Aruba R9F19A Reference guide

HPE FlexFabric 12900E Switch Series

User Access and Authentication Command Reference

Software

version: Release 5210

Document version: 6W100-20230424

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

i

Contents

AAA commands ····························································································· 1

General AAA commands···································································································································· 1

aaa normal-offline-record enable ··············································································································· 1

aaa offline-record enable ··························································································································· 1

aaa online-fail-record enable······················································································································ 2

aaa session-id mode ·································································································································· 3

aaa session-limit ········································································································································ 3

accounting command ································································································································· 4

accounting default ······································································································································ 5

accounting login ········································································································································· 6

authentication default ································································································································· 8

authentication login ···································································································································· 9

authentication super ································································································································· 11

authorization command ···························································································································· 12

authorization default ································································································································· 13

authorization login ···································································································································· 15

authorization-attribute (ISP domain view) ································································································ 16

display aaa normal-offline-record ············································································································· 17

display aaa offline-record ························································································································· 20

display aaa online-fail-record ··················································································································· 23

display domain ········································································································································· 27

domain ····················································································································································· 30

domain default enable ······························································································································ 31

domain if-unknown ··································································································································· 32

local-server log change-password-prompt ······························································································· 33

nas-id ······················································································································································· 34

reset aaa normal-offline-record ················································································································ 35

reset aaa offline-record ···························································································································· 35

reset aaa online-fail-record ······················································································································ 36

session-time include-idle-time ·················································································································· 36

state (ISP domain view) ··························································································································· 37

state block time-range name ···················································································································· 38

Local user commands ······································································································································ 39

access-limit ·············································································································································· 39

authorization-attribute (local user view/user group view) ········································································· 40

display local-user ····································································································································· 41

display user-group ···································································································································· 43

group ························································································································································ 45

local-user ·················································································································································· 45

password ·················································································································································· 47

service-type ·············································································································································· 48

state (local user view) ······························································································································ 49

user-group ················································································································································ 50

RADIUS commands ········································································································································· 50

aaa device-id ············································································································································ 50

accounting-on enable ······························································································································· 51

attribute 15 check-mode ··························································································································· 52

attribute 25 car ········································································································································· 53

attribute 30 mac-format ···························································································································· 53

attribute 31 mac-format ···························································································································· 54

attribute convert (RADIUS scheme view) ································································································· 55

attribute reject (RADIUS scheme view) ···································································································· 56

attribute remanent-volume ······················································································································· 57

attribute translate ····································································································································· 58

attribute vendor-id 2011 version··············································································································· 59

data-flow-format (RADIUS scheme view) ································································································ 60

display radius scheme ······························································································································ 61

ii

display radius server-load statistics ········································································································· 66

display radius statistics ···························································································································· 67

display stop-accounting-buffer (for RADIUS) ··························································································· 69

exclude ····················································································································································· 70

include ······················································································································································ 71

include-attribute 218 vendor-id 25506······································································································ 72

key (RADIUS scheme view) ····················································································································· 74

nas-ip (RADIUS scheme view)················································································································· 74

primary accounting (RADIUS scheme view) ···························································································· 76

primary authentication (RADIUS scheme view) ······················································································· 78

private accounting ···································································································································· 80

private authentication ······························································································································· 81

radius attribute extended ·························································································································· 83

radius attribute-test-group ························································································································ 85

radius dscp ··············································································································································· 85

radius enable ············································································································································ 86

radius nas-ip ············································································································································· 87

radius scheme ·········································································································································· 88

radius session-control client ····················································································································· 89

radius session-control enable ·················································································································· 90

radius source-ip ········································································································································ 91

radius-server test-profile ·························································································································· 92

reauthentication server-select ·················································································································· 94

reset radius server-load statistics ············································································································· 94

reset radius statistics ································································································································ 95

reset stop-accounting-buffer (for RADIUS) ······························································································ 95

retry ·························································································································································· 96

retry realtime-accounting ·························································································································· 97

retry stop-accounting (RADIUS scheme view) ························································································· 98

secondary accounting (RADIUS scheme view) ······················································································· 99

secondary authentication (RADIUS scheme view) ················································································ 101

server-block-action (RADIUS scheme view) ·························································································· 103

server-load-sharing enable ···················································································································· 104

snmp-agent trap enable radius ·············································································································· 105

source-ip ················································································································································ 106

state primary ·········································································································································· 107

state private ············································································································································ 108

state secondary ······································································································································ 109

stop-accounting-buffer enable (RADIUS scheme view) ········································································· 110

stop-accounting-packet send-force ········································································································ 111

test-aaa ·················································································································································· 112

threshold remanent-volume ··················································································································· 116

timer quiet (RADIUS scheme view) ········································································································ 116

timer realtime-accounting (RADIUS scheme view) ················································································ 117

timer response-timeout (RADIUS scheme view) ···················································································· 118

user-name-format (RADIUS scheme view) ···························································································· 119

vpn-instance (RADIUS scheme view) ···································································································· 120

