...cannot be longer than 55 characters and the whole string cannot be longer than 80 characters Description Use the display connection command to display information about specified or all user connecti...

Page 21: ...e Self service Disable Default Domain Name system Total 1 domain s Table 1 1 Description on the fields of the display domain command Field Description Domain Domain name State State Access Limit Limit...

Page 22: ...re vlan id ranges from 1 to 4094 service type Displays the local users of the specified type You can specify one of the following user types lan access generally this type of users are Ethernet access...

Page 23: ...mand Field Description State State of the local user Active or Block ServiceType ServiceType ftp lan access ssh telnet or terminal Idle Cut State of the idle cut function Access Limit Limit on the num...

Page 24: ...and to create an ISP domain and enter its view or enter the view of an existing ISP domain or configure the default ISP domain Use the undo domain command to delete a specified ISP domain After you ex...

Page 25: ...command first Related command state display domain Example Create a new ISP domain with the name aabbcc net and configure it as the default ISP domain Sysname system view Sysname domain aabbcc net Sys...

Page 26: ...0 Description Use the level command to set the priority level of the user Use the undo level command to restore the default priority level of the user Note that z If the configured authentication meth...

Page 27: ...serA and usera as two different users all Specifies all local users service type Specifies the local users of the specified type You can specify one of the following user types ftp lan access generall...

Page 28: ...command to set the password display mode of all local users Use the undo local user password display mode command to restore the default password display mode of all local users By default the passwor...

Page 29: ...24 32 44 56 64 76 88 characters such as_ TT8F Y 5SQ Q MAF4 1 Description Use the password command to set a password for the local user Use the undo password command to cancel the password of the local...

Page 30: ...es A server installed with the self service software is called a self service server z After this command is executed on the switch users can locate the self service server through the following opera...

Page 31: ...hrough the Console port level level Specifies the level of the Telnet terminal or SSH user Where level is an integer ranging from 0 to 3 and defaulting to 0 Description Use the service type command to...

Page 32: ...r with FTP server type Sysname system view System View return to User View with Ctrl Z Sysname local user user1 Sysname luser user1 service type ftp 1 1 28 state Syntax state active block View ISP dom...

Page 33: ...aabbcc net Sysname isp aabbcc net state block Set user1 to the block state Sysname system view Sysname local user user1 Sysname luser user1 state block 1 2 RADIUS Configuration Commands 1 2 1 data flo...

Page 34: ...s Example Specify to measure data and packets in data flows sent to RADIUS server in kilobytes and kilo packets respectively Sysname system view System View return to User View with Ctrl Z Sysname rad...

Page 35: ...ion packets received Auth Send Number of authentication packets sent Acct Receive Number of accounting packets received Acct Send Number of accounting packets sent 1 2 3 display radius Syntax display...

Page 36: ...RADIUS scheme Index Index number of the RADIUS scheme Type Type of the RADIUS servers Primary Auth IP Port State IP address access port status of the primary authentication server Primary Acct IP Port...

Page 37: ...s a total of one RADIUS scheme 1 2 4 display radius statistics Syntax display radius statistics View Any view Parameter None Description Use the display radius statistics command to display the statis...

Page 38: ...r Num 0 Err 0 Succ 0 PKT response Num 2 Err 0 Succ 2 EAP reauth_request Num 0 Err 0 Succ 0 PORTAL access Num 0 Err 0 Succ 0 Update ack Num 0 Err 0 Succ 0 PORTAL access ack Num 0 Err 0 Succ 0 Session c...

Page 39: ...g requests from the start time to the end time user name user name Displays the buffered stop accounting requests of the specified user Where user name is a character string of up to 80 characters Des...

Page 40: ...rs Description Use the key command to set a shared key for the RADIUS authentication authorization packets or accounting packets Use the undo key command to restore the corresponding default shared ke...

