S5510 Series

H3C S5510 Series, S3610 Series Command Manual

Command Manual – AAA&RADIUS&HWTACACS
H3C S3610&S5510 Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
1.1.2 accounting default
1.1.3 accounting lan-access
1.1.4 accounting login
1.1.5 accounting optional
1.1.6 attribute
1.1.7 authentication default
1.1.8 authentication lan-access
1.1.9 authentication login
1.1.10 authorization command
1.1.11 authorization default
1.1.12 authorization lan-access
1.1.13 authorization login
1.1.14 cut connection
1.1.15 display connection
1.1.16 display domain
1.1.17 display local-user
1.1.18 domain
1.1.19 domain default
1.1.20 idle-cut
1.1.21 level
1.1.22 local-user
1.1.23 local-user password-display-mode
1.1.24 password
1.1.25 self-service-url
1.1.26 service-type
1.1.27 service-type ftp
1.1.28 state
1.2 RADIUS Configuration Commands
1.2.1 data-flow-format
1.2.2 display local-server statistics
1.2.3 display radius
1.2.4 display radius statistics
1.2.5 display stop-accounting-buffer
1.2.6 key
1.2.7 local-server
1.2.8 local-server nas-ip
1.2.9 nas-ip
1.2.10 primary accounting
1.2.11 primary authentication
1.2.12 radius client
1.2.13 radius nas-ip
1.2.14 radius scheme
1.2.15 radius trap
1.2.16 reset local-server statistics
1.2.17 reset radius statistics
1.2.18 reset stop-accounting-buffer
1.2.19 retry
1.2.20 retry realtime-accounting
1.2.21 retry stop-accounting
1.2.22 secondary accounting
1.2.23 secondary authentication
1.2.24 server-type
1.2.25 state
1.2.26 stop-accounting-buffer enable
1.2.27 timer quiet
1.2.28 timer realtime-accounting
1.2.29 timer response-timeout
1.2.30 user-name-format
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
1.3.2 display hwtacacs
1.3.3 display stop-accounting-buffer
1.3.4 hwtacacs nas-ip
1.3.5 hwtacacs scheme
1.3.6 key
1.3.7 nas-ip
1.3.8 primary accounting
1.3.9 primary authentication
1.3.10 primary authorization
1.3.11 reset hwtacacs statistics
1.3.12 reset stop-accounting-buffer
1.3.13 retry stop-accounting
1.3.14 secondary accounting
1.3.15 secondary authentication
1.3.16 secondary authorization
1.3.17 stop-accounting-buffer enable
1.3.18 timer quiet
1.3.19 timer realtime-accounting
1.3.20 timer response-timeout
1.3.21 user-name-format
Chapter 1 AAA & RADIUS & HWTACACS
Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: Specifies not to limit the number of access users that can be contained in
the current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be
contained in the current ISP domain. max-user-number ranges from 1 to 1024.
Description
Use the access-limit command to set the maximum number of access users that can
be contained in the current ISP domain.
Use the undo access-limit command to restore the default maximum number.
By default, the number of access users that can be contained in the current ISP
domain is unlimited.
Because resource contention may occur between access users, there is a need to
properly limit the number of access users in an ISP domain to provide reliable
performance to the users in the ISP domain.
Example
# Allow ISP domain aabbcc.net to contain at most 500 access users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]domain aabbcc.net
[Sysname-isp-aabbcc.net] access-limit enable 500
1.1.2 accounting default
Syntax
accounting default { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting default command to configure an accounting scheme for all
users.
Use the undo accounting default command to restore the default accounting scheme
for all users.
By default, the local scheme is configured.
It should be noted that:
• The accounting scheme configured by the accounting default command is
applicable to all users. The priority of this configuration is lower than that of a
specific access mode.
• Local accounting is only used to support the management of local user
connections without real statistical function. The management of local connections
takes effect for local accounting rather than local authentication and authorization.
• In the login access mode, accounting is not supported for FTP services.
Related command: authentication default and authorization default.
Example
# In the default ISP domain named system, configure local as the default accounting
scheme for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
default accounting scheme for all users, with local accounting as the backup. Note that
the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default radius-scheme rd local
# In the default ISP domain named system, restore the default accounting scheme for
all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting default
1.1.3 accounting lan-access
Syntax
accounting lan-access { radius-scheme radius-scheme-name [ local ] | local
| none }
undo accounting lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting lan-access command to configure accounting for a lan-access
user. Use the undo accounting lan-access command to remove accounting for a
lan-access user.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme
for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system]accounting lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
accounting scheme for the lan-access user, with local accounting as the backup. Note
that the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for the
lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting lan-access
1.1.4 accounting login
Syntax
accounting login { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting login command to configure accounting for the login user.
Use the undo accounting login command to remove accounting for the login user.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme
for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
accounting scheme for the login user, with local accounting as the backup. Note that
the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for the login
user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting login
1.1.5 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch.
By default, the accounting-optional switch is closed.
Note that:
• When the system charges an online user but finds no available RADIUS accounting
server, or fails to communicate with any RADIUS accounting server, the user can
continue to access network resources if the accounting optional command has been
used; otherwise, the user is disconnected from the system. The accounting optional
command is often used where only authentication is needed and no accounting is
needed.
• With the accounting optional command executed, the system does not send
real-time accounting update packets or accounting-stop packets for any user in
the RADIUS scheme.
Example
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] accounting optional
1.1.6 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit
max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port
portnum } } *
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameter
ip ip-address: Sets the IP address of the user. The attribute ip command for a local
user only applies to H3C 802.1x clients. If you configure this command on a non-H3C
client, local authentication will fail.
mac mac-address: Sets the MAC address of the user. Where, mac-address is in H-H-H
format.
idle-cut minute: Allows the local user to enable the idle-cut function. Where, minute is
the idle time before cutting down, which ranges from 1 minute to 120 minutes.
access-limit max-user-number: Sets the maximum number of users who can access
the switch with the current user name. Where, max-user-number ranges from 1 to 1024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, which VLAN the user belongs
to). Where, vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the remote access server port to which the
user is bound. Where, ip-address is in dotted decimal notation and is 127.0.0.1
(representing this device) by default. If the user is bound to a remote port, you must
specify the nas-ip parameter. If the user is bound to a local port, you need not specify
the nas-ip parameter.
port port-number: Sets the port bound with the user.
Description
Use the attribute command to set the attributes of a user whose service type is
lan-access.
Use the undo attribute command to cancel attribute settings of the user.
Related command: display local-user.
Example
# Set the IP address of user1 to 10.110.50.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] attribute ip 10.110.50.1
1.1.7 authentication default
Syntax
authentication default { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication default command to configure authentication scheme for all
users.
Use the undo authentication default command to restore the default authentication
scheme for all users.
By default, the local authentication is used.
The authentication scheme configured by the authentication default command is
applicable to all users. Its priority is lower than that of a scheme configured for a
specific access mode.
Related command: authorization default and accounting default.
Example
# In the default ISP domain named system, configure local as the default
authentication for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
default authentication scheme for all users, with local authentication as the backup.
Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme rd local
# In the default ISP domain named system, restore the default authentication scheme
for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication default
1.1.8 authentication lan-access
Syntax
authentication lan-access { radius-scheme radius-scheme-name [ local ] | local |
none }
undo authentication lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication lan-access command to configure the authentication scheme
for a lan-access user.
Use the undo authentication lan-access command to remove the authentication
scheme for a lan-access user.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication
scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
authentication scheme for the lan-access user, with local authentication as the backup.
Note that the rd scheme must already be configured. Related command: radius
scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for the
lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication lan-access
1.1.9 authentication login
Syntax
authentication login { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication login command to configure authentication for a login user.
Use the undo authentication login command to remove authentication for a login
user.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication
scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
authentication scheme for the login user, with local authentication as the backup.
Note that the rd scheme must already be configured. Related command: radius
scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for the
login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication login
1.1.10 authorization command
Syntax
authorization command hwtacacs-scheme hwtacacs-scheme-name
undo authorization command
View
ISP domain view
Parameter
hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32
characters.
Description
Use the authorization command command to configure the authorization scheme for
a CLI user.
Use the undo authorization command command to remove the authorization
scheme for a CLI user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure the HWTACACS scheme named hw as
the authorization scheme for the CLI user. Note that the hw scheme must already be
configured. Related command: hwtacacs scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization command hwtacacs-scheme hw
1.1.11 authorization default
Syntax
authorization default { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but
only owns the default rights.
Description
Use the authorization default command to configure the default authorization for all
users.
Use the undo authorization default command to restore the default authorization
scheme for all users.
By default, the local authorization is used.
It should be noted that:
• The authorization scheme configured by the authorization default command is
applicable to all users. Its priority is lower than that of a scheme configured for a
specific access mode.
• RADIUS authorization is a special case: it takes effect when the RADIUS schemes
for authentication and authorization are the same. If all RADIUS authorization
fails, the reason returned to the NAS is that the server did not respond.
Related command: authentication default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authorization
for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
default authorization scheme for all users, with local authorization as the backup.
Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default radius-scheme rd local
# In the default ISP domain named system, restore the default authorization scheme for
all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization default
1.1.12 authorization lan-access
Syntax
authorization lan-access { radius-scheme radius-scheme-name [ local ] | local |
none }
undo authorization lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but
only owns the default rights.
Description
Use the authorization lan-access command to configure authorization for a
lan-access user.
Use the undo authorization lan-access command to remove authorization for a
lan-access user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization
scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system]authorization lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
authorization scheme for the lan-access user, with local authorization as the backup.
Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for the
lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization lan-access
1.1.13 authorization login
Syntax
authorization login { radius-scheme radius-scheme-name [ local ] |
hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32
characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but
has only the default rights.
Description
Use the authorization login command to configure authorization for a login user.
Use the undo authorization login command to remove authorization for a login user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization
scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the
authorization scheme for the login user, with local as backup authorization. Note that the rd
scheme must already be configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for the
login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization login
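The following audit sketch is an added example, not part of the H3C manual: it scans a saved configuration for the authorization login and authorization lan-access settings described above and reports direct authorization (none), remote schemes without local backup, and values outside the documented syntax. The sample configuration, its indented layout, the function name and the finding codes are assumptions made for illustration.

```python
import re

# Constructed sample (not from the manual). Layout assumed: a "domain <name>"
# line followed by indented commands belonging to that ISP domain.
SAMPLE_CONFIG = """\
domain system
 authorization login radius-scheme rd local
 authorization lan-access none
domain guest.example
 authorization login hwtacacs-scheme tac
 authorization lan-access hwtacacs-scheme tac local
"""

AUTHZ_RE = re.compile(
    r"authorization\s+(login|lan-access)\s+"
    r"(?:(none)|local|(radius-scheme|hwtacacs-scheme)\s+(\S+)(\s+local)?)"
)

def audit_authorization(config_text):
    """Return (domain, access_type, finding) tuples that deserve review."""
    findings, domain = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            # Unindented line: either opens an ISP domain or leaves the block.
            parts = line.split()
            domain = parts[1] if parts[0] == "domain" and len(parts) == 2 else None
            continue
        m = AUTHZ_RE.fullmatch(line)
        if domain is None or m is None:
            continue
        access, none_kw, scheme_kw, scheme_name, backup = m.groups()
        if none_kw:
            findings.append((domain, access, "NONE"))
            continue
        if scheme_kw == "hwtacacs-scheme" and access == "lan-access":
            # The lan-access syntax lists only radius-scheme, local and none.
            findings.append((domain, access, "SCHEME_NOT_IN_SYNTAX"))
        if scheme_kw and len(scheme_name) > 32:
            findings.append((domain, access, "SCHEME_NAME_TOO_LONG"))
        if scheme_kw and not backup:
            findings.append((domain, access, "NO_LOCAL_BACKUP"))
    return findings

if __name__ == "__main__":
    for finding in audit_authorization(SAMPLE_CONFIG):
        print(*finding)
```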
1.1.14 cut connection
Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain
domain-name | interface interface-type interface-number | ip ip-address | mac
mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down user connections using the
specified access method. dot1x is used to cut down all 802.1x user connections, and
mac-authentication is used to cut down all MAC authentication user connections.
domain isp-name: Cuts down all user connections in the specified ISP domain. Where,
isp-name is the name of an ISP domain. It is a character string of up to 24 characters.
You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under the
specified port. Where interface-type is the port type and interface-number is the port
number.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address.
Where, mac-address is in the H-H-H format.
vlan vlan-id: Cuts down all user connections of the specified VLAN. Where, vlan-id
ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with the specified connection
index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Cuts down the user connection of the specified user. Where,
user-name is a character string of up to 80 characters. The string cannot contain the
following characters: /:*?<>. It can contain no more than one @ character. The pure
user name (user ID, that is, the part before @) cannot contain more than 55 characters,
Description
Use the cut connection command to forcibly cut down one user connection or one type of user
connection.
This command cannot cut down the connections of Telnet, SSH and FTP users.
Related command: display connection.
Example
# Cut down all user connections in the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net
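When cut connection is issued from a response script rather than typed by hand, the parameter limits listed above can be enforced before the line is sent to the switch. The helper below is an added example, not part of the H3C manual; the function names are hypothetical, the MAC pattern assumes 1 to 4 hex digits per H group, and the whitespace check is an extra precaution not stated in the manual.

```python
import re

FORBIDDEN_USER_CHARS = set("/:*?<>")
# H-H-H as stated for cut connection; 1 to 4 hex digits per group is an assumption.
MAC_RE = re.compile(r"[0-9A-Fa-f]{1,4}(?:-[0-9A-Fa-f]{1,4}){2}")

def check_user_name(name):
    if not 1 <= len(name) <= 80:
        raise ValueError("user-name must be 1 to 80 characters")
    if FORBIDDEN_USER_CHARS & set(name):
        raise ValueError("user-name contains one of /:*?<>")
    if name.count("@") > 1:
        raise ValueError("user-name contains more than one @")
    if len(name.split("@", 1)[0]) > 55:
        raise ValueError("pure user name exceeds 55 characters")

def check_range(value, low, high):
    number = int(value)  # raises ValueError on non-numeric input
    if not low <= number <= high:
        raise ValueError(f"{number} is outside {low}..{high}")
    return str(number)

def build_cut_connection(selector, value):
    """Return one validated 'cut connection' command line or raise ValueError."""
    value = str(value)
    if not value.isprintable() or any(c.isspace() for c in value):
        raise ValueError("value would add extra keywords or a second command line")
    arg = value
    if selector == "user-name":
        check_user_name(value)
    elif selector == "domain":
        if not 1 <= len(value) <= 24:
            raise ValueError("domain name must be 1 to 24 characters")
    elif selector == "mac":
        if not MAC_RE.fullmatch(value):
            raise ValueError("mac-address must be in H-H-H format")
    elif selector == "vlan":
        arg = check_range(value, 1, 4094)
    elif selector == "ucibindex":
        arg = check_range(value, 0, 4294967295)
    else:
        raise ValueError("unsupported selector")
    return f"cut connection {selector} {arg}"

def is_valid(selector, value):
    try:
        return bool(build_cut_connection(selector, value))
    except ValueError:
        return False
```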
1.1.15 display connection
Syntax
display connection [ access-type { dot1x | mac-authentication } | domain
domain-name | interface interface-type interface-number | ip ip-address | mac
mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | mac-authentication }: Displays the user connections in
specified access mode. Where, dot1x is used to display all 802.1x user connections,
and mac-authentication is used to display all MAC authentication user connections.
domain isp-name: Displays all user connections under the specified ISP domain.
Where, isp-name is the name of an ISP domain, a character string of up to 24
characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the
specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address.
Where, mac-address is in dotted hexadecimal notation (in the form of H.H.H).
vlan vlan-id: Displays all user connections of the specified VLAN. Where, vlan-id
ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with the specified connection
index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Displays the user connection with the specified user name.
Where, user-name is a character string in the format of pure-username@domain-name.
The pure-username cannot be longer than 55 characters, and the whole string cannot
be longer than 80 characters.
Description
Use the display connection command to display information about specified or all
user connections.
If you execute this command without specifying any parameter, all user connections will
be displayed.
This command cannot display information about the connections of the FTP users.
Related command: cut connection.
Example
# Display information about all user connections.
<Sysname> display connection
Total 0 connections matched ,0 listed.
1.1.16 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must
be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one
specific or all ISP domains.
Related command: access-limit, domain and state.