EAP profile commands··································································································································· 121

ca-file ······················································································································································ 121

certificate-file ·········································································································································· 121

eap-profile ·············································································································································· 122

method ··················································································································································· 123

private-key-file ········································································································································ 124

private-key-password ····························································································································· 125

ssl-server-policy ····································································································································· 126

HWTACACS commands ································································································································ 126

data-flow-format (HWTACACS scheme view) ······················································································· 126

display hwtacacs scheme ······················································································································ 127

display stop-accounting-buffer (for HWTACACS) ·················································································· 132

hwtacacs dscp ········································································································································ 133

hwtacacs nas-ip ····································································································································· 134

hwtacacs scheme ··································································································································· 135

iii

key (HWTACACS scheme view) ············································································································ 136

nas-ip (HWTACACS scheme view) ········································································································ 137

primary accounting (HWTACACS scheme view) ··················································································· 138

primary authentication (HWTACACS scheme view) ·············································································· 139

primary authorization ······························································································································ 141

reset hwtacacs statistics ························································································································ 142

reset stop-accounting-buffer (for HWTACACS) ····················································································· 143

retry stop-accounting (HWTACACS scheme view) ················································································ 143

secondary accounting (HWTACACS scheme view) ·············································································· 144

secondary authentication (HWTACACS scheme view) ········································································· 146

secondary authorization ························································································································· 147

server-block-action (HWTACACS view) ································································································· 149

stop-accounting-buffer enable (HWTACACS scheme view) ·································································· 150

timer quiet (HWTACACS scheme view) ································································································· 150

timer realtime-accounting (HWTACACS scheme view) ········································································· 151

timer response-timeout (HWTACACS scheme view) ············································································· 152

user-name-format (HWTACACS scheme view) ····················································································· 153

vpn-instance (HWTACACS scheme view) ····························································································· 153

Connection recording policy commands ········································································································ 154

aaa connection-recording policy ············································································································ 154

accounting hwtacacs-scheme ················································································································ 155

display aaa connection-recording policy ································································································ 156

Password control commands ····································································· 157

display password-control ························································································································ 157

display password-control blacklist ·········································································································· 158

password-control { aging | composition | history | length } enable ························································· 159

password-control aging ·························································································································· 161

password-control alert-before-expire ····································································································· 162

password-control authentication-timeout ······························································································· 163

password-control blacklist all-line··········································································································· 163

password-control change-password first-login enable ··········································································· 164

password-control change-password weak-password enable································································· 165

password-control complexity ·················································································································· 166

password-control composition ················································································································ 167

password-control enable ························································································································ 168

password-control expired-user-login ······································································································ 169

password-control history ························································································································ 170

password-control length ························································································································· 171

password-control login idle-time ············································································································· 172

password-control login-attempt ·············································································································· 173

password-control super aging ················································································································ 175

password-control super composition ······································································································ 176

password-control super length ··············································································································· 176

password-control update-interval ··········································································································· 177

reset password-control blacklist ············································································································· 178

reset password-control history-record ···································································································· 178

Document conventions and icons ······························································ 180

Conventions ··················································································································································· 180

Network topology icons ·································································································································· 181

Support and other resources ····································································· 182

Accessing Hewlett Packard Enterprise Support····························································································· 182

Accessing updates ········································································································································· 182

Websites ················································································································································ 183

Customer self repair ······························································································································· 183

Remote support ······································································································································ 183

Documentation feedback ······················································································································· 183

Index ·········································································································· 185

1

AAA commands

General AAA commands

aaa normal-offline-record enable

Use aaa normal-offline-record enable to enable user normal offline recording.

Use undo aaa normal-offline-record enable to disable user normal offline recording.

Syntax

aaa normal-offline-record enable

undo aaa normal-offline-record enable

Default

User normal offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that go offline normally. These

records help the administrator analyze causes of user offline events. To display user normal offline

records, use the display aaa normal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The device can record a maximum of 32768 user normal offline records. When the maximum

number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user normal offline recording.

<Sysname> system-view

[Sysname] aaa normal-offline-record enable

Related commands

aaa offline-record enable

display aaa normal-offline-record

aaa offline-record enable

Use aaa offline-record enable to enable user offline recording.

Use undo aaa offline-record enable to disable user offline recording.