Page 41: ...tion server By default a local RADIUS authentication server with NAS IP 127 0 0 1 has already been created Note that z The switch not only supports the traditional RADIUS client service to accomplish...

Page 42: ...epresented in dotted decimal notation of the network access server allowed by the local RADIUS server key password Sets the shared key a string of up to 16 characters of the local server Description U...

Page 43: ...l zero address class D address or loopback address Description Use the nas ip command to set the source IP address used by the switch to send RADIUS packets Use the undo nas ip command to remove the s...

Page 44: ...rt for accounting service is 1813 Description Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server Use the undo primary accounting command t...

Page 45: ...DP port number as 1646 for a newly defined RADIUS scheme the IP address of the primary accounting server is 127 0 0 1 and UDP port number is 1812 Note that z After creating a new RADIUS scheme you sho...

Page 46: ...client port Use the undo radius client command to disable the RADIUS client port By default a RADIUS client port is enabled Note that z After the RADIUS client port is disabled for online users Accoun...

Page 47: ...address used by the switch to send RADIUS packets Use the undo radius nas ip command to restore the default setting By default no source IP address is specified and the IP address of the outbound inte...

Page 48: ...display radius keywords you are not recommended to define radius scheme name as statistics or the first several characters Description Use the radius scheme command to create a RADIUS scheme and ente...

Page 49: ...ntication server down undo radius trap accounting server down authentication server down View System view Parameter accounting server down Enables sending traps when the RADIUS accounting server gives...

Page 50: ...nse Sysname system view Sysname radius trap accounting server down Disable sending traps when the RADIUS accounting server gives no response Sysname undo radius trap accounting server down 1 2 16 rese...

Page 51: ...e This name is a character string of up to 32 characters session id session id Deletes the buffered stop accounting requests depending on the specified session ID Where session id is a character strin...

Page 52: ...ion attempts Use the undo retry command to restore maximum number of RADIUS packet transmission attempts to the default value By default the maximum number of RADIUS packet transmission attempts is 3...

Page 53: ...to restore the default maximum number of real time accounting request attempts By default the system can allow five real time accounting request attempts at most Note that z Generally the RADIUS serv...

Page 54: ...switch does not receive a response within 3 seconds after it sends out an accounting request it resends the request if the switch continuously sends the accounting request for three times but does not...

Page 55: ...tempts is reached in this case it discards the request z Assume the response timeout timer for the RADIUS server is set to 3 seconds with the timer response timeout command transmission attempts to 5...

Page 56: ...ss and port number of the secondary RADIUS accounting server You are not allowed to assign the same IP address to both primary and secondary accounting servers otherwise unsuccessful operation is prom...

Page 57: ...ry authentication authorization server used by the RADIUS scheme radius1 to 10 110 1 2 and 1812 Sysname system view System View return to User View with Ctrl Z Sysname radius scheme radius1 New Radius...

Page 58: ...imary secondary accounting authentication block active View RADIUS scheme view Parameter primary Specifies the server to be set is a primary RADIUS server secondary Specifies the server to be set is a...

Page 59: ...f the secondary server unchanged z When both the primary and secondary servers are in the active state the switch sends packets only to the primary server Related command radius scheme primary authent...

Page 60: ...hed in this case it discards the request Related command reset stop accounting buffer radius scheme and display stop accounting buffer Example Enable the switch to buffer the stop accounting requests...

Page 61: ...o timer realtime accounting command to restore the default real time accounting interval Note that z To charge the users in real time you should set the interval of real time accounting After the sett...

Page 62: ...S servers ranging from 1 second to 10 seconds Description Use the timer response timeout command to set the response timeout time of RADIUS servers Use the undo timer response timeout command to resto...

Page 63: ...without domain View RADIUS scheme view Parameter with domain Specifies to include ISP domain names in the user names to be sent to RADIUS servers without domain Specifies to exclude ISP domain names...

Page 64: ...r names sent to a RADIUS server in RADIUS scheme radius1 does not carry ISP domain names Sysname system view System View return to User View with Ctrl Z Sysname radius scheme radius1 New Radius scheme...

