Aruba R9F20A Reference guide

HPE FlexFabric 12900E Switch Series
User Access and Authentication Command Reference
Software version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
AAA commands  1
  General AAA commands  1
    aaa normal-offline-record enable  1
    aaa offline-record enable  1
    aaa online-fail-record enable  2
    aaa session-id mode  3
    aaa session-limit  3
    accounting command  4
    accounting default  5
    accounting login  6
    authentication default  8
    authentication login  9
    authentication super  11
    authorization command  12
    authorization default  13
    authorization login  15
    authorization-attribute (ISP domain view)  16
    display aaa normal-offline-record  17
    display aaa offline-record  20
    display aaa online-fail-record  23
    display domain  27
    domain  30
    domain default enable  31
    domain if-unknown  32
    local-server log change-password-prompt  33
    nas-id  34
    reset aaa normal-offline-record  35
    reset aaa offline-record  35
    reset aaa online-fail-record  36
    session-time include-idle-time  36
    state (ISP domain view)  37
    state block time-range name  38
  Local user commands  39
    access-limit  39
    authorization-attribute (local user view/user group view)  40
    display local-user  41
    display user-group  43
    group  45
    local-user  45
    password  47
    service-type  48
    state (local user view)  49
    user-group  50
  RADIUS commands  50
    aaa device-id  50
    accounting-on enable  51
    attribute 15 check-mode  52
    attribute 25 car  53
    attribute 30 mac-format  53
    attribute 31 mac-format  54
    attribute convert (RADIUS scheme view)  55
    attribute reject (RADIUS scheme view)  56
    attribute remanent-volume  57
    attribute translate  58
    attribute vendor-id 2011 version  59
    data-flow-format (RADIUS scheme view)  60
    display radius scheme  61
    display radius server-load statistics  66
    display radius statistics  67
    display stop-accounting-buffer (for RADIUS)  69
    exclude  70
    include  71
    include-attribute 218 vendor-id 25506  72
    key (RADIUS scheme view)  74
    nas-ip (RADIUS scheme view)  74
    primary accounting (RADIUS scheme view)  76
    primary authentication (RADIUS scheme view)  78
    private accounting  80
    private authentication  81
    radius attribute extended  83
    radius attribute-test-group  85
    radius dscp  85
    radius enable  86
    radius nas-ip  87
    radius scheme  88
    radius session-control client  89
    radius session-control enable  90
    radius source-ip  91
    radius-server test-profile  92
    reauthentication server-select  94
    reset radius server-load statistics  94
    reset radius statistics  95
    reset stop-accounting-buffer (for RADIUS)  95
    retry  96
    retry realtime-accounting  97
    retry stop-accounting (RADIUS scheme view)  98
    secondary accounting (RADIUS scheme view)  99
    secondary authentication (RADIUS scheme view)  101
    server-block-action (RADIUS scheme view)  103
    server-load-sharing enable  104
    snmp-agent trap enable radius  105
    source-ip  106
    state primary  107
    state private  108
    state secondary  109
    stop-accounting-buffer enable (RADIUS scheme view)  110
    stop-accounting-packet send-force  111
    test-aaa  112
    threshold remanent-volume  116
    timer quiet (RADIUS scheme view)  116
    timer realtime-accounting (RADIUS scheme view)  117
    timer response-timeout (RADIUS scheme view)  118
    user-name-format (RADIUS scheme view)  119
    vpn-instance (RADIUS scheme view)  120
  EAP profile commands  121
    ca-file  121
    certificate-file  121
    eap-profile  122
    method  123
    private-key-file  124
    private-key-password  125
    ssl-server-policy  126
  HWTACACS commands  126
    data-flow-format (HWTACACS scheme view)  126
    display hwtacacs scheme  127
    display stop-accounting-buffer (for HWTACACS)  132
    hwtacacs dscp  133
    hwtacacs nas-ip  134
    hwtacacs scheme  135
    key (HWTACACS scheme view)  136
    nas-ip (HWTACACS scheme view)  137
    primary accounting (HWTACACS scheme view)  138
    primary authentication (HWTACACS scheme view)  139
    primary authorization  141
    reset hwtacacs statistics  142
    reset stop-accounting-buffer (for HWTACACS)  143
    retry stop-accounting (HWTACACS scheme view)  143
    secondary accounting (HWTACACS scheme view)  144
    secondary authentication (HWTACACS scheme view)  146
    secondary authorization  147
    server-block-action (HWTACACS view)  149
    stop-accounting-buffer enable (HWTACACS scheme view)  150
    timer quiet (HWTACACS scheme view)  150
    timer realtime-accounting (HWTACACS scheme view)  151
    timer response-timeout (HWTACACS scheme view)  152
    user-name-format (HWTACACS scheme view)  153
    vpn-instance (HWTACACS scheme view)  153
  Connection recording policy commands  154
    aaa connection-recording policy  154
    accounting hwtacacs-scheme  155
    display aaa connection-recording policy  156
Password control commands  157
  display password-control  157
  display password-control blacklist  158
  password-control { aging | composition | history | length } enable  159
  password-control aging  161
  password-control alert-before-expire  162
  password-control authentication-timeout  163
  password-control blacklist all-line  163
  password-control change-password first-login enable  164
  password-control change-password weak-password enable  165
  password-control complexity  166
  password-control composition  167
  password-control enable  168
  password-control expired-user-login  169
  password-control history  170
  password-control length  171
  password-control login idle-time  172
  password-control login-attempt  173
  password-control super aging  175
  password-control super composition  176
  password-control super length  176
  password-control update-interval  177
  reset password-control blacklist  178
  reset password-control history-record  178
Document conventions and icons  180
  Conventions  180
  Network topology icons  181
Support and other resources  182
  Accessing Hewlett Packard Enterprise Support  182
  Accessing updates  182
    Websites  183
    Customer self repair  183
    Remote support  183
    Documentation feedback  183
Index  185
AAA commands
General AAA commands
aaa normal-offline-record enable
Use aaa normal-offline-record enable to enable user normal offline recording.
Use undo aaa normal-offline-record enable to disable user normal offline recording.
Syntax
aaa normal-offline-record enable
undo aaa normal-offline-record enable
Default
User normal offline recording is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature enables the system to record information about users that go offline normally. These
records help the administrator analyze causes of user offline events. To display user normal offline
records, use the display aaa normal-offline-record command.
This feature takes effect only when user offline recording is enabled.
The device can record a maximum of 32768 user normal offline records. When the maximum
number is reached, a new record overwrites the oldest record.
To reduce the memory usage, you can disable this feature.
Examples
# Enable user normal offline recording.
<Sysname> system-view
[Sysname] aaa normal-offline-record enable
Related commands
aaa offline-record enable
display aaa normal-offline-record
aaa offline-record enable
Use aaa offline-record enable to enable user offline recording.
Use undo aaa offline-record enable to disable user offline recording.
Syntax
aaa offline-record enable
undo aaa offline-record enable
Default
User offline recording is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You must enable this feature for user abnormal offline recording and user normal offline recording to take effect. Once it is enabled, the system can record information about users that go offline normally and abnormally. To display user offline records, use the display aaa offline-record command.
The device can record a maximum of 65536 user offline records. When the maximum number is
reached, a new record overwrites the oldest record.
To reduce the memory usage, you can disable this feature.
Examples
# Enable user offline recording.
<Sysname> system-view
[Sysname] aaa offline-record enable
Related commands
aaa abnormal-offline-record enable
aaa normal-offline-record enable
display aaa offline-record
aaa online-fail-record enable
Use aaa online-fail-record enable to enable user online failure recording.
Use undo aaa online-fail-record enable to disable user online failure recording.
Syntax
aaa online-fail-record enable
undo aaa online-fail-record enable
Default
User online failure recording is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature enables the system to record information about users that fail to come online. These
records help the administrator identify causes of user online failures and check for malicious users.
To display user online failure records, use the display aaa online-fail-record command.
The device can record a maximum of 32768 user online failure records. When the maximum number is reached, a new record overwrites the oldest record.
To reduce the memory usage, you can disable this feature.
Examples
# Enable user online failure recording.
<Sysname> system-view
[Sysname] aaa online-fail-record enable
Related commands
display aaa online-fail-record
aaa session-id mode
Use aaa session-id mode to specify the format for attribute Acct-Session-Id.
Use undo aaa session-id mode to restore the default.
Syntax
aaa session-id mode { common | simplified }
undo aaa session-id mode
Default
The device uses the common mode for attribute Acct-Session-Id.
Views
System view
Predefined user roles
network-admin
Parameters
common: Specifies the common format for attribute Acct-Session-Id. In this format, the
Acct-Session-Id attribute is a string of 37 characters. This string contains the prefix (indicating the
access type), date and time, sequence number, LIP address of the access node, device ID, and job
ID of the access process.
simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the
Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the
access type), month, sequence number, device ID, and LIP address of the access node.
Usage guidelines
Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.
Examples
# Specify the simple format for attribute Acct-Session-Id.
<Sysname> system-view
[Sysname] aaa session-id mode simplified
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users that can log on to the
device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for
the specified login method.
Syntax
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
undo aaa session-limit { ftp | http | https | ssh | telnet }
Default
The maximum number of concurrent users is 32 for each user type.
Views
System view
Predefined user roles
network-admin
Parameters
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to
32 for SSH and Telnet services, and is 1 to 64 for FTP, HTTP, and HTTPS services.
Usage guidelines
When the number of concurrent login users of a user type has reached the configured maximum, the
system denies subsequent login attempts of that type.
For HTTP and HTTPS services, the number of concurrent users of an application is separately
limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20
concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and
NETCONF.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
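The admission behaviour described in the usage guidelines, as an added model written for this page (it is not HPE code and does not reflect the switch implementation): the value ranges and the default of 32 come from the command reference, while the application names and the session records are constructed for the example. It shows the per-application counting for HTTP/HTTPS and the range validation of the max-sessions argument.

```python
"""Model of per-service concurrent-login limits as described for aaa session-limit.

Added illustration, not HPE code. Ranges (1-32 for SSH/Telnet, 1-64 for
FTP/HTTP/HTTPS) and the default of 32 come from the command reference; the
application names and the sessions admitted in demo() are constructed.
"""

# Valid max-sessions range per service, as documented for the command.
SESSION_LIMIT_RANGE = {
    "ssh": (1, 32), "telnet": (1, 32),
    "ftp": (1, 64), "http": (1, 64), "https": (1, 64),
}
DEFAULT_LIMIT = 32
# HTTP and HTTPS limits apply separately to each application (RESTful, Web,
# NETCONF); the other services share one counter per service.
PER_APPLICATION = {"http", "https"}


class SessionLimiter:
    def __init__(self):
        self.limits = {svc: DEFAULT_LIMIT for svc in SESSION_LIMIT_RANGE}
        self.active = {}  # (service, application) -> active session count

    def configure(self, service, max_sessions):
        """Equivalent of 'aaa session-limit <service> <max-sessions>'."""
        if service not in SESSION_LIMIT_RANGE:
            raise ValueError(f"unknown service {service!r}")
        lo, hi = SESSION_LIMIT_RANGE[service]
        if not lo <= max_sessions <= hi:
            raise ValueError(f"{service}: max-sessions must be {lo}-{hi}")
        self.limits[service] = max_sessions

    def _key(self, service, application):
        # Constructed convention: HTTP(S) without an explicit application
        # counts against the "web" application.
        if service in PER_APPLICATION:
            return (service, application or "web")
        return (service, None)

    def admit(self, service, application=None):
        """Count a new session and return True, or return False when the
        limit for this service (or HTTP application) is already reached."""
        key = self._key(service, application)
        if self.active.get(key, 0) >= self.limits[service]:
            return False
        self.active[key] = self.active.get(key, 0) + 1
        return True

    def release(self, service, application=None):
        key = self._key(service, application)
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1


def demo():
    """Constructed scenario: FTP limited to 4, HTTP limited to 2 per application."""
    lim = SessionLimiter()
    lim.configure("ftp", 4)
    lim.configure("http", 2)
    ftp = [lim.admit("ftp") for _ in range(5)]                  # fifth is denied
    restful = [lim.admit("http", "restful") for _ in range(3)]  # third is denied
    netconf = [lim.admit("http", "netconf") for _ in range(2)]  # separate counter
    return {"ftp": ftp, "restful": restful, "netconf": netconf}
```

The per-application counter is the detail worth checking when sizing the HTTP limit: a value of 20 admits up to 20 RESTful, 20 Web and 20 NETCONF sessions at once, not 20 in total.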
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting methods of the ISP domain are used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting feature works with the accounting server to record valid commands
that have been successfully executed on the device.
• When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.
• When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.
Command line accounting can use only a remote HWTACACS server.
Examples
# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
accounting default
command accounting (Fundamentals Command Reference)
hwtacacs scheme
accounting default
Use accounting default to specify default accounting methods for an ISP domain.
Use undo accounting default to restore the default.
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme
radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme
hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] |
none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users that support this method and do not have an
accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It
does not provide the statistics function that the accounting feature generally provides.
You can specify one primary default accounting method and multiple backup default accounting
methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence.
For example, the accounting default radius-scheme radius-scheme-name local
none command specifies the primary default RADIUS accounting method and two backup methods
(local accounting and no accounting). The device performs RADIUS accounting by default and
performs local accounting when RADIUS accounting is invalid. The device does not perform
accounting when both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
• The specified accounting scheme does not exist.
• Accounting packet sending fails.
• The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
When the primary accounting method is local, the following rules apply to the accounting of a user:
• The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the access service.
• The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use
local accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
accounting login
Use accounting login to specify accounting methods for login users.
Use undo accounting login to restore the default.
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme
radius-scheme-name ] [ local ] [ none ] | local [ hwtacacs-scheme
hwtacacs-scheme-name | radius-scheme radius-scheme-name ] * [ none ] | none
| radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
Default
The default accounting methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for FTP, SFTP, and SCP users.
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence.
For example, the accounting login radius-scheme radius-scheme-name local none
command specifies a primary default RADIUS accounting method and two backup methods (local
accounting and no accounting). The device performs RADIUS accounting by default and performs
local accounting when RADIUS accounting is invalid. The device does not perform accounting when
both of the previous methods are invalid.
The remote accounting method is invalid in the following situations:
• The specified accounting scheme does not exist.
• Accounting packet sending fails.
• The device does not receive any accounting response packets from an accounting server.
The local accounting method is invalid if the device fails to find the matching local user configuration.
When the primary accounting method is local, the following rules apply to the accounting of a user:
• The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device.
• The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
accounting default
hwtacacs scheme
local-user
radius scheme
authentication default
Use authentication default to specify default authentication methods for an ISP domain.
Use undo authentication default to restore the default.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local
[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme
radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ]
[ none ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users that support this method and do not have an
authentication method configured.
You can specify one primary default authentication method and multiple backup default
authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence.
For example, the authentication default radius-scheme radius-scheme-name
local none command specifies a primary default RADIUS authentication method and two backup
methods (local authentication and no authentication). The device performs RADIUS authentication
by default and performs local authentication when RADIUS authentication is invalid. The device
does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
• The specified authentication scheme does not exist.
• Authentication packet sending fails.
• The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
• The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  ◦ An exception occurs in the local authentication process.
  ◦ The user account is not configured on the device or the user is not allowed to use the access service.
• The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use
local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
authentication login
Use authentication login to specify authentication methods for login users.
Use undo authentication login to restore the default.
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local
[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme
radius-scheme-name ] * [ none ] | local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ]
[ none ] }
undo authentication login
Default
The default authentication methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence.
For example, the authentication login radius-scheme radius-scheme-name local
none command specifies the default primary RADIUS authentication method and two backup
methods (local authentication and no authentication). The device performs RADIUS authentication
by default and performs local authentication when RADIUS authentication is invalid. The device
does not perform authentication when both of the previous methods are invalid.
The remote authentication method is invalid in the following situations:
• The specified authentication scheme does not exist.
• Authentication packet sending fails.
• The device does not receive any authentication response packets from an authentication server.
The local authentication method is invalid if the device fails to find the matching local user configuration.
When the primary authentication method is local, the following rules apply to the authentication of a user:
• The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  ◦ An exception occurs in the local authentication process.
  ◦ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.
• The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for login users.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication login local
# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use
local authentication as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
local-user
radius scheme
authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name |
radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication methods of the ISP domain are used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
To enable a user to obtain another user role without reconnecting to the device, you must configure
user role authentication. The device supports local and remote methods for user role authentication.
For more information about user role authentication, see RBAC configuration in Fundamentals
Configuration Guide.
You can specify one authentication method and one backup authentication method; the backup is used
when the first method is invalid.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain name test
[Sysname-isp-test] authentication super hwtacacs-scheme tac
Related commands
authentication default
hwtacacs scheme
radius scheme
authorization command
Use authorization command to specify command authorization methods.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ]
[ none ] | local [ none ] | none }
undo authorization command
Default
The default authorization methods of the ISP domain are used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. No authorization server verifies whether an entered command is
permitted. A command is executed successfully as long as the user's user role has permission to execute
it.
Usage guidelines
Command authorization restricts login users to execute only authorized commands by employing an
authorization server to verify whether each entered command is permitted.
When local command authorization is configured, the device compares each entered command with
the user's configuration on the device. The command is executed only when it is permitted by the
user's authorized user roles.
The commands that can be executed are controlled by both the access permission of user roles and
command authorization of the authorization server. Access permission only controls whether the
authorized user roles have access to the entered commands, but it does not control whether the user
roles have obtained authorization to these commands. If a command is permitted by the access
permission but denied by command authorization, this command cannot be executed.
You can specify one primary command authorization method and multiple backup command
authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization command
hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default
HWTACACS authorization method and two backup methods (local authorization and no
authorization). The device performs HWTACACS authorization by default and performs local
authorization when the HWTACACS server is invalid. The device does not perform command
authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
• The specified authorization scheme does not exist.
• Authorization packet sending fails.
• The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user
configuration.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and
use local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
command authorization (Fundamentals Command Reference)
hwtacacs scheme
local-user
authorization default
Use authorization default to specify default authorization methods for an ISP domain.
Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local
[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme
radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name
[ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after
users pass authentication:
• Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
• The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authorization method is used for all users that support this method and do not have an
authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization default
radius-scheme radius-scheme-name local none command specifies the default RADIUS
authorization method and two backup methods (local authorization and no authorization). The
device performs RADIUS authorization by default and performs local authorization when RADIUS
authorization is invalid. The device does not perform authorization when both of the previous
methods are invalid.
The remote authorization method is invalid in the following situations:
• The specified authorization scheme does not exist.
• Authorization packet sending fails.
• The device does not receive any authorization response packets from an authorization server.
The local authorization method is invalid if the device fails to find the matching local user configuration.
When the primary authorization method is local, the following rules apply to the authorization of a user:
• The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
  ◦ An exception occurs in the local authorization process.
  ◦ The user account is not configured on the device or the user is not allowed to use the access service.
• The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use
local authorization as the backup.
<Sysname> system-view
[Sysname] domain name test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
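The primary/backup fallback rules in the usage guidelines of accounting default, accounting login, authentication default, authentication login, authorization command and authorization default all follow the same pattern: a remote method is skipped only when it is invalid (scheme missing, packet not sent, no response), a rejection from a reachable server ends the chain, and local falls through to the next method only when the account is missing or not allowed for the service. The following model is an added illustration written for this page, not HPE code: the scheme table, user table, password check and service names are constructed, and the method-list parser accepts the argument string of any of those commands.

```python
"""Model of AAA method-list fallback as described in this command reference.

Added illustration, not HPE code. SCHEMES and LOCAL_USERS are constructed
test data; the fallback rules follow the usage guidelines of the
accounting/authentication/authorization default and login commands.
"""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"   # method answered and rejected: the chain stops
    INVALID = "invalid"   # method unusable: the next backup method is tried


# Constructed scheme table: scheme name -> what contacting its server yields.
# A name absent from the table models "the specified scheme does not exist".
SCHEMES = {
    "rd": "accept",          # server responds, accepts
    "rd-down": "timeout",    # no response packets from the server
    "tac-reject": "reject",  # server responds, rejects
}
# Constructed local user table: name -> password and permitted services.
LOCAL_USERS = {"alice": {"password": "s3cret", "service": {"ssh"}}}


def remote_method(scheme_name):
    state = SCHEMES.get(scheme_name)
    if state is None or state in ("timeout", "send-fail"):
        return Result.INVALID
    return Result.SUCCESS if state == "accept" else Result.FAILURE


def local_method(user, password, service):
    entry = LOCAL_USERS.get(user)
    if entry is None or service not in entry["service"]:
        return Result.INVALID   # not configured / not allowed: fall back
    if entry["password"] != password:
        return Result.FAILURE   # any other local failure: no fallback
    return Result.SUCCESS


def parse_method_list(cli_args):
    """Turn e.g. 'radius-scheme rd local none' into [(kind, scheme), ...]."""
    tokens = cli_args.split()
    methods, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("radius-scheme", "hwtacacs-scheme"):
            methods.append((t, tokens[i + 1]))
            i += 2
        elif t in ("local", "none"):
            methods.append((t, None))
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    return methods


def run_method_list(methods, user, password, service):
    """Walk the list in order; stop at the first method that is not invalid.
    Returns (final result, trace of (kind, scheme, result) per method tried)."""
    trace = []
    for kind, name in methods:
        if kind in ("radius-scheme", "hwtacacs-scheme"):
            r = remote_method(name)
        elif kind == "local":
            r = local_method(user, password, service)
        else:  # none: no check is performed, the user is let through
            r = Result.SUCCESS
        trace.append((kind, name, r))
        if r is not Result.INVALID:
            return r, trace
    return Result.FAILURE, trace  # every method was invalid


def evaluate(cli_args, user, password, service="ssh"):
    return run_method_list(parse_method_list(cli_args), user, password, service)
```

Running evaluate("radius-scheme rd-down local none", "mallory", "", "ssh") is the case to look at when reviewing a domain configuration: with the RADIUS server unreachable and no local account, the chain ends at none and the unknown user is let through, which is exactly the outcome the "none" backup permits. Keeping local as the last method instead makes the same scenario fail closed.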
authorization login
Use authorization login to specify authorization methods for login users.
Use undo authorization login to restore the default.
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local
[ hwtacacs-scheme hwtacacs-scheme-name | radius-scheme
radius-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name
[ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
Default
The default authorization methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name,
a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after
users pass authentication:
• Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
• The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization login radius-scheme
radius-scheme-name local none command specifies the default RADIUS authorization
method and two backup methods (local authorization and no authorization). The device performs
RADIUS authorization by default and performs local authorization when RADIUS authorization is
invalid. The device does not perform authorization when both of the previous methods are invalid.
The remote authorization method is invalid in the following situations:
• The specified authorization scheme does not exist.
• Authorization packet sending fails.