Syntax

aaa offline-record enable

undo aaa offline-record enable

2

Default

User offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must enable this feature so that user abnormal offline recording and user normal offline

recording can take effect. Then, the system can record information about users that go offline

normally and abnormally. To display user offline records, use the display aaa

offline-record command.

The device can record a maximum of 65536 user offline records. When the maximum number is

reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user offline recording.

<Sysname> system-view

[Sysname] aaa offline-record enable

Related commands

aaa abnormal-offline-record enable

aaa normal-offline-record enable

display aaa offline-record

aaa online-fail-record enable

Use aaa online-fail-record enable to enable user online failure recording.

Use undo aaa online-fail-record enable to disable user online failure recording.

Syntax

aaa online-fail-record enable

undo aaa online-fail-record enable

Default

User online failure recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that fail to come online. These

records help the administrator identify causes of user online failures and check for malicious users.

To display user online failure records, use the display aaa online-fail-record command.

The device can record a maximum of 32768 user online failure records. When the maximum number

is reached, a new record overwrites the oldest record.

3

To reduce the memory usage, you can disable this feature.

Examples

# Enable user online failure recording.

<Sysname> system-view

[Sysname] aaa online-fail-record enable

Related commands

display aaa online-fail-record

aaa session-id mode

Use aaa session-id mode to specify the format for attribute Acct-Session-Id.

Use undo aaa session-id mode to restore the default.

Syntax

aaa session-id mode { common | simplified }

undo session-id mode

Default

The device uses the common mode for attribute Acct-Session-Id.

Views

System view

Predefined user roles

network-admin

Parameters

common: Specifies the common format for attribute Acct-Session-Id. In this format, the

Acct-Session-Id attribute is a string of 37 characters. This string contains the prefix (indicating the

access type), date and time, sequence number, LIP address of the access node, device ID, and job

ID of the access process.

simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the

Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the

access type), month, sequence number, device ID, and LIP address of the access node.

Usage guidelines

Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.

Examples

# Specify the simple format for attribute Acct-Session-Id.

<Sysname> system-view

[Sysname] aaa session-id mode simplified

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the

device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for

the specified login method.

4

Syntax

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to

32 for SSH and Telnet services, and is 1 to 64 for FTP, HTTP, and HTTPS services.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the

system denies the subsequent users of this type.

For HTTP and HTTPS services, the number of concurrent users of an application is separately

limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20

concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and

NETCONF.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

5

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands

that have been successfully executed on the device.

•

When the command line authorization feature is disabled, the accounting server records all

valid commands that have been successfully executed.

•

When the command line authorization feature is enabled, the accounting server records only

authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme

radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme

hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] |

none | radius-scheme radius-scheme-name [ hwtacacs-scheme

hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

6

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an

accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It

does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting

methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence.

For example, the accounting default radius-scheme radius-scheme-name local

none command specifies the primary default RADIUS accounting method and two backup methods

(local accounting and no accounting). The device performs RADIUS accounting by default and

performs local accounting when RADIUS accounting is invalid. The device does not perform

accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

•

The specified accounting scheme does not exist.

•

Accounting packet sending fails.

•

The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

•

The device uses the backup accounting methods in sequence only if local accounting is invalid

for one of the following reasons:

 An exception occurs in the local accounting process.

 The user account is not configured on the device or the user is not allowed to use the

access service.

•

The device does not turn to the backup accounting methods if local accounting is invalid

because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use

local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

7

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme

radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme

hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none

| radius-scheme radius-scheme-name [ hwtacacs-scheme

hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence.

For example, the accounting login radius-scheme radius-scheme-name local none

command specifies a primary default RADIUS accounting method and two backup methods (local

accounting and no accounting). The device performs RADIUS accounting by default and performs

local accounting when RADIUS accounting is invalid. The device does not perform accounting when

both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

•

The specified accounting scheme does not exist.

•

Accounting packet sending fails.

•

The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

•

The device uses the backup accounting methods in sequence only if local accounting is invalid

for one of the following reasons:

 An exception occurs in the local accounting process.

 The user account is not configured on the device.

•

The device does not turn to the backup accounting methods if local accounting is invalid

because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

8

[Sysname] domain name test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local

accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name

[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local

[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme

radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme

radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ]

[ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an

authentication method configured.

You can specify one primary default authentication method and multiple backup default

authentication methods.

9

When the primary method is invalid, the device attempts to use the backup methods in sequence.

For example, the authentication default radius-scheme radius-scheme-name

local none command specifies a primary default RADIUS authentication method and two backup

methods (local authentication and no authentication). The device performs RADIUS authentication

by default and performs local authentication when RADIUS authentication is invalid. The device

does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

•

The specified authentication scheme does not exist.