Page 65: ...view System View return to User View with Ctrl Z Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 data flow format data kilo byte Sysname hwtacacs hwt1 data flow format packet kilo packet 1 3 2 disp...

Page 66: ...c 5 Acct stop PKT retransmit times 100 Domain included Yes Data traffic unit B Packet traffic unit one packet Total 1 HWTACACS scheme s 1 listed Table 1 6 Description on the fields of the display hwta...

Page 67: ...e session id session id time range start time stop time user name user name View Any view Parameter hwtacacs scheme hwtacacs scheme name Displays information on buffered stop accounting requests accor...

Page 68: ...nas ip Syntax hwtacacs nas ip ip address undo hwtacacs nas ip View System view Parameter ip address Specifies a source IP address for the switch which cannot be an all zero address class D address or...

Page 69: ...Z Sysname hwtacacs nas ip 129 10 10 1 1 3 5 hwtacacs scheme Syntax hwtacacs scheme hwtacacs scheme name undo hwtacacs scheme hwtacacs scheme name View System view Parameter hwtacacs scheme name Specif...

Page 70: ...Specifies a shared key for HWTACACS authorization packets string Shared key a string of 1 to 16 characters Description Use the key command to configure a shared key for HWTACACS authentication authori...

Page 71: ...ddress therefore the newly configured source address may overwrite the original one z The nas ip command in HWTACACS scheme view only takes effect for the current HWTACACS scheme while that in system...

Page 72: ...P connections and the removal impacts only packets forwarded afterwards Example Configure a primary accounting server Sysname system view System View return to User View with Ctrl Z Sysname hwtacacs s...

Page 73: ...to User View with Ctrl Z Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 primary authentication 10 163 155 13 49 1 3 10 primary authorization Syntax primary authorization ip address port number und...

Page 74: ...stem View return to User View with Ctrl Z Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 primary authorization 10 163 155 13 49 1 3 11 reset hwtacacs statistics Syntax reset hwtacacs statistics ac...

Page 75: ...range start time stop time Displays information on buffered stop accounting requests according to the request time where start time is the start time of the stop accounting request stop time is the en...

Page 76: ...ure the maximum number of stop accounting request attempts Use the undo retry stop accounting command to restore the default setting By default stop accounting packet retransmission is enabled and has...

Page 77: ...and secondary accounting servers otherwise unsuccessful operation is prompted z If you repeatedly use this command the latest configuration overwrites the previous one z You can remove an accounting s...

Page 78: ...any active TCP connections Related command display hwtacacs Example Configure a secondary authentication server Sysname system view System View return to User View with Ctrl Z Sysname hwtacacs scheme...

Page 79: ...yntax stop accounting buffer enable undo stop accounting buffer enable View HWTACACS scheme view Parameter None Description Use the stop accounting buffer enable command to enable the switch to buffer...

Page 80: ...t1 Sysname hwtacacs hwt1 stop accounting buffer enable 1 3 18 timer quiet Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view Parameter minutes Length of the timer in minutes in the...

Page 81: ...s 12 minutes Note that z Real time accounting interval is necessary for real time accounting After an interval value is set the switch transmits the accounting information of online users to the TACAC...

Page 82: ...the response timer in seconds It ranges from 1 to 300 and defaults to 5 Description Use the timer response timeout command to set the response timeout timer of the TACACS server Use the undo timer re...

Page 83: ...nding ISP domain However some earlier TACACS servers reject the user name including an ISP domain name In this case the user name is sent to the TACACS server after its domain name is removed Accordin...

Search results

Summary of Contents for S5510 Series

Reviews:

Related manuals for S5510 Series

Brands by name

Popular brands

H3C S5510 Series, Command Manual

Search results

Summary of Contents for S5510 Series

Reviews:

Related manuals for S5510 Series

Brands by name

Popular brands