Command Manual – AAA&RADIUS&HWTACACS 
H3C S3610&S5510 Series Ethernet Switches 

Chapter 1  AAA & RADIUS & HWTACACS Configuration Commands


[Sysname-isp-system] authorization lan-access radius-scheme rd local

# In the default ISP domain named system, remove the authorization scheme for the lan-access user.

<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization lan-access

1.1.13  authorization login 

Syntax

authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authorization login

View 

ISP domain view 

Parameter

radius-scheme-name: Name of the RADIUS scheme, a string not exceeding 32 characters.

hwtacacs-scheme-name: Name of the HWTACACS scheme, a string not exceeding 32 characters.

local: Local authorization.

none: Direct authorization. In this case, the user passes the authentication directly, but only has the default rights.

Description

Use the authorization login command to configure authorization for a login user.

Use the undo authorization login command to remove authorization for a login user.

Related command: authorization default

Example

# In the default ISP domain named system, configure local as the authorization scheme for the login user.

<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login local
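As an added example (not from the manual), a small audit script that applies the documented grammar of authorization login to a configuration dump and reports what each ISP domain has configured for login users; the sample dump is constructed here and its layout (a domain line followed by indented commands) is an assumption.

```python
"""Audit the 'authorization login' setting of each ISP domain in an H3C-style
config dump. Added example, not code from the manual: the command grammar is
the one documented above; the sample config is constructed and its layout
(a 'domain NAME' line at column 0, then indented commands) is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# authorization login { radius-scheme NAME [ local ] | hwtacacs-scheme NAME [ local ] | local | none }
AUTHZ_LOGIN_RE = re.compile(
    r"^authorization\s+login\s+(?:"
    r"(?P<kind>radius-scheme|hwtacacs-scheme)\s+(?P<name>\S{1,32})(?P<local>\s+local)?"
    r"|(?P<plain>local|none))\s*$"
)
DOMAIN_RE = re.compile(r"^domain\s+(\S+)\s*$")

@dataclass
class LoginAuthz:
    scheme: str                 # radius-scheme | hwtacacs-scheme | local | none
    scheme_name: Optional[str]  # remote scheme name, None for local/none
    local_also: bool            # trailing 'local' keyword present

def parse_login_authorization(config: str) -> Dict[str, LoginAuthz]:
    """Map each ISP domain to its effective 'authorization login' setting."""
    result: Dict[str, LoginAuthz] = {}
    domain = None
    for raw in config.splitlines():
        line = raw.strip()
        dom = DOMAIN_RE.match(line) if not raw.startswith(" ") else None
        if dom:                                      # entering ISP domain view
            domain = dom.group(1)
        elif domain is None:
            continue
        elif line == "undo authorization login":     # removes the setting
            result.pop(domain, None)
        elif (m := AUTHZ_LOGIN_RE.match(line)):
            kind = m.group("kind") or m.group("plain")
            result[domain] = LoginAuthz(kind, m.group("name"), bool(m.group("local")))
    return result

def review(config: str) -> Dict[str, str]:
    """One-line assessment per domain, stating only what the manual documents."""
    notes: Dict[str, str] = {}
    for dom, a in parse_login_authorization(config).items():
        if a.scheme == "none":
            notes[dom] = "none: direct authorization, login users get only the default rights"
        elif a.scheme == "local":
            notes[dom] = "local authorization"
        else:
            notes[dom] = f"{a.scheme} {a.scheme_name}" + (" with local" if a.local_also else "")
    return notes

SAMPLE_CONFIG = """\
domain system
 authorization login radius-scheme rd local
domain aabbcc.net
 authorization login none
domain lab
 authorization login local
"""
```

Lines that do not match the documented grammar are ignored, so a typo in a config leaves that domain unreported rather than misclassified.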