•

Authentication packet sending fails.

•

The device does not receive any authentication response packets from an authentication

server.

The local authentication method is invalid if the device fails to find the matching local user

configuration.

When the primary authentication method is local, the following rules apply to the authentication of a

user:

•

The device uses the backup authentication methods in sequence only if local authentication is

invalid for one of the following reasons:

 An exception occurs in the local authentication process.

 The user account is not configured on the device or the user is not allowed to use the

access service.

•

The device does not turn to the backup authentication methods if local authentication is invalid

because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use

local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name

[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local

[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme

radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme

radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ]

[ none ] }

undo authentication login

10

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence.

For example, the authentication login radius-scheme radius-scheme-name local

none command specifies the default primary RADIUS authentication method and two backup

methods (local authentication and no authentication). The device performs RADIUS authentication

by default and performs local authentication when RADIUS authentication is invalid. The device

does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

•

The specified authentication scheme does not exist.

•

Authentication packet sending fails.

•

The device does not receive any authentication response packets from an authentication

server.

The local authentication method is invalid if the device fails to find the matching local user

configuration.

When the primary authentication method is local, the following rules apply to the authentication of a

user:

•

The device uses the backup authentication methods in sequence only if local authentication is

invalid for one of the following reasons:

 An exception occurs in the local authentication process.

 The user account is not configured on the device or the user is not allowed to use the

service for accessing the device.

•

The device does not turn to the backup authentication methods if local authentication is invalid

because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use

local authentication as the backup.

<Sysname> system-view

11

[Sysname] domain name test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

local-user

radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name |

radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure

user role authentication. The device supports local and remote methods for user role authentication.

For more information about user role authentication, see RBAC configuration in Fundamentals

Configuration Guide.

You can specify one authentication method and one backup authentication method to use in case

that the previous authentication method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain name test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

12

hwtacacs scheme

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ]

[ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered

commands are permitted by the user role. The commands are executed successfully if the user role

has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an

authorization server to verify whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with

the user's configuration on the device. The command is executed only when it is permitted by the

user's authorized user roles.

The commands that can be executed are controlled by both the access permission of user roles and

command authorization of the authorization server. Access permission only controls whether the

authorized user roles have access to the entered commands, but it does not control whether the user

roles have obtained authorization to these commands. If a command is permitted by the access

permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command

authorization methods.

When the default authorization method is invalid, the device attempts to use the backup

authorization methods in sequence. For example, the authorization command

hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default

HWTACACS authorization method and two backup methods (local authorization and no

authorization). The device performs HWTACACS authorization by default and performs local

authorization when the HWTACACS server is invalid. The device does not perform command

authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

13

•

The specified authorization scheme does not exist.

•

Authorization packet sending fails.

•

The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user

configuration.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and

use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name

[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local

[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme

radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name

[ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after

users pass authentication:

14

•

Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and

terminal users. Terminal users can access the device through the console port. For more

information about the level-0 user role, see RBAC configuration in Fundamentals Configuration

Guide.

•

The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS.

However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an

authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and

authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup

authorization methods in sequence. For example, the authorization default

radius-scheme radius-scheme-name local none command specifies the default RADIUS

authorization method and two backup methods (local authorization and no authorization). The

device performs RADIUS authorization by default and performs local authorization when RADIUS

authorization is invalid. The device does not perform authorization when both of the previous

methods are invalid.

The remote authorization method is invalid in the following situations:

•

The specified authorization scheme does not exist.

•

Authorization packet sending fails.

•

The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user

configuration.

When the primary authorization method is local, the following rules apply to the authorization of a

user:

•

The device uses the backup authorization methods in sequence only if local authorization is

invalid for one of the following reasons:

 An exception occurs in the local authorization process.

 The user account is not configured on the device or the user is not allowed to use the

access service.

•

The device does not turn to the backup authorization methods if local authorization is invalid

because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use

local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

15

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name

[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local

[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme

radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name

[ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,

a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after

users pass authentication:

•

Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and

terminal users. Terminal users can access the device through the console port. For more

information about the level-0 user role, see RBAC configuration in Fundamentals Configuration

Guide.

•

The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS.

However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and

authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup

authorization methods in sequence. For example, the authorization login radius-scheme

radius-scheme-name local none command specifies the default RADIUS authorization

method and two backup methods (local authorization and no authorization). The device performs

RADIUS authorization by default and performs local authorization when RADIUS authorization is

invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

•

The specified authorization scheme does not exist.

•

Authorization packet sending fails.

Page is loading ...

Aruba R9F19A Reference guide

Aruba R9F19A Reference guide

Related papers

Other documents