
S300, S500, S2700, S5700, and S6700 Series Ethernet Switches
Configuration Guide - User Access and Authentication

1 AAA Configuration

1.1 Overview of AAA
1.2 Understanding AAA
1.3 Application Scenarios for AAA
1.4 Licensing Requirements and Limitations for AAA
1.5 Default Settings for AAA
1.6 Summary of AAA Configuration Tasks
1.7 Configuring Local Authentication and Authorization
1.8 Using RADIUS to Perform Authentication, Authorization, and Accounting
1.9 Using HWTACACS to Perform Authentication, Authorization, and Accounting
1.10 Configuring HACA Authentication
1.11 Maintaining AAA
1.12 Configuration Examples for AAA
1.13 Troubleshooting AAA
1.14 FAQ About AAA

1.1 Overview of AAA


Access control is the way you control who is allowed access to the network server
and what services they are allowed to use once they have access. Authentication,
authorization, and accounting (AAA) network security services provide the primary
framework through which you set up access control on the Network Access Server
(NAS).

Definition
AAA is an architectural framework for configuring a set of three independent
security functions in a consistent manner. AAA provides a modular way of
performing the following services:

Issue 04 (2022-06-07) Copyright © Huawei Technologies Co., Ltd. 1



● Authentication: confirms the identities of users accessing the network and
determines whether the users are authorized.
● Authorization: assigns differentiated rights to authorize users to use specific
services.
● Accounting: records all the operations of a user during the network service
process, including the used service type, start time, and data traffic, to collect
and record the network resource usage of the user for implementing time- or
traffic-based accounting and network monitoring.

Basic Architecture of AAA


AAA uses the client/server structure. The access device on which an AAA client
runs is usually called an NAS. The NAS is responsible for user identity verification
and user access management. An AAA server provides a collection of
authentication, authorization, and accounting functions and is responsible for
centralized user information management. Figure 1-1 shows the basic AAA
architecture.

Figure 1-1 Basic architecture of AAA

AAA can be implemented using multiple protocols. Currently, AAA can be
implemented on a device based on RADIUS or HWTACACS. RADIUS is most
commonly used in actual scenarios.
For the AAA server in Figure 1-1, you can decide which protocol the AAA server
uses to implement each of the authentication, authorization, and accounting
functions based on actual networking requirements. Users can also use only one
or two of the security services provided by AAA. For example, if a company only
wants to authenticate employees who access certain network resources, the
network administrator only needs to configure an authentication server. If the
company also wants to record operations performed by employees on the network,
an accounting server is required as well.

Purpose
AAA provides authentication, authorization, and accounting functions for users,
preventing unauthorized users from logging in to a switch and improving system
security.


1.2 Understanding AAA

1.2.1 Domain-based User Management


An NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.
As shown in Figure 1-2, the domain manages configuration information including
the AAA scheme, server template, and authorization information in a unified
manner.
● AAA scheme: is divided into authentication, authorization, and accounting
schemes that are used to define authentication, authorization, and accounting
methods and the order in which the methods take effect. For details about
the AAA scheme, see 1.2.2 AAA Scheme.
● Server template: is used to configure a server for authentication,
authorization, and accounting. When a server is configured for authorization,
you can obtain the authorization information from the server and domain. For
details, see Figure 1-3.
If local authentication or authorization is used, you need to configure
information related to the local user.
● Authorization information in the domain: can be configured in a domain. You
can bind a service scheme and a user group to a domain. Authorization
information such as the authorization ACL and VLAN can be configured in a
user group.


Figure 1-2 AAA configuration information in a domain

Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-3.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, the authorization information delivered
by the server takes effect. If there is no conflict, both types of authorization
information take effect simultaneously. In this way, you can extend
authorization flexibly through domain management, regardless of the
authorization attributes provided by the AAA server.


Figure 1-3 Two types of authorization information

Domain to Which a User Belongs


As shown in Figure 1-4, the domain to which a user belongs is determined by the
user name for logging in to the NAS. If the user name does not contain the
domain name or the domain name contained in the user name is not configured
on the NAS, the NAS cannot determine the domain to which the user belongs. In
this case, the NAS adds the user to the default domain based on the user type.

Figure 1-4 Determining domains based on user names

As shown in Table 1-1, AAA divides users into administrators and access users to
provide more refined and differentiated authentication, authorization, and
accounting services. An NAS has two global default domains, namely, the global
default administrative domain default_admin and the global default common
domain default. The two domains are used as the global default domains for
administrators and access users, respectively. Default configurations in the two
domains are different.


NOTE

The accounting scheme default is bound to the two global default domains. Modifying the
accounting scheme may affect configurations of the two domains.
The two global default domains cannot be deleted and can only be modified.

Table 1-1 Global default domain

User Type: Administrator
User Access Mode: Is also called a login user and refers to the user who can log
in to the NAS through FTP, HTTP, SSH, Telnet, and the console port.
Global Default Domain: default_admin
Default Configurations in the Global Default Domain:
  Authentication Scheme: default (local authentication)
  Accounting Scheme: default (non-accounting)
  Authorization Scheme: N/A

User Type: Access user
User Access Mode: Includes NAC users (including 802.1X authenticated, MAC
address authenticated, and Portal authenticated users).
Global Default Domain: default
Default Configurations in the Global Default Domain:
  Authentication Scheme: radius
  Accounting Scheme: default (non-accounting)
  Authorization Scheme: N/A

The global default domain can be customized based on actual requirements. The
customized global default domain can be the global default common domain and
the global default management domain at the same time.
You can run the display aaa configuration command to check the current global
default common domain and the global default management domain on the NAS.
The command output is as follows:
<HUAWEI> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default management domain
Normal user default domain : default //Global default common domain

For some access modes, you can specify the domain to which a user belongs using
the command provided in the corresponding authentication profile to meet
requirements of the user authentication management policy. For example, you can
configure a default domain and a forcible domain for NAC access users on the
NAS based on the authentication profile and specify the user type (802.1X, MAC
address, or Portal authenticated user), achieving flexible configuration. The
forcible domain, default domain, and domain carried in the user name are listed
below in descending order of priority:

Forcible domain with a specified authentication method in the authentication
profile > Forcible domain in the authentication profile > Domain carried in the
user name > Default domain with a specified authentication method in the
authentication profile > Default domain in the authentication profile > Global
default domain.

Note that a forcible domain specified for MAC address authenticated users within
a MAC address range has the highest priority and takes precedence over that
configured in an authentication profile.

Format of User Names Sent by an NAS to the RADIUS Server


NOTE

● Only RADIUS authentication supports modification of the user-entered original user names.
● You can change the user-entered original user name based on the RADIUS server template.

An NAS can determine whether a user name sent to the RADIUS server contains
the domain name based on the RADIUS server requirements. By default, an NAS
directly sends the user-entered original user name to the RADIUS server without
changing it.

You can set the format of user names sent by an NAS to the RADIUS server using
the commands in Table 1-2.

The following commands modify only the user name format in RADIUS packets
sent to the RADIUS server and do not modify the user name format in EAP
packets. During 802.1X authentication, the RADIUS server checks whether the user
name carried in EAP packets is the same as that on the RADIUS server. Therefore,
you cannot modify the original user name using the radius-server user-name
domain-included or undo radius-server user-name domain-included command
during 802.1X authentication; otherwise, authentication may fail.

Table 1-2 Setting the format of user names sent by an NAS to the RADIUS server

Command: radius-server user-name original (default configuration)
User Name Format: User-entered original user name
User-entered User Name -> User Name Sent by an NAS to the RADIUS Server:
  user-name@huawei.com -> user-name@huawei.com
  user-name -> user-name

Command: radius-server user-name domain-included
User Name Format: Domain name included
User-entered User Name -> User Name Sent by an NAS to the RADIUS Server:
  user-name@huawei.com -> user-name@huawei.com
  user-name -> user-name@default (assuming that users use the default domain
  default)

Command: undo radius-server user-name domain-included
User Name Format: Domain name excluded
User-entered User Name -> User Name Sent by an NAS to the RADIUS Server:
  user-name@huawei.com -> user-name
  user-name -> user-name

Command: undo radius-server user-name domain-included except-eap
NOTE: This command takes effect only for non-EAP authenticated users.
User Name Format: Domain name excluded
User-entered User Name -> User Name Sent by an NAS to the RADIUS Server:
  user-name@huawei.com -> user-name
  user-name -> user-name
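The domain selection rules from "Domain to Which a User Belongs" (delimiter, parse direction and domain location from the display aaa configuration output, then the priority chain) together with the Table 1-2 user-name formats, as an added example that is not Huawei code; the function names, the AuthProfile fields and the mode strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Values shown in the "display aaa configuration" output on the page.
DELIMITER = "@"
PARSE_DIRECTION = "left-to-right"    # alternative: "right-to-left"
DOMAIN_LOCATION = "after-delimiter"  # alternative: "before-delimiter"
# Global default domains for the two user types (Table 1-1).
GLOBAL_DEFAULT_DOMAIN = {"admin": "default_admin", "access": "default"}


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (pure user name, domain carried in the user name or None)."""
    if DELIMITER not in user_name:
        return user_name, None
    if PARSE_DIRECTION == "left-to-right":
        left, right = user_name.split(DELIMITER, 1)
    else:
        left, right = user_name.rsplit(DELIMITER, 1)
    return (left, right) if DOMAIN_LOCATION == "after-delimiter" else (right, left)


def join_user_name(pure: str, domain: str) -> str:
    if DOMAIN_LOCATION == "after-delimiter":
        return pure + DELIMITER + domain
    return domain + DELIMITER + pure


@dataclass
class AuthProfile:
    """Domain settings an authentication profile can carry (hypothetical model)."""
    forcible_domain: Optional[str] = None
    forcible_domain_by_method: Dict[str, str] = field(default_factory=dict)
    default_domain: Optional[str] = None
    default_domain_by_method: Dict[str, str] = field(default_factory=dict)


def resolve_domain(user_name: str, user_type: str, configured: Set[str],
                   profile: Optional[AuthProfile] = None,
                   auth_method: Optional[str] = None,
                   mac_range_forcible_domain: Optional[str] = None) -> str:
    """Pick the user's domain in the priority order the guide lists."""
    _, carried = split_user_name(user_name)
    # A domain named in the user name counts only if it exists on the NAS.
    if carried not in configured:
        carried = None
    p = profile or AuthProfile()
    candidates = [
        mac_range_forcible_domain if auth_method == "mac" else None,  # highest
        p.forcible_domain_by_method.get(auth_method),
        p.forcible_domain,
        carried,
        p.default_domain_by_method.get(auth_method),
        p.default_domain,
        GLOBAL_DEFAULT_DOMAIN[user_type],                             # lowest
    ]
    return next(d for d in candidates if d)


def radius_user_name(entered: str, mode: str, domain: str, eap: bool = False) -> str:
    """User-Name the NAS sends to the RADIUS server for each Table 1-2 setting.
    `domain` is the domain the user was placed in (e.g. from resolve_domain)."""
    pure, carried = split_user_name(entered)
    if mode == "original":                  # radius-server user-name original
        return entered
    if mode == "domain-included":           # radius-server user-name domain-included
        return entered if carried else join_user_name(pure, domain)
    if mode == "domain-excluded":           # undo radius-server user-name domain-included
        return pure
    if mode == "domain-excluded-except-eap":  # ... except-eap: EAP users unchanged
        return entered if eap else pure
    raise ValueError(f"unknown mode {mode!r}")
```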

1.2.2 AAA Scheme

During AAA implementation, you can define a set of AAA configuration policies
using an AAA scheme. An AAA scheme contains a collection of authentication,
authorization, and accounting methods defined on an NAS. Such methods can be
used in combination depending on access features of users and security
requirements.

1.2.2.1 Authentication Scheme

An authentication scheme is used to define methods for user authentication and
the order in which authentication methods take effect. An authentication scheme
is applied to a domain. It is combined with the authorization scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.

Authentication Methods Supported by a Device


● RADIUS authentication: User information is configured on the RADIUS server
through which user authentication is performed.
● HWTACACS authentication: User information is configured on the HWTACACS
server through which user authentication is performed.
● Local authentication: The device functions as an authentication server and
user information is configured on the device. This mode features fast
processing and low operation costs. However, the information storage
capacity is subject to the device hardware.
● Non-authentication: Users are completely trusted without validity check. This
mode is rarely used.


Order in Which Authentication Methods Take Effect


An authentication scheme enables you to designate one or more authentication
methods to be used for authentication, thus ensuring a backup system for
authentication in case the initial method does not respond. An NAS uses the first
method listed in the scheme to authenticate users; if that method does not
respond, the NAS selects the next authentication method in the authentication
scheme. This process continues until there is successful communication with a
listed authentication method or the authentication method list is exhausted, in
which case authentication fails.
NOTE

The NAS attempts authentication with the next listed authentication method only when there is
no response from the previous method. If authentication fails at any point in this cycle —
meaning that the AAA server responds by denying the user access — the authentication process
stops and no other authentication methods are attempted.

1.2.2.2 Authorization Scheme

An authorization scheme is used to define methods for user authorization and the
order in which authorization methods take effect. An authorization scheme is
applied to a domain. It is combined with the authentication scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.

Authorization Methods Supported by a Device


● HWTACACS authorization: An HWTACACS server is used to authorize users.
● Local authorization: The device functions as an authorization server to
authorize users based on user information configured on the device.
● Non-authorization: Authenticated users have unrestricted access rights on a
network.
● if-authenticated authorization: If a user passes authentication, the user also
passes authorization; otherwise, the user fails authorization. This mode applies
to scenarios where users must be authenticated and the authentication process
can be separated from the authorization process.
NOTE

RADIUS authentication is combined with authorization and cannot be separated. If
authentication succeeds, authorization also succeeds. When RADIUS authentication is used, you
do not need to configure an authorization scheme.

In addition, the "authentication + rights level" method is typically used to control
access of the administrators (login users) to the device, improving the device
operation security. Authentication restricts the administrators' access to the device
and the rights level defines commands that the administrators can enter after
logging in to the device. For details about the method, see CLI Login Configuration
in S300, S500, S2700, S5700, and S6700 V200R021C00, C01 CLI-based
configuration - Basic Configuration Guide.

Order in Which Authorization Methods Take Effect


An authorization scheme enables you to designate one or more authorization
methods to be used for authorization, thus ensuring a backup system for
authorization in case the initial method does not respond. The first method listed
in the scheme is used to authorize users; if that method does not respond, the
next authorization method in the authorization scheme is selected. If the initial
method responds with an authorization failure message, the AAA server refuses to
provide services for the user. In this case, authorization ends and the next listed
method is not used.
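The method-list walk described above for authentication schemes and again for authorization schemes, as an added example that is not Huawei code: a method is skipped only when it does not respond, while an explicit accept or reject from any server ends the walk. The handler names, the constructed server stubs and the user lists are assumptions.

```python
from typing import Callable, Dict, List, Set, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"
Handler = Callable[[str], str]


def run_method_list(methods: List[str], handlers: Dict[str, Handler],
                    user: str) -> Tuple[str, str]:
    """Try the methods in order; return (result, method that decided it)."""
    for name in methods:
        result = handlers[name](user)
        if result == NO_RESPONSE:
            continue                      # fall through to the backup method
        return result, name               # accept OR reject stops the walk
    return REJECT, "list-exhausted"       # every method was silent: request fails


def make_server(reachable: bool, allowed: Set[str]) -> Handler:
    """Constructed stand-in for a RADIUS/HWTACACS server or the local database."""
    def handler(user: str) -> str:
        if not reachable:
            return NO_RESPONSE            # timeout: NAS moves to the next method
        return ACCEPT if user in allowed else REJECT
    return handler


def authenticate(user: str, radius_up: bool = True, hwtacacs_up: bool = True):
    """Authentication scheme "radius hwtacacs local" (constructed user lists)."""
    handlers = {
        "radius": make_server(radius_up, {"alice"}),
        "hwtacacs": make_server(hwtacacs_up, {"alice", "bob"}),
        "local": make_server(True, {"admin"}),
    }
    return run_method_list(["radius", "hwtacacs", "local"], handlers, user)


def authorize(user: str, authenticated: bool, hwtacacs_up: bool = True):
    """Authorization scheme "hwtacacs if-authenticated": the second method
    passes exactly the users that already passed authentication."""
    handlers = {
        "hwtacacs": make_server(hwtacacs_up, {"alice"}),
        "if-authenticated": lambda u: ACCEPT if authenticated else REJECT,
    }
    return run_method_list(["hwtacacs", "if-authenticated"], handlers, user)
```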

Authorization Information
Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-5.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, the authorization information delivered
by the server takes effect. If there is no conflict, both types of authorization
information take effect simultaneously. In this way, you can extend
authorization flexibly through domain management, regardless of the
authorization attributes provided by the AAA server.

Figure 1-5 Two types of authorization information

Table 1-3 shows authorization information typically used by a server. Table 1-4
shows authorization information that can be configured in a domain.

Table 1-3 Common authorization information of a RADIUS server

Authorization information and description:

● ACL number: Is delivered by the server. You need to configure ACL number-
related rules on the NAS.
● ACL rule: Is directly delivered by the server. As defined in the rule, users
can access all network resources included in the ACL. You do not need to
configure the corresponding ACL on the NAS.
● VLAN: If dynamic VLAN delivery is configured on the server, authorization
information sent to the NAS includes the VLAN attribute. After the NAS
receives the authorization information, it changes the VLAN to which the user
belongs to the delivered VLAN. The delivered VLAN does not change or affect
the interface configuration. The delivered VLAN, however, takes precedence
over the user-configured VLAN. That is, the delivered VLAN takes effect after
the authentication succeeds, and the user-configured VLAN takes effect after
the user goes offline.
● User group/UCL group: The server delivers the user group name, UCL group
name, or UCL group ID to the NAS. You need to configure the corresponding
group and network resources in the group on the NAS.
● CAR: The server delivers authorization to control the committed information
rate (CIR), peak information rate (PIR), committed burst size (CBS), and peak
burst size (PBS) for access between the user and NAS.
● Administrator level: Priority of an administrator (such as a Telnet user)
delivered by the server. The priority ranges from 0 to 15. A value greater than
or equal to 16 is invalid.
● Service scheme: Name of a service scheme delivered by the server. You need
to configure the corresponding service scheme and the network authorization
and policy in the scheme on the NAS.
● Idle-cut: Idle-cut time delivered by the server. After a user goes online, if
the consecutive non-operation period or the duration when traffic is lower
than a specified value exceeds the idle-cut time, the user is disconnected.
● Reauthentication or forcible logout: Remaining service availability period
delivered by the server. If the period expires, reauthentication is performed
for the user or the user is forced to go offline according to the server-
delivered action.


Table 1-4 Authorization information that can be configured in a domain


Authorization parameter and description:

● VLAN: VLAN-based authorization is easy to deploy and requires low
maintenance costs. It applies to scenarios where employees in an office or a
department have the same access rights. In local authorization, you only need
to configure VLANs and corresponding network resources in the VLAN on the
NAS. An authorized VLAN cannot be delivered to online Portal users. For MAC
address-prioritized Portal authentication, the Agile Controller-Campus V1
delivers the session timeout attribute after Portal authentication succeeds
so that users go offline immediately, and then delivers an authorized VLAN
to users after the users pass MAC address authentication. After a user
obtains VLAN-based authorization, the user needs to manually request an IP
address using DHCP.
● Service scheme: A service scheme and corresponding network resources in
the scheme need to be configured on the NAS.
● User group (common mode): A user group consists of users (terminals) with
the same attributes such as the role and rights. For example, you can divide
users on a campus network into the R&D group, finance group, marketing
group, and guest group based on the enterprise department structure, and
grant different security policies to different departments. You need to
configure a user group and corresponding network resources in the group on
the NAS.
● UCL group (unified mode): UCL groups identify the user types. The
administrator can add the users requiring the same network access policy to
the same UCL group, and configure a set of network access policies for the
group. You need to configure a UCL group and corresponding network
resources in the group on the NAS.

1.2.2.3 Accounting Scheme

An accounting scheme is used to define a user accounting method. An accounting
scheme is applied to a domain. It is combined with the authentication scheme,
authorization scheme, and server template in the domain for user authentication,
authorization, and accounting.


Accounting Methods Supported by a Device


● RADIUS accounting: A RADIUS server is used to perform user accounting.
● HWTACACS accounting: An HWTACACS server is used to perform user
accounting.
● Non-accounting: Users can access a network without being charged.

Order in Which Accounting Methods Take Effect


You can specify only one accounting method in an accounting scheme.
As described in 1.2.4.2 RADIUS Packets, accounting packets are divided into
Accounting-Request and Accounting-Response packets. Accounting succeeds if the
server answers each Accounting-Request packet sent by a device with an
Accounting-Response packet. If no Accounting-Response packet is received from
the server, accounting fails.
After the accounting function is enabled, the device sends Accounting-Request
packets recording user activities to the AAA server. The AAA server then performs
user accounting and auditing based on information in the packets. Take RADIUS
accounting as an example. Accounting-Request packets are divided into three
types:
● Accounting-Request (Start) packet: When a user is successfully authenticated
and begins to access network resources, the device sends an Accounting-
Request (Start) packet to the RADIUS server.
● Accounting-Request (Stop) packet: When a user is disconnected proactively
(or forcibly by the NAS), the device sends an Accounting-Request (Stop)
packet to the server.
● Accounting-Request (Interim-update) packet: To reduce accounting deviation
and ensure that the accounting server can receive Accounting-Request (Stop)
packets and stop user accounting, you can configure the real-time accounting
function on the device. In this case, the device periodically sends an
Accounting-Request (Interim-update) packet to the RADIUS server.
Typically, the server answers each Accounting-Request packet sent by a device
with an Accounting-Response packet. If the device does not receive the
corresponding Accounting-Response packet because of a network fault, accounting
fails. In this case, the device determines whether the user can stay online
depending on the type of the Accounting-Request packet, as follows:
● Accounting-start failure: The user goes offline by default.
● Real-time accounting failure: The user is allowed to stay online by default.
● Accounting-stop failure: The device retransmits the Accounting-Request (Stop)
packet.
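The Start / Interim-update / Stop flow and the three failure outcomes described above, as an added example that is not Huawei code; the AccountingSession class, the constructed FlakyServer stub and the user name are assumptions. Stop packets that get no Accounting-Response are kept in a local buffer for retransmission, which is the behaviour the RADIUS client section of this guide lists.

```python
from collections import deque
from typing import Callable, Deque, List, Tuple

START, INTERIM, STOP = "Start", "Interim-Update", "Stop"
LogEntry = Tuple[str, bool, bool]   # (packet type, response received, user online after)


class AccountingSession:
    def __init__(self, user: str, send: Callable[[str, str], bool]):
        # send(pkt_type, user) returns True when an Accounting-Response came back.
        self.user, self.send = user, send
        self.online = False
        self.stop_buffer: Deque[Tuple[str, str]] = deque()  # unacknowledged Stop packets
        self.log: List[LogEntry] = []

    def start(self) -> bool:
        acked = self.send(START, self.user)
        self.online = acked            # accounting-start failure: user goes offline
        self.log.append((START, acked, self.online))
        return self.online

    def interim_update(self) -> bool:
        acked = self.send(INTERIM, self.user)
        # real-time accounting failure: the user stays online by default
        self.log.append((INTERIM, acked, self.online))
        return acked

    def stop(self) -> bool:
        acked = self.send(STOP, self.user)
        self.online = False            # the user is leaving regardless of the answer
        if not acked:
            self.stop_buffer.append((STOP, self.user))  # buffered for retransmission
        self.log.append((STOP, acked, self.online))
        return acked

    def retransmit_stops(self) -> bool:
        """Resend buffered Stop packets until the server acknowledges them."""
        while self.stop_buffer:
            pkt_type, user = self.stop_buffer[0]
            if not self.send(pkt_type, user):
                return False           # still unreachable; keep the packet buffered
            self.stop_buffer.popleft()
        return True


class FlakyServer:
    """Constructed stand-in for the accounting server: it swallows one
    Accounting-Response for each packet type listed in `drop`."""
    def __init__(self, drop):
        self.drop = list(drop)
        self.received: List[str] = []

    def send(self, pkt_type: str, user: str) -> bool:
        self.received.append(pkt_type)
        if pkt_type in self.drop:
            self.drop.remove(pkt_type)
            return False
        return True


def run_session(drop=()) -> Tuple[AccountingSession, FlakyServer]:
    """One user session: start, one interim update, stop, then retransmission."""
    server = FlakyServer(drop)
    session = AccountingSession("alice", server.send)
    if session.start():
        session.interim_update()
        session.stop()
        session.retransmit_stops()
    return session, server
```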

1.2.3 Local Authentication and Authorization

Local AAA Server


A device functioning as an AAA server is called a local AAA server. It performs
user authentication and authorization but cannot perform user accounting.
Similar to a remote AAA server, the local AAA server requires the user names,
passwords, and authorization information of local users. The authentication and
authorization speed of a local AAA server is faster than that of a remote AAA
server, which reduces operation costs. However, the information storage capacity
of a local AAA server is subject to the device hardware.

Security Policy for Local User Password


Password Length and Complexity

When an administrator creates local users on a device, the length and complexity
of local users' passwords are controlled by commands on the device. The
complexity check requires that the password be a combination of at least
two of the following: digits, lowercase letters, uppercase letters, and special
characters. In addition, a password must consist of at least eight characters.

Password Validity Period

After the local administrator password policy is enabled, the local administrator
can set the password validity period. The default validity period is 90 days and can
be changed.

If the password of a local user expires and the local user still uses this password to
log in to the device, the device prompts the user that the password has expired,
and asks the user whether to change the password. The device then performs the
following operations depending on the user selection:
● If the user enters Y, the user needs to enter the old password, new password,
and confirm password. The password can be successfully changed only when
the old password is correct and the new password and confirm password are
the same and meet password length and complexity requirements.
● If the user enters N or fails to change the password, the device does not allow
the user to log in.

The device also supports the password expiration prompt function. When a user
logs in to the device, the device checks how many days the password remains
valid. If the number of days is less than the prompt days set in the command, the
device notifies the user how long it is until the password expires and asks the
user whether to change the password.
● If the user changes the password, the device records the new password and
modification time.
● If the user does not change the password or fails to change the password, the
user can still log in to the device as long as the password has not expired.

Password Modification Policy

During password modification, you are not advised to use old passwords. By
default, the new password cannot be the same as those used for the last five
times.

The local administrator can change the password of an equal- or lower-level local
user.
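The local-user password policy described above (minimum length and two-of-four character classes, the 90-day validity period with an expiration prompt, and no reuse of the last five passwords), as an added example that is not Huawei code. The LocalUser class, the PROMPT_DAYS value and the fixed-salt history hash are assumptions made for illustration.

```python
import hashlib
from datetime import date
from string import ascii_lowercase, ascii_uppercase, digits

MIN_LENGTH = 8        # at least eight characters
VALIDITY_DAYS = 90    # default validity period stated on the page
HISTORY_SIZE = 5      # the new password may not match the last five
PROMPT_DAYS = 7       # assumed value for the expiration prompt threshold


def complexity_ok(password: str) -> bool:
    """At least two of: digits, lowercase, uppercase, special characters."""
    classes = [
        any(c in digits for c in password),
        any(c in ascii_lowercase for c in password),
        any(c in ascii_uppercase for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 2


def _digest(password: str) -> str:
    # Constructed fixed-salt hash so the history never holds plaintext;
    # a production store would use a per-user salt and a slow password hash.
    return hashlib.sha256(b"example-salt:" + password.encode()).hexdigest()


class LocalUser:
    def __init__(self, name: str, password: str, today: date):
        if not complexity_ok(password):
            raise ValueError("password does not meet length/complexity rules")
        self.name = name
        self.history = [_digest(password)]   # oldest first, current password last
        self.changed_on = today

    def days_left(self, today: date) -> int:
        return VALIDITY_DAYS - (today - self.changed_on).days

    def login_state(self, today: date) -> str:
        """What the device tells the user at login: "ok", "prompt" or "expired"."""
        left = self.days_left(today)
        if left <= 0:
            return "expired"     # login allowed only after a successful change
        if left < PROMPT_DAYS:
            return "prompt"      # warn, but login still allowed without a change
        return "ok"

    def change_password(self, old: str, new: str, confirm: str, today: date) -> bool:
        """The checks on the "Y" path: old password correct, new == confirm,
        complexity met, and no reuse of the last HISTORY_SIZE passwords."""
        if _digest(old) != self.history[-1]:
            return False
        if new != confirm or not complexity_ok(new):
            return False
        if _digest(new) in self.history[-HISTORY_SIZE:]:
            return False
        self.history.append(_digest(new))
        self.changed_on = today              # records the modification time
        return True
```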

1.2.4 RADIUS AAA


1.2.4.1 Overview of RADIUS

AAA can be implemented using multiple protocols. RADIUS is most frequently
used in actual scenarios.
RADIUS is a protocol that uses the client/server model in distributed mode and
protects a network from unauthorized access. It is often used on networks that
require high security and control remote user access. It defines the UDP-based
RADIUS packet format and transmission mechanism, and specifies destination
UDP ports 1812 and 1813 as the default authentication and accounting ports
respectively.
Originally, RADIUS was an AAA protocol used only for dial-up users. As user
access modes have diversified (for example, Ethernet access), RADIUS has been
extended to these access modes as well. RADIUS provides the access service
through authentication and authorization and records the network resource usage
of users through accounting.
RADIUS has the following characteristics:
● Client/Server model
● Secure message exchange mechanism
● Fine scalability

Client/Server Model
● RADIUS client
RADIUS clients run on the NAS to transmit user information to a specified
RADIUS server and process requests (for example, permit or reject user access
requests) based on the responses from the server. RADIUS clients can be
located at any node on a network.
As a RADIUS client, a device supports:
– standard RADIUS protocol and its extensions, including RFC 2865 and RFC
2866
– Huawei extended RADIUS attributes
– RADIUS server status detection
– retransmission of Accounting-Request(Stop) packets in the local buffer
– active/standby and load balancing functions between RADIUS servers
● RADIUS server
RADIUS servers typically run on central computers and workstations to
maintain user authentication and network service access information. The
servers receive connection requests from users, authenticate the users, and
send all required information (such as permitting or rejecting authentication
requests) to the clients. A RADIUS server generally needs to maintain three
databases, as shown in Figure 1-6.


Figure 1-6 Databases maintained by a RADIUS server

– Users: This database stores user information such as user names,
passwords, protocols, and IP addresses.
– Clients: This database stores RADIUS client information, such as the
shared keys and IP addresses.
– Dictionary: This database stores the attributes in the RADIUS protocol
and their value descriptions.

Secure Message Exchange Mechanism


Authentication messages between a RADIUS server and RADIUS clients are
exchanged using a shared key. The shared key is a character string that is
transmitted in out-of-band mode, is known to both clients and the server, and
does not need to be transmitted independently on the network.
A RADIUS packet has a 16-octet Authenticator field that contains the digital
signature data of the whole packet. The signature data is calculated using the
MD5 algorithm and shared key. The RADIUS packet receiver needs to verify
whether the signature is correct and discards the packet if the signature is
incorrect.
This mechanism improves security of message exchange between RADIUS clients
and the RADIUS server. In addition, user passwords contained in RADIUS packets
are encrypted using shared keys before the packets are transmitted to prevent the
user passwords from being stolen during transmission on an insecure network.

Fine Scalability
A RADIUS packet consists of a packet header and a certain number of attributes.
The protocol implementation remains unchanged even if new attributes are added
to a RADIUS packet.

1.2.4.2 RADIUS Packets

RADIUS Packet Format


RADIUS is based on the UDP protocol. Figure 1-7 shows the RADIUS packet
format.

Figure 1-7 RADIUS packet format

Each RADIUS packet contains the following information:
● Code: The Code field is one octet and identifies the type of a RADIUS packet.
The value of the Code field varies depending on the RADIUS packet type. For
example, the value 1 indicates an Access-Request packet and the value 2
indicates an Access-Accept packet.
● Identifier: The Identifier field is one octet and helps the RADIUS server match
requests and responses and detect duplicate requests retransmitted within a
certain period. After a client sends a request packet, the server sends a reply
packet with the same Identifier value as the request packet.
● Length: The Length field is two octets and specifies the length of a RADIUS
packet. Octets outside the range of the Length field must be treated as
padding and ignored on reception. If a packet is shorter than the Length field
indicates, it must be silently discarded.
● Authenticator: The Authenticator field is 16 octets. This value is used to
authenticate the reply from the RADIUS server and is used in the password
hiding algorithm.
● Attribute: This field is variable in length. RADIUS attributes carry the specific
authentication, authorization, and accounting information and configuration
details for the request and reply packets. The Attribute field may contain
multiple attributes, each of which consists of Type, Length, and Value. For
details, see 1.2.4.8 RADIUS Attributes.
– Type: The Type field is one octet and indicates the RADIUS attribute ID.
The value ranges from 1 to 255.
– Length: The Length field is one octet and indicates the length of the
RADIUS attribute (including the Type, Length, and Value fields). The
Length is measured in octets.
– Value: The maximum length of the Value field is 253 bytes. The Value
field contains information specific to the RADIUS attribute. The format
and length of the Value field are determined by the Type and Length fields.
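The packet layout and Length rules above, together with the shared-key Authenticator and password hiding described under Secure Message Exchange Mechanism, as an added Python example that is not part of the Huawei guide: it builds an Access-Request with a hidden User-Password, parses the header and attribute TLVs, and verifies the Response Authenticator of an Access-Accept. The shared key, user name and password are constructed values.

```python
# Added example, not from the Huawei guide: RADIUS packet encoding/parsing and
# the shared-key Authenticator checks described above (RFC 2865 rules).
# Shared key, user name and password below are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2     # Code values named in the text
USER_NAME, USER_PASSWORD = 1, 2          # attribute Types from RFC 2865
HEADER_LEN = 20                          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Type, Length, Value: Length counts Type and Length, so Value <= 253 octets."""
    if not 1 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute Type or Value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 password hiding: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Applying it twice to a one-block password restores it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """Returns (packet, request_authenticator). The Request Authenticator is a
    random 16-octet value; it can be injected for reproducible tests."""
    ra = request_authenticator or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, ra)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + ra + attrs, ra


def parse_packet(data):
    """Applies the Length rules from the text: octets beyond Length are padding
    and are ignored; a datagram shorter than Length is silently discarded (None)."""
    if len(data) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or len(data) < length:
        return None
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            return None                       # truncated Type/Length
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None                       # malformed TLV, discard packet
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": data[4:HEADER_LEN], "attrs": attrs}


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(identifier, request_authenticator, secret, attrs=b""):
    """Server side: the reply carries the same Identifier and a Response Authenticator."""
    ra = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs)) + ra + attrs


def verify_response(reply, request_authenticator, secret):
    """Client side: a reply whose Authenticator does not match the outstanding
    Request Authenticator under the shared key is discarded."""
    parsed = parse_packet(reply)
    if parsed is None:
        return False
    attrs = reply[HEADER_LEN:parsed["length"]]
    expected = response_authenticator(parsed["code"], parsed["identifier"], attrs,
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, parsed["authenticator"])


if __name__ == "__main__":
    secret = b"constructed-shared-key"
    req, ra = build_access_request(7, b"alice", b"s3cret", secret)
    print(parse_packet(req))
    reply = build_access_accept(7, ra, secret)
    print("genuine reply verified:", verify_response(reply, ra, secret))
    print("reply with altered Code verified:", verify_response(b"\x03" + reply[1:], ra, secret))
```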

RADIUS Packet Type


RADIUS defines 16 types of packets. Table 1-5 describes the types of
authentication packets, and Table 1-6 describes the types of accounting packets.
For RADIUS CoA/DM packets, see 1.2.4.7 RADIUS CoA/DM.

Table 1-5 RADIUS authentication packet

● Access-Request: Access-Request packets are sent from a client to a RADIUS
server and are the first packets transmitted in a RADIUS packet exchange
process. This packet conveys information (such as the user name and password)
used to determine whether a user is allowed access to a specific NAS and any
special services requested for that user.
● Access-Accept: After a RADIUS server receives an Access-Request packet, it
must send an Access-Accept packet if all attribute values in the
Access-Request packet are acceptable (authentication success). The user is
allowed access to the requested services only after the RADIUS client receives
this packet.
● Access-Reject: After a RADIUS server receives an Access-Request packet, it
must send an Access-Reject packet if any of the attribute values are not
acceptable (authentication failure).
● Access-Challenge: During EAP relay authentication, when a RADIUS server
receives an Access-Request packet carrying the user name from a client, it
generates a random MD5 challenge and sends the MD5 challenge to the client in
an Access-Challenge packet. The client encrypts the user password using the
MD5 challenge and then sends the encrypted password to the RADIUS server in
an Access-Request packet. The RADIUS server compares the encrypted password
received from the client with the locally encrypted password. If they are the
same, the server determines that the user is valid.

Table 1-6 RADIUS accounting packet

● Accounting-Request(Start): If a RADIUS client uses RADIUS accounting, the
client sends this packet to a RADIUS server before accessing network
resources.
● Accounting-Response(Start): The RADIUS server must send an
Accounting-Response(Start) packet after it successfully receives and records
an Accounting-Request(Start) packet.
● Accounting-Request(Interim-update): You can configure the real-time
accounting function on a RADIUS client to prevent the RADIUS server from
continuing user accounting if it fails to receive the Accounting-Request(Stop)
packet. The client then periodically sends Accounting-Request(Interim-update)
packets to the server, reducing accounting deviation.
● Accounting-Response(Interim-update): The RADIUS server must send an
Accounting-Response(Interim-update) packet after it successfully receives and
records an Accounting-Request(Interim-update) packet.
● Accounting-Request(Stop): When a user goes offline proactively or is forcibly
disconnected by the NAS, the RADIUS client sends this packet carrying the
network resource usage information (including the online duration and number
of incoming/outgoing bytes) to the RADIUS server, requesting the server to
stop accounting.
● Accounting-Response(Stop): The RADIUS server must send an
Accounting-Response(Stop) packet after receiving an Accounting-Request(Stop)
packet.

1.2.4.3 RADIUS Authentication, Authorization, and Accounting Process


A device that functions as a RADIUS client collects user information, including the
user name and password, and sends the information to the RADIUS server. The
RADIUS server then authenticates users according to the information, after which
it performs authorization and accounting for the users. Figure 1-8 shows the
information exchange process between a user, a RADIUS client, and a RADIUS
server.

Figure 1-8 RADIUS authentication, authorization, and accounting process

1. A user needs to access a network and sends a connection request containing
the user name and password to the RADIUS client (device).
2. The RADIUS client sends a RADIUS Access-Request packet containing the user
name and password to the RADIUS server.
3. The RADIUS server verifies the user identity:
– If the user identity is valid, the RADIUS server returns an Access-Accept
packet to the RADIUS client to permit further operations of the user. The
Access-Accept packet contains authorization information because RADIUS
provides both authentication and authorization functions.
– If the user identity is invalid, the RADIUS server returns an Access-Reject
packet to the RADIUS client to reject access from the user.
4. The RADIUS client notifies the user of whether authentication is successful.
5. The RADIUS client permits or rejects the user access request according to the
authentication result. If the access request is permitted, the RADIUS client
sends an Accounting-Request (Start) packet to the RADIUS server.
6. The RADIUS server sends an Accounting-Response (Start) packet to the
RADIUS client and starts accounting.

7. The user starts to access network resources.
8. (Optional) If interim accounting is enabled, the RADIUS client periodically
sends an Accounting-Request (Interim-update) packet to the RADIUS server,
preventing incorrect accounting results caused by unexpected user
disconnection.
9. (Optional) The RADIUS server returns an Accounting-Response (Interim-
update) packet and performs interim accounting.
10. The user sends a logout request.
11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS
server.
12. The RADIUS server sends an Accounting-Response (Stop) packet to the
RADIUS client and stops accounting.
13. The RADIUS client notifies the user of the processing result, and the user
stops accessing network resources.

1.2.4.4 RADIUS Packet Retransmission Mechanism

When a user is authenticated, a device sends an Access-Request packet to the
RADIUS server. To ensure that the device can receive a response packet from the
server even if a network fault or delay occurs, a retransmission-upon-timeout
mechanism is used. The retransmission times and retransmission interval are
controlled using timers.
As shown in Figure 1-9, 802.1X authentication and client-initiated authentication
are used as an example. After receiving an EAP packet (EAP-Response/Identity)
containing the user name of the client, the device encapsulates the packet into a
RADIUS Access-Request packet and sends the packet to the RADIUS server. The
retransmission timer is enabled at the same time. The retransmission timer is
composed of the retransmission interval and retransmission times. If the device
does not receive any response packet from the RADIUS server when the
retransmission interval expires, it sends a RADIUS Access-Request packet again.

Figure 1-9 RADIUS authentication packet retransmission flowchart

The device stops packet retransmission if any of the following conditions is met:
● The device receives a response packet from the RADIUS server. It then stops
packet retransmission and marks the RADIUS server status as Up.
● The device detects that the RADIUS server status is Down. After the device
marks the RADIUS server status as Down:
– If the number of retransmitted packets has reached the upper limit, the
device stops packet retransmission and keeps the RADIUS server status
as Down.
– If the number of retransmitted packets has not reached the upper limit,
the device retransmits the Access-Request packet to the RADIUS server
once more. If the device receives a response packet from the server, it
stops packet retransmission and restores the RADIUS server status to Up.
Otherwise, it still stops packet retransmission and keeps the RADIUS
server status as Down.
● The number of retransmitted packets has reached the upper limit. The device
then stops packet retransmission and performs the following:
– If the device receives a response packet from the RADIUS server, it marks
the RADIUS server status as Up.
– If the device has detected that the RADIUS server status is Down, it
marks the server status as Down.
– If the device receives no response packet from the RADIUS server and
does not detect that the server status is Down, the device does not
change the server status, even though the server is in fact not responding.
NOTE

A server that does not respond is not necessarily marked as Down. The device
marks the server status as Down only if the corresponding conditions are met.

For the RADIUS server status introduction and conditions for a device to mark the
server status as Down, see 1.2.4.6 RADIUS Server Status Detection.
RADIUS packet retransmission discussed here applies only to a single server. If
multiple servers are configured in a RADIUS server template, the overall
retransmission period depends on the retransmission interval, retransmission
times, RADIUS server status, number of servers, and algorithm for selecting the
servers.
You can set the timer using the following commands:
● radius-server retransmit retry-times: Specifies the retransmission times.
The default value is 3.
● radius-server timeout time-value: Specifies the retransmission interval.
The default value is 5 seconds.

1.2.4.5 RADIUS Server Selection Mechanism

Typically, multiple RADIUS servers are deployed on a large-scale enterprise
network so that user access is not disrupted if one server is faulty. In
addition, load balancing is performed between these servers, preventing the
resources of a single server from being exhausted when a large number of users
access the network. If multiple servers are configured in a RADIUS server
template and a device needs to send a packet to a server, the device selects the
RADIUS server using one of the following algorithms, depending on the command
configuration:
● RADIUS server primary/secondary algorithm (default)
● RADIUS server load balancing algorithm
In addition, the algorithm for selecting a RADIUS server can be set to the single
user-based or packet-based algorithm. With the single user-based algorithm,
authentication server information is saved in the authentication phase, and in
the accounting phase the device preferentially sends the accounting request to
the same server when the authentication server is also the accounting server.
With the packet-based algorithm, authentication server information is not saved
in the authentication phase, and the accounting server is reselected in the
accounting phase, so authentication and accounting for a user may be performed
on different servers.

RADIUS Server Primary/Secondary Algorithm


The primary and secondary roles are determined by the weights configured for the
RADIUS authentication servers or RADIUS accounting servers. The server with the
largest weight is the primary server. If the weight values are the same, the earliest
configured server is the primary server. As shown in Figure 1-10, the device
preferentially sends an authentication or accounting packet to the primary server
among all servers in Up status. If the primary server does not respond, the device
then sends the packet to the secondary server.

Figure 1-10 Diagram for the RADIUS server primary/secondary algorithm

RADIUS Server Load Balancing Algorithm


If this algorithm is used and a device sends an authentication or accounting
packet to a server, the device selects a server based on the weights configured for
the RADIUS authentication servers or RADIUS accounting servers. As shown in
Figure 1-11, RADIUS server1 is in Up status and its weight is 80, and RADIUS
server2 is also in Up status and its weight is 20. The possibility for the device to
send the packet to RADIUS server1 is 80% [80/(80 + 20)], and that for RADIUS
server2 is 20% [20/(80 + 20)].

Figure 1-11 Diagram for the RADIUS server load balancing algorithm

Regardless of which algorithm is used, if all the servers in Up status do not
respond to a packet sent by a device, the device retransmits the packet to a server
among the servers whose status is originally marked as Down (to which the device
has not sent any authentication or accounting packets) based on the server
weight. If the device does not receive any response in the current authentication
mode, the backup authentication mode is used, for example, local authentication
mode. The backup authentication mode needs to be already configured in the
authentication scheme. Otherwise, the authentication process ends.
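The primary/secondary and load balancing algorithms above, and the fallback to servers marked Down, as an added Python model that is not code from the Huawei guide or the switch software. Server names and weights are constructed, and the `rand` parameter is an assumption that lets the weighted choice be driven deterministically.

```python
# Added example, not code from the Huawei guide or the switch software: a model
# of the primary/secondary and load balancing selection algorithms and of the
# fallback to servers marked Down. Names and weights are constructed; `rand`
# is an assumed hook so the weighted choice can be driven deterministically.
import random


class RadiusServer:
    def __init__(self, name, weight, status="Up"):
        self.name, self.weight, self.status = name, weight, status


def primary_secondary(servers):
    """Primary/secondary algorithm: among Up servers, the largest weight is
    primary; on equal weights the earliest configured (lowest index) wins.
    Returns the order in which the device tries the servers."""
    up = [s for s in servers if s.status == "Up"]
    return sorted(up, key=lambda s: -s.weight)   # stable sort keeps configuration order


def load_balance(servers, rand=random.random):
    """Load balancing algorithm: an Up server is chosen with probability
    weight / sum(weights), e.g. 80/(80 + 20) = 80% for a weight of 80."""
    up = [s for s in servers if s.status == "Up"]
    total = sum(s.weight for s in up)
    if total <= 0:
        return None
    point = rand() * total
    cumulative = 0
    for s in up:
        cumulative += s.weight
        if point < cumulative:
            return s
    return up[-1]


def select_server(servers, algorithm="primary-secondary", rand=random.random):
    """First server to send to, or None when no server is in Up status."""
    if algorithm == "load-balancing":
        return load_balance(servers, rand)
    order = primary_secondary(servers)
    return order[0] if order else None


def fallback_candidates(servers):
    """Servers originally marked Down, ordered by weight; tried only after
    every Up server has failed to respond."""
    down = [s for s in servers if s.status == "Down"]
    return sorted(down, key=lambda s: -s.weight)


def send_with_fallback(servers, responds, algorithm="primary-secondary",
                       rand=random.random, backup="local"):
    """Walks the behaviour in the text: Up servers in algorithm order, then Down
    servers by weight, then the backup authentication mode configured in the
    scheme (pass backup=None to model no backup: the process ends)."""
    first = select_server(servers, algorithm, rand)
    up_order = ([first] if first else []) + [s for s in primary_secondary(servers) if s is not first]
    for s in up_order + fallback_candidates(servers):
        if responds(s):               # responds(server) -> bool models a reply arriving
            return s.name
    return backup
```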

1.2.4.6 RADIUS Server Status Detection

Availability and maintainability of a RADIUS server are prerequisites for user
access authentication. If a device cannot communicate with the RADIUS server, the
server cannot perform authentication or authorization for users. To resolve this
issue, the device supports the user escape function upon transition of the RADIUS
server status to Down. To be specific, if the RADIUS server goes Down, users
cannot be authorized by the server but still have certain network access rights.
The user escape function upon transition of the RADIUS server status to Down can
be enabled only after the device marks the RADIUS server status as Down. If the
RADIUS server status is not marked as Down and the device cannot communicate
with the RADIUS server, users cannot be authorized by the server and the escape
function is also unavailable. As a result, users have no network access rights.
Therefore, the device must be capable of detecting the RADIUS server status in a
timely manner. If the device detects that the RADIUS server status transitions to
Down, users can obtain escape rights; if the device detects that the RADIUS server
status reverts to Up, escape rights are removed from the users and the users are
reauthenticated.
This section contains the following contents:
● RADIUS Server Status
● Conditions for Marking the RADIUS Server Status as Down
● Automatic Detection
● Consecutive Processing After the RADIUS Server Status Is Marked as
Down

RADIUS Server Status


A device can mark the RADIUS server status as Up, Down, or Force-up. The
following table describes the three RADIUS server statuses and the conditions
under which the server switches to each status.

● Up: The RADIUS server is available. Conditions for switching to this status:
the device initially marks the RADIUS server status as Up, and the device
marks the RADIUS server status as Up if it receives packets from the server.
● Down: The RADIUS server is unavailable. Condition for switching to this
status: the conditions for marking the RADIUS server status as Down are met.
● Force-up: When no RADIUS server is available, the device selects the RADIUS
server in Force-up status. Condition for switching to this status: the device
marks the RADIUS server status as Force-up if the timer specified by dead-time
expires.

The RADIUS server status is initially marked as Up. After a RADIUS Access-Request
packet is received and the conditions for marking the RADIUS server status as
Down are met, the RADIUS server status transitions to Down. The RADIUS Access-
Request packet that triggers the server status transition can be sent during user
authentication or constructed by the administrator. For example, the RADIUS
Access-Request packet can be a test packet sent when the test-aaa command is
run or a detection packet sent during automatic detection.

The device changes the RADIUS server status from Down to Up or to Force-up in
the following scenarios:
● Down to Force-up: The timer specified by dead-time starts after the device
marks the RADIUS server status as Down. The timer indicates the duration for
which the server status remains Down. After the timer expires, the device
marks the RADIUS server status as Force-up. If a new user needs to be
authenticated in RADIUS mode and no RADIUS server is available, the device
attempts to re-establish a connection with a RADIUS server in Force-up
status.
● Down to Up: After receiving packets from the RADIUS server, the device
changes the RADIUS server status from Down to Up. For example, after
automatic detection is configured, the device receives response packets from
the RADIUS server.

Conditions for Marking the RADIUS Server Status as Down


Whether the status of a RADIUS server can be marked as Down depends on the
following factors:
● Longest unresponsive interval of the RADIUS server (value of
max-unresponsive-interval)
● Number of times the RADIUS Access-Request packet is sent
● Interval of sending the RADIUS Access-Request packet
● Interval of detecting the RADIUS server status
● Number of RADIUS server detection interval cycles
● Maximum number of consecutive unacknowledged packets in each detection
interval

The device marks the RADIUS server status as Down as long as either of the
following conditions is met. Figure 1-12 shows the logic flowchart for marking the
RADIUS server status as Down. In this example, the detection interval cycles two
times:
● The device marks the RADIUS server status as Down during the RADIUS
server status detection.
After the system starts, the RADIUS server status detection timer runs. If the
device does not receive any packet from the RADIUS server after sending the
first RADIUS Access-Request packet to the server, and within a detection
interval the number of times the device receives no packet from the server (n)
is greater than or equal to the maximum number of consecutive unacknowledged
packets (dead-count), a communication interruption is recorded. If the device
still receives no packet from the RADIUS server, it marks the RADIUS server
status as Down once the number of recorded communication interruptions equals
the number of detection interval cycles.

NOTE

If the device does not record any communication interruption in a detection interval, all
the previous communication interruption records are cleared.
● The device marks the status of a RADIUS server as Down if no response is
received from the server for a long period of time.
If the user access frequency is low, the device sends only a few RADIUS
Access-Request packets on behalf of users, so the conditions for marking the
RADIUS server status as Down during the RADIUS server status detection cannot
be met. In this case, if the interval between two consecutive unacknowledged
RADIUS Access-Request packets is greater than the value of
max-unresponsive-interval, the device marks the RADIUS server status as Down.
This mechanism ensures that users can obtain escape authorization.
If multiple servers are configured in the RADIUS server template, the overall status
detection time is related to the number of servers and the server selection
algorithm. If a user terminal uses client software for authentication and the
timeout period of the client software is shorter than the sum of all the status
detection times, the client software may dial up repeatedly and fail to access the
network. If the user escape function is configured, the sum of all the status
detection times must be shorter than the timeout period of the client software to
ensure that escape rights can be granted to the users.

Figure 1-12 Logic flowchart for marking the RADIUS server status as Down

The following table lists the related commands.

● radius-server { dead-interval dead-interval | dead-count dead-count |
detect-cycle detect-cycle }: Configures conditions for marking the RADIUS
server status as Down during the RADIUS server status detection.
– dead-interval dead-interval: Specifies the detection interval. The default
value is 5 seconds.
– dead-count dead-count: Specifies the maximum number of consecutive
unacknowledged packets. The default value is 2.
– detect-cycle detect-cycle: Specifies the number of detection interval
cycles. The default value is 2.
● radius-server max-unresponsive-interval interval: Configures the longest
unresponsive interval of the RADIUS server. The default value is 300 seconds.
If the interval for sending two consecutive RADIUS Access-Request packets is
greater than the value of max-unresponsive-interval, the device marks the
RADIUS server status as Down.
● radius-server dead-time dead-time: Configures the duration for which the
RADIUS server status remains Down. dead-time specifies the duration for which
the RADIUS server status remains Down after the server status is marked as
Down. After the duration expires, the device marks the server status as
Force-up. The default value is 5 minutes.
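The Down-marking conditions and timers of the commands above (dead-interval, dead-count, detect-cycle, max-unresponsive-interval, dead-time), as an added Python model that is not the switch's implementation. Event times are constructed inputs in seconds; how the real switch aligns detection intervals is an assumption made here.

```python
# Added example (not the switch's implementation): models when a RADIUS server
# is marked Down, using the parameters of the commands above. Event times are
# constructed inputs in seconds; detection interval alignment is an assumption.


class ServerStatusTracker:
    def __init__(self, dead_interval=5, dead_count=2, detect_cycle=2,
                 max_unresponsive_interval=300, dead_time=300):
        self.dead_interval = dead_interval            # radius-server dead-interval
        self.dead_count = dead_count                  # radius-server dead-count
        self.detect_cycle = detect_cycle              # radius-server detect-cycle
        self.max_unresponsive_interval = max_unresponsive_interval
        self.dead_time = dead_time                    # radius-server dead-time (300 s = 5 min)
        self.status = "Up"                            # initial status per the text
        self.window_start = 0.0                       # start of the current detection interval
        self.unacked_in_window = 0                    # n: unanswered requests in this interval
        self.interrupted_this_window = False
        self.interruptions = 0                        # communication interruptions recorded
        self.last_unacked_at = None                   # time of the previous unanswered request
        self.down_since = None

    def _roll_window(self, now):
        """Close elapsed detection intervals. An interval in which no
        interruption was recorded clears all earlier interruption records."""
        while now - self.window_start >= self.dead_interval:
            if not self.interrupted_this_window:
                self.interruptions = 0
            self.interrupted_this_window = False
            self.unacked_in_window = 0
            self.window_start += self.dead_interval

    def _mark_down(self, now):
        self.status = "Down"
        self.down_since = now
        return self.status

    def request_unanswered(self, now):
        """An Access-Request (from a user, test-aaa, or automatic detection)
        got no response. Returns the resulting status."""
        if self.status == "Down":
            return self.status
        if self.status == "Force-up":
            # Force-up: one unanswered detection packet sends the server back to Down
            return self._mark_down(now)
        self._roll_window(now)
        # Condition 2: two consecutive unanswered requests further apart than
        # max-unresponsive-interval (covers a low user-access frequency)
        if (self.last_unacked_at is not None
                and now - self.last_unacked_at > self.max_unresponsive_interval):
            return self._mark_down(now)
        self.last_unacked_at = now
        # Condition 1: dead-count unanswered requests inside one detection
        # interval is an interruption; detect-cycle interruptions in a row is Down
        self.unacked_in_window += 1
        if self.unacked_in_window == self.dead_count:
            self.interruptions += 1
            self.interrupted_this_window = True
            if self.interruptions >= self.detect_cycle:
                return self._mark_down(now)
        return self.status

    def response_received(self, now):
        """Any packet from the server makes it Up and resets the counters."""
        self.status = "Up"
        self.unacked_in_window = 0
        self.interrupted_this_window = False
        self.interruptions = 0
        self.last_unacked_at = None
        self.down_since = None
        self.window_start = now
        return self.status

    def tick(self, now):
        """Timer expiry: after dead-time in Down the server becomes Force-up."""
        if self.status == "Down" and now - self.down_since >= self.dead_time:
            self.status = "Force-up"
        return self.status
```

With the defaults, two unanswered requests in each of two consecutive 5-second intervals mark the server Down, while a quiet interval in between wipes the earlier record, as the NOTE above states.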

Automatic Detection
After the RADIUS server status is marked as Down, you can configure the
automatic detection function to test the RADIUS server reachability.
The automatic detection function needs to be manually enabled. The automatic
server status detection function can be enabled only if the user name and
password for automatic detection are configured in the RADIUS server template
view on the device rather than on the RADIUS server. Authentication success is
not mandatory: if the device receives an authentication failure response packet,
the RADIUS server is working properly.
After the automatic detection function is enabled, automatic detection behaves as
follows depending on the RADIUS server status.

● Down status: Automatic detection is supported by default. An automatic
detection packet is sent after the automatic detection period expires. If the
device receives a response packet from the RADIUS server within the timeout
period for detection packets, the device marks the RADIUS server status as Up;
otherwise, the RADIUS server status remains Down.
● Up status: Automatic detection can be enabled using the radius-server
detect-server up-server interval command. An automatic detection packet is
sent after the automatic detection period expires. If the conditions for
marking the RADIUS server status as Down are met, the device marks the RADIUS
server status as Down; otherwise, the RADIUS server status remains Up.
● Force-up status: Automatic detection is supported by default. An automatic
detection packet is sent immediately. If the device receives a packet from the
RADIUS server within the timeout period, the device marks the RADIUS server
status as Up; otherwise, the device marks the RADIUS server status as Down.

NOTE

On a large-scale network, you are advised not to enable automatic detection for
RADIUS servers in Up status. If automatic detection is enabled on multiple NAS
devices, the RADIUS server periodically receives a large number of detection
packets while processing RADIUS Access-Request packets sourced from users, which
may degrade the processing performance of the RADIUS server.
After the radius-server testuser command is configured, the dead-time timer
configured using the radius-server dead-time command does not take effect.

The following table lists commands related to automatic detection.

● radius-server testuser username user-name password cipher password:
Enables the automatic detection function.
– user-name: Specifies the user name for automatic detection.
– password: Specifies the password for automatic detection.
● radius-server detect-server interval interval: Specifies the automatic
detection interval for RADIUS servers in Down status. The default value is 60
seconds.
● radius-server detect-server up-server interval interval: Enables the
automatic detection function for the RADIUS server in Up status and configures
the automatic detection interval. The default value is 0 seconds; that is, the
device does not automatically detect RADIUS servers in Up status.
● radius-server detect-server timeout time-value: Specifies the timeout period
for automatic detection packets. The default value is 3 seconds.

Consecutive Processing After the RADIUS Server Status Is Marked as Down


After the device marks the RADIUS server status as Down, you can configure the
escape function to make users obtain escape authorization. After the device
detects that the RADIUS server status reverts to Up, you can configure the
reauthentication function to make users obtain authorization from the server
through reauthentication, as shown in Figure 1-13.

NOTE

For 802.1X authenticated users and MAC address authenticated users, after the
RADIUS server status reverts to Up, users exit escape authorization and are
reauthenticated. For Portal authenticated users, after the RADIUS server status
reverts to Up, users obtain pre-connection authorization and are redirected to the
Portal server for authentication only when they attempt to access network
resources.
After the radius-server testuser command is configured, the dead-time timer
configured using the radius-server dead-time command does not take effect.

Figure 1-13 Consecutive processing after the RADIUS server status is marked as
Down

The following table lists the commands for configuring the escape rights upon
transition of the RADIUS server status to Down and configuring the
reauthentication function, respectively.

● authentication event authen-server-down action authorize { vlan vlan-id |
service-scheme service-scheme-name | ucl-group ucl-group-name }
[ response-fail ]: Configures the escape function upon transition of the
RADIUS server status to Down.

● authentication event authen-server-up action re-authen: Configures the
reauthentication function for users in escape status when the RADIUS server
status reverts to Up.

1.2.4.7 RADIUS CoA/DM

The device supports the RADIUS Change of Authorization (CoA) and Disconnect
Message (DM) functions. CoA provides a mechanism to change the rights of
online users, and DM provides a mechanism to forcibly disconnect users. This
section covers the following topics:
● RADIUS CoA/DM packet
● Exchange Procedure
● Session Identification
● Error Code Description

RADIUS CoA/DM packet


Table 1-7 describes the types of CoA/DM packets.

Table 1-7 RADIUS CoA/DM packet

Packet Name | Description

CoA-Request
    When an administrator needs to modify the rights of an online user (for example, prohibit the user from accessing a website), the RADIUS server sends this packet to the RADIUS client, requesting the client to modify the user rights.

CoA-ACK
    If the RADIUS client successfully modifies the user rights, it returns this packet to the RADIUS server.

CoA-NAK
    If the RADIUS client fails to modify the user rights, it returns this packet to the RADIUS server.

DM-Request
    When an administrator needs to disconnect a user, the server sends this packet to the RADIUS client, requesting the client to disconnect the user.

DM-ACK
    If the RADIUS client has disconnected the user, it returns this packet to the RADIUS server.

DM-NAK
    If the RADIUS client fails to disconnect the user, it returns this packet to the RADIUS server.


Exchange Procedure
CoA allows the administrator to change the rights of an online user or perform
reauthentication for the user through RADIUS after the user passes authentication.
Figure 1-14 shows the CoA interaction process.

Figure 1-14 CoA interaction process

1. The RADIUS server sends a CoA-Request packet to the device according to
service information, requesting the device to modify user authorization
information. This packet can contain authorization information including the
ACL.
2. Upon receiving the CoA-Request packet, the device performs a match check
between the packet and user information on the device to identify the user. If
the match succeeds, the device modifies authorization information of the user.
Otherwise, the device retains the original authorization information of the
user.
3. The device returns a CoA-ACK or CoA-NAK packet as follows:
– If authorization information is successfully modified, the device sends a
CoA-ACK packet to the RADIUS server.
– If authorization information fails to be modified, the device sends a CoA-
NAK packet to the RADIUS server.
When a user needs to be disconnected forcibly, the RADIUS server sends a DM
packet to the device. Figure 1-15 shows the DM interaction process.


Figure 1-15 DM interaction process

1. The administrator forcibly disconnects a user on the RADIUS server. The
RADIUS server sends a DM-Request packet to the device, requesting the
device to disconnect the user.
2. Upon receiving the DM-Request packet, the device performs a match check
between the packet and user information on the device to identify the user. If
the match succeeds, the user is notified to go offline. Otherwise, the user
remains online.
3. The device returns a DM-ACK or DM-NAK packet as follows:
– If the user successfully goes offline, the device sends a DM-ACK packet to
the RADIUS server.
– Otherwise, the device sends a DM-NAK packet to the RADIUS server.
Unlike the processes in which an online user is authorized or a user proactively
goes offline, in the CoA/DM process the server sends the request packet and the
device sends the response packet. If CoA/DM succeeds, the device returns an ACK
packet. Otherwise, the device returns a NAK packet.

Session Identification
Each service provided by the NAS to a user constitutes a session, with the
beginning of the session defined as the point where service is first provided and
the end of the session defined as the point where service is ended.
After the device receives a CoA-Request or DM-Request packet from the RADIUS
server, it identifies the user depending on some RADIUS attributes in the packet.
The following RADIUS attributes can be used to identify users:
● User-Name (IETF attribute #1)
● Acct-Session-ID (IETF attribute #44)
● Framed-IP-Address (IETF attribute #8)
● Calling-Station-Id (IETF attribute #31)
The match methods are as follows:
● any method
The device performs a match check between one attribute and user
information on the device. The attributes are checked in the following
priority order: Acct-Session-ID (44) > Calling-Station-Id (31) >
Framed-IP-Address (8). The device searches for the attributes in the request
packet based on this priority, and performs a match check between the first
attribute found and user information on the device. If the attribute is
successfully matched, the device responds with an ACK packet; otherwise, the
device responds with a NAK packet.
● all method
The device performs a match check between all attributes and user
information on the device. The device identifies users using the following
RADIUS attributes: Acct-Session-ID (44), Calling-Station-Id (31),
Framed-IP-Address (8), and User-Name (1). The device performs a match
check between all the preceding attributes in the Request packet and user
information on the device. If all the preceding attributes are successfully
matched, the device responds with an ACK packet; otherwise, the device
responds with a NAK packet.

Error Code Description


When the CoA-Request or DM-Request packet from the RADIUS server fails to
match user information on the device, the device describes the failure cause using
the error code in the CoA-NAK or DM-NAK packet. For the error code description,
see Table 1-8 and Table 1-9.

Table 1-8 Error codes in a CoA-NAK packet

Name (Value) | Description

RD_DM_ERRCODE_MISSING_ATTRIBUTE (402)
    The request packet lacks key attributes, so that the integrity check of the RADIUS attributes fails.

RD_DM_ERRCODE_INVALID_REQUEST (404)
    Parsing the attributes in the request packet fails.

RD_DM_ERRCODE_INVALID_ATTRIBUTE_VALUE (407)
    The request packet contains attributes that are not supported by the device or do not exist, so that the attribute check fails.
    Contents of the authorization check include VLAN, ACL, CAR, number of the ACL used for redirection, and whether Huawei RADIUS extended attributes RD_hw_URL_Flag and RD_hw_Portal_URL can be authorized to the interface-based authenticated user.
    Errors that may occur are as follows:
    ● The authorized service scheme does not exist.
    ● The authorized QoS profile does not exist or no user queue is configured in the QoS profile.
    ● The authorized values of upstream and downstream priorities exceed the maximum values.
    ● The authorized index value of the UCL group is not within the specification.
    ● The ISP VLAN and outbound interface information are incorrectly parsed.
    ● Reauthentication attributes and other attributes are authorized simultaneously.

RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND (503)
    The session request fails. The cause includes:
    ● Authorization for the current request user is being processed.
    ● The temporary RADIUS table fails to be requested.
    ● User information does not match or no user is found.
    ● The user is a non-RADIUS authentication user.

RD_DM_ERRCODE_RESOURCES_UNAVAILABLE (506)
    This error code is used for other authorization failures.

Table 1-9 Error codes in a DM-NAK packet

Name (Value) | Description

RD_DM_ERRCODE_INVALID_REQUEST (404)
    Parsing the attributes in the request packet fails.

RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE (504)
    The user fails to be deleted or the user does not exist.
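The following worked example is added here and is not code from the Huawei guide: it implements the NAS-side identification of a CoA-Request or DM-Request with the "any" and "all" match methods described under Session Identification, and reports failures with the NAK error codes of Tables 1-8 and 1-9. The online-user table and attribute values are constructed sample data, and mapping an absent identification attribute to error 402 is this example's own assumption.

```python
"""Added example (not code from the Huawei guide): NAS-side identification of
a RADIUS CoA/DM request with the "any" and "all" match methods, and the NAK
error codes of Tables 1-8 and 1-9. All user data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# IETF attribute numbers the guide lists for session identification.
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44

# "any" method: the first attribute found in this priority order is the only
# one compared against the user table.
ANY_PRIORITY = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS)
# "all" method: every one of these attributes must be present and must match.
ALL_ATTRIBUTES = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS, USER_NAME)

# NAK error codes from Table 1-8 (CoA-NAK) and Table 1-9 (DM-NAK).
RD_DM_ERRCODE_MISSING_ATTRIBUTE = 402
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND = 503
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE = 504


@dataclass
class OnlineUser:
    """One entry of the NAS online-user table (constructed for the example)."""
    user_name: str
    acct_session_id: str
    framed_ip: str
    calling_station_id: str
    radius_authenticated: bool  # CoA applies only to RADIUS-authenticated users

    def value(self, attr: int) -> str:
        return {
            USER_NAME: self.user_name,
            ACCT_SESSION_ID: self.acct_session_id,
            FRAMED_IP_ADDRESS: self.framed_ip,
            CALLING_STATION_ID: self.calling_station_id,
        }[attr]


def identify_user(attrs: Dict[int, str], users: Iterable[OnlineUser],
                  method: str) -> Tuple[Optional[OnlineUser], bool]:
    """Return (matched user or None, key_attribute_missing).

    attrs maps IETF attribute numbers to the values carried in the request.
    """
    users = list(users)
    if method == "any":
        for attr in ANY_PRIORITY:
            if attr in attrs:
                # Only the first attribute found is checked; a lower-priority
                # attribute that would have matched is never consulted.
                for u in users:
                    if u.value(attr) == attrs[attr]:
                        return u, False
                return None, False
        return None, True  # none of the identifying attributes is present
    if method == "all":
        if any(attr not in attrs for attr in ALL_ATTRIBUTES):
            return None, True
        for u in users:
            if all(u.value(a) == attrs[a] for a in ALL_ATTRIBUTES):
                return u, False
        return None, False
    raise ValueError(f"unknown match method: {method}")


def handle_request(kind: str, attrs: Dict[int, str], users: Iterable[OnlineUser],
                   method: str = "any") -> Tuple[str, Optional[int]]:
    """Process a "CoA" or "DM" request; return (response packet, error code)."""
    user, missing = identify_user(attrs, users, method)
    if kind == "CoA":
        if missing:
            # Assumption of this example: no identifying attribute -> 402.
            return "CoA-NAK", RD_DM_ERRCODE_MISSING_ATTRIBUTE
        if user is None or not user.radius_authenticated:
            # Table 1-8: "no user is found" and "non-RADIUS authentication
            # user" are both causes of 503.
            return "CoA-NAK", RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND
        return "CoA-ACK", None
    if kind == "DM":
        if user is None:
            # Table 1-9: the user does not exist -> 504 (this example also
            # uses it when the identifying attributes are absent).
            return "DM-NAK", RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE
        return "DM-ACK", None
    raise ValueError(f"unknown request kind: {kind}")


# Constructed online-user table for demonstration.
ONLINE_USERS = [
    OnlineUser("alice@corp", "SW1000100010001", "10.1.1.10", "00-1A-2B-3C-4D-5E", True),
    OnlineUser("bob", "SW1000100020002", "10.1.1.11", "00-1A-2B-3C-4D-5F", False),
]

if __name__ == "__main__":
    print(handle_request("CoA", {ACCT_SESSION_ID: "SW1000100010001"}, ONLINE_USERS))
    print(handle_request("CoA", {CALLING_STATION_ID: "00-00-00-00-00-00",
                                 FRAMED_IP_ADDRESS: "10.1.1.10"}, ONLINE_USERS))
```

The second call in the usage block shows the "any" semantics: Calling-Station-Id has higher priority than Framed-IP-Address, so the mismatching MAC yields a CoA-NAK (503) even though the IP address would have matched.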

1.2.4.8 RADIUS Attributes


RADIUS attributes are Attribute fields in RADIUS packets, which carry dedicated
authentication, authorization, and accounting information. This section covers the
following topics:
● Standard RADIUS Attributes
● Huawei Proprietary RADIUS Attributes
● Huawei-supported Extended RADIUS Attributes of Other Vendors
● RADIUS Attributes Available in Packets
● RADIUS Attributes Precautions

Standard RADIUS Attributes


RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes that are
supported by all mainstream vendors. For details, see Table 1-10.

Table 1-10 Standard RADIUS attributes

Attribute No. | Attribute Name (Attribute Type) | Description

1 User-Name (string)
    User name for authentication. The user name format can be user name@domain name or user name.

2 User-Password (string)
    User password for authentication, which is only valid for the Password Authentication Protocol (PAP).

3 CHAP-Password (string)
    User password for authentication, which is only valid for the Challenge Handshake Authentication Protocol (CHAP).

4 NAS-IP-Address (ipaddr)
    Internet Protocol (IP) address of the NAS carried in authentication request packets. By default, the attribute value is the source IP address of the authentication request packets sent by the NAS. You can change the attribute value to the specified IP address on the NAS or the IP address of the AP using the radius-attribute nas-ip { ip-address | ap-info } command.

5 NAS-Port (integer)
    Physical port number of the network access server that is authenticating the user, which is in either of the following formats:
    ● new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + Virtual Local Area Network (VLAN) ID (12 bits)
    ● old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)

6 Service-Type (integer)
    Service type of the user to be authenticated:
    ● 2 (Framed): PPP users, 802.1X users, static users, and MAC authentication users (with the fixed user name format)
    ● 6 (Administrative): administrator
    ● 8 (Authenticate Only): reauthentication only
    ● 10 (Call Check): MAC authentication users (with the MAC address as the user name) or MAC address bypass authentication user

7 Framed-Protocol (integer)
    Encapsulation protocol of Frame services:
    ● For a non-management user, the value is fixed as 1.
    ● For a management user, the value is fixed as 6.

8 Framed-IP-Address (ipaddr)
    User IP address.

11 Filter-Id (string)
    UCL group name, user group name, or IPv4 Access Control List (ACL) ID.
    NOTE
    ● When this attribute carries the IPv4 ACL ID, the IPv4 ACL IDs must range from 2000 to 3999 for wired users or 2000 to 3031 for wireless users.
    ● A RADIUS packet cannot carry the user group name, UCL group name, or IPv4 ACL ID simultaneously.
    ● When only the RADIUS server performs authorization, the local device does not perform ACL authorization, and the corresponding user group, ACL, and ACL rules are configured on the local device:
      ● If the server simultaneously delivers the user group name or UCL group name carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26–251) attribute, only the user group name takes effect.
      ● If the server simultaneously delivers the IPv4 ACL ID carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26–251) attribute, both the IPv4 and IPv6 ACL IDs take effect.
    ● An ACL can be configured with a maximum of 128 rules. In wireless scenarios, ACLs need to be delivered to APs, and a maximum of 128 rules can be configured for an ACL on an AP.

12 Framed-Mtu (integer)
    Maximum transmission unit (MTU) of the data link between user and NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet in this attribute. An EAP packet larger than the link MTU may be lost.

14 Login-IP-Host (ipaddr)
    Management user IP address:
    ● If the value is 0 or 0xFFFFFFFF, the IP address of the management user is not checked.
    ● If this attribute uses other values, the NAS checks whether the management user IP address is the same as the delivered attribute value.

15 Login-Service (integer)
    Service to use to connect the user to the login host:
    ● 0: Telnet
    ● 5: X25-PAD
    ● 50: SSH
    ● 51: FTP
    ● 52: Terminal
    NOTE
    An attribute can contain multiple service types.

18 Reply-Message (string)
    This attribute determines whether a user is authenticated:
    ● When an Access-Accept packet is returned, the user is successfully authenticated.
    ● When an Access-Reject packet is returned, the user fails authentication.

19 Callback-Number (string)
    Information sent from the authentication server and to be displayed to a user, such as a mobile number.

24 State (string)
    If the RADIUS server sends a RADIUS Access-Challenge packet carrying this attribute to a device, the subsequent RADIUS Access-Request packets sent from the device must carry this attribute with the same value.

25 Class (string)
    If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value.

26 Vendor-Specific (string)
    Vendor-specific attribute. For details, see Table 1-11. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes.

27 Session-Timeout (integer)
    In the Access-Accept packet, this attribute indicates the maximum number of seconds a user should be allowed to remain connected.
    In the Access-Challenge packet, this attribute indicates the duration for which EAP authentication users are reauthenticated.
    When the value of this attribute is 0:
    ● If the aaa-author session-timeout invalid-value enable command is not configured, the session-timeout attribute delivered by the server does not take effect and the period for disconnecting or reauthenticating users depends on the device configuration.
    ● If the aaa-author session-timeout invalid-value enable command is configured, the session-timeout attribute delivered by the server takes effect and the device does not disconnect or reauthenticate users.
    NOTE
    This attribute is only valid for 802.1X, MAC address, Portal, and PPPoE authentication users.
    When the RADIUS server delivers only this attribute, the value of attribute 29 Termination-Action is set to 0 (users are forced offline) by default.

28 Idle-Timeout (integer)
    Maximum number of consecutive seconds of idle connection the user is allowed before termination of the session or prompt.
    NOTE
    ● This attribute is only valid for administrators and wireless users.
    ● This attribute can be used together with the traffic and direction configured using the idle-cut command in the service scheme view. When no authorization service scheme is configured or this command is not configured in the service scheme, and a user does not produce upstream traffic within the idle-cut period, the user is disconnected.
    ● In V200R012C00 and later versions, idle-cut is performed in seconds. In versions earlier than V200R012C00, idle-cut is performed in minutes. When a switch or an AC interconnects with an AP running a version earlier than V200R009C00, the idle-cut period in seconds is rounded up to a whole number of minutes; for example, 60s is rounded up to 1 minute, and values from 61s to 119s are rounded up to 2 minutes.

29 Termination-Action (integer)
    What action the NAS should take when the specified service is completed:
    ● 0: forcible disconnection
    ● 1: reauthentication
    NOTE
    This attribute is only valid for 802.1X and MAC address authentication users. When the authentication point is deployed on a VLANIF interface, MAC address authenticated users do not support the authorization of Termination-Action=1.
    When the RADIUS server delivers only this attribute, the value of attribute 27 Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for MAC address authentication users) by default.

30 Called-Station-Id (string)
    Number of the NAS:
    ● For wired users, it is the NAS MAC address.
    ● For wireless users, it is the SSID and MAC address of the AP. You can run the called-station-id wlan-user-format command to set the attribute encapsulation content to the AC's MAC address, AC's IP address, AP name, name of the AP group to which the AP belongs, outer VLAN through which the user goes online, or location information of the AP, and whether to encapsulate the SSID into the RADIUS packet.

31 Calling-Station-Id (string)
    Identification number of the client. Generally, it is the MAC address of the client.

32 NAS-Identifier (string)
    String identifying the NAS device originating the Access-Request. By default, the attribute value is the host name of the NAS device. You can change the attribute value to the VLAN ID of the user or the MAC address of the AP using the radius-server nas-identifier-format { hostname | vlan-id | ap-info } command.

40 Acct-Status-Type (integer)
    Accounting-Request type:
    ● 1: Accounting-Start packet
    ● 2: Accounting-Stop packet
    ● 3: Interim-Accounting packet

41 Acct-Delay-Time (integer)
    Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time).

42 Acct-Input-Octets (integer)
    Number of bytes in upstream traffic, corresponding to the lower 32 bits in the data structure for storing the upstream traffic. Contents of this attribute and the RADIUS attribute 52 (Acct-Input-Gigawords) compose the upstream traffic.
    The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.
    NOTE
    This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

43 Acct-Output-Octets (integer)
    Number of bytes in downstream traffic, corresponding to the lower 32 bits in the data structure for storing the downstream traffic. Contents of this attribute and the RADIUS attribute 53 (Acct-Output-Gigawords) compose the downstream traffic.
    The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.

44 Acct-Session-Id (string)
    Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID.
    The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) + Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID prefix (2 bits) + User ID (5 bits).

45 Acct-Authentic (integer)
    User authentication mode:
    ● 1: RADIUS authentication
    ● 2: Local authentication
    ● 3: Other remote authentications

46 Acct-Session-Time (integer)
    How long (in seconds) the user has received service.
    NOTE
    If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.

47 Acct-Input-Packets (integer)
    Number of incoming packets.
    NOTE
    This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

48 Acct-Output-Packets (integer)
    Number of outgoing packets.

49 Acct-Terminate-Cause (string)
    Cause of a terminated session:
    ● User-Request (1): The user requests termination of service.
    ● Lost Carrier (2): The connection is torn down due to a handshake failure or heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
    ● Lost Service (3): The connection initiated by the peer device is torn down.
    ● Idle Timeout (4): The idle timer expires.
    ● Session Timeout (5): The session times out or the traffic threshold is reached.
    ● Admin Reset (6): The administrator forces the user to go offline.
    ● Admin Reboot (7): The administrator restarts the NAS.
    ● Port Error (8): A port fails.
    ● NAS Error (9): The NAS encounters an internal error.
    ● NAS Request (10): The NAS ends the session due to resource changes.
    ● NAS Reboot (11): The NAS automatically restarts.
    ● Port Unneeded (12): The port is Down.
    ● Port Preempted (13): The port is preempted.
    ● Port Suspended (14): The port is suspended.
    ● Service Unavailable (15): The service is unavailable.
    ● Callback (16): The NAS is terminating the current session to perform a callback for a new session.
    ● User Error (17): User authentication fails or times out.
    ● Host Request (18): A host sends a request.

52 Acct-Input-Gigawords (integer)
    Number of times the number of bytes in upstream traffic is greater than 4 GB (2^32), corresponding to the higher 32 bits in the data structure for storing the upstream traffic. Contents of this attribute and the RADIUS attribute 42 (Acct-Input-Octets) compose the upstream traffic.
    The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.
    NOTE
    This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

53 Acct-Output-Gigawords (integer)
    Number of times the number of bytes in downstream traffic is greater than 4 GB (2^32), corresponding to the higher 32 bits in the data structure for storing the downstream traffic. Contents of this attribute and the RADIUS attribute 43 (Acct-Output-Octets) compose the downstream traffic.
    The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.

55 Event-Timestamp (integer)
    Time when an Accounting-Request packet is generated, represented as the number of seconds elapsed since 00:00:00 of January 1, 1970.

60 CHAP-Challenge (string)
    Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation.

61 NAS-Port-Type (integer)
    NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15).

64 Tunnel-Type (integer)
    Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.

65 Tunnel-Medium-Type (integer)
    Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.

79 EAP-Message (string)
    Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS supports EAP authentication. When an EAP packet is longer than 253 bytes, the packet is encapsulated into multiple attributes. A RADIUS packet can carry multiple EAP-Message attributes.

80 Message-Authenticator (string)
    Authenticates and verifies authentication packets to prevent spoofing packets.

81 Tunnel-Private-Group-ID (string)
    Tunnel private group ID, which is used to deliver user VLANs.
    NOTE
    If users are authorized with VLANs based on VLAN pools in the Tunnel-Private-Group-ID attribute, both the Tunnel-Type and Tunnel-Medium-Type attributes must be configured, and their values must be 13 and 6 respectively.
    The VLAN pool is configured as the service VLAN for wireless users. If the authorized VLAN is in the VLAN pool, the VLAN can be switched when an IP address fails to be obtained. If the authorized VLAN is not in the VLAN pool, the VLAN cannot be switched.
    Authorization can be performed based on the VLAN ID, VLAN description, VLAN name, and VLAN pool, which are listed in descending order of priority.
    Both wired and wireless users support authorization based on the VLAN pool. In V200R013C00 and later versions, wireless users support authorization based on the VLAN pool.
    When the VLAN pool is used to authorize the Tunnel-Private-Group-ID attribute, the voice VLAN cannot be authorized through the HW-VoiceVlan attribute. Otherwise, the two attributes do not take effect.
    For details, see 2.3 Licensing Requirements and Limitations for NAC Unified Mode.

85 Acct-Interim-Interval (integer)
    Interim accounting interval, in seconds. It is recommended that the interval be at least 600 seconds. The value ranges from 60 to 3932100.

87 NAS-Port-Id (string)
    Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:
    ● New:
      For Ethernet access users, the NAS-Port-Id is in the format "slot=xx; subslot=xx; port=xxx; vlanid=xxxx; interfaceName=port", in which "slot" ranges from 0 to 15, "subslot" 0 to 15, "port" 0 to 255, and "vlanid" 1 to 4094; "interfaceName" indicates the user access interface, including the interface type and number.
      For ADSL access users, the NAS-Port-Id is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx; interfaceName=port", in which "slot" ranges from 0 to 15, "subslot" 0 to 9, "port" 0 to 9, "VPI" 0 to 255, and "VCI" 0 to 65535; "interfaceName" indicates the user access interface, including the interface type and number.
    ● New client-option82:
      When a PPPoE or DHCP user goes online, if the PPPoE or DHCP packet sent by the user contains the Option 82 field, the device encapsulates the content of the circuit ID suboption in the Option 82 field into the NAS-Port-Id (87) attribute of a RADIUS packet, and then sends the RADIUS packet to the RADIUS server, binding the user account to the access location and preventing an account from being shared by multiple users. In this case, the format of the NAS-Port-Id (87) attribute in the RADIUS packet is the same as that of the circuit ID suboption in the Option 82 field. To configure the format of the circuit ID suboption, run the dhcp option82 format or pppoe intermediate-agent information format command.
      NOTE
      ● If the PPPoE or DHCP packet does not contain the Option 82 field, the format of the NAS-Port-Id (87) attribute in the RADIUS packet is new.
      ● If the new client-option82 parameter is selected, the device encapsulates the content of the first 128 bytes in the Circuit ID suboption of the Option 82 field into the NAS-Port-Id (87) attribute of a RADIUS packet. If the first 128 bytes contain 0, the device only encapsulates bytes before the first 0. If the first byte of the Circuit ID value is 0 or no Circuit ID value exists, the format of the NAS-Port-Id (87) attribute in RADIUS packets is new.
    ● Old:
      For Ethernet access users, the NAS-Port-Id is in the format "port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID (9 characters)."
      For ADSL access users: port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed with 0s if they contain fewer bytes than specified.
    ● vendor vendor-id:
      The NAS port ID format is customized by the vendor. The value of vendor-id currently can only be 9. It is in the format of interface type + interface number, indicating a user access interface. To check the access interface of a specified user, run the display access-user user-id user-id command. In the command output, the User access Interface field indicates the access interface of a user.

89 Chargeable-User-Identity (string)
    Charging ID delivered by the server. To configure a device to support this attribute, run the radius-server support chargeable-user-identity [ not-reject ] command.

95 NAS-IPv6-Address (ipaddr)
    IPv6 address carried in the authentication request packet sent by the NAS. Both the NAS-IPv6-Address and NAS-IP-Address fields can be included in a packet.

96 Framed-Interface-Id (string)
    IPv6 interface identifier to be configured for the user.

97 Framed-IPv6-Prefix (ipaddr)
    IPv6 prefix to be configured for the user.

168 Framed-IPv6-Address (ipaddr)
    IPv6 address of the user.

195 HW-SecurityStr (string)
    Security information of users in EAP relay authentication.

Huawei Proprietary RADIUS Attributes


RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC 2865 can be used to extend RADIUS for implementing functions not supported by standard RADIUS attributes. Table 1-11 describes Huawei proprietary RADIUS attributes.

NOTE

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei
is 2011.
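An added example, not code from this guide or from Huawei: the following Python builds and parses the Vendor-Specific (26) wrapper that carries each "26-N" attribute in Table 1-11, that is the 4-byte Vendor-Id 2011 followed by a Vendor-Type, Vendor-Length and value as laid out in RFC 2865. The sample attribute bytes are constructed here; the decoder checks every length field before slicing, so a malformed attribute is rejected rather than read past the buffer.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
HUAWEI_VENDOR_ID = 2011       # vendor ID of Huawei, as stated in the guide


def encode_vsa(vendor_type, value, vendor_id=HUAWEI_VENDOR_ID):
    """Build one Vendor-Specific attribute carrying a single vendor sub-attribute.

    vendor_type is the N in the guide's '26-N' numbering (e.g. 29 for HW-Exec-Privilege).
    An int value is encoded as a 4-byte big-endian integer (attribute type 'integer');
    a str or bytes value is encoded verbatim (attribute type 'string').
    """
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one byte")
    if isinstance(value, int):
        payload = struct.pack("!I", value)
    else:
        payload = value.encode() if isinstance(value, str) else bytes(value)
    # Vendor-Type(1) Vendor-Length(1) Attribute-Specific(n); Vendor-Length covers itself
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + sub      # Vendor-Id (high byte 0) then sub-attribute
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute length is one byte; value too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk the attribute area of a RADIUS packet and return every vendor sub-attribute
    as (vendor_id, vendor_type, value_bytes). Malformed lengths raise ValueError instead
    of being read past; attributes other than Vendor-Specific are skipped."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        if atype == VENDOR_SPECIFIC:
            body = attrs[pos + 2:pos + alen]
            if len(body) < 6:
                raise ValueError("VSA too short for Vendor-Id plus a sub-attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub, spos = body[4:], 0
            while spos < len(sub):          # a VSA may pack several sub-attributes
                if len(sub) - spos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError(f"bad vendor sub-attribute length {vlen}")
                found.append((vendor_id, vtype, bytes(sub[spos + 2:spos + vlen])))
                spos += vlen
        pos += alen
    return found


def huawei_subattributes(attrs):
    """Return [("26-N", value_bytes), ...] for the Huawei sub-attributes in attrs."""
    return [(f"26-{vtype}", value) for vid, vtype, value in decode_vsas(attrs)
            if vid == HUAWEI_VENDOR_ID]


def demo():
    # Constructed sample: a User-Name (type 1) attribute between two Huawei VSAs.
    attrs = (encode_vsa(29, 15)                                   # HW-Exec-Privilege = 15
             + bytes([1, 7]) + b"alice"                            # User-Name "alice"
             + encode_vsa(82, "$2 permit udp src any 8080"))      # HW-Data-Filter rule
    return huawei_subattributes(attrs)
```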

Table 1-11 Huawei proprietary RADIUS attributes


Attribute No. | Attribute Name | Attribute Type | Description

26-1 HW-Input-Peak-Information-Rate (integer)
Peak information rate (PIR) at which the user accesses the NAS, which is the maximum rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. The minimum value is 64. The HW-Input-Peak-Information-Rate must be higher than or equal to the HW-Input-Committed-Information-Rate. The default HW-Input-Peak-Information-Rate is equal to the HW-Input-Committed-Information-Rate.


26-2 HW-Input-Committed-Information-Rate (integer)
Committed information rate (CIR) at which the user accesses the NAS, which is the allowed average rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. The minimum value is 64.
NOTE
This attribute must be specified when the rate of packets sent from the user to the NAS is limited.

26-3 HW-Input-Committed-Burst-Size (integer)
Committed burst size (CBS) at which the user accesses the NAS, which is the average volume of burst traffic that can pass through an interface. The value is a 4-byte integer, in bits. The minimum value is 10000.

26-4 HW-Output-Peak-Information-Rate (integer)
Peak information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. The minimum value is 64. The HW-Output-Peak-Information-Rate must be higher than or equal to the HW-Output-Committed-Information-Rate. The default HW-Output-Peak-Information-Rate is equal to the HW-Output-Committed-Information-Rate.

26-5 HW-Output-Committed-Information-Rate (integer)
Committed information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. The minimum value is 64.
NOTE
This attribute must be specified when the rate of packets sent from the NAS to the user is limited.

26-6 HW-Output-Committed-Burst-Size (integer)
Committed burst size at which the NAS connects to the user. The value is a 4-byte integer, in bits. The minimum value is 10000.

26-15 HW-Remanent-Volume (integer)
Remaining traffic. The unit is KB.


26-17 HW-Subscriber-QoS-Profile (string)
Name of the QoS profile.
NOTE
● Only the following models support the authorization of this attribute: S5731-S, S5731S-S, S5731-H, and S5731S-H.
● This attribute can be authorized only to wired users.
● When this attribute is authorized to a NAS remotely, ensure that the user queue has been created in the QoS profile using the user-queue { pir pir-value | flow-queue-profile flow-queue-profile-name | flow-mapping-profile flow-mapping-profile-name } * command to implement HQoS.
● If the server delivers both the downlink bandwidth limit (equivalent to the RADIUS attribute HW-Output-Committed-Information-Rate) and the RADIUS attribute HW-Subscriber-QoS-Profile for user authorization, only the RADIUS attribute HW-Subscriber-QoS-Profile takes effect.

26-18 HW-UserName-Access-Limit (integer)
Maximum number of users who are allowed to access the network using the same user name. The limit is indicated by a particular numeric value as follows:
● 0: indicates that no user is allowed to access the network.
● 0xFFFFFFFF (4294967295): indicates that the number of users who are allowed to access the network using the same user name is not limited.
● 1: indicates that only one user is allowed to access the network using a particular user name.
● Other values: indicates a maximum number (specified by the particular value) of users who are allowed to access the network using the same user name.
NOTE
This attribute can be carried only in Access-Accept packets.

26-26 HW-Connect-ID (integer)
Index of a user connection.

26-28 HW-FTP-Directory (string)
Initial directory of an FTP user.


26-29 HW-Exec-Privilege (integer)
Management user (such as Telnet user) priority, ranging from 0 to 15. A priority greater than or equal to 16 is ineffective.

26-31 HW-Qos-Data (string)
Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile for traffic policing. The QoS profile must exist on the device, and traffic policing must have been configured using the car (QoS profile view) command.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
If the server delivers both the uplink or downlink bandwidth limit (equivalent to the RADIUS attribute HW-Input-Committed-Information-Rate or HW-Output-Committed-Information-Rate) and the RADIUS attribute HW-Qos-Data for user authorization, only the uplink or downlink bandwidth limit takes effect.

26-33 HW-VoiceVlan (integer)
Voice VLAN authorization flag. The value 1 indicates that the authorized VLAN is the voice VLAN. This attribute is used with VLAN authorization attributes.
NOTE
After the authentication mode multi-share command is configured in the authentication profile, voice VLAN authorization is not supported.
When the VLAN pool is used to authorize the Tunnel-Private-Group-ID attribute, the voice VLAN cannot be authorized through the HW-VoiceVlan attribute. Otherwise, neither attribute takes effect.

26-35 HW-ProxyRdsPkt (integer)
Whether a RADIUS server is a proxy server:
● If the Access-Accept packet returned by a server carries the HW-Proxy-RDS attribute with value 1, the server is the proxy server.
● If the Access-Accept packet returned by a server carries the HW-Proxy-RDS attribute with value 0, the server is not the proxy server.

26-59 HW-NAS-Startup-Time-Stamp (integer)
NAS start time, represented by the number of seconds elapsed since 00:00:00 of January 1, 1970.


26-60 HW-IP-Host-Address (string)
User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space.
If the user's IP address is detected to be invalid during authentication, the IP address is set to 255.255.255.255.

26-61 HW-Up-Priority (integer)
802.1p priority of upstream packets.

26-62 HW-Down-Priority (integer)
802.1p priority of downstream packets.

26-75 HW-Primary-WINS (ipaddr)
Primary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

26-76 HW-Second-WINS (ipaddr)
Secondary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

26-77 HW-Input-Peak-Burst-Size (integer)
Upstream peak rate, in bit/s. The minimum value is 10000.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

26-78 HW-Output-Peak-Burst-Size (integer)
Downstream peak rate, in bit/s. The minimum value is 10000.


26-82 HW-Data-Filter (string)
Used by the RADIUS server to deliver IPv4 or IPv6 ACL rules to users. ACL rules can be delivered in two modes: delivering ACL rules through DACL groups and delivering ACL rules directly. There are old and new attribute formats for ACL rules. Compared with the old attribute format, the new attribute format shortens the length of an ACL rule. Using a DACL group to deliver ACL rules saves more ACL resources than delivering ACL rules directly. The users in the same DACL group share the ACL resources in the group, whereas each user occupies ACL resources when ACL rules are directly delivered.
NOTE
● Only IPv4 users support the delivery of ACL rules through DACL groups.
● A RADIUS packet may carry multiple 26-82 attributes. Currently, each 26-82 attribute can carry only one ACL rule or DACL group.
● Only wireless users in tunnel forwarding mode and wired users support this attribute. Wireless users in direct forwarding mode can use RADIUS attribute 11 to deliver ACL rules.
● When wireless users go online on the same AP in the same VLAN, user isolation must be configured in a traffic profile to ensure that ACL rules can be delivered to the AP through a DACL group and take effect.
● If ACL rules are directly delivered, you can run the display access-user user-id user-id command to check whether this attribute takes effect. If Dynamic ACL desc (Effective) is displayed in the command output, this attribute takes effect. If Dynamic ACL desc (Ineffective) is displayed in the command output, this attribute does not take effect.
● If ACL rules are delivered through a DACL group, you can run the display access-user user-id user-id command to check whether this attribute takes effect. If DACL group name(Effective) is displayed in the command output, this attribute takes effect. If DACL group name(Ineffective) is displayed in the command output, this attribute does not take effect.
● A DACL group name is a string of 1 to 64 case-sensitive characters, which cannot be configured to - and --. It cannot contain spaces and the following special characters: / \ : * ? " < > | @ ' %. If the DACL group name does not meet the preceding requirements, the authorization fails to be delivered.
● After rules in a DACL group are modified, the rules delivered to the device will be modified when users are re-authenticated or new users go online. The rights of online users will also be modified.
● Only the following switches support DACL groups: S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730S-H, S6730-S, S6730S-S.
● This attribute described through IGMP does not take effect on S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

Directly delivering ACL rules in new attribute format (fields in square brackets are optional)
The attribute format is: $number permit/deny [ protocol ] [ direction ip-address [ port ] ]
The fields are described as follows:
● $: Start character of each ACL rule.
● number: Last three digits in an ACL rule number, ranging from 0 to 999. The first two digits of an ACL rule number are fixed to 10. For example, if the value of this field is 12, the ACL rule number is 10012.
● permit/deny: ACL action. permit indicates that the user access is allowed. deny indicates that the user access is denied.
● protocol: Protocol type. The value can be tcp, udp, icmp or igmp. ICMP is classified into echo and echo-reply.
● direction: IP address type. The value can be dst or src. dst indicates a destination IP address and src indicates a source IP address.
● ip-address: IP address. The value can be any, IPv4 address/mask or IPv6 address/mask. IPv4 address/mask: The IPv4 address is in dotted decimal notation. The mask is a hexadecimal number ranging from 0 to 32. The IP address and mask are separated by a slash (/). IPv6 address/mask: The IPv6 address is a hexadecimal number. The mask is a decimal number that ranges from 0 to 128. The IP address and mask are separated by a slash (/).
● port: Port number. Currently, only one port is supported.
The following examples are the attribute values entered on the server:
$1 permit dst 10.0.239.192/26
$2 permit udp src any 8080
$3 permit icmp echo dst 10.1.1.1/24
$5 deny

Directly delivering ACL rules in old attribute format
The attribute format is acl number key1 key-value1... keyN key-valueN permit/deny.
The fields are described as follows:
All keywords are case-insensitive. All keywords are separated from keyword values using spaces. The location of keywords is not fixed. The keywords permit and deny can be placed after number or at the end of the whole command line.
● acl: Keyword, indicating that the ACL rule is delivered.
● number: ACL rule number. The value ranges from 10000 to 10999.
● keyM key-valueM (1≤M≤N): Keyword in an ACL rule and its value. The keyword value can be:
– dest-ip ip-address: Specifies the destination IPv4 address in dotted decimal notation, or the destination IPv6 address as a hexadecimal number. When the destination IP address is 0.0.0.0, this parameter can be omitted.
– dest-ipmask mask: Specifies the destination IPv4 mask. NAC users support only a destination IP mask that is an integer ranging from 0 to 32. VM users support only a destination IP mask in dotted decimal notation. Or specifies the destination IPv6 mask; the value is an integer that ranges from 0 to 128. When the IP mask is 0, this parameter can be omitted.
– tcp-srcport port: Specifies the source TCP start port number that ranges from 0 to 65535.
– tcp-srcport-end port: Specifies the source TCP end port number that ranges from 0 to 65535 and must be larger than the start port number.
– tcp-dstport port: Specifies the destination TCP start port number that ranges from 0 to 65535.
– tcp-dstport-end port: Specifies the destination TCP end port number that ranges from 0 to 65535 and must be larger than the start port number.
– udp-srcport port: Specifies the source UDP start port number that ranges from 0 to 65535.
– udp-srcport-end port: Specifies the source UDP end port number that ranges from 0 to 65535 and must be larger than the start port number.
– udp-dstport port: Specifies the destination UDP start port number that ranges from 0 to 65535.
– udp-dstport-end port: Specifies the destination UDP end port number that ranges from 0 to 65535 and must be larger than the start port number.
● permit/deny: ACL action. permit indicates that the user access is allowed. deny indicates that the user access is denied.
The following examples are the attribute values entered on the server:
acl 10005 deny
acl 10006 tcp-dstport 5080 permit
acl 10007 dest-ip 10.11.11.2 dest-ipmask 32 permit
acl 10008 dest-ip 10.11.11.3 dest-ipmask 32 udp-dstport 5070 permit
acl 10009 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 udp-dstport-end 5080 deny

Delivering ACL rules using DACL groups
The format of ACL rules in a DACL group can be the new or old format. The new format is recommended. When the device is connected to a Cisco ISE server, an ACL rule starts with the number sign (#).
The following examples are the attribute values entered on the server:
$1 dacl-group-name example
$2 permit dst 10.0.239.192/26
$3 permit udp src any 8080
$4 deny
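The following Python parser is an added example, not code from this guide or from Huawei. It validates HW-Data-Filter values in the new format, the old format and as a DACL group, applying the field rules listed above (rule number ranges, protocol and direction keywords, port ranges, end port larger than start port, DACL group name restrictions) so that a malformed value is caught before it reaches the RADIUS server. It assumes the IPv4 mask is a decimal prefix length, as in the guide's own examples, and accepts the leading "#" that a Cisco ISE server puts on each rule.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PROTOCOLS = {"tcp", "udp", "icmp", "igmp"}
ICMP_KINDS = {"echo", "echo-reply"}          # ICMP is classified into echo and echo-reply
ACTIONS = {"permit", "deny"}
OLD_KEYS = {"dest-ip", "dest-ipmask", "tcp-srcport", "tcp-srcport-end", "tcp-dstport",
            "tcp-dstport-end", "udp-srcport", "udp-srcport-end", "udp-dstport", "udp-dstport-end"}
BAD_GROUP_CHARS = set('/\\:*?"<>|@\'% ')     # forbidden in a DACL group name (space included)


@dataclass
class AclRule:
    number: int                          # full ACL rule number, 10000-10999
    action: str                          # "permit" or "deny"
    protocol: Optional[str] = None       # tcp, udp, icmp, igmp (new format only)
    icmp_kind: Optional[str] = None      # echo or echo-reply (new format only)
    direction: Optional[str] = None      # src or dst (new format only)
    network: Optional[str] = None        # "any" or a normalised address/prefix
    port: Optional[int] = None           # single port (new format only)
    keywords: dict = field(default_factory=dict)  # old-format keyword/value pairs


def _port(text):
    if not 0 <= int(text) <= 65535:
        raise ValueError(f"port out of range: {text}")
    return int(text)


def _network(text):
    if text == "any":
        return "any"
    return str(ipaddress.ip_network(text, strict=False))  # page example 10.1.1.1/24 has host bits


def parse_new_format(value):
    """$number permit/deny [protocol] [direction ip-address [port]]"""
    tokens = value.lstrip("#").split()   # a Cisco ISE server prefixes each rule with '#'
    if len(tokens) < 2 or not tokens[0].startswith("$") or tokens[1].lower() not in ACTIONS:
        raise ValueError(f"not a new-format rule: {value!r}")
    index = int(tokens[0][1:])           # non-numeric index raises ValueError as well
    if not 0 <= index <= 999:
        raise ValueError("rule index must be 0-999 (rule number is 10000 + index)")
    rule, rest = AclRule(number=10000 + index, action=tokens[1].lower()), tokens[2:]
    if rest and rest[0].lower() in PROTOCOLS:
        rule.protocol = rest.pop(0).lower()
        if rule.protocol == "icmp" and rest and rest[0].lower() in ICMP_KINDS:
            rule.icmp_kind = rest.pop(0).lower()
    if rest:
        if rest[0].lower() not in ("src", "dst") or len(rest) < 2:
            raise ValueError(f"expected 'src|dst ip-address', got {rest}")
        rule.direction = rest.pop(0).lower()
        rule.network = _network(rest.pop(0))
        if rest:
            rule.port = _port(rest.pop(0))   # only one port is supported
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return rule


def parse_old_format(value):
    """acl number key1 value1 ... keyN valueN permit/deny (action may also follow number)"""
    tokens = value.lstrip("#").split()
    if len(tokens) < 3 or tokens[0].lower() != "acl":
        raise ValueError(f"not an old-format rule: {value!r}")
    number, body = int(tokens[1]), tokens[2:]
    if not 10000 <= number <= 10999:
        raise ValueError("ACL rule number must be 10000-10999")
    if body[0].lower() in ACTIONS:
        action = body.pop(0).lower()
    elif body[-1].lower() in ACTIONS:
        action = body.pop().lower()
    else:
        raise ValueError("permit/deny must follow the number or end the rule")
    if len(body) % 2:
        raise ValueError("every keyword needs a value")
    kw = {}
    for key, val in zip(body[::2], body[1::2]):
        key = key.lower()                 # keywords are case-insensitive
        if key not in OLD_KEYS:
            raise ValueError(f"unknown keyword: {key}")
        kw[key] = _port(val) if "port" in key else val
    for start in ("tcp-srcport", "tcp-dstport", "udp-srcport", "udp-dstport"):
        end = start + "-end"
        if end in kw and (start not in kw or kw[end] <= kw[start]):
            raise ValueError(f"{end} must be larger than {start}")
    rule = AclRule(number=number, action=action, keywords=kw)
    if "dest-ip" in kw:                   # dest-ipmask defaults to 0 when omitted
        rule.network = _network(f"{kw['dest-ip']}/{kw.get('dest-ipmask', '0')}")
    return rule


def parse_dacl_group(values):
    """First value names the group ($n dacl-group-name NAME); the rest are its rules."""
    head = values[0].lstrip("#").split()
    if len(head) != 3 or head[1].lower() != "dacl-group-name":
        raise ValueError("first value must be '$n dacl-group-name <name>'")
    name = head[2]
    if not 1 <= len(name) <= 64 or name in ("-", "--") or BAD_GROUP_CHARS & set(name):
        raise ValueError(f"invalid DACL group name: {name!r}")
    rules = [parse_old_format(v) if v.lstrip("#").lower().startswith("acl") else parse_new_format(v)
             for v in values[1:]]
    return name, rules
```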


26-135 HW-Client-Primary-DNS (ipaddr)
Primary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-136 HW-Client-Secondary-DNS (ipaddr)
Secondary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-138 HW-Domain-Name (string)
Name of the domain used for user authentication. This attribute can be the domain name contained in a user name or the name of a forcible domain.

26-141 HW-AP-Information (string)
AP's MAC address used for STA authentication, in H-H-H format. H is a 4-digit hexadecimal number.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

26-142 HW-User-Information (string)
User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user to notify the user of items that require security checks.

26-146 HW-User-Policy (string)
Service scheme name. A service scheme contains user authorization information and policies.

26-153 HW-Access-Type (integer)
User access type carried in the Access-Request or Accounting-Request packets that the device sends to the RADIUS server:
● 1: Dot1x user
● 2: MAC address authentication user or MAC address bypass authentication user
● 3: Portal authentication user
● 4: Static user
● 6: Management user
● 7: PPP user

26-155 HW-URL-Flag (integer)
Whether a Uniform Resource Locator (URL) is forcibly pushed when it is used together with another attribute, for example, HW-Portal-URL:
● 0: No
● 1: Yes


26-156 HW-Portal-URL (string)
Forcibly pushed URL. The maximum length is 247 bytes.
If information delivered by the RADIUS server matches the configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used.

26-157 HW-Terminal-Type (string)
Terminal type of a user.
To configure this attribute, run the device-type device-name command.

26-158 HW-DHCP-Option (string)
DHCP Option, encapsulated in Type-Length-Value (TLV) format. A packet may contain multiple HW-DHCP-Option attributes to carry Option information.
Only Option 82 can be delivered.

26-159 HW-HTTP-UA (string)
User-Agent information in Hypertext Transfer Protocol (HTTP) packets.

26-160 HW-UCL-Group (integer)
Index of a UCL group.
NOTE
This attribute cannot be authorized together with ACLs. Otherwise, only the authorized ACLs take effect.

26-161 HW-Forwarding-VLAN (string)
Delivers the Internet Service Provider (ISP) VLAN for user packet forwarding.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

26-162 HW-Forwarding-Interface (string)
Outbound interface for forwarding user packets.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.


26-163 HW-LLDP (string)
LLDP information. A packet can contain multiple HW-LLDP-Info attributes to carry different options. The meanings of different options are as follows:
● 1: Chassis ID TLV, indicating the bridge MAC address of the device
● 2: Port ID TLV, indicating the port identifying the LLDPDU transmit end
● 5: System Name TLV, indicating the device name
● 6: System Description TLV, indicating the system description
● 7: System Capabilities TLV, indicating the system capabilities
● 8: Management Address TLV, indicating the management address
● 127: Organization Specific TLV, indicating the user-defined organization information

26-164 HW-CDP (string)
CDP information. A packet can contain multiple HW-CDP attributes to carry different options. The meanings of different options are as follows:
● 1: device ID, indicating the device ID
● 2: address, indicating the address of the interface that sends CDP packets
● 3: port ID, indicating the ID of the interface that sends CDP packets
● 4: function, indicating the device function
● 5: version, indicating the software version
● 6: platform, indicating the hardware platform

26-166 HW-Acct-ipv6-Input-Octets (integer)
Number of upstream bytes in an IPv6 flow. The unit can be byte, kilobyte, megabyte, or gigabyte.

26-167 HW-Acct-ipv6-Output-Octets (integer)
Number of downstream bytes in an IPv6 flow. The unit can be byte, kilobyte, megabyte, or gigabyte.

26-168 HW-Acct-ipv6-Input-Packets (integer)
Number of upstream packets in an IPv6 flow.


26-169 HW-Acct-ipv6-Output-Packets (integer)
Number of downstream packets in an IPv6 flow.

26-170 HW-Acct-ipv6-Input-Gigawords (integer)
This attribute specifies the number of times that more than 4 GB of upstream packets are carried in an IPv6 flow. This attribute is usually used with the HW-Acct-ipv6-Input-Octets attribute.

26-171 HW-Acct-ipv6-Output-Gigawords (integer)
This attribute specifies the number of times that more than 4 GB of downstream packets are carried in an IPv6 flow. This attribute is usually used with the HW-Acct-ipv6-Output-Octets attribute.

26-173 HW-Redirect-ACL (string)
Redirection ACL. Redirection is performed for only the users matching the ACL rules. The ACL number or ACL name can be delivered. The ACL name must start with a character.
NOTE
The value range of acl-number is from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users.
After the authentication mode multi-share command is configured in the authentication profile, redirection ACL authorization is not supported.

26-178 HW-IPv6-Redirect-ACL (string)
Redirection IPv6 ACL. Redirection is performed for only the users matching the ACL rules. The ACL number or ACL name can be delivered. The ACL name must start with a character.
NOTE
● Only wired users support the authorization of this attribute.
● The value range of acl-number is from 3000 to 3999.
● After the authentication mode multi-share command is configured in the authentication profile, redirection ACL authorization is not supported.
● This attribute is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI.


26-201 HW-User-Extend-Info (string)
Extended user information. This attribute is contained in authentication and accounting request packets. A packet can contain multiple HW-User-Extend-Info attributes. The following describes extended user information:
● User-Position: Service code of the location where a user goes online
● User-Position-Type: Type of the location where a user goes online
● AP-Device-Code: AP code
● AP-POS-X: Longitude of a moving AP
● AP-POS-Y: Latitude of a moving AP
● Wifi-Density: Field strength
● TERMINAL-POS-X: X coordinate of the terminal against the AP, in meters
● TERMINAL-POS-Y: Y coordinate of the terminal against the AP, in meters
● HW-Access-Time: User access time. The value is the number of seconds elapsed since 00:00:00 of January 1, 1970.
This attribute applies only to MAC address authentication and Portal authentication.


26-202 HW-MUD-URL (string)
Identity information of iConnect terminals. The information is carried in an authentication request packet.
The RADIUS server determines whether a terminal is an iConnect terminal based on the HW-MUD-URL attribute. If the terminal is an iConnect terminal, the RADIUS server searches for the corresponding authorization policy based on the user account and encapsulates an authentication response packet with this policy. For an iConnect terminal, you are advised to configure a redirection-related RADIUS attribute (such as HW-Redirect-ACL or HW-Portal-URL). In this way, the iConnect terminal will be redirected to a URL to download an EAP-TLS certificate after being authenticated successfully. After the certificate is downloaded, EAP-TLS authentication is triggered for the terminal.
NOTE
The HW-MUD-URL attribute can be used only in wireless scenarios.
The HW-MUD-URL attribute is supported only on the S5731-H, S5731S-H, S5732-H, S6730S-H and S6730-H.
The RADIUS server must be iMaster NCE-Campus.
If a client sends an EAPoL-Start packet to trigger authentication, iConnect-URL is not carried during RADIUS authentication of an iConnect terminal.

26-203 HW-VIP-Level-ID (integer)
User priority.
The value is 0 or 1. A larger value indicates a higher priority. The default value is 0.

26-204 HW-SAC-Profile (string)
SAC profile name.
NOTE
This attribute is supported only by the S5731-S, S5731S-S, S5731-H, and S5731S-H.


26-237 HW-Web-Authen-Info (string)
Information sent from the portal server via the device (which transparently transmits the information) to the RADIUS server. For example, a user selects the authentication-free option and time information for next login, based on which the RADIUS server saves the MAC address of the user for a period of time. Upon the next login of the user, the login page is not displayed. Instead, MAC address authentication is preferentially used.
This attribute can be used for transparent transmission in complex modes such as EAP.


26-238 HW-Ext-Specific (string)
User extended attributes:
● user-dscp-in: DSCP value of inbound user packets. The value ranges from 0 to 63.
● user-dscp-out: DSCP value of outbound user packets. The value ranges from 0 to 63.
NOTE
If the DSCP value of outbound user packets is small, the Portal authentication success page may fail to be pushed.
● user-command: Used in RADIUS CoA dynamic authorization. The value can be 1, 2, or 3.
– 1: indicates that user reauthentication will be performed. In this case, you need to set the value of this attribute on the authentication server to user-command=1.
– 2: indicates that the authentication interface will be disconnected intermittently. In this case, you need to run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device to configure it to support this attribute, and set the value of this attribute on the authentication server to user-command=2.
– 3: indicates that the authentication interface will be disabled. In this case, you need to run the undo radius-server authorization hw-ext-specific command down-port disable command on the device to configure it to support this attribute, and set the value of this attribute on the authentication server to user-command=3.
NOTE
During RADIUS CoA dynamic authorization, when the value of user-command is 1, 2, or 3, other authorization attributes are not supported.
The user-dscp-in and user-dscp-out attributes cannot be authorized to wireless users in direct forwarding mode.
This attribute applies only to NAC users.
Pay attention to the following points if the value of the user-command field in the RADIUS attribute HW-Ext-Specific (26-238) carried in a CoA packet sent by the RADIUS server is 2 or 3:
● Ensure that only one user resides on the authentication port or that the user to be authenticated is directly connected to the authentication port; otherwise, other users on the authentication port will be affected if the port goes Down intermittently or is disabled.
● Only a physical port, as opposed to an Eth-Trunk, can function as the authentication port.
● When the value is 2, SVF and policy association are both supported. When the value is 3, SVF and policy association are not supported.

26-239 HW-User-Access-Info (string)
User context profile information.

26-240 HW-Access-Device-Info (string)
The authentication and accounting request packets carry the IP addresses, MAC addresses, and port numbers of access switches in policy association. The format is ip=A.B.C.D;mac=XXXX-XXXX-XXXX;slot=XX;subslot=XXX;port=XXX;vlanid=XXXX;interfaceName=port.

26-244 HW-Reachable-Detect (string)
Server reachability detection information. Authentication packets carrying this attribute are server detection packets.

26-247 HW-Tariff-Input-Octets (string)
Number of upstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of upstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels.


26-248 | HW-Tariff-Output-Octets | string | Number of downstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of downstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels.

26-249 | HW-Tariff-Input-Gigawords | string | How many times larger the number of upstream bytes at the specified tariff level is than 4G. This field and the HW-Tariff-Input-Octets field together specify the number of upstream bytes at the specified tariff level.

26-250 | HW-Tariff-Output-Gigawords | string | How many times larger the number of downstream bytes at the specified tariff level is than 4G. This field and the HW-Tariff-Output-Octets field together specify the number of downstream bytes at the specified tariff level.


26-251 | HW-IPv6-Filter-ID | string | ID of a user IPv6 ACL. The value ranges from 2000 to 3999 (wired users) or 2000 to 3031 (wireless users).
NOTE
● When only the RADIUS server performs authorization, the local device does not perform ACL authorization, and the corresponding user group, ACL, and ACL rules are configured on the local device:
– If the server simultaneously delivers the user group name or UCL group name carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, only the user group name takes effect.
– If the server simultaneously delivers the IPv4 ACL ID carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, both the IPv4 and IPv6 ACL IDs take effect.
● IPv6 ACL authorization is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI.
● If a deny IPv6 rule is configured during IPv6 ACL authorization, run the rule rule-id permit icmpv6 icmp6-type neighbor-advertisement, rule rule-id permit icmpv6 icmp6-type neighbor-solicitation, and rule rule-id permit udp destination-port eq port commands to allow IPv6 ND and DHCP packets to pass through. Otherwise, services may be interrupted.

26-253 | HW-Framed-IPv6-Address | ipaddr | IPv6 address to be configured for the user.

26-254 | HW-Version | string | Software version of the device.

26-255 | HW-Product-ID | string | NAS product name.

Huawei-supported Extended RADIUS Attributes of Other Vendors

Huawei devices support some extended RADIUS attributes of Microsoft, Cisco, and DSL Forum. For details, see Table 1-12.


Table 1-12 Huawei-supported extended RADIUS attributes of other vendors

Attribute No. | Attribute Name | Attribute Type | Description

MICROSOFT-16 | MS-MPPE-Send-Key | string | This attribute indicates the MPPE sending key.

MICROSOFT-17 | MS-MPPE-Recv-Key | string | This attribute indicates the MPPE receiving key.

CISCO-1 | Cisco-avpair | string | This attribute indicates the voice VLAN.

DSLFORUM-1 | Agent-Circuit-Id | string | Circuit ID of the access device of the online user.

DSLFORUM-2 | Agent-Remote-Id | string | Unique ID of the circuit associated with the online user.

RADIUS Attributes Available in Packets


Different RADIUS packets carry different RADIUS attributes.
● For the RADIUS attributes available in authentication packets, see Table 1-13.
● For the RADIUS attributes available in accounting packets, see Table 1-14.
● For the RADIUS attributes available in authorization packets, see Table 1-15.

NOTE
● 1: indicates that the attribute must appear once in the packet.
● 0: indicates that the attribute cannot appear in the packet (it will be discarded if it is contained).
● 0-1: indicates that the attribute can appear once or not at all in the packet.
● 0+: indicates that the attribute may appear multiple times or not at all in the packet.

Table 1-13 RADIUS attributes available in authentication packets

Attribute No. Access-Request Access-Accept Access-Reject Access-Challenge

User-Name(1) 1 0-1 0 0

User-Password(2) 0-1 0 0 0


CHAP-Password(3) 0-1 0 0 0

NAS-IP-Address(4) 1 0 0 0

NAS-Port(5) 1 0 0 0

Service-Type(6) 1 0-1 0 0

Framed-Protocol(7) 1 0-1 0 0

Framed-IP-Address(8) 0-1 0-1 0 0

Filter-Id(11) 0 0-1 0 0

Framed-Mtu(12) 0-1 0 0 0

Login-IP-Host(14) 0-1 0-1 0 0

Login-Service(15) 0 0-1 0 0

Reply-Message(18) 0 0-1 0-1 0-1

Callback-Number(19) 0 0-1 0 0

State(24) 0-1 0-1 0 0-1

Class(25) 0 0-1 0 0

Session-Timeout(27) 0 0-1 0-1 0-1

Idle-Timeout(28) 0 0-1 0 0

Termination-Action(29) 0 0-1 0 0-1

Called-Station-Id(30) 0-1 0 0 0

Calling-Station-Id(31) 1 0-1 0 0

NAS-Identifier(32) 1 0 0 0

Acct-Session-id(44) 1 0 0 0

CHAP-Challenge(60) 0-1 0 0 0

NAS-Port-Type(61) 1 0 0 0

Tunnel-Type(64) 0 0-1 0 0

Tunnel-Medium-Type(65) 0 0-1 0 0

EAP-Message(79) 0-1 0-1 0-1 0-1

Message-Authenticator(80) 0-1 0-1 0-1 0-1

Tunnel-Private-Group-ID(81) 0 0-1 0-1 0


Acct-Interim-Interval(85) 0 0-1 0 0

NAS-Port-Id(87) 0-1 0 0 0

Chargeable-User-Identity(89) 0-1 0-1 0 0

NAS-IPv6-Address(95) 0-1 0 0 0

Framed-Interface-Id(96) 0+ 0 0 0

Framed-IPv6-Prefix(97) 0+ 0 0 0

HW-SecurityStr(195) 0-1 0 0 0

HW-Input-Peak-Information-Rate(26-1) 0 0-1 0 0

HW-Input-Committed-Information-Rate(26-2) 0 0-1 0 0

HW-Input-Committed-Burst-Size(26-3) 0 0-1 0 0

HW-Output-Peak-Information-Rate(26-4) 0 0-1 0 0

HW-Output-Committed-Information-Rate(26-5) 0 0-1 0 0

HW-Output-Committed-Burst-Size(26-6) 0 0-1 0 0

HW-Remanent-Volume(26-15) 0 0-1 0 0

HW-Subscriber-QoS-Profile(26-17) 0 0-1 0 0

HW-UserName-Access-Limit(26-18) 0 0-1 0 0

HW-Connect-ID(26-26) 1 0 0 0

Ftp-directory(26-28) 0 0-1 0 0

HW-Exec-Privilege(26-29) 0 0-1 0 0

HW-Qos-Data(26-31) 0 0-1 0 0

HW-VoiceVlan(26-33) 0 0-1 0 0

HW-ProxyRdsPkt(26-35) 0 0-1 0 0

HW-NAS-Startup-Time-Stamp(26-59) 1 0 0 0


HW-IP-Host-Address(26-60) 1 0 0 0

HW-Up-Priority(26-61) 0 0-1 0 0

HW-Down-Priority(26-62) 0 0-1 0 0

HW-Primary-WINS(26-75) 0 0-1 0 0

HW-Second-WINS(26-76) 0 0-1 0 0

HW-Input-Peak-Burst-Size(26-77) 0 0-1 0 0

HW-Output-Peak-Burst-Size(26-78) 0 0-1 0 0

HW-Data-Filter(26-82) 0 0-1 0-1 0

HW-Client-Primary-DNS(26-135) 0 0-1 0 0

HW-Client-Secondary-DNS(26-136) 0 0-1 0 0

HW-Domain-Name(26-138) 1 0 0 0

HW-AP-Information(26-141) 1 0 0 0

HW-User-Information(26-142) 0 0-1 0 0

HW-User-Policy(26-146) 0 0-1 0 0

HW-Access-Type(26-153) 1 0-1 0 0

HW-URL-Flag(26-155) 0 0-1 0 0

HW-Portal-URL(26-156) 0 0-1 0 0

HW-Terminal-Type(26-157) 0-1 0 0 0

HW-DHCP-Option(26-158) 0+ 0 0 0

HW-UCL-Group(26-160) 0 0-1 0 0

HW-Forwarding-VLAN(26-161) 0 0-1 0 0

HW-Forwarding-Interface(26-162) 0 0-1 0 0


HW-LLDP(26-163) 0-1 0 0 0

HW-Redirect-ACL(26-173) 0 0-1 0 0

HW-IPv6-Redirect-ACL(26-178) 0 1 0 0

HW-User-Extend-Info(26-201) 0-1 0 0 0

HW-MUD-URL(26-202) 0-1 0 0 0

HW-VIP-Level-ID(26-203) 0 0-1 0 0

HW-SAC-Profile(26-204) 0 0-1 0 0

HW-Web-Authen-Info(26-237) 1 0 0 0

HW-Ext-Specific(26-238) 0 0-1 0 0

HW-User-Access-Info(26-239) 1 0 0 0

HW-Access-Device-Info(26-240) 0-1 0 0 0

HW-Reachable-Detect(26-244) 0 0 0 0

HW-Framed-IPv6-Address(26-253) 0-1 0 0 0

HW-Version(26-254) 1 0 0 0

HW-Product-ID(26-255) 1 0 0 0

MS-MPPE-Send-Key(MICROSOFT-16) 0 0-1 0 0

MS-MPPE-Recv-Key(MICROSOFT-17) 0 0-1 0 0

Cisco-avpair(CISCO-1) 0 0-1 0 0

Agent-Circuit-Id(DSLFORUM-1) 0-1 0 0 0

Agent-Remote-Id(DSLFORUM-2) 0-1 0 0 0


Table 1-14 RADIUS attributes available in accounting packets

Attribute No. Accounting-Request(Start) Accounting-Request(Interim-Update) Accounting-Request(Stop) Accounting-Response(Start) Accounting-Response(Interim-Update) Accounting-Response(Stop)

User-Name(1) 1 1 1 0 0 0

NAS-IP-Address(4) 1 1 1 0 0 0

NAS-Port(5) 1 1 1 0 0 0

Service-Type(6) 1 1 1 0 0 0

Framed-Protocol(7) 1 1 1 0 0 0

Framed-IP-Address(8) 1 1 1 0 0 0

Class(25) 0-1 0-1 0-1 0 0 0

Session-Timeout(27) 0 0 0 0-1 0-1 0

Called-Station-Id(30) 1 1 1 0 0 0
NOTE
For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry this attribute, then neither does the accounting request packet.

Calling-Station-Id(31) 1 1 1 0 0 0

NAS-Identifier(32) 1 1 1 0 0 0

Acct-Status-Type(40) 1 1 1 0 0 0

Acct-Delay-Time(41) 0-1 1 1 0 0 0

Acct-Input-Octets(42) 0-1 0-1 0-1 0 0 0

Acct-Session-Id(44) 1 1 1 0 0 0


Acct-Authentic(45) 1 1 1 0 0 0

Acct-Session-Time(46) 0 1 1 0 0 0

Acct-Input-Packets(47) 0-1 0-1 0-1 0 0 0

Acct-Output-Packets(48) 0-1 0-1 0-1 0 0 0

Acct-Terminate-Cause(49) 0 0 1 0 0 0

Acct-Input-Gigawords(52) 0-1 0-1 0-1 0 0 0

Acct-Output-Gigawords(53) 0-1 0-1 0-1 0 0 0

Event-Timestamp(55) 1 1 1 0 0 0

NAS-Port-Type(61) 1 1 1 0 0 0

NAS-Port-Id(87) 1 1 1 0 0 0

Chargeable-User-Identity(89) 0-1 0-1 0-1 0 0 0

NAS-IPv6-Address(95) 0-1 0-1 0-1 0 0 0

HW-Input-Committed-Information-Rate(26-2) 1 1 1 0 0 0

HW-Output-Committed-Information-Rate(26-5) 1 1 1 0 0 0

HW-Connect-ID(26-26) 1 1 1 0 0 0

HW-IP-Host-Address(26-60) 1 1 1 0 0 0


HW-Domain-Name(26-138) 1 1 1 0 0 0

HW-AP-Information(26-141) 0-1 0-1 0-1 0 0 0

HW-User-Information(26-142) 0 0 0 0-1 0-1 0

HW-Access-Type(26-153) 0-1 0-1 0-1 0 0 0

HW-Terminal-Type(26-157) 0-1 0-1 0-1 0 0 0

HW-DHCP-Option(26-158) 0+ 0+ 0+ 0 0 0

HW-HTTP-UA(26-159) 0-1 0-1 0-1 0 0 0

HW-LLDP(26-163) 0-1 0-1 0-1 0 0 0

HW-User-Extend-Info(26-201) 0-1 0-1 0-1 0 0 0

HW-MUD-URL(26-202) 0 0 0 0 0 0

HW-VIP-Level-ID(26-203) 0 0 0 0 0 0

HW-SAC-Profile(26-204) 0 0 0 0 0 0

HW-Access-Device-Info(26-240) 0-1 0-1 0-1 0 0 0

HW-Reachable-Detect(26-244) 0 0 0 0 0 0

HW-Tariff-Input-Octets(26-247) 0 0-1 0-1 0 0 0

HW-Tariff-Output-Octets(26-248) 0 0-1 0-1 0 0 0


HW-Tariff-Input-Gigawords(26-249) 0 0-1 0-1 0 0 0

HW-Tariff-Output-Gigawords(26-250) 0 0-1 0-1 0 0 0

HW-Framed-IPv6-Address(26-253) 0-1 0-1 0-1 0 0 0

MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0

MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0

Cisco-avpair(CISCO-1) 0 0 0 0 0 0

Agent-Circuit-Id(DSLFORUM-1) 0-1 0-1 0-1 0 0 0

Agent-Remote-Id(DSLFORUM-2) 0-1 0-1 0-1 0 0 0

Table 1-15 RADIUS attributes available in CoA/DM packets

Attribute No. CoA-Request CoA-ACK CoA-NAK DM-Request DM-ACK DM-NAK

User-Name(1) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-IP-Address(4) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-Port(5) 0-1 0 0 0-1 0 0

Framed-IP-Address(8) 0-1 0-1 0-1 0-1 0-1 0-1

Filter-Id(11) 0-1 0 0 0 0 0

Session-Timeout(27) 0-1 0 0 0 0 0


Idle-Timeout(28) 0-1 0 0 0 0 0

Termination-Action(29) 0-1 0 0 0 0 0

Calling-Station-Id(31) 0-1 0-1 0-1 0-1 0-1 0-1

NAS-Identifier(32) 0 0-1 0-1 0 0 0

Acct-Session-Id(44) 1 1 1 1 1 1

Tunnel-Type(64) 0-1 0 0 0 0 0

Tunnel-Medium-Type(65) 0-1 0 0 0 0 0

Tunnel-Private-Group-ID(81) 0-1 0 0 0 0 0

Acct-Interim-Interval(85) 0-1 0 0 0 0 0

NAS-Port-Id(87) 0-1 0 0 0-1 0 0

HW-Input-Peak-Information-Rate(26-1) 0-1 0 0 0 0 0

HW-Input-Committed-Information-Rate(26-2) 0-1 0 0 0 0 0

HW-Output-Peak-Information-Rate(26-4) 0-1 0 0 0 0 0

HW-Output-Committed-Information-Rate(26-5) 0-1 0 0 0 0 0

HW-Output-Committed-Burst-Size(26-6) 0-1 0 0 0 0 0

HW-Subscriber-QoS-Profile(26-17) 0-1 0 0 0 0 0

HW-Qos-Data(26-31) 0-1 0 0 0 0 0


HW-Up-Priority(26-61) 0-1 0 0 0 0 0

HW-Down-Priority(26-62) 0-1 0 0 0 0 0

HW-Input-Peak-Burst-Size(26-77) 0-1 0 0 0 0 0

HW-Output-Peak-Burst-Size(26-78) 0-1 0 0 0 0 0

HW-Data-Filter(26-82) 0-1 0 0 0 0 0

HW-User-Policy(26-146) 0-1 0 0 0 0 0

HW-URL-Flag(26-155) 0-1 0 0 0 0 0

HW-Portal-URL(26-156) 0-1 0 0 0 0 0

HW-UCL-Group(26-160) 0-1 0 0 0 0 0

HW-Forwarding-VLAN(26-161) 0-1 0 0 0 0 0

HW-Forwarding-Interface(26-162) 0-1 0 0 0 0 0

HW-Redirect-ACL(26-173) 0-1 0 0 0 0 0

HW-IPv6-Redirect-ACL(26-178) 1 0 0 0 0 0

HW-MUD-URL(26-202) 0 0 0 0 0 0

HW-VIP-Level-ID(26-203) 0-1 0 0 0 0 0

HW-SAC-Profile(26-204) 0-1 0 0 0 0 0

HW-Ext-Specific(26-238) 1 0 0 0 0 0

MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0


MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0

Cisco-avpair(CISCO-1) 0-1 0 0 0 0 0

Agent-Circuit-Id(DSLFORUM-1) 0-1 0 0 0 0 0

Agent-Remote-Id(DSLFORUM-2) 0-1 0 0 0 0 0

RADIUS Attributes Precautions

Dynamic VLAN:

If dynamic VLAN delivery is configured on the server, the authorization information includes the delivered VLAN attribute. After the device receives the delivered VLAN attribute, it changes the VLAN of the user to the delivered VLAN.

The delivered VLAN does not change or affect the interface configuration. The delivered VLAN, however, takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect again after the user goes offline.

The following standard RADIUS attributes are used for dynamic VLAN delivery:
● (064) Tunnel-Type (It must be set to VLAN, whose value is 13.)
● (065) Tunnel-Medium-Type (It must be set to 802, whose value is 6.)
● (081) Tunnel-Private-Group-ID

To ensure that the RADIUS server delivers VLAN information correctly, all three RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values.
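As an added example (not code from this guide or from the switch), the following Python script checks the attribute block of an Access-Accept for exactly the three-attribute requirement above, so that an incomplete or mis-valued authorization can be spotted on the server side before users are left in the interface VLAN. It assumes the RFC 2865 Type/Length/Value attribute layout and the RFC 2868 tag octet on the tunnel attributes; the 1 to 4094 range check on the VLAN ID is an added sanity check, and the sample packets are constructed.

```python
# Added example for the dynamic VLAN precautions above; not code from the Huawei
# guide. Assumes RFC 2865 TLV attributes and RFC 2868 tag octets (see lead-in).

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN = 13      # guide: Tunnel-Type must be VLAN (13)
TUNNEL_MEDIUM_802 = 6      # guide: Tunnel-Medium-Type must be 802 (6)


def parse_attributes(payload):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tunnel_int(value):
    """Tagged tunnel integer (RFC 2868): 1 tag octet followed by 3 value octets."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")


def tunnel_string(value):
    """Tunnel-Private-Group-ID: a leading octet in 0x00..0x1F is a tag, not text."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def check_dynamic_vlan(payload):
    """Return (ok, detail); ok only when all three attributes are present with
    the values the guide requires. The 1..4094 range check is an added check."""
    found = {t: v for t, v in parse_attributes(payload) if t in REQUIRED}
    missing = [t for t in REQUIRED if t not in found]
    if missing:
        return False, f"missing attributes {missing}; no VLAN is delivered"
    if tunnel_int(found[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is not VLAN (13)"
    if tunnel_int(found[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802:
        return False, "Tunnel-Medium-Type is not 802 (6)"
    vlan = tunnel_string(found[TUNNEL_PRIVATE_GROUP_ID])
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        return False, f"Tunnel-Private-Group-ID {vlan!r} is not a VLAN ID"
    return True, f"user is moved to VLAN {vlan}"


def tlv(atype, value):
    """Encode one attribute as Type, Length (including the 2 header octets), Value."""
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attribute blocks (tag octet 0x00 on each tunnel attribute).
GOOD_ACCEPT = (tlv(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
               + tlv(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
               + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100"))
# Tunnel-Medium-Type left out: the switch keeps the VLAN configured on the interface.
INCOMPLETE_ACCEPT = (tlv(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                     + tlv(TUNNEL_PRIVATE_GROUP_ID, b"100"))

if __name__ == "__main__":
    print(check_dynamic_vlan(GOOD_ACCEPT))        # (True, 'user is moved to VLAN 100')
    print(check_dynamic_vlan(INCOMPLETE_ACCEPT))  # (False, 'missing attributes [65]; no VLAN is delivered')
```

The check is deliberately strict about the tunnel encoding: a server that emits Tunnel-Type without the tag octet, or a Tunnel-Private-Group-ID whose first byte happens to be a control character, produces exactly the kind of silently ignored authorization that leaves a user in the wrong VLAN.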

1.2.4.9 RADIUS Attribute Dictionary

The RADIUS attribute dictionary defines the Huawei proprietary RADIUS attributes (including the attribute number, attribute name, and attribute type) and the Huawei vendor ID. When a Huawei device connects to a RADIUS server, the RADIUS server can correctly identify and process Huawei-defined RADIUS attributes after loading the attribute dictionary file. Different products of the same vendor may use the same attribute number to represent different attribute values. Therefore, the private RADIUS attributes of such products cannot be loaded on the same RADIUS server.

The following example describes how to load the RADIUS attribute dictionary on a freeRADIUS server running SUSE Linux 12.


Configuration | Step | Description

Configure a local server. | Obtain the root permission. | Obtain the root permission on the Linux server where the RADIUS server is installed.

Replace the RADIUS attribute dictionary. | Open the directory /usr/share/freeradius on the RADIUS server. | Open the directory where the RADIUS attribute dictionary is saved.

Replace the RADIUS attribute dictionary. | Replace dictionary attributes. | Replace the original dictionary.huawei file with the RADIUS attribute dictionary. You are advised to back up the original file and name the backup file, for example, dictionary.huawei.bak.

- | Verify the configuration. | After the replacement, restart the RADIUS server and verify, based on onsite services, that the RADIUS private attributes take effect and that the replacement is successful.

NOTE
● The RADIUS attribute dictionary contains the attributes supported on all S switch series products. For details about the attributes supported by each product, see the RADIUS attribute list of the specific product.
● The attachment is the RADIUS attribute dictionary in FreeRADIUS format.

RADIUS_Attribute.txt
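The verification step in the table above can be started before the server is restarted. The following Python script is an added example, not something shipped with this guide or with FreeRADIUS: it parses a dictionary file written in FreeRADIUS dictionary syntax and confirms the Huawei vendor ID (2011, Huawei's IANA enterprise number, which this guide does not state), that several attributes taken from the attribute table in this guide are defined with the expected number and type, and that no attribute number is defined twice, which is the collision the text warns about. The dictionary text inside the script is a constructed sample, not the attached RADIUS_Attribute.txt.

```python
# Added example: consistency check of a FreeRADIUS-format dictionary.huawei.
# Not from the Huawei guide; the sample dictionary text is constructed.

HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number (assumption: not on the page)

# Expected entries taken from the attribute table in this guide: number -> (name, type).
EXPECTED = {
    2: ("HW-Input-Committed-Information-Rate", "integer"),
    247: ("HW-Tariff-Input-Octets", "string"),
    248: ("HW-Tariff-Output-Octets", "string"),
    254: ("HW-Version", "string"),
    255: ("HW-Product-ID", "string"),
}

SAMPLE_DICTIONARY = """\
# constructed sample in FreeRADIUS dictionary syntax
VENDOR          Huawei          2011
BEGIN-VENDOR    Huawei
ATTRIBUTE       HW-Input-Committed-Information-Rate   2     integer
ATTRIBUTE       HW-Tariff-Input-Octets                247   string
ATTRIBUTE       HW-Tariff-Output-Octets               248   string
ATTRIBUTE       HW-Version                            254   string
ATTRIBUTE       HW-Product-ID                         255   string
END-VENDOR      Huawei
"""


def parse_dictionary(text):
    """Return (vendors, attrs): vendors maps name -> ID, attrs maps vendor name
    (None for attributes outside any BEGIN-VENDOR block) -> [(name, number, type)]."""
    vendors, attrs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "VENDOR" and len(parts) >= 3:
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR" and len(parts) >= 2:
            current = parts[1]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE" and len(parts) >= 4:
            attrs.setdefault(current, []).append((parts[1], int(parts[2]), parts[3]))
    return vendors, attrs


def check_huawei_dictionary(text, expected=EXPECTED):
    """Return a list of problem strings; an empty list means the file passed."""
    problems = []
    vendors, attrs = parse_dictionary(text)
    if vendors.get("Huawei") != HUAWEI_VENDOR_ID:
        problems.append(f"VENDOR Huawei must be {HUAWEI_VENDOR_ID}, found {vendors.get('Huawei')}")
    by_number = {}
    for name, number, atype in attrs.get("Huawei", []):
        if number in by_number:     # the collision the guide warns about
            problems.append(f"attribute number {number} defined twice ({by_number[number][0]}, {name})")
        by_number[number] = (name, atype)
    for number, (name, atype) in expected.items():
        if number not in by_number:
            problems.append(f"missing 26-{number} {name}")
        elif by_number[number] != (name, atype):
            problems.append(f"26-{number} is {by_number[number]}, expected {(name, atype)}")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DICTIONARY
    for problem in check_huawei_dictionary(text) or ["dictionary OK"]:
        print(problem)
```

Run it against /usr/share/freeradius/dictionary.huawei before the restart; a clean result does not replace the onsite service check in the last table row, but it catches a truncated copy or a stray duplicate number immediately.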

1.2.4.10 RADIUS Attribute Disablement and Translation

Different vendors support different collections of RADIUS attributes, and each vendor may have its own private attributes. As a result, RADIUS attributes of different vendors may be incompatible, and RADIUS attributes sent between devices from different vendors may fail to be parsed. To resolve this issue, the RADIUS attribute disablement and translation functions are often used in interconnection and replacement scenarios.

RADIUS Attribute Disablement

The RADIUS server may have RADIUS attributes with the same attribute IDs and names as those on the device but with different encapsulation formats or contents. In this case, you can configure the RADIUS attribute disablement function to disable such attributes. The device then does not parse these attributes after receiving them from the RADIUS server, and does not encapsulate these attributes into RADIUS packets sent to the server.


Currently, Huawei-supported RADIUS attributes (with Huawei-supported attribute names and IDs) in a sent or received packet can be disabled on a device.

RADIUS Attribute Translation

RADIUS attribute translation is used to achieve compatibility between RADIUS attributes defined by different vendors. For example, a Huawei device delivers the priority of an administrator using the Huawei proprietary attribute Exec-Privilege (26-29), whereas another vendor's NAS and the RADIUS server deliver this priority using the Login-service (15) attribute. In a scenario where the Huawei device and another vendor's NAS share one RADIUS server, users want the Huawei device to be compatible with the Login-service (15) attribute. After RADIUS attribute translation is configured on the Huawei device, the device automatically processes the Login-service (15) attribute in a received RADIUS authentication response packet as the Exec-Privilege (26-29) attribute.

Devices translate RADIUS attributes in a sent or received packet based on the Type, Length, and Value fields of the RADIUS attributes.
● If translation between attributes A and B is configured in the transmit direction on the device and the device sends a packet containing attribute A, the Type field of the attribute is set to that of attribute B, but the Value field is still encapsulated based on the content and format of attribute A.
● If translation between attributes A and B is configured in the receive direction on the device and the device receives a packet containing attribute A, it parses the Value field of attribute A as that of attribute B. In other words, once attribute translation is configured, the device behaves as if it had received attribute B instead of attribute A.

Huawei-supported and non-Huawei-supported RADIUS attributes can be translated into each other. Table 1-16 shows the modes for translating Huawei-supported and non-Huawei-supported RADIUS attributes into each other.

NOTE
● The device can translate a RADIUS attribute of another vendor only if the length of the Type field in the attribute is 1 octet.
● The device can translate a RADIUS attribute only when the type of the source RADIUS attribute is the same as that of the destination RADIUS attribute. For example, the NAS-Identifier and NAS-Port-Id attributes are both of type string, so they can be translated into each other. The NAS-Identifier and NAS-Port attributes are of types string and integer respectively, so they cannot be translated into each other.


Table 1-16 RADIUS attribute translation mode

Source RADIUS attribute supported by Huawei: Supported
Destination RADIUS attribute supported by Huawei: Supported
Supported translation direction: Transmit and receive directions
Configuration command (RADIUS server template view): radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *

Source RADIUS attribute supported by Huawei: Supported
Destination RADIUS attribute supported by Huawei: Not supported
Supported translation direction: Transmit direction
Configuration command (RADIUS server template view): radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

Source RADIUS attribute supported by Huawei: Not supported
Destination RADIUS attribute supported by Huawei: Supported
Supported translation direction: Receive direction
Configuration command (RADIUS server template view): radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
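To make the Type/Value behaviour described above concrete, the following Python model of attribute translation is an added example, not the device's own implementation. It assumes the RFC 2865 TLV layout and Vendor-Specific (26) encoding with Huawei's vendor ID 2011 (not stated on the page), so that Exec-Privilege is carried as 26-29, and it uses a constructed five-entry dictionary. One rewrite serves both directions: on send, the attribute is re-labelled as the destination but keeps the source's Value encoding; on receive, the source's Value is handed to the destination's parser. The data-type rule from the NOTE above is enforced, and the "extend" form for a non-Huawei destination is shown with vendor ID 9 (Cisco) and sub-ID 1 (Cisco-avpair).

```python
# Added example modelling RADIUS attribute translation; not Huawei code.
# Assumptions: RFC 2865 TLVs, Vendor-Specific (26) envelope, Huawei vendor ID 2011.

HUAWEI_VENDOR_ID = 2011

# Constructed dictionary subset: name -> (type, vendor_id, sub_id, data_type);
# vendor_id None means a standard attribute, otherwise a Vendor-Specific (26) one.
DICTIONARY = {
    "Login-Service":  (15, None, None, "integer"),
    "Exec-Privilege": (26, HUAWEI_VENDOR_ID, 29, "integer"),   # HW-Exec-Privilege (26-29)
    "NAS-Port":       (5, None, None, "integer"),
    "NAS-Identifier": (32, None, None, "string"),
    "NAS-Port-Id":    (87, None, None, "string"),
}


def spec(name_or_spec):
    """Accept a dictionary name or a raw (type, vendor_id, sub_id, data_type) tuple."""
    return DICTIONARY[name_or_spec] if isinstance(name_or_spec, str) else name_or_spec


def encode_vsa(vendor_id, sub_id, value):
    """Vendor-Specific value: Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + data."""
    return vendor_id.to_bytes(4, "big") + bytes([sub_id, len(value) + 2]) + value


def decode_vsa(value):
    """Inverse of encode_vsa; raises on a malformed envelope."""
    if len(value) < 6 or value[5] != len(value) - 4:
        raise ValueError("malformed Vendor-Specific attribute")
    return int.from_bytes(value[:4], "big"), value[4], value[6:]


def matches(attr, s):
    """Does the (type, value) attribute carry the attribute described by spec s?"""
    atype, value = attr
    stype, vendor, sub, _ = s
    if atype != stype:
        return False
    if vendor is None:
        return True
    vid, sid, _ = decode_vsa(value)
    return (vid, sid) == (vendor, sub)


def inner_value(attr, s):
    """The Value octets as encoded by the source, stripped of any VSA envelope."""
    return decode_vsa(attr[1])[2] if s[1] is not None else attr[1]


def wrap(value, s):
    """Re-label the unchanged Value octets with the destination's Type (and envelope)."""
    stype, vendor, sub, _ = s
    return (stype, encode_vsa(vendor, sub, value) if vendor is not None else value)


def can_translate(src, dst):
    """The NOTE above: source and destination must have the same data type."""
    return spec(src)[3] == spec(dst)[3]


def translate(attrs, src, dst):
    """Re-identify every src attribute as dst while keeping the Value octets as
    they are. Sending: Type becomes dst, Value still encoded as src.
    Receiving: src's Value is parsed as dst. Other attributes pass untouched."""
    if not can_translate(src, dst):
        raise ValueError(f"cannot translate {spec(src)[3]} attribute into {spec(dst)[3]} attribute")
    s, d = spec(src), spec(dst)
    return [wrap(inner_value(a, s), d) if matches(a, s) else a for a in attrs]


def radius_int(n):
    return n.to_bytes(4, "big")


# Constructed Access-Accept from a server shared with another vendor's NAS: the
# administrator level arrives in Login-Service(15), which the device would not treat as a level.
RECEIVED = [(1, b"admin"), (15, radius_int(3))]
# Receive direction: the device now parses Login-Service(15) as Exec-Privilege(26-29).
AS_PARSED = translate(RECEIVED, "Login-Service", "Exec-Privilege")
# Transmit direction, "extend" form: NAS-Port-Id(87) leaves the device labelled as
# vendor 9 (Cisco) sub-ID 1 (Cisco-avpair); the Value octets are unchanged.
SENT = translate([(87, b"GigabitEthernet0/0/1")], "NAS-Port-Id", (26, 9, 1, "string"))

if __name__ == "__main__":
    print(AS_PARSED)
    print(SENT)
    print(can_translate("NAS-Identifier", "NAS-Port"))   # False: string vs integer
```

The model makes the limitation of translation visible: because the Value octets are never re-encoded, a translation between attributes whose wire formats differ (string versus integer) would hand the parser bytes it cannot interpret, which is why the device refuses it rather than guessing.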

1.2.5 HWTACACS AAA

1.2.5.1 Overview of HWTACACS

HWTACACS is an information exchange protocol that uses the client/server model to provide centralized validation of users who attempt to access your switch. It uses the Transmission Control Protocol (TCP) and TCP port number 49 to transmit data. HWTACACS provides independent authentication, authorization, and accounting for users accessing the Internet through the Point-to-Point Protocol (PPP) or a Virtual Private Dial-up Network (VPDN) and for administrators. As an enhancement to TACACS (RFC 1492), it can be implemented on different servers.

HWTACACS is compatible with Cisco's TACACS+. Huawei switches can function as HWTACACS clients to interwork with TACACS+ servers to implement AAA. For example, a switch running HWTACACS can communicate with a Cisco server (such as ACS). However, HWTACACS may not be compatible with Cisco proprietary attributes because different vendors define different fields and meanings for proprietary attributes.

Both HWTACACS and RADIUS have the following characteristics:
● Client/Server model
– HWTACACS client: generally resides on the Network Access Server (NAS) but can reside anywhere on the network. The client is responsible for


transmitting user information to the specified HWTACACS server and then performing operations based on the information returned by the server.
– HWTACACS server: generally runs on a central computer or workstation. The server maintains user authentication and network access information, and is responsible for receiving user connection requests, authenticating users, and returning the required information to clients.
● Shared key used for encrypting user information
● Good scalability

However, HWTACACS is more reliable than RADIUS in transmission and encryption, and is better suited to security control. Table 1-17 lists the differences between HWTACACS and RADIUS.

Table 1-17 Comparisons between HWTACACS and RADIUS

Item | HWTACACS | RADIUS

Data transmission | Uses TCP, which is more reliable. | Uses UDP, which is more efficient.

Encryption | Encrypts the entire body of the packet except the standard HWTACACS header. | Encrypts only the password in the packet.

Authentication and authorization | Separates authentication from authorization so that they can be implemented on different security servers. | Combines authentication and authorization.

Command line authorization | Supported. The commands that a user can use are restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Not supported. The commands that a user can use depend on their user level. A user can only use the commands of the same level as or a lower level than the user level.

Application | Security control. | Accounting.

1.2.5.2 HWTACACS Packets

Unlike RADIUS packets, which share one format, the HWTACACS Authentication, Authorization, and Accounting packets each have their own format. All HWTACACS packets, however, share the same HWTACACS Packet Header.


HWTACACS Packet Header

HWTACACS defines a 12-byte header that appears in all HWTACACS packets. Figure 1-16 shows the header.

Figure 1-16 HWTACACS packet header

Table 1-18 Fields in HWTACACS packet header

Field | Description

major version | Major HWTACACS version number. The current version is 0xc.

minor version | Minor HWTACACS version number. The current version is 0x0.

type | HWTACACS packet type.
● 0x01 (authentication)
● 0x02 (authorization)
● 0x03 (accounting)

seq_no | Packet sequence number in a session, ranging from 1 to 254.

flags | Encryption flag on the packet body. This field contains 8 bits, of which only the first bit has a valid value. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted.

session_id | Session ID, which is the unique identifier of a session.

length | Total length of the HWTACACS packet body, excluding the packet header.

HWTACACS Authentication Packet Format

HWTACACS defines three types of authentication packets:


● Authentication Start: indicates the type of authentication to be performed, and contains the user name and authentication data. This packet is only sent as the first message in an HWTACACS authentication process.
● Authentication Continue: indicates that the authentication process has not ended. This packet is sent by a client when the client receives an Authentication Reply packet from the server.
● Authentication Reply: notifies the client of the current authentication status. When the server receives an Authentication Start or Authentication Continue packet from a client, the server sends this packet to the client.

The HWTACACS authentication packets have different formats.

● The following figure shows the HWTACACS Authentication Start packet body.

Figure 1-17 HWTACACS Authentication Start packet body

Table 1-19 Fields in HWTACACS Authentication Start packet

Field | Description

action | Authentication action to be performed. Only the login authentication (0x01) action is supported.

priv_lvl | Privilege level of a user. The value ranges from 0 to 15.

authen_type | Authentication type.
● 0x03 (CHAP authentication)
● 0x02 (PAP authentication)
● 0x01 (ASCII authentication)

service | Type of the service requesting authentication. The PPP (0x03), LOGIN (0x01), ENABLE (0x02), and NONE (0x00) types are available, which correspond to PPP users, administrators, administrators whose privilege level needs to be increased, and other users.

user len | Length of the user name entered by a login user.

port len | Length of the port field.


rem_addr len | Length of the rem_addr field.

data len | Authentication data length.

user | Name of the user requesting authentication. The maximum length is 129.

port | Name of the user interface requesting authentication. The maximum length is 47.
● For administrators, this field indicates the user terminal interface, such as console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
● For other users, this field indicates the user access interface.

rem_addr | IP address of the login user.

data | Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password.

● The following figure shows the HWTACACS Authentication Continue packet body.

Figure 1-18 HWTACACS Authentication Continue packet body

Table 1-20 Fields in HWTACACS Authentication Continue packet

Field | Description

user_msg len | Length of the character string entered by a login user.

data len | Authentication data length.

flags | Authentication continue flag. Allowed values are:
● 0: Authentication continues.
● 1: Authentication has ended.


user_msg Character string entered by a login user. This field carries the
user login password to respond to the server_msg field in the
Authentication Reply packet.

data  Authentication data. Different data is encapsulated depending on the values
of action and authen_type. For example, when PAP authentication is used, the
value of this field is the PAP plain-text password.

● The following figure shows the HWTACACS Authentication Reply packet body.

Figure 1-19 HWTACACS Authentication Reply packet body

Table 1-21 Fields in HWTACACS Authentication Reply packet

Field Description

status  Current authentication status. Legal values are:
● PASS (0x01): Authentication succeeds.
● FAIL (0x02): Authentication fails.
● GETDATA (0x03): Request user information.
● GETUSER (0x04): Request user name.
● GETPASS (0x05): Request password.
● RESTART (0x06): Request reauthentication.
● ERROR (0x07): The authentication packets received by the server have errors.
● FOLLOW (0x21): The server requests reauthentication.

flags  Whether the client displays the password entered by the user in plain
text. The value 1 indicates that the password is not displayed in plain text.

server_msg len  Length of the server_msg field.

data len Authentication data length.

server_msg  Optional field. This field is sent by the server to the user to
provide additional information.


data Authentication data, providing information to the client.

HWTACACS Authorization Packet Format


HWTACACS defines two types of authorization packets:
● Authorization Request: HWTACACS separates authentication from
authorization. Therefore, a user can be authenticated by HWTACACS, and
authorized using another protocol. If a user needs to be authorized by
HWTACACS, the client sends an Authorization Request packet carrying
authorization information to the server.
● Authorization Response: After receiving an Authorization Request packet,
the server sends this packet carrying the authorization result to the client.

● The following figure shows the HWTACACS Authorization Request packet body.

Figure 1-20 HWTACACS Authorization Request packet body

NOTE

The meanings of the following fields in the Authorization Request packet are the same
as those in the HWTACACS Authentication Start packet, and are therefore not
described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len,
port, and rem_addr.


Table 1-22 Fields in HWTACACS Authorization Request packet


Field Description

authen_method  Authentication method used by the client to acquire user
information. Allowed values are:
● 0x00 (no authentication method configured)
● 0x01 (none authentication)
● 0x05 (local authentication)
● 0x06 (HWTACACS authentication)
● 0x10 (RADIUS authentication)

authen_service  Type of the service requesting authentication. The value varies
depending on the user type:
● PPP users: PPP (0x03)
● Administrators: LOGIN (0x01)
● Other users: NONE (0x00)

arg_cnt  Number of attributes carried in the Authorization Request packet.

argN  Attribute of the Authorization Request packet:
● cmd: first argument in the command for authorization request.
● cmd-arg: arguments in the command for authorization request. The format is
fixed as cmd-arg=command parameter. The cmd-arg=<cr> is added at the end of
the command line. The total length of cmd-arg=command parameter cannot exceed
255 bytes, and each command parameter cannot be longer than 247 bytes.

● The following figure shows the HWTACACS Authorization Response packet body.

NOTE

Meanings of the following fields are the same as those in the HWTACACS
Authentication Reply packet, and are therefore not described here: server_msg len,
data len, and server_msg.

Figure 1-21 HWTACACS Authorization Response packet body

Table 1-23 Fields in HWTACACS Authorization Response packet

Field Description

status  Authorization status. Legal values are:
● 0x01 (authorization is successful)
● 0x02 (the attributes in Authorization Request packets are modified by the
TACACS server)
● 0x10 (authorization fails)
● 0x11 (an error occurs on the authorization server)
● 0x21 (an authorization server is re-specified)

arg_cnt  Number of attributes carried in an Authorization Response packet.

argN  Authorization attribute delivered by the HWTACACS authorization server.

HWTACACS Accounting Packet Format


HWTACACS defines two types of accounting packets:
● Accounting Request: contains information used to provide accounting for a
service provided to a user.
● Accounting Response: After receiving and recording an Accounting Request
packet, the server returns this packet.

● The following figure shows the HWTACACS Accounting Request packet body.


Figure 1-22 HWTACACS Accounting Request packet body

NOTE

Meanings of the following fields in the Accounting Request packet are the same as
those in the HWTACACS Authorization Request packet, and are therefore not
described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len,
port, and rem_addr.

Table 1-24 Fields in HWTACACS Accounting Request packet

Field Description

flags  Accounting type. Allowed values are:
● 0x02 (start accounting)
● 0x04 (stop accounting)
● 0x08 (interim accounting)

authen_service  Type of the service requesting authentication, which varies by
user type:
● PPP users: PPP (0x03)
● Administrators: LOGIN (0x01)
● Other users: NONE (0x00)

arg_cnt Number of attributes carried in the Accounting Request packet.

argN Attribute of the Accounting Request packet.


● The following figure shows the HWTACACS Accounting Response packet body.

Figure 1-23 HWTACACS Accounting Response packet body

Table 1-25 Fields in HWTACACS Accounting Response packet


Field Description

server_msg len  Length of the server_msg field.

data len Length of the data field.

status  Accounting status. Legal values are:
● 0x01 (accounting is successful)
● 0x02 (accounting fails)
● 0x03 (no response)
● 0x21 (the server requests reaccounting)

server_msg  Information sent by the accounting server to the client.

data Information sent by the accounting server to the administrator.

1.2.5.3 HWTACACS Authentication, Authorization, and Accounting Process

This section describes how HWTACACS performs authentication, authorization,
and accounting for Telnet users. Figure 1-24 shows the message exchange
process.


Figure 1-24 HWTACACS message interaction

The following describes the HWTACACS message exchange process shown in
Figure 1-24:
1. A Telnet user sends a request packet.
2. After receiving the request packet, the HWTACACS client sends an
Authentication Start packet to the HWTACACS server.
3. The HWTACACS server sends an Authentication Response packet to request
the user name.
4. After receiving the Authentication Response packet, the HWTACACS client
sends a packet to query the user name.
5. The user enters the user name.


6. The HWTACACS client sends an Authentication Continue packet containing
the user name to the HWTACACS server.
7. The HWTACACS server sends an Authentication Response packet to request
the password.
8. After receiving the Authentication Response packet, the HWTACACS client
queries the password.
9. The user enters the password.
10. The HWTACACS client sends an Authentication Continue packet containing
the password to the HWTACACS server.
11. The HWTACACS server sends an Authentication Response packet, indicating
that the user has been authenticated.
12. The HWTACACS client sends an Authorization Request packet to the
HWTACACS server.
13. The HWTACACS server sends an Authorization Response packet, indicating
that the user has been authorized.
14. The HWTACACS client receives the Authorization Response packet and
displays the login page.
15. The HWTACACS client sends an Accounting Request (start) packet to the
HWTACACS server.
16. The HWTACACS server sends an Accounting Response packet.
17. The user requests to go offline.
18. The HWTACACS client sends an Accounting Request (stop) packet to the
HWTACACS server.
19. The HWTACACS server sends an Accounting Response packet.

NOTE

HWTACACS and TACACS+ protocols of other vendors can implement authentication,
authorization, and accounting. HWTACACS is compatible with other TACACS+ protocols
because their authentication procedures and implementations are the same.
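The Authentication Start, Continue, and Reply body layouts in the tables above, and the client side of the Telnet exchange in Figure 1-24, are easier to follow with a concrete encoder and decoder. The following Python example is added here and is not Huawei's code or part of this guide. It assumes the TACACS+ field widths of RFC 8907 (one-byte codes and lengths in the Start body, two-byte user_msg/server_msg/data lengths in Continue and Reply), since HWTACACS is stated to be compatible with TACACS+ and the figures giving the widths are not reproduced in the text; the status and flag values come from Table 1-20 and Table 1-21, service LOGIN (0x01) from Table 1-22, and the action LOGIN and authen_type ASCII codes (both 0x01) are RFC 8907 values assumed here. `make_demo_server` is a constructed stand-in for the HWTACACS server, and the user name, password, port `vty1` and address `192.0.2.10` are sample values.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Authentication Reply status values (Table 1-21)
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW = (
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x21)
REPLY_NOECHO = 0x01    # Reply flags: 1 = client must not display the typed input
CONTINUE_ABORT = 0x01  # Continue flags: 1 = authentication has ended (Table 1-20)
# Start values for a Telnet user: service LOGIN (0x01) as in Table 1-22; action
# LOGIN and authen_type ASCII (both 0x01) are RFC 8907 values, assumed here
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01

def encode_authen_start(user: bytes, port: bytes, rem_addr: bytes,
                        priv_lvl: int = 0, data: bytes = b"") -> bytes:
    """Start body: 4 one-byte codes, 4 one-byte lengths, then user, port, rem_addr, data."""
    if len(user) > 129 or len(port) > 47 or len(rem_addr) > 255 or len(data) > 255:
        raise ValueError("Start field exceeds its maximum length (user 129, port 47)")
    head = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), len(data))
    return head + user + port + rem_addr + data

@dataclass
class AuthenContinue:
    """Continue body: user_msg len (2), data len (2), flags (1), user_msg, data."""
    user_msg: bytes
    data: bytes = b""
    flags: int = 0
    def encode(self) -> bytes:
        return struct.pack("!HHB", len(self.user_msg), len(self.data), self.flags) \
            + self.user_msg + self.data

    @classmethod
    def decode(cls, body: bytes) -> "AuthenContinue":
        if len(body) < 5:
            raise ValueError("Continue body too short")
        um_len, d_len, flags = struct.unpack("!HHB", body[:5])
        if len(body) != 5 + um_len + d_len:  # reject truncated or padded bodies
            raise ValueError("Continue body does not match its length fields")
        return cls(body[5:5 + um_len], body[5 + um_len:], flags)

@dataclass
class AuthenReply:
    """Reply body: status (1), flags (1), server_msg len (2), data len (2), server_msg, data."""
    status: int
    flags: int = 0
    server_msg: bytes = b""
    data: bytes = b""
    def encode(self) -> bytes:
        return struct.pack("!BBHH", self.status, self.flags, len(self.server_msg),
                           len(self.data)) + self.server_msg + self.data

    @classmethod
    def decode(cls, body: bytes) -> "AuthenReply":
        if len(body) < 6:
            raise ValueError("Reply body too short")
        status, flags, sm_len, d_len = struct.unpack("!BBHH", body[:6])
        if len(body) != 6 + sm_len + d_len:
            raise ValueError("Reply body does not match its length fields")
        return cls(status, flags, body[6:6 + sm_len], body[6 + sm_len:])

def make_demo_server(expected_user: bytes, expected_pass: bytes) -> Callable[[bytes], bytes]:
    """Constructed stand-in for the server in Figure 1-24: asks for user name, then password."""
    state = {"step": 0, "user": b""}
    def handle(body: bytes) -> bytes:
        if state["step"] == 0:                       # Start received (step 2)
            state["step"] = 1
            return AuthenReply(GETUSER, 0, b"Username: ").encode()        # step 3
        cont = AuthenContinue.decode(body)
        if cont.flags & CONTINUE_ABORT:              # client ended the exchange
            return AuthenReply(FAIL).encode()
        if state["step"] == 1:                       # user name received (step 6)
            state["user"], state["step"] = cont.user_msg, 2
            return AuthenReply(GETPASS, REPLY_NOECHO, b"Password: ").encode()  # step 7
        ok = (hmac.compare_digest(state["user"], expected_user)
              and hmac.compare_digest(cont.user_msg, expected_pass))
        return AuthenReply(PASS if ok else FAIL).encode()                   # step 11
    return handle

def run_telnet_login(username: str, password: str,
                     server: Callable[[bytes], bytes]) -> Tuple[str, List[int]]:
    """Client side of steps 2 to 11; returns (outcome, list of Reply statuses seen)."""
    answers, statuses = {GETUSER: username.encode(), GETPASS: password.encode()}, []
    reply_bytes = server(encode_authen_start(b"", b"vty1", b"192.0.2.10"))
    for _ in range(8):  # bound the round trips; a real client also applies a timer
        reply = AuthenReply.decode(reply_bytes)
        statuses.append(reply.status)
        if reply.status == PASS:
            return "authenticated", statuses
        if reply.status in (FAIL, ERROR):
            return "denied", statuses
        if reply.status not in answers:  # GETDATA/RESTART/FOLLOW not handled: end cleanly
            server(AuthenContinue(b"", flags=CONTINUE_ABORT).encode())
            return "aborted", statuses
        reply_bytes = server(AuthenContinue(answers[reply.status]).encode())
    return "aborted", statuses
```

Calling `run_telnet_login("alice", "s3cret", make_demo_server(b"alice", b"s3cret"))` walks GETUSER, GETPASS, PASS and returns `"authenticated"`; a wrong password ends with FAIL and `"denied"`. Both decoders check the body length against the length fields before slicing, which is the check a receiver needs so that a truncated or padded body is rejected rather than parsed into the wrong fields.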

1.2.5.4 HWTACACS Two-Factor Authentication

HWTACACS two-factor authentication indicates that the device interworks with an
HWTACACS server to authenticate users. This authentication requires users to
enter dynamic verification codes in addition to their user names and static PIN
codes. The following uses an SSH user as an example to describe the HWTACACS
two-factor authentication process.

NOTE

After a user logs in to the device through HWTACACS two-factor authentication,
HWTACACS two-factor authentication is supported when the super command is executed
to upgrade the user privilege level.


Figure 1-25 HWTACACS two-factor authentication

1. A user enters a user name and PIN code. The client then sends the user name
and PIN code to the device.
2. The device sends the user name and PIN code to the HWTACACS server.
3. The HWTACACS server verifies the user name and PIN code based on its
database and returns the verification result to the device.
– If the user name and PIN code are incorrect, the HWTACACS server sends
an authentication failure message to the device.
– If both the user name and PIN code are correct, the HWTACACS server
sends a Challenge message to the device to request a dynamic
verification code.
4. The device sends the user name and PIN code verification result to the client.
– If the user name and PIN code are incorrect, the message "Access denied"
is displayed on the client. The authentication process ends, and the login
attempt of the user fails.
– If the user name and PIN code are correct, the dynamic verification code
authentication process starts.
5. The user enters the dynamic verification code.
6. The device sends the dynamic verification code to the HWTACACS server.
7. The HWTACACS server verifies the dynamic verification code and sends the
verification result to the device.
– If the dynamic verification code is correct, the HWTACACS server sends an
authentication success message to the device.
– If the dynamic verification code is incorrect, the HWTACACS server sends
an authentication failure message to the device.
8. The device sends the authentication result to the client.


1.2.5.5 HWTACACS Attributes


HWTACACS uses different attributes to define authorization and accounting to be
performed. The attributes are carried by the argN field. This section describes
HWTACACS attributes in detail.

Overview of HWTACACS Attributes


Table 1-26 describes the HWTACACS attributes supported by the device. The
device can only parse the attributes included in the table.

Table 1-26 HWTACACS attributes for common use

Attribute Name  Description

acl Authorization ACL ID.

addr A network address.

autocmd An auto-command to run after a user logs in to the device.

bytes_in  Number of input bytes transmitted during this connection. K, M, and G
represent KByte, MByte, and GByte. No unit is displayed if byte is used.

bytes_out  Number of output bytes transmitted during this connection. K, M, and G
represent KByte, MByte, and GByte. No unit is displayed if byte is used.

callback-line  Line number to use for a callback, such as a mobile number.

cmd  Command name for a shell command that is to be run. The maximum length is
251 characters. The complete command is encapsulated when the command is
recorded and the first keyword is encapsulated when the command is authorized.

cmd-arg  Parameter in the command line to be authorized. The cmd-arg=<cr> is
added at the end of the command line.


disc_cause  Cause for a connection to be taken offline. Only Accounting-Stop
packets carry this attribute. Disconnection causes include:
● 1 (a user requests to go offline)
● 2 (data forwarding is interrupted)
● 3 (service is interrupted)
● 4 (idle timeout)
● 5 (session timeout)
● 7 (the administrator requests to go offline)
● 9 (the NAS is faulty)
● 10 (the NAS requests to go offline)
● 12 (the port is suspended)
● 17 (user information is incorrect)
● 18 (a host requests to go offline)

disc_cause_ext  Extension of the disc-cause attribute to support vendor-specific
causes for a connection to be taken offline. Only Accounting-Stop packets carry
this attribute. Extended disconnection causes include:
● 1022 (unknown reason)
● 1020 (the EXEC terminal tears down the connection)
● 1022 (an online Telnet user forcibly disconnects this user)
● 1023 (the user cannot be switched to the SLIP/PPP client due to no remote IP
address)
● 1042 (PPP PAP authentication fails)
● 1045 (PPP receives a Terminate packet from the remote end)
● 1046 (the upper-layer device requests the device to tear down the PPP
connection)
● 1063 (PPP handshake fails)
● 1100 (session times out)

dnaverage Average downstream rate, in bit/s.

dnpeak Peak downstream rate, in bit/s.

dns-servers IP address of the primary DNS server.

elapsed_time  Online duration of a user, in seconds.

ftpdir  Initial directory of an FTP user.

gw-password  Password for the gateway during the L2TP tunnel authentication. The
value is a string of 1 to 248 characters. If the value contains more than 248
characters, only the first 248 characters are valid.


idletime Period after which an idle session is terminated. If a user does not
perform any operation within this period, the system disconnects
the user.
NOTE
FTP users do not support this attribute.

l2tp-hello-interval  Interval for sending L2TP Hello packets. This attribute is
currently not supported.

l2tp-hidden-avp  Attribute value pair (AVP) of L2TP. This attribute is currently
not supported.

l2tp-nosession-timeout  Number of seconds that a tunnel remains active with no
sessions before timeout or shutdown. This attribute is currently not supported.

l2tp-group-num  L2TP group number. Other L2TP attributes take effect only if this
attribute is delivered. Otherwise, other L2TP attributes are ignored.

l2tp-tos-reflect  TOS of L2TP. The device does not support this attribute.

l2tp-tunnel-authen  Whether an L2TP tunnel is authenticated:
● 0: not authenticated
● 1: authenticated

l2tp-udp-checksum  Whether L2TP should perform UDP checksums for data packets.

nocallback-verify  No callback authentication is required.

nohangup  Whether the device automatically disconnects a user who has executed
the autocmd command. This attribute is valid only after the autocmd attribute is
configured. The value can be true or false:
● true: The user is not disconnected.
● false: The user is disconnected.

paks_in Number of packets received by the device.

paks_out Number of packets sent by the device.

priv-lvl User level.

protocol A protocol that is a subset of a service. It is valid only for PPP and
connection services. Legal values matching service types are as
follows:
● Connection service type: pad, telnet
● PPP service type: ip, vpdn
● Other service types: This attribute is not used.


task_id Task ID. The task IDs recorded when a task starts and ends must
be the same.

timezone Time zone for all timestamps included in this packet.

tunnel-id  User name used to authenticate a tunnel in establishment. The value is
a string of 1 to 29 characters. If the value contains more than 29 characters,
only the first 29 characters are valid.

tunnel-type  Tunnel type. The device supports only L2TP tunnels. For L2TP
tunnels, the value is 3.

service Service type, which can be accounting or authorization.

source-ip Local IP address of a tunnel.

upaverage Average upstream rate, in bit/s.

uppeak Peak upstream rate, in bit/s.
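The command-line authorization case in Table 1-22 (cmd, cmd-arg, the cmd-arg=<cr> terminator and the 255/247-byte limits), the Authorization Response statuses in Table 1-23, and the cmd and cmd-arg attributes in Table 1-26 above fit together as follows. This Python example is added here and is not Huawei's code or part of this guide. It assumes the RFC 8907 body layout for the Authorization Request and Response (one-byte codes, arg_cnt and per-argument lengths; two-byte server_msg and data lengths), takes authen_method HWTACACS (0x06) and authen_service LOGIN (0x01) from Table 1-22, assumes authen_type ASCII (0x01) from RFC 8907, and treats status 0x01 as "requested attributes plus any the server adds" and 0x02 as "server attributes replace the requested ones" (the RFC 8907 PASS_ADD/PASS_REPL reading, assumed here). `encode_author_response` only exists to construct sample server replies; the user, port and address values are sample data.

```python
import struct
from typing import List, Tuple

# Authorization Response status values (Table 1-23)
AUTHOR_OK, AUTHOR_MODIFIED, AUTHOR_FAIL, AUTHOR_ERROR, AUTHOR_FOLLOW = 0x01, 0x02, 0x10, 0x11, 0x21
# authen_method HWTACACS (0x06) and authen_service LOGIN (0x01) from Table 1-22;
# authen_type ASCII (0x01) is the RFC 8907 value, assumed here
AUTHEN_METHOD_HWTACACS, AUTHEN_SERVICE_LOGIN, AUTHEN_TYPE_ASCII = 0x06, 0x01, 0x01
MAX_PARAM = 247  # per command parameter; with the 8-byte "cmd-arg=" prefix that is 255

def build_cmd_args(command_line: str) -> List[bytes]:
    """cmd=<first keyword>, one cmd-arg=<parameter> per remaining token, then
    the cmd-arg=<cr> terminator, as Table 1-22 describes."""
    tokens = command_line.split()
    if not tokens:
        raise ValueError("empty command line")
    args = [b"cmd=" + tokens[0].encode()]
    for param in tokens[1:]:
        raw = param.encode()
        if len(raw) > MAX_PARAM:
            raise ValueError(f"command parameter longer than {MAX_PARAM} bytes")
        args.append(b"cmd-arg=" + raw)
    args.append(b"cmd-arg=<cr>")
    return args

def encode_author_request(user: bytes, port: bytes, rem_addr: bytes,
                          priv_lvl: int, args: List[bytes]) -> bytes:
    """authen_method, priv_lvl, authen_type, authen_service, user len, port len,
    rem_addr len, arg_cnt (1 byte each), one 1-byte length per argument, then
    user, port, rem_addr and the arguments."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("arg_cnt and every argument length must fit in one byte")
    head = struct.pack("!8B", AUTHEN_METHOD_HWTACACS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SERVICE_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def encode_author_response(status: int, args: List[bytes],
                           server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """status, arg_cnt (1 byte each), server_msg len, data len (2 bytes each),
    argument lengths, server_msg, data, arguments. Used here to build sample replies."""
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def decode_author_response(body: bytes) -> Tuple[int, List[bytes], bytes, bytes]:
    """Inverse of encode_author_response; rejects bodies whose length fields do
    not agree with the actual length. Returns (status, args, server_msg, data)."""
    if len(body) < 6:
        raise ValueError("Authorization Response body too short")
    status, arg_cnt, sm_len, d_len = struct.unpack("!BBHH", body[:6])
    lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt
    if len(lens) != arg_cnt or len(body) != pos + sm_len + d_len + sum(lens):
        raise ValueError("Authorization Response length fields do not match the body")
    server_msg = body[pos:pos + sm_len]
    data = body[pos + sm_len:pos + sm_len + d_len]
    pos += sm_len + d_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n])
        pos += n
    return status, args, server_msg, data

def authorize_command(command_line: str, response_body: bytes) -> Tuple[bool, List[bytes]]:
    """Decide whether the command may run and with which attributes. 0x01: the
    requested attributes plus any the server added; 0x02: the server's attributes
    replace the requested ones (RFC 8907 PASS_ADD/PASS_REPL semantics, assumed);
    0x10, 0x11 and 0x21 all mean the device must not execute the command."""
    requested = build_cmd_args(command_line)
    status, srv_args, _, _ = decode_author_response(response_body)
    if status == AUTHOR_OK:
        return True, requested + [a for a in srv_args if a not in requested]
    if status == AUTHOR_MODIFIED:
        return True, srv_args
    return False, []
```

`build_cmd_args("display current-configuration | include aaa")` yields `cmd=display`, one `cmd-arg=` entry per parameter, and `cmd-arg=<cr>` last, so the server sees the first keyword in cmd and every parameter separately. `authorize_command` treats the error and re-specified-server statuses the same way as a failure, which is the safe default for a device that has only one response to act on.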

HWTACACS Attributes Available in Packets


Depending on usage scenarios, HWTACACS authorization packets can also be
classified into EXEC authorization packets, command line authorization packets,
and access user authorization packets. Different authorization packets carry
different attributes. For details, see Table 1-27. The following describes the use of
HWTACACS authorization packets for different usage scenarios:
● EXEC authorization packets: Used by the HWTACACS server to control rights
of the management users logging in through Telnet, console port, SSH, and
FTP.
● Command line authorization packets: Used by the device to authorize each
command line executed by the user. Only authorized command lines can be
executed.
● Access user authorization packets: Used by the HWTACACS server to control
the rights of NAC users such as 802.1X and Portal users.
Depending on connection types, HWTACACS accounting packets can also be
classified into network accounting packets, connection accounting packets, EXEC
accounting packets, system accounting packets, and command accounting
packets. Different accounting packets carry different attributes. For details, see
Table 1-28. The following describes the use of HWTACACS accounting packets for
different connection types:
● Network accounting packets: Used when networks are accessed by PPP users.
For example, when a PPP user connects to a network, the server sends an
accounting start packet; when the user is using network services, the server
periodically sends interim accounting packets; when the user goes offline, the
server sends an accounting stop packet.
● Connection accounting packets: Used when users log in to the server through
Telnet or FTP clients. When a user connects to the device, the user can run


commands to access a remote server and obtain files from the server. The
device sends an accounting start packet when the user connects to the
remote server and an accounting stop packet when the user disconnects from
the remote server.
● EXEC accounting packets: Used when users log in to the device through Telnet
or FTP. When a user connects to a network, the server sends an accounting
start packet; when the user is using network services, the server periodically
sends interim accounting packets; when the user goes offline, the server sends
an accounting stop packet.
● System accounting packets: Used during fault diagnosis. The server records
the system-level events to help administrators monitor the device and locate
network faults.
● Command accounting packets: When an administrator runs any command on
the device, the device sends the command to the HWTACACS server through a
command accounting stop packet so that the server can record the operations
performed by the administrator.

NOTE

● Y: The packet supports this attribute.
● N: The packet does not support this attribute.

Table 1-27 HWTACACS attributes available in authorization packets

Columns: CL = Command Line Authorization Packet, EXEC = EXEC Authorization
Response Packet, AU = Access User Authorization Response Packet.

Attribute            CL   EXEC   AU
acl                  N    Y      N
addr                 N    N      Y
addr-pool            N    N      Y
autocmd              N    Y      N
callback-line        N    Y      Y
cmd                  Y    N      N
cmd-arg              Y    N      N
dnaverage            N    N      Y
dnpeak               N    N      Y
dns-servers          N    N      Y
ftpdir               N    Y      N
gw-password          N    N      Y
idletime             N    Y      N
ip-addresses         N    N      Y
l2tp-group-num       N    N      Y
l2tp-tunnel-authen   N    N      Y
nocallback-verify    N    Y      N
nohangup             N    Y      N
priv-lvl             N    Y      N
source-ip            N    N      Y
tunnel-type          N    N      Y
tunnel-id            N    N      Y
upaverage            N    N      Y

Table 1-28 HWTACACS attributes available in accounting packets

Columns: N-Start = Network Accounting Start Packet, N-Stop = Network Accounting
Stop Packet, N-Int = Network Interim Accounting Packet, C-Start = Connection
Accounting Start Packet, C-Stop = Connection Accounting Stop Packet, E-Start =
EXEC Accounting Start Packet, E-Stop = EXEC Accounting Stop Packet, E-Int = EXEC
Interim Accounting Packet, S-Stop = System Accounting Stop Packet, CL-Stop =
Command Line Accounting Stop Packet.

Attribute        N-Start  N-Stop  N-Int  C-Start  C-Stop  E-Start  E-Stop  E-Int  S-Stop  CL-Stop
addr             Y        Y       Y      Y        Y       N        N       N      N       N
bytes_in         N        Y       Y      N        Y       N        Y       Y      N       N
bytes_out        N        Y       Y      N        Y       N        Y       Y      N       N
cmd              N        N       N      Y        Y       N        N       N      N       Y
disc_cause       N        Y       N      N        N       N        Y       Y      N       N
disc_cause_ext   N        Y       N      N        N       N        Y       Y      N       N
elapsed_time     N        Y       Y      N        Y       N        Y       Y      Y       N
paks_in          N        Y       Y      N        Y       N        Y       Y      N       N
paks_out         N        Y       Y      N        Y       N        Y       Y      N       N
priv-lvl         N        N       N      N        N       N        N       N      N       Y
protocol         Y        Y       Y      Y        Y       N        N       N      N       N
service          Y        Y       Y      Y        Y       Y        Y       Y      Y       Y
task_id          Y        Y       Y      Y        Y       Y        Y       Y      Y       Y
timezone         Y        Y       Y      Y        Y       Y        Y       Y      Y       Y
tunnel-id        N        N       N      N        N       N        N       N      N       N
tunnel-type      Y        N       N      N        N       N        N       N      N       N

1.2.6 HACA AAA

NOTE

Only the following switch models support HACA:
S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H,
S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H.

1.2.6.1 Overview of HACA


Small- and medium-sized enterprises are characterized by small network scale, a
small number of concurrent online users, and dispersed network sites. To support
these enterprises, Huawei proposes the CloudCampus Solution to provide services
through the public cloud. This solution realizes centralized multi-tenant
management, plug-and-play network devices, and batch deployment of network
services. Compared with the traditional network architecture and deployment
mode, this solution provides a shorter network deployment period, lower
maintenance costs, and better network scalability.
The authentication server is deployed on the Internet, so packets between the
device and server may need to traverse a NAT device. However, Portal protocol
packets cannot traverse the NAT device. To address this issue, Huawei Agile Cloud


Authentication (HACA) allows the device and server to establish a connection for
Portal authentication. Currently, only iMaster NCE-Campus can be used as an
HACA server.

HACA is implemented based on the mobile Internet HTTP 2.0:


● HACA supports Layer 2 Portal authentication or MAC address-prioritized Layer
2 Portal authentication. HACA does not support Layer 3 Portal authentication
or MAC address-prioritized Layer 3 Portal authentication.
● HACA does not support administrative access, IPSec, SSL VPN, IP session, L2TP,
VM, 802.1X, and independent MAC address authentication.
● HACA supports authorization UCL groups, IPv4 ACL, IPv6 ACL, VLAN, user
priority, SAC profile, HQoS, CAR, DSCP and service schemes, including the
VLAN, QoS profile (CAR and DSCP priority re-marking for IP packets), IPv4
ACL, and IPv6 ACL in service schemes.

1.2.6.2 HACA Packets


Service packets record messages exchanged between devices and the HACA server.
The following table describes service packet types specified by the msgType field.

Table 1-29 HACA service packet type

Service Packet Type (msgType)  Description

Registration request packet (1)  After setting up an HTTP/2 persistent
connection with an HACA server, a device sends this packet to the HACA server to
register device information.

Registration response packet (2)  The HACA server sends this packet to the
device, indicating that a persistent connection has been set up successfully and
they can exchange service packets.

Authentication request packet (3)  The device sends this packet to the HACA
server. The HACA server determines whether to permit the access based on user
information carried in this packet.

Authentication response packet (4)  The HACA server sends an authentication
response packet to the device. If all attributes in the authentication request
packet are acceptable, the server considers that the user passes the
authentication and sends this packet. After receiving this packet, the device
grants network access rights to the user.

Proactive authorization request packet (6)  The HACA server sends this packet to
the device after the user passes authentication.


Proactive authorization response packet (5)  The device sends this packet to the
HACA server and modifies user rights.

Accounting-start request packet (7)  The device sends this packet to the HACA
server when the user starts to access network resources.

Accounting response packet (8)  After receiving and recording an
accounting-start request packet, the HACA server returns an accounting response
packet.

Logout notification packet (9)  If the HACA server logs out the user, the device
sends a logout notification packet and the HACA server does not need to reply.
If accounting has been performed for the user, the packet carries accounting
information.

Logout request packet (11)  If the device triggers user logout, it sends a logout
request packet to the HACA server. If the HACA server triggers user logout, it
sends this packet to notify the device that a specified user has logged out.

Logout response packet (12)  If the device triggers user logout, the HACA server
sends a logout response packet to the device. If the HACA server triggers user
logout, the device sends a logout response packet to the HACA server and releases
the related authorization entry.

User synchronization request packet (13)  User information can be periodically
synchronized between the HACA server and device to ensure user information
consistency. Either the device or the HACA server sends a user synchronization
request packet to trigger user information synchronization.

User synchronization response packet (14)  When the device or HACA server
triggers user information synchronization, the peer end returns a user
synchronization response packet.

CoA-Request packet (15)  When an administrator needs to modify the rights of an
online user (for example, prohibit the user from accessing a website), the HACA
server sends this packet to the device, requesting the device to modify the user
rights.

CoA-Response packet (16)  If the device successfully modifies the user rights, it
sends this packet to the HACA server.


1.2.6.3 HACA Authentication Process

iMaster NCE-Campus deployed on the cloud acts as an external Portal server and
an HACA server to provide authentication and accounting services. A switch acts
as a user authentication point to provide the user authentication function together
with the HACA server. User authorization information is configured on the HACA
server. After a user passes authentication, the HACA server authorizes network
access rights to the user. Figure 1-26 shows the HACA authentication,
authorization, and accounting process.

Figure 1-26 HACA authentication, authorization, and accounting process


1. An access device sets up a persistent connection and registers with the HACA
server using HTTP/2.
2. The client and device set up a pre-connection before authentication.
3. The client initiates an authentication request using HTTP. The HACA server
provides a web page for the client to enter the user name and password for
authentication.
4. The device and HACA server exchange authentication packets.
5. After the client passes authentication, the HACA server sends an authorization
packet to authorize network access rights to the client.
6. When the client starts to access network resources, the access device sends an
accounting-start request packet to the HACA server.
7. The HACA server sends an accounting response packet to the access device
and starts accounting.
8. (Optional) If real-time accounting is enabled, the access device periodically
sends real-time accounting request packets to the HACA server, preventing
incorrect accounting results caused by unexpected user disconnection.
9. (Optional) The HACA server returns real-time accounting response packets
and performs real-time accounting.
10. The client sends a logout request.
11. The HACA server sends a logout request packet to the access device.
12. The access device sends a logout response packet to the HACA server.
13. The access device sends an accounting-stop request packet to the HACA
server.
14. The HACA server sends an accounting-stop response packet to the access
device and stops accounting.

1.3 Application Scenarios for AAA


Deploying AAA for Internet Access Users

Figure 1-27 AAA deployment for Internet access users


As shown in Figure 1-27, the Switch functions as the network access server. Users
on the enterprise network need to connect to the Internet. To ensure network
security, the administrator controls the Internet access rights of the users.
The administrator configures AAA on the Switch to allow the Switch to
communicate with the AAA server. The AAA server then can manage users
centrally. After a user enters the user name and password on the client, the Switch
forwards the authentication information including user name and password to the
AAA server, and the AAA server authenticates the user. After being successfully
authenticated, the user can access the Internet. The AAA server also records the
network resource usage of the user.
To improve reliability, two AAA servers can be deployed in active/standby mode. If
the active server fails, the standby server takes over the AAA services, ensuring
uninterrupted services.

Deploying AAA for Management Users


As shown in Figure 1-28, the management user (Administrator) connects to the
Switch to manage, configure, and maintain the Switch.
After the management user logs in to the Switch with AAA configured, the Switch
sends the user name and password of the user to the AAA server. The AAA server
then authenticates the user and records the user operations.

Figure 1-28 AAA deployment for management users

1.4 Licensing Requirements and Limitations for AAA


Involved Network Elements

Table 1-30 Components involved in AAA networking

Role: AAA server
Product Model: Huawei server or third-party AAA server
Description: Performs authentication, authorization, and accounting for users.


Licensing Requirements
AAA is a basic feature of a switch and is not under license control.

Feature Support in V200R021C00 and V200R021C01


All models of S300, S500, S2700, S5700, and S6700 series switches support AAA.

NOTE

For details about software mappings, visit Info-Finder and search for the desired product
model.

Feature Limitations
● To prevent data transmission risks between the device and the RADIUS or
HWTACACS server, you are advised to deploy the device and RADIUS or
HWTACACS server in a security domain.
● The authorization scheme and UCL group are not supported in the traditional
NAC mode. The authorization user group is supported only in the traditional
NAC mode.
● If non-authentication is configured using the authentication-mode
(authentication scheme view) command, users can pass the authentication
using any user name or password. To protect the device and improve network
security, you are advised to enable authentication to allow only authenticated
users to access the device or network.
● By default, the global default common domain default and global default
management domain default_admin are bound to the accounting scheme
default. Modifying the accounting scheme default affects configurations of
the two domains. Exercise caution when modifying the accounting scheme to
prevent user accounting failures.
● After the NETCONF function is disabled, online HACA users will continue to
be online, but new HACA users cannot go online.
● When both DSCP priority mapping and 802.1p priority mapping are
authorized for uplink packets, DSCP priority mapping takes effect on the
S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730S-H, S6730-S,
and S6730S-S, and 802.1p priority mapping takes effect on the S6735-S,
S6720-EI, S6720S-EI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I, regardless of
the priority mapping mode trusted by interfaces.
● A specific VLAN cannot be specified as both the authorized VLAN and voice
VLAN.
● In versions earlier than V200R020C00, after a user is authorized with CAR, the
device collects the traffic statistics of the user. In V200R020C00 and later
versions, after a user is authorized with CAR, the device does not collect the
traffic statistics of the user until the traffic statistics collection is configured.
● The management interface of the device cannot send or receive RADIUS
packets.


● In RADIUS+local authentication mode, if the RADIUS retransmission time is
too long during 802.1X user login, some terminals cannot go online.
● If the default VPN instance is globally configured on the device, you need to
configure routes for interworking in the VPN instance and add the source IP
address bound to the HWTACACS server to the VPN instance. It is
recommended that you run the undo set net-manager vpn-instance
command to cancel the globally configured default VPN instance.
● In V200R013C00 and later versions, for the S5720-HI, S5730-HI, S5731-H,
S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H,
S6730-S, and S6730S-S, if the RADIUS packets processed by the device exceed
1500 bytes, you are advised to configure the radius-attribute set framed-mtu
1000 command in the RADIUS server template view.
● The device sends TACACS accounting packets to report the commands that
have been executed by administrators through SSH, Telnet, or web NMS
console. Therefore, a TACACS accounting server needs to be configured on the
device.
● The device can use TACACS authorization packets to authorize administrators
who log in through SSH or Telnet to run commands related to the HWTACACS
server. On the web NMS console, the commands that can be executed can be
controlled only based on the administrator privilege level, and HWTACACS
server authorization is not supported.

1.5 Default Settings for AAA


Table 1-31 describes the default settings for AAA.

Table 1-31 Default settings for AAA

Parameter: Local user
Default Setting:
● Name: admin
● Password:
● Access mode: SSH or HTTP (logging in to the device through the web system)

Parameter: Local user
Default Setting: No local user is created.

Parameter: Global common default domain
Default Setting: default: By default, the authentication scheme radius and
accounting scheme default are bound, and no authorization scheme is bound.

Parameter: Global default management domain
Default Setting: default_admin: By default, the authentication scheme default
and accounting scheme default are bound, and no authorization scheme is
bound.

Parameter: Authentication scheme
Default Setting:
● default: Local authentication is used by default.
● radius: RADIUS authentication is used by default.

Parameter: Authorization scheme
Default Setting: default: Local authorization is used by default.

Parameter: Accounting scheme
Default Setting: default: Non-accounting is used by default.

1.6 Summary of AAA Configuration Tasks


In principle, the device supports any combination of authentication,
authorization, and accounting modes. For example, the device can provide local
authentication, local authorization, and RADIUS accounting.

In practice, the schemes in Table 1-32 are often used separately. Multiple
authentication or authorization modes can be used in a scheme. For example,
local authentication is used as a backup of RADIUS authentication and
HWTACACS authentication, and local authorization is used as a backup of
HWTACACS authorization.

Table 1-32 AAA configuration tasks

Configuration Task: Local authentication and authorization
Overview: If users need to be authenticated or authorized but no RADIUS
server or HWTACACS server is deployed on the network, use local
authentication and authorization. Local authentication and authorization
feature fast processing and low operation costs; however, the amount of local
authentication and authorization information that can be stored is subject to
the device hardware capacity. Local authentication and authorization are often
used for administrators.
Task: 1.7 Configuring Local Authentication and Authorization

Configuration Task: RADIUS authentication, authorization, and accounting
Overview: RADIUS protects a network from unauthorized access, and is often
used on networks demanding high security and control of remote user access.
Task: 1.8 Using RADIUS to Perform Authentication, Authorization, and
Accounting

Configuration Task: HWTACACS authentication, authorization, and accounting
Overview: HWTACACS protects a network from unauthorized access and supports
command-line authorization. HWTACACS is more reliable in transmission and
encryption than RADIUS (it runs over TCP and encrypts the entire packet body,
whereas RADIUS runs over UDP and encrypts only the password), and is more
suitable for security control.
Task: 1.9 Using HWTACACS to Perform Authentication, Authorization, and
Accounting

1.7 Configuring Local Authentication and Authorization

Local Authentication and Authorization


After local authentication and authorization are configured, the device
authenticates and authorizes access users based on local user information. In local
authentication and authorization, user information, including the local user name,
password, and attributes, is configured on the device. Local authentication and
authorization feature fast processing and low operation cost. However, the
amount of local authentication and authorization information that can be stored
is subject to the device hardware capacity.

Configuration Procedure

Configuration: Configure a local server.
Procedure: Configure a local user.
Description: Create a local user. The device authenticates the local user
using the created user information.

Configuration: Configure a local server.
Procedure: Configure local authorization rules.
Description: Create authorization rules. The device authorizes the user based
on the created authorization rules.

Configuration: Configure and apply AAA schemes.
Procedure: Configure AAA schemes.
Description: Configure authentication, authorization, and accounting schemes.

Configuration: Configure and apply AAA schemes.
Procedure: (Optional) Configure a service scheme.
Description: User authorization information can also be configured in the
service scheme.

Configuration: Configure and apply AAA schemes.
Procedure: Apply the AAA schemes to a domain.
Description: The created AAA schemes and service scheme take effect only
after they are applied to the domain to which users belong.

Configuration: -
Procedure: Verify the configuration.
Description: Verify the configuration.

1.7.1 Configuring a Local User

Context
When configuring a local user, you can configure the number of connections that
can be established by the local user, local user level, idle timeout period, and login
time, and allow the local user to change the password.

NOTE

● For device security purposes, do not disable password complexity check, and change the
password periodically.
● After you change the local account's rights (including the password, access type, FTP
directory, and level), the rights of users who are already online remain unchanged, and
new users obtain new rights when they go online.
● Local users' access types include:
● Administrative: api, ftp, http, ssh, telnet, x25-pad, and terminal
● Common: 8021x, ppp and web
● Security risks exist if the user login mode is set to Telnet or FTP, because
both carry credentials and session data in plaintext. You are advised to set
the user login mode to STelnet or SFTP and set the user access type to SSH.
● When a device starts without any configuration, HTTP uses a randomly
generated self-signed certificate to support HTTPS. Clients cannot validate a
self-signed certificate, which may bring risks. Therefore, you are advised to
replace it with a certificate issued by a trusted CA.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Create a local user.


Procedure: (Optional) Enable password complexity check.
Command: user-password complexity-check [ three-of-kinds ]
Description: By default, password complexity check is enabled on a device.
The password must contain at least two of the following: uppercase letters,
lowercase letters, digits, and special characters.

Procedure: Create a local user name and password (using either of the
commands).
Command: local-user user-name password
Description: By default, the local account password is not configured. This
command should be entered in interactive mode, because a plaintext password
typed directly on the command line poses potential security risks.

Command: local-user user-name password { cipher | irreversible-cipher }
password
Description: If a user name contains a domain name delimiter (such as @, |,
or %) and the domain name parsing direction is not configured using the
domainname-parse-direction right-to-left command, the character string
before the delimiter is considered the user name, and that after the delimiter
is considered the domain name. If a user name does not contain a domain
name delimiter, the entire character string is considered the user name. By
default, common users are authenticated in the default domain, and
administrative users are authenticated in the default_admin domain.

Procedure: Configure an access type for the local user.
Command: local-user user-name service-type { 8021x | api | ftp | http | ppp |
ssh | telnet | terminal | web | x25-pad } *
Description: By default, all access types are disabled for a local user. The
access type configured for Portal access users is web. If a local user already
exists before an access type is configured for the user, note the following:
● If the irreversible password algorithm is used, the access type can only be
administrative.
● If the reversible password algorithm is used, the access type can be
common or administrative, but cannot be a mixed type of common and
administrative. In addition, when the access type is set to an administrative
type, the password encryption algorithm is automatically changed to the
irreversible algorithm.

Step 4 (Optional) Set the user level, user group, access time range, idle-cut function, and
number of connections that can be established by the user.
Procedure: Set the local user level.
Command: local-user user-name privilege level level
Description: The default level of a local user is 0.

Procedure: Set the local user group.
Command: local-user user-name user-group group-name
Description: By default, a local user does not belong to any group.
NOTE: This command is supported only in NAC common mode.

Procedure: Set the access time range for the local user.
Command: local-user user-name time-range time-name
Description: By default, no access time range is configured and the local user
can access the network anytime.

Procedure: Set the idle timeout period for a specified user.
Command: local-user user-name idle-timeout minutes [ seconds ]
Description: You can specify the idle timeout period. If a local user is idle for
longer than the specified period, the user automatically goes offline. If the
idle timeout period is set to 0 or a large value, the terminal remains logged in
to the device, posing security risks. You are advised to run the lock command
to lock the connection.

Procedure: Set the maximum number of connections that can be established
by the local user.
Command: local-user user-name access-limit max-number
Description: By default, the number of connections that can be established by
a user is not limited. To configure the local account to log in through only one
terminal, set max-number to 1.

Step 5 (Optional) Configure the local user security.

Procedure: Enable the local account lock function, and set the retry interval,
maximum number of consecutive authentication failures, and account lock
period.
Command: local-aaa-user wrong-password retry-interval retry-interval
retry-time retry-time block-time block-time
Description: By default, the local account lock function is enabled, the retry
interval is 5 minutes, the maximum number of consecutive authentication
failures is 3, and the account lock period is 5 minutes.

Procedure: Configure a user to access the network using a specified IP address
when the user account is locked.
Command: aaa-quiet administrator except-list { ipv4-address | ipv6-address }
&<1-32>
Description: By default, a user cannot access the network when the account is
locked. Logins from the listed addresses are not blocked by the lock, so restrict
this list to trusted management hosts. To check information about the
specified IP addresses, run the display aaa-quiet administrator except-list
command.

Procedure: Configure the password policy for local access users.
a. Enable the password policy for local access users and enter the local access
user password policy view.
Command: local-aaa-user password policy access-user
Description: By default, the password policy for local access users is disabled.
b. Set the maximum number of historical passwords recorded for each user.
Command: password history record number number
Description: By default, a maximum of five historical passwords are recorded
for each user.
c. Exit the local access user password policy view.
Command: quit
Description: -

Procedure: Configure the password policy for local administrators.
a. Enable the password policy for local administrators and enter the local
administrator password policy view.
Command: local-aaa-user password policy administrator
Description: By default, the password policy for local administrators is
disabled.
b. Enable the password expiration prompt function and set the password
expiration prompt period.
Command: password alert before-expire day
Description: By default, the system displays a prompt 30 days before the
password expires.
c. Enable the initial password change prompt function.
Command: password alert original
Description: By default, the system prompts users to change initial
passwords.
d. Enable the password expiration function and set the password validity
period.
Command: password expire day
Description: By default, the password validity period is 90 days.
e. Set the maximum number of historical passwords recorded for each user.
Command: password history record number number
Description: By default, a maximum of five historical passwords are recorded
for each user.
f. Exit the local administrator password policy view.
Command: quit
Description: -

When the device starts with the default configurations, it automatically performs
the following configurations and saves the configurations to the configuration file:
● Run the local-aaa-user password policy administrator command to enable
the password policy for local administrators.
● Run the password expire 0 command to configure the passwords of local
administrators to be permanently valid.
● Run the password history record number 0 command to configure the
device not to check whether a changed password of a local administrator is
the same as any historical password.
Step 6 (Optional) Set parameters of access rights for the local user.


Procedure: Set the type of terminals allowed to access the network.
Command: local-user user-name device-type device-type &<1-8>
Description: By default, the type of terminals allowed to access the network is
not configured. For example, if the terminal is an iPhone, you can set
device-type to iphone.
NOTE: This function is supported only by S5731-H, S5731S-H, S6730S-H,
S5732-H, and S6730-H.

Procedure: Configure the FTP directory that FTP users can access.
Command: local-user user-name ftp-directory directory
Description: By default, the FTP directory that FTP users can access is not
configured. If the access type of local users is FTP, you must configure the FTP
directory, and set the local user level to be lower than the management level;
otherwise, FTP users cannot log in to the device.

Procedure: Configure the HTTP directory that HTTP users can access.
Command: local-user user-name http-directory directory
Description: By default, the HTTP directory that HTTP users can access is not
configured.

Procedure: Set the local user state.
Command: local-user user-name state { active | block }
Description: By default, a local user is in the active state. The device processes
requests from users in different states as follows:
● If a local user is in active state, the device accepts and processes the
authentication request from the user.
● If a local user is in block state, the device rejects the authentication request
from the user.

Procedure: Set the expiration date for the local account.
Command: local-user user-name expire-date expire-date
Description: By default, a local account is permanently valid.

Procedure: Configure the local user as an NMS user.
Command: local-user user-name user-type netmanager
Description: When the number of login VTY users has reached the maximum,
an NMS user can log in using the reserved VTY numbers 16-20. The user must
pass AAA local authentication.

Step 7 (Optional) Run the undo local-aaa-user change-password verify
command to disable verification of the original password when local
administrators change their own passwords.
By default, when local administrators change their own passwords using the
local-user user-name password command in the AAA view, they must enter
the original password for verification. Disabling this check lets anyone who
obtains an unattended administrator session set a new password without
knowing the current one, so keep it enabled unless there is a specific
operational need.
Step 8 (Optional) Change the login password of a local user.

Procedure: Return to the user view.
Command: return
Description: -

Procedure: Change the login password of a local user.
Command: local-user change-password
Description: -

Step 9 (Optional) When a web user logs in to the device for the first time,
redirect the browser to the user creation page.
navigator first-login enable

By default, no local user is created on the device. Therefore, the factory
configuration file of the device contains the navigator first-login enable
command. When a user logs in to the device through the web system for the
first time, the browser displays the user creation page. After a user is created,
the browser no longer displays the user creation page on subsequent web
logins.
If a user has already logged in to the device through the console port, the
browser displays the user login page instead of the user creation page on the
first web login. Therefore, if you need to log in to the device through the web
system in this case, create a local user for web login while logged in through
the console port.
The navigator first-login enable command can be delivered only through the
configuration file; it cannot be entered or executed on the device and is not
recorded in buildrun information. Because the factory configuration file
already contains it, there is no need to configure it manually.

----End
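The hardening points spread across Steps 3 to 7 (service-type ssh instead of telnet or ftp, no idle-timeout of 0, an access-limit on administrator accounts, an administrator password policy that actually expires passwords and records history, and change-password verification left enabled) can be checked mechanically against a running configuration. The following Python script is an added example and is not Huawei code or a VRP feature: it parses the aaa view of two constructed configuration excerpts, one with the weak settings this section warns about and one hardened as the section recommends, and reports every deviation. It recognizes only the commands documented in this section; the user name ops and the cipher placeholder are made up for illustration.

```python
"""Audit the 'aaa' view of a Huawei VRP running-config excerpt against the
local-user hardening points of section 1.7.1.

Added example, not Huawei code: only the commands documented in this section
are recognized, and the configs, the user name 'ops' and the cipher
placeholder are constructed for illustration.
"""
import re

# Login types the section advises against (use STelnet/SFTP via service-type ssh).
PLAINTEXT_LOGIN = {"telnet", "ftp"}

USER_CMD = re.compile(
    r"local-user (\S+) (password|service-type|idle-timeout|access-limit|"
    r"ftp-directory|privilege level)(?: (.+))?$")
POLICY_CMD = re.compile(
    r"password (expire|history record number|alert before-expire) (\d+)$")

# Constructed 'aaa' view with the settings the section warns about.
WEAK_CONFIG = """\
aaa
 local-user ops password irreversible-cipher <cipher-text>
 local-user ops privilege level 15
 local-user ops service-type telnet ftp
 local-user ops idle-timeout 0
 local-aaa-user password policy administrator
  password expire 0
  password history record number 0
 undo local-aaa-user change-password verify
#
"""

# The same account configured as the section recommends.
HARDENED_CONFIG = """\
aaa
 local-user ops password irreversible-cipher <cipher-text>
 local-user ops privilege level 15
 local-user ops service-type ssh
 local-user ops idle-timeout 10
 local-user ops access-limit 1
 local-aaa-user password policy administrator
  password expire 90
  password history record number 5
  password alert before-expire 30
#
"""


def parse_aaa(config):
    """Return {'users': {name: attrs}, 'admin_policy': dict or None,
    'change_password_verify': bool} for the commands this section documents."""
    users, admin_policy, verify, in_policy = {}, None, True, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            in_policy = False
            continue
        if line == "undo local-aaa-user change-password verify":
            verify, in_policy = False, False          # Step 7 check disabled
            continue
        if line == "local-aaa-user password policy administrator":
            admin_policy, in_policy = {}, True         # Step 5 policy view entered
            continue
        if in_policy and raw.startswith("  "):         # nested policy-view lines
            m = POLICY_CMD.match(line)
            if m:
                admin_policy[m.group(1)] = int(m.group(2))
            continue
        in_policy = False
        m = USER_CMD.match(line)
        if m:
            name, key, value = m.groups()
            attrs = users.setdefault(name, {})
            if key == "service-type":                  # Step 3: may list several types
                attrs.setdefault(key, set()).update(value.split())
            else:
                attrs[key] = value or ""
    return {"users": users, "admin_policy": admin_policy,
            "change_password_verify": verify}


def audit(config):
    """Return (scope, finding) pairs; an empty list means nothing to fix."""
    parsed, findings = parse_aaa(config), []
    for name, attrs in parsed["users"].items():
        types = attrs.get("service-type", set())
        weak = sorted(types & PLAINTEXT_LOGIN)
        if weak:
            findings.append((name, "plaintext login via service-type %s; "
                             "use service-type ssh (STelnet/SFTP)" % " ".join(weak)))
        if "ftp" in types and "ftp-directory" not in attrs:
            findings.append((name, "service-type ftp without ftp-directory; FTP login fails"))
        idle = attrs.get("idle-timeout")
        if idle is not None and int(idle.split()[0]) == 0:
            findings.append((name, "idle-timeout 0; the session never times out"))
        if "access-limit" not in attrs:
            findings.append((name, "no access-limit; concurrent logins are unlimited"))
    policy = parsed["admin_policy"]
    if policy is None:
        findings.append(("admin-policy", "administrator password policy not enabled"))
    else:
        if policy.get("expire", 90) == 0:              # 0 means permanently valid
            findings.append(("admin-policy", "password expire 0; passwords never expire"))
        if policy.get("history record number", 5) == 0:
            findings.append(("admin-policy", "history record number 0; reuse is not checked"))
    if not parsed["change_password_verify"]:
        findings.append(("aaa", "original password not verified on password change"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or "clean")
```

Feed it the output of display current-configuration from the device (the aaa view is the block between the aaa line and the next #). The checks on password expire 0 and password history record number 0 matter because, as noted above, a device that starts with default configurations writes exactly those two lines into the configuration file, so an administrator policy that looks enabled may still never expire passwords.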

1.7.2 Configuring Authorization Rules

Context
Table 1-33 describes authorization parameters that can be set locally during local
authorization configuration.

Table 1-33 Local authorization parameters

Authorization Parameter: VLAN
Usage Scenario: VLAN-based authorization is easy to deploy and maintenance
costs are low. It applies to scenarios where employees in an office or a
department have the same access rights.
Description: In local authorization, you only need to configure VLANs and
corresponding network resources on the device. An authorized VLAN cannot
be delivered to online Portal users. After a user is authorized based on a
VLAN, the user needs to manually trigger an IP address request using DHCP.

Authorization Parameter: Service scheme
Usage Scenario: A service scheme and corresponding network resources need
to be configured on the device.
Description: You need to configure a service scheme and corresponding
network resources on the device. A service scheme can be applied to a
domain, and users in the domain can then obtain authorization information
in the service scheme.

Authorization Parameter: User group (common mode)
Usage Scenario: A user group consists of users (terminals) with the same
attributes, such as the role and rights. For example, according to the
enterprise department structure, you can divide users on a campus network
into different groups, such as R&D group, finance group, marketing group,
and guest group, and apply different security policies to these groups.
Description: In local authorization, all you need to do is configure user groups
and corresponding network resources on the device. A user group can be
applied to a domain, and users in the domain can then obtain authorization
information in the user group. For details on how to configure a user group,
see Configure an authorization user group.

Authorization Parameter: UCL group (unified mode)
Usage Scenario: A UCL group identifies a user type. The administrator can
add the users using the same network access policy to the same UCL group,
and configure the network access policy for the group.
Description: In local authorization, you can configure UCL groups and
corresponding network resources on the device. A UCL group can be applied
to a domain, and users in the domain can obtain authorization information in
the UCL group. For details on how to configure a UCL group, see Configure
an authorization UCL group.

Procedure
● Configure an authorization VLAN.
Configure a VLAN and the network resources in the VLAN on the device.
● Configure a service scheme.
For details on how to configure a service scheme, see 1.7.4 Configuring a
Service Scheme.
● Configure an authorization user group.
Procedure: Enter the system view.
Command: system-view
Description: -

Procedure: Create a user group and enter the user group view.
Command: user-group group-name
Description: When using a user group in a hot standby scenario or a dual-link
backup scenario, specify the user group index, and ensure that the user group
name and index specified on the active device are the same as those specified
on the standby device.

Procedure: Bind an ACL to the user group.
Command: acl-id acl-number
Description: By default, no ACL is bound to a user group.
NOTE: Before running this command, ensure that the ACL has been created
using the acl or acl name command and ACL rules have been configured using
the rule command.

Procedure: Bind a VLAN to the user group.
Command: user-vlan vlan-id
Description: By default, no VLAN is specified for a user group.

Procedure: Set the priority for the user group.
Command: remark { 8021p 8021p-value | dscp dscp-value } *
Description: By default, the user group priority is not specified.
NOTE: Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI support this
command.

Procedure: Limit the rate of traffic from users in the user group.
Command: car { outbound | inbound } cir cir-value [ pir pir-value | cbs
cbs-value | pbs pbs-value ] *
Description: By default, the rate of traffic from users in the user group is not
limited.
NOTE: Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI support this
command, and the user group CAR can only be applied in the interface
outbound direction (outbound) on the S6720-EI and S6720S-EI.

Procedure: Return to the system view.
Command: quit
Description: -

Procedure: Enable the user group function.
Command: user-group group-name enable
Description: The settings for a user group take effect only when the user
group function is enabled. By default, the user group function is disabled.

● Configure an authorization UCL group.


Procedure: Enter the system view.
Command: system-view
Description: -

Procedure: Create a UCL group.
Command: ucl-group group-index [ name group-name ]
Description: By default, no UCL group is created.

Procedure: (Optional) Configure an IP address for the static UCL group.
Command: ucl-group ip ip-address { mask-length | ip-mask } { group-index |
name group-name } [ escape ]
Description: By default, no IP address is configured for a static UCL group.
NOTE: IP addresses in static UCL groups are only supported by S5731-H,
S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6735-S, S6720-EI, and S6720S-EI.

Procedure: (Optional) Configure a domain name for the static UCL group.
Command: ucl-group domain domain-name domain-name { group-index | name
group-name }
Description: By default, no domain name is configured for a static UCL group.
NOTE: Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, and S6730S-S support domain names in static UCL
groups.

Procedure: Configure a user ACL or user ACL6.
Command: For details, see Configuring a User ACL or User ACL6 under "ACL
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R021C00, C01
Configuration Guide - Security.
Description: The ACL filters packets based on the UCL group.

Procedure: Configure ACL-based packet filtering.
Command: traffic-filter inbound acl [ ipv6 ] acl-number
Description: By default, ACL-based packet filtering is not configured.

----End

1.7.3 Configuring AAA Schemes


Context
To use local authentication and authorization, set the authentication mode in an
authentication scheme to local authentication and the authorization mode in an
authorization scheme to local authorization.
By default, the device performs local authentication and authorization for access
users.

NOTE

If non-authentication is configured using the authentication-mode command, users can
pass the authentication using any user name or password. To protect the device and
improve network security, you are advised to enable authentication to allow only
authenticated users to access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or an existing authentication scheme view is displayed.
Two default authentication schemes named default and radius are
available on the device. These two authentication schemes can be
modified but not deleted.
d. Run authentication-mode { local | local-case }
The authentication mode is set to local.
By default, local authentication is used. The names of local users are
case-insensitive.
e. (Optional) Run authentication-super [ hwtacacs | radius | super ] * none
An authentication mode for upgrading user levels is set.
The default mode is super (local authentication).
f. Run quit
The AAA view is displayed.
g. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
The direction in which the domain name is parsed is specified.
By default, a domain name is parsed from left to right.
h. Run quit
The system view is displayed.


i. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication duration is set.
By default, the bypass authentication function is disabled.
● Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is
displayed, or an existing authorization scheme view is displayed.
A default authorization scheme named default is available on the device.
This authorization scheme can be modified but not deleted.
d. Run authorization-mode { local | local-case } [ none ]
The authorization mode is set.
By default, local authorization is used. The names of local users are case-
insensitive.
e. Run quit
The AAA view is displayed.
f. (Optional) Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the
authorization server is set.
The default mode is overlay.
g. Run quit
The system view is displayed.
h. (Optional) Run aaa-author-bypass enable time time-value
The bypass authorization duration is set.
By default, the bypass authorization function is disabled.
----End

1.7.4 Configuring a Service Scheme


Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

NOTE

When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Step: Configure the IP address of the primary DNS server.
Command: dns ip-address
Remarks: By default, no primary DNS server is configured in a service scheme.

Step: Configure the IP address of the secondary DNS server.
Command: dns ip-address secondary
Remarks: By default, no secondary DNS server is configured in a service scheme.

Step 6 Run redirect-acl [ ipv6 ] { acl-number | name acl-name }

A redirection ACL is configured in the service scheme.

By default, no redirection ACL is configured in a service scheme.

NOTE

The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.

Step 7 Run idle-cut idle-time flow-value [ inbound | outbound ]


The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut command configured in the service scheme view takes effect only for wireless
users.

Step 8 Run access-limit user-name max-num number

The maximum number of users who are allowed to access the network using the
same user name is configured.
By default, the number of users who are allowed to access the network using the
same user name is not limited, and is determined by the maximum number of
access users supported by the device.

NOTE

Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.

Step 9 Run priority priority-value

The user priority is configured in the service scheme.
By default, the user priority is 0.
Step 10 Configure network access control parameters in the service scheme.
1. Run acl-id [ ipv6 ] acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE

Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-Filter
numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.


3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
NOTE

The QoS profile is supported only by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
Before running this command, ensure that a QoS profile has been configured.
The procedure for configuring a QoS profile is as follows:
a. In the system view, run qos-profile name profile-name
A QoS profile is created and the QoS profile view is displayed.
b. Configure traffic policing, packet processing priority, and user queue in
the QoS profile view. (Of all parameters in the QoS profile bound to the
service scheme, only those configured using the following commands
take effect.)

▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.

▪ Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in the QoS
profile.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
NOTE

If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.

▪ Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is
configured in the QoS profile.
By default, the action of re-marking 802.1p priorities of VLAN
packets is not configured in a QoS profile.
NOTE

If both remark 8021p 8021p-value and voice-vlan remark 8021p 8021p-value
are configured, the 802.1p priority of the former is higher.

▪ Run user-queue { pir pir-value | flow-queue-profile flow-queue-profile-name | flow-mapping-profile flow-mapping-profile-name } *
A user queue is created in the QoS profile to implement HQoS
scheduling.
By default, no user queue is configured in a QoS profile.
NOTE

Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
NOTE

For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
b. Run acl { ucl-number | name acl-name } remark local-precedence local-precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.

----End

1.7.5 Applying AAA Schemes to a Domain

Context
The created authentication and authorization schemes take effect only after being
applied to a domain. When local authentication and authorization are used, the
default accounting scheme non-accounting is used.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators

NOTE

● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.

Step 4 Apply AAA schemes to the domain.

Procedure: Apply an authentication scheme to the domain.
Command: authentication-scheme authentication-scheme-name
Description: By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

Procedure: Apply an authorization scheme to the domain.
Command: authorization-scheme authorization-scheme-name
Description: By default, no authorization scheme is applied to a domain.

Step 5 Configure local authorization rules.


Procedure: (Optional) Apply a user group to the domain.
Command: user-group group-name
Description: By default, no user group is applied to a domain.
NOTE

This command is supported only in NAC common mode.

Procedure: (Optional) Apply a service scheme to the domain.
Command: service-scheme service-scheme-name
Description: By default, no service scheme is applied to a domain.

Step 6 (Optional) Specify the domain state and enable traffic statistics collection for the
domain.

Procedure: Specify the domain state.
Command: state { active | block [ time-range time-name &<1–4> ] }
Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

Step 7 (Optional) Configure the traffic statistics collection function.
1. Run statistic enable
The traffic statistics collection function is enabled for domain users.
By default, the traffic statistics collection is disabled for domain users.
2. Run accounting dual-stack separate
Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic
is enabled.
By default, the device does not distinguish between IPv4 and IPv6 traffic when
collecting statistics or rate limiting IPv4 and IPv6 traffic.
Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is
configured in both the AAA view and authentication profile view, the device
preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)

AAA view

Procedure: Exit from the domain view.
Command: quit
Description: -

Procedure: Specify the domain name parsing direction.
Command: domainname-parse-direction { left-to-right | right-to-left }
Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.

Procedure: Set the domain name delimiter.
Command: domain-name-delimiter delimiter
Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

Procedure: Specify the domain name location.
Command: domain-location { after-delimiter | before-delimiter }
Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

Procedure: Set the security string delimiter.
Command: security-name-delimiter delimiter
Description: By default, the security string delimiter is * (asterisk).

Authentication profile view

Procedure: Exit from the AAA view.
Command: quit
Description: -

Procedure: Create an authentication profile and enter the authentication profile view.
Command: authentication-profile name authentication-profile-name
Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Procedure: Specify the domain name parsing direction.
Command: domainname-parse-direction { left-to-right | right-to-left }
Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name parsing direction is not specified.

Procedure: Set the domain name delimiter.
Command: domain-name-delimiter delimiter
Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.

Procedure: Specify the domain name location.
Command: domain-location { after-delimiter | before-delimiter }
Description: By default, the domain name location is not specified.

Procedure: Set the security string delimiter.
Command: security-name-delimiter delimiter
Description: By default, no security string delimiter is set.
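The parsing direction, delimiter and location settings in Step 8 decide which domain, and so which authentication and authorization schemes, a typed login name is mapped to. The following Python model is an added example, not Huawei code: it assumes that left-to-right splits at the first delimiter occurrence and right-to-left at the last, that after-delimiter/before-delimiter select which side of the delimiter is the domain, and it applies the precedence rule that authentication-profile settings override AAA-view settings. The security string delimiter is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Delimiter characters the table lists as permitted: \ / : < > | @ ' %
ALLOWED_DELIMITERS = set("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainParseConfig:
    """Effective parsing settings (defaults are the AAA-view defaults from the table)."""
    direction: str = "left-to-right"    # or "right-to-left"
    delimiter: str = "@"
    location: str = "after-delimiter"   # or "before-delimiter"

    def __post_init__(self) -> None:
        if self.direction not in ("left-to-right", "right-to-left"):
            raise ValueError(f"bad direction: {self.direction}")
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"bad delimiter: {self.delimiter!r}")
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError(f"bad location: {self.location}")


@dataclass(frozen=True)
class ProfileOverride:
    """Authentication-profile settings; None means 'not specified' (the profile defaults)."""
    direction: Optional[str] = None
    delimiter: Optional[str] = None
    location: Optional[str] = None


def effective_config(aaa: DomainParseConfig,
                     profile: Optional[ProfileOverride] = None) -> DomainParseConfig:
    """Precedence rule from Step 8: a setting present in the authentication
    profile wins over the AAA-view setting; unspecified profile settings
    fall back to the AAA view."""
    if profile is None:
        return aaa
    return DomainParseConfig(
        direction=profile.direction if profile.direction is not None else aaa.direction,
        delimiter=profile.delimiter if profile.delimiter is not None else aaa.delimiter,
        location=profile.location if profile.location is not None else aaa.location,
    )


def split_user_name(raw: str, cfg: DomainParseConfig,
                    default_domain: str = "default") -> Tuple[str, str]:
    """Return (user, domain) for a login name exactly as the user typed it.

    A name without the delimiter is authenticated in the global default
    domain (Step 3 NOTE). Assumption: left-to-right splits at the first
    delimiter occurrence, right-to-left at the last one.
    """
    if cfg.direction == "left-to-right":
        idx = raw.find(cfg.delimiter)
    else:
        idx = raw.rfind(cfg.delimiter)
    if idx < 0:
        return raw, default_domain
    before, after = raw[:idx], raw[idx + 1:]
    if cfg.location == "after-delimiter":
        return before, after
    return after, before


def resolve_domain(raw: str, aaa: DomainParseConfig,
                   profile: Optional[ProfileOverride] = None) -> Tuple[str, str]:
    """Resolve the effective settings, then split the login name."""
    return split_user_name(raw, effective_config(aaa, profile))


if __name__ == "__main__":
    # Constructed sample logins (not from the page).
    aaa = DomainParseConfig()
    for name in ("alice@corp", "alice", "alice@corp@ext"):
        print(name, "->", resolve_domain(name, aaa))
    # A profile that only flips the direction; the delimiter still comes from the AAA view.
    print(resolve_domain("alice@corp@ext", aaa, ProfileOverride(direction="right-to-left")))
```

Note that a name containing the delimiter twice lands in a different domain depending on the parsing direction, which is why both views should be configured consistently.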


Step 9 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)

Procedure: Return to the system view.
Command: quit
Description: -

Procedure: Create an authentication profile and enter the authentication profile view.
Command: authentication-profile name authentication-profile-name
Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Procedure: Specify a permitted domain for wireless users.
Command: permit-domain name domain-name &<1-4>
Description: By default, no permitted domain is specified for wireless users. After a permitted domain is specified in an authentication profile, only users in the permitted domain can be subject to authentication, authorization, and accounting.

----End

1.7.6 Verifying the Local Authentication and Authorization Configuration

Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● To verify information about access users, run the following commands:
– display access-user [ domain domain-name | interface interface-type
interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | ipv6-address ipv6-address
| access-slot slot-id | wired | wireless ] [ detail ]
– display access-user username user-name [ detail ]


– display access-user ssid ssid-name (This command is supported only by
the S5731-H, S5731S-H, S6730S-H, S5732-H, and S6730-H.)
– display access-user [ mac-address mac-address | service-scheme
service-scheme-name | user-id user-id | statistics ]
– display access-user access-type { admin [ ftp | ssh | telnet | terminal |
web ] | ppp } [ username user-name ]
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display local-user [ domain domain-name | state { active | block } |
username username ] * command to check the brief information about local
users.
● Run the display local-aaa-user password policy { access-user |
administrator } command to display the password policy for local users.
● Run the display local-user expire-time command to verify the time when
the local account expires.
● Run the display aaa statistics access-type-authenreq command to verify the
number of authentication requests.
● Run the display access-user user-name-table statistics { all | username
username } command to check statistics on users who are allowed to access
the network using the user name.

----End

1.8 Using RADIUS to Perform Authentication, Authorization, and Accounting
RADIUS Authentication, Authorization, and Accounting
Remote Authentication Dial-In User Service (RADIUS) is often used to implement
authentication, authorization, and accounting (AAA). It uses the client/server
model and prevents unauthorized access to networks that require high security
and control of remote user access.

Configuration Procedure

1.8.1 Configuring an AAA Scheme

Context
An AAA scheme defines the authentication, authorization, and accounting modes
used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in
the authentication scheme, and set the accounting mode to RADIUS in the
accounting scheme. RADIUS authentication is combined with authorization and
cannot be separated. If authentication succeeds, authorization also succeeds. If
RADIUS authentication is used, you do not need to configure an authorization
scheme.


To prevent authentication failures caused by no response from a single
authentication mode, configure local authentication or non-authentication as the
backup authentication mode in the authentication scheme.

NOTE

If non-authentication is configured using the authentication-mode command, users can
pass the authentication using any user name or password. To protect the device and
improve network security, you are advised to enable authentication to allow only
authenticated users to access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or the view of an existing authentication scheme is
displayed.
By default, two authentication schemes named default and radius are
available on the device. The two schemes can only be modified, but
cannot be deleted.
d. Run authentication-mode radius
The authentication mode is set to RADIUS.
By default, local authentication is used, and the names of local users are
case-insensitive.
To configure local authentication as the backup authentication mode, run
the authentication-mode radius { local | local-case } command.
e. (Optional) Run undo server no-response accounting
The device is configured not to send accounting packets when the server
does not respond to a user's authentication request and the user then is
authenticated using the local authentication mode.
By default, when the accounting function is configured, the device does
not send accounting packets when the server does not respond to a
user's authentication request and the user then is authenticated using the
local authentication mode.
f. (Optional) Run radius-reject local
The administrator is configured to be authenticated using the local
authentication mode after the administrator's RADIUS authentication
request is rejected.
By default, an administrator is not authenticated using the local
authentication mode after the administrator's RADIUS authentication
request is rejected. After the RADIUS authentication request is rejected,


that is, the RADIUS server responds with an Access-Reject packet, the
authentication process ends and the administrator fails to be
authenticated.

NOTE

● This function takes effect only for administrators.
● The authentication method must be RADIUS authentication+local authentication.

g. (Optional) Run authentication-super [ hwtacacs | radius | super ] * none
The authentication mode used to upgrade user levels in the current
authentication scheme is configured.
By default, the super mode is used. That is, local authentication is used.
h. (Optional) Run authentication-type radius chap access-type admin
[ ftp | ssh | telnet | terminal | http ] *
PAP authentication is replaced with CHAP authentication when RADIUS
authentication is performed on administrators.
By default, PAP authentication is used when RADIUS authentication is
performed on administrators.
i. Run quit
Return to the AAA view.
j. (Optional) Configure the account locking function.
i. Run the access-user remote authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time command to enable the
account locking function for access users who fail remote
authentication.
Or: run the administrator remote authen-fail retry-interval retry-
interval retry-time retry-time block-time block-time command to
enable the account locking function for administrators who fail
remote authentication.
By default, the account locking function is disabled for access users
who fail remote authentication, and the account locking function is
enabled for administrators who fail remote authentication. The
authentication retry interval is 5 minutes, the maximum number of
consecutive authentication failures is 30, and the account locking
period is 5 minutes.
ii. Run aaa-quiet administrator except-list { ipv4-address | ipv6-
address } &<1-32>
A user is configured to access the network using a specified IP
address if the user account is locked.
By default, a user cannot access the network if the user account is
locked.
You can run the display aaa-quiet administrator except-list
command to query the specified IP addresses.
iii. Run remote-user authen-fail unblock { all | username username }


A remote AAA authentication account that has failed authentication
is unlocked.
k. (Optional) Run aaa-author session-timeout invalid-value enable
The device is disabled from disconnecting or reauthenticating users when
the RADIUS server delivers the Session-Timeout attribute with value 0.
By default, when the RADIUS server delivers the Session-Timeout
attribute with value 0, this attribute does not take effect.
l. Run quit
Return to the system view.
m. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication timeout interval is configured.
By default, the bypass authentication function is disabled.
● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is
displayed, or the view of an existing accounting scheme is displayed.
By default, the accounting scheme named default is available on the
device. This scheme can only be modified, but cannot be deleted.
d. Run accounting-mode radius
The accounting mode is set to RADIUS.
By default, the accounting mode is none.
e. (Optional) Configure policies for accounting failures.
▪ Configure a policy for accounting-start failures.
Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.
▪ Configure a policy for real-time accounting failures.
1) Run accounting realtime interval
The real-time accounting function is enabled, and the interval
for real-time accounting is configured.
By default, the device performs accounting based on the user
online duration, and the real-time accounting function is
disabled.
2) Run accounting interim-fail [ max-times times ] { offline |
online }


The maximum number of real-time accounting failures and a
policy used after the number of real-time accounting failures
exceeds the maximum are configured.
By default, the maximum number of real-time accounting
failures is 3, and the device keeps users online after the number
of real-time accounting failures exceeds the maximum.

▪ Configure a policy for accounting-stop failures.
1) Run quit
Return to the AAA view.
2) Run quit
Return to the system view.
3) Run radius-server template template-name
The RADIUS server template view is displayed.
4) Run radius-server accounting-stop-packet resend [ resend-
times ]
Retransmission of accounting-stop packets is enabled, and the
number of accounting-stop packets that can be retransmitted
each time is configured.
By default, retransmission of accounting-stop packets is enabled,
and the retransmission times is 3.
f. (Optional) Run quit
Return to the system view.
g. (Optional) Run authentication-profile name authentication-profile-name
The authentication profile view is displayed.
By default, the device has six built-in authentication profiles:
default_authen_profile, dot1x_authen_profile, mac_authen_profile,
portal_authen_profile, dot1xmac_authen_profile, and
multi_authen_profile.
NOTE

Only the NAC unified mode supports this command.
h. (Optional) Run authentication { roam-accounting | update-info-accounting | update-ip-accounting } * enable
The device is configured to send accounting packets upon roaming,
terminal information, and address updating.
By default, the device sends accounting packets upon roaming, terminal
information, and address updating.
NOTE

Only the NAC unified mode supports this command.

----End
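The account locking step (j) in the authentication-scheme procedure above combines three settings: retry-interval, retry-time and block-time, with the except-list and the unblock command as administrative escape hatches. The following Python model is an added example, not Huawei code; it assumes that only failures spaced no more than retry-interval apart count as consecutive, and that the failure counter is cleared when the lock period expires.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RemoteAuthFailLockout:
    """Lockout policy for accounts that fail remote (RADIUS/HWTACACS) authentication.

    Defaults are the page's administrator defaults: retry interval 5 minutes,
    30 consecutive failures, lock period 5 minutes. Times are POSIX seconds.
    """
    retry_interval: int = 5 * 60
    retry_time: int = 30
    block_time: int = 5 * 60
    # Source addresses allowed even while the account is locked
    # (models `aaa-quiet administrator except-list`).
    except_list: Set[str] = field(default_factory=set)
    # user -> (consecutive failure count, timestamp of the last failure)
    _failures: Dict[str, Tuple[int, Optional[int]]] = field(default_factory=dict)
    _locked_until: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, user: str, now: int) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock period elapsed: clear the lock and start counting afresh (assumption).
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: int) -> bool:
        """Register one rejected remote authentication.
        Returns True if the account is locked after this failure."""
        if self.is_locked(user, now):
            return True
        count, last = self._failures.get(user, (0, None))
        if last is not None and now - last > self.retry_interval:
            count = 0   # too long since the previous failure: no longer consecutive (assumption)
        count += 1
        self._failures[user] = (count, now)
        if count >= self.retry_time:
            self._locked_until[user] = now + self.block_time
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self._failures.pop(user, None)

    def may_attempt(self, user: str, src_ip: str, now: int) -> bool:
        """Whether the device should forward an authentication request at all:
        a locked account is only admitted from an except-list address."""
        return not self.is_locked(user, now) or src_ip in self.except_list

    def unblock(self, user: Optional[str] = None) -> None:
        """Models `remote-user authen-fail unblock { all | username username }`."""
        if user is None:
            self._locked_until.clear()
            self._failures.clear()
        else:
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)


if __name__ == "__main__":
    # Constructed timeline (not from the page): 30 rejects for "admin" within a minute.
    policy = RemoteAuthFailLockout()
    t0 = 1_700_000_000
    locked = False
    for i in range(30):
        locked = policy.record_failure("admin", t0 + i)
    print("locked after burst:", locked)                                               # True
    print("allowed from 10.0.0.9:", policy.may_attempt("admin", "10.0.0.9", t0 + 60))  # False
    policy.except_list.add("10.0.0.9")
    print("allowed from except-list host:", policy.may_attempt("admin", "10.0.0.9", t0 + 60))  # True
```

With the defaults, a lock is released after 5 minutes on its own; `unblock` is the operator's way to release it early, and the except-list keeps a management address reachable while an administrator account is locked.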


Verifying the Configuration
● Run the display authentication-scheme [ authentication-scheme-name ]
command to view the authentication scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to view the accounting scheme configuration.

1.8.2 Configuring a RADIUS Server Template

Context
You can specify the RADIUS server connected to the device in a RADIUS server
template. Such a template contains the server IP address, port number, source
interface, and shared key settings.
The settings in a RADIUS server template must be the same as those on the
RADIUS server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure RADIUS authentication and accounting servers.
Step: Configure a RADIUS authentication server.
Command:
● Configure an IPv4 RADIUS authentication server: radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
● Configure an IPv6 RADIUS authentication server: radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *
Remarks: By default, no RADIUS authentication server is configured.

Step: Configure a RADIUS accounting server.
Command:
● Configure an IPv4 RADIUS accounting server: radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
● Configure an IPv6 RADIUS accounting server: radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *
Remarks: By default, no RADIUS accounting server is configured.

Step 4 Run radius-server shared-key cipher key-string

By default, no shared key is configured for a RADIUS server.

NOTE

When a RADIUS server is configured in multiple RADIUS server templates:

● If the RADIUS server templates use different shared keys, you need to configure the shared
keys in each RADIUS server template view.
● If the RADIUS server templates use the same shared key, you can configure the shared key in
the system view using the radius-server ip-address { ipv4-address | ipv6-address } shared-key
cipher key-string command.
● When shared keys are configured in both the RADIUS server template view and system view,
the configuration in the system view takes effect.

Step 5 (Optional) Run radius-server algorithm { loading-share | master-backup } [ based-user ]

By default, the algorithm for selecting RADIUS servers is the single user-based
primary/secondary algorithm.

When multiple authentication or accounting servers are configured in a RADIUS
server template, the device selects RADIUS servers based on the configured
algorithm and the weight configured for each server.
● When the algorithm for selecting RADIUS servers is set to primary/secondary,
the server with a larger weight is the primary server. If servers have the same
weight, the server configured first is the primary server.
● If the algorithm for selecting RADIUS servers is set to load balancing, packets
are sent to RADIUS servers according to the weights of the servers.

Step 6 (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

The number of times that RADIUS authentication request packets are
retransmitted and the timeout interval are set.

By default, RADIUS authentication request packets can be retransmitted three
times, and the timeout interval is 5 seconds.


Step 7 (Optional) Configure the format of the user name in packets sent from the device
to the RADIUS server.
● Run radius-server user-name domain-included
The device is configured to encapsulate the domain name in the user name in
the RADIUS packets sent to a RADIUS server.
● Run radius-server user-name original
The device is configured not to modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included except-eap
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server (applicable to other
authentication modes except EAP authentication).
By default, the device does not modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
Step 8 (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
The traffic unit used by the RADIUS server is configured.
By default, the RADIUS traffic unit is byte on the device.
Step 9 (Optional) Run radius-attribute service-type with-authenonly-reauthen
The reauthentication mode is set to reauthentication only.
By default, the reauthentication mode is reauthentication and reauthorization.
This function takes effect when the Service-Type attribute on the RADIUS server is
set to Authenticate Only.
Step 10 (Optional) Run radius-server framed-ip-address no-user-ip enable
The device is enabled to encapsulate the RADIUS attribute Framed-IP-Address into
RADIUS authentication request packets when the RADIUS authentication request
packets sent by users do not carry user IP addresses.
By default, the device does not encapsulate the RADIUS attribute Framed-IP-
Address into a RADIUS authentication request packet when the RADIUS
authentication request packet sent by a user does not carry the user IP address.

----End
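The following Python model is an illustration added to this guide, not Huawei's implementation. It shows how Steps 3, 5 and 6 interact: with the primary/secondary algorithm the server with the largest weight is used and a tie goes to the server configured first; with load balancing packets are spread according to the weights; and a request is transmitted once plus the configured number of retransmissions, each waiting for the configured timeout. The server addresses, the send() callback and the smooth weighted round robin used for load sharing are constructed assumptions (the page only states that packets follow the weights), and the per-user binding of the based-user option is not modelled.

```python
"""Model of RADIUS server selection and retransmission in a server template.

Added illustration for this guide, not Huawei code. Server entries and the
send() callback are constructed stand-ins; smooth weighted round robin is an
assumed way to share packets by weight.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    address: str
    port: int
    weight: int = 0          # weight weight-value
    status: str = "Up"       # Up or Down, as maintained by status detection


@dataclass
class ServerTemplate:
    servers: List[RadiusServer] = field(default_factory=list)   # configuration order
    algorithm: str = "master-backup"    # radius-server algorithm { loading-share | master-backup }
    retransmit: int = 3                 # radius-server retransmit (default 3)
    timeout: int = 5                    # radius-server timeout in seconds (default 5)
    share_state: List[int] = field(default_factory=list)        # smooth-WRR counters


def pick_master_backup(tpl: ServerTemplate) -> Optional[RadiusServer]:
    """Largest weight is primary; on equal weights the server configured first
    wins because sorted() is stable. Down servers are skipped."""
    for server in sorted(tpl.servers, key=lambda s: -s.weight):
        if server.status == "Up":
            return server
    return None


def pick_loading_share(tpl: ServerTemplate) -> Optional[RadiusServer]:
    """Smooth weighted round robin over Up servers: every counter grows by its
    weight, the largest counter is chosen and reduced by the total weight."""
    if len(tpl.share_state) != len(tpl.servers):
        tpl.share_state = [0] * len(tpl.servers)
    up = [i for i, s in enumerate(tpl.servers) if s.status == "Up"]
    if not up:
        return None
    for i in up:
        tpl.share_state[i] += tpl.servers[i].weight
    best = max(up, key=lambda i: tpl.share_state[i])   # first index wins ties
    tpl.share_state[best] -= sum(tpl.servers[i].weight for i in up)
    return tpl.servers[best]


def select_server(tpl: ServerTemplate) -> Optional[RadiusServer]:
    if tpl.algorithm == "loading-share":
        return pick_loading_share(tpl)
    return pick_master_backup(tpl)


def distribute(tpl: ServerTemplate, packets: int) -> Dict[str, int]:
    """How many of `packets` requests each server would receive."""
    counts = {s.address: 0 for s in tpl.servers}
    for _ in range(packets):
        server = select_server(tpl)
        if server is None:
            break
        counts[server.address] += 1
    return counts


def authenticate(tpl: ServerTemplate,
                 send: Callable[[RadiusServer, int], bool]) -> Tuple[Optional[str], int]:
    """One Access-Request: the first transmission plus up to `retransmit`
    retransmissions, each waiting `timeout` seconds (send() returns True on a
    reply). Returns (answering server address or None, transmissions made)."""
    server = select_server(tpl)
    if server is None:
        return None, 0
    for attempt in range(1, tpl.retransmit + 2):
        if send(server, tpl.timeout):
            return server.address, attempt
    return None, tpl.retransmit + 1


if __name__ == "__main__":
    # Constructed template: two equal-weight servers and one lower-weight server.
    tpl = ServerTemplate(servers=[RadiusServer("192.0.2.10", 1812, 80),
                                  RadiusServer("192.0.2.11", 1812, 80),
                                  RadiusServer("192.0.2.12", 1812, 20)])
    print("primary:", pick_master_backup(tpl).address)
    tpl.algorithm = "loading-share"
    print("18 packets shared:", distribute(tpl, 18))
```

With the defaults, an unanswered request costs four transmissions and 20 seconds before the device gives up on that server; marking the server Down is the job of the status detection described in 1.8.3, not of the retransmit logic.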

Verifying the Configuration


Run the display radius-server configuration [ template template-name ]
command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name
[ chap | pap | accounting [ start | realtime | stop ] ] command to test the
connectivity between the device and the RADIUS authentication server or accounting
server and check whether the authentication server or accounting server can
perform authentication or accounting for users.
If an error message is displayed in the command output, troubleshoot the fault
according to Testing Whether a User Can Pass RADIUS Authentication or
Accounting.

1.8.3 (Optional) Configuring the RADIUS Server Status Detection Function

Context
A device can detect the RADIUS server status using the RADIUS server status
detection function. If the RADIUS server status is Down, users can obtain escape
rights. If the RADIUS server status reverts to Up, escape rights are removed from
the users and the users are reauthenticated.

Procedure
● Configure conditions for setting the RADIUS server status to Down. Two
scenarios are involved in this configuration.
– Conditions for setting the RADIUS server status to Down during the
RADIUS server status detection.
i. Run system-view
The system view is displayed.
ii. Run radius-server { dead-interval dead-interval | dead-count dead-
count | detect-cycle detect-cycle }
The RADIUS server detection interval, number of times the detection
interval cycles, and maximum number of consecutive
unacknowledged packets in each detection interval are configured.
By default, the RADIUS server detection interval is 5 seconds, the
number of times the detection interval cycles is 2, and the maximum
number of consecutive unacknowledged packets in each detection
interval is 2.
iii. Run the return command to return to the user view.
– Set the status of a RADIUS server to Down if no response is received from
the server for a long period of time. With this function enabled, you can
run the following commands to adjust the maximum unresponsive
interval of the RADIUS server.
i. Run system-view
The system view is displayed.
ii. Run radius-server max-unresponsive-interval interval
The longest unresponsive interval for the RADIUS server is
configured.
By default, the longest unresponsive interval for a RADIUS server is
300 seconds.
iii. Run the return command to return to the user view.


● (Optional) Configure the automatic detection function.
a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.
c. Run radius-server testuser username user-name password cipher
password
A user account for automatic RADIUS server detection is created.
By default, no RADIUS template-based user account for automatic
detection is configured.
After the user account for automatic RADIUS server detection is created,
the automatic detection function is enabled. By default, the automatic
detection function takes effect only for RADIUS servers in Down status.
d. (Optional) Run radius-server detect-server interval interval
The automatic detection interval for RADIUS servers in Down status is
configured.
By default, the automatic detection interval for RADIUS servers in Down
status is 60 seconds.
e. (Optional) Run radius-server detect-server up-server interval interval
Automatic detection for RADIUS servers in Up status is enabled and the
automatic detection interval is configured.
By default, a device does not automatically detect RADIUS servers in Up
status.
NOTE

On a large-scale network, you are not advised to enable automatic detection for
RADIUS servers in Up status. If automatic detection is enabled on multiple NAS
devices, the RADIUS server periodically receives a large number of detection
packets while it is processing RADIUS Access-Request packets sourced from users,
which may degrade the processing performance of the RADIUS server.
f. (Optional) Run radius-server detect-server timeout timeout
The timeout period for RADIUS detection packets is configured.
By default, the timeout period for RADIUS detection packets is 3 seconds.
g. Run the return command to return to the user view.
● (Optional) Configure the duration for which a RADIUS server remains Down,
namely, configure the Force-up timer.
NOTE

After the RADIUS server status is set to Force-up and automatic detection is enabled, the
device immediately sends a detection packet. If the device receives a response packet from
the RADIUS server within the timeout period, the device sets the RADIUS server status to
Up; otherwise, the device sets the RADIUS server status to Down.

a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.


c. Run radius-server dead-time dead-time
The Force-up timer for RADIUS servers is configured.
By default, the Force-up timer for RADIUS servers is 5 minutes.
d. Run the return command to return to the user view.
● (Optional) Configure status synchronization between RADIUS authentication
and accounting servers.
a. Run system-view
The system view is displayed.
b. Run the radius-server dead-detect-condition by-server-ip command to
configure IP address-based automatic detection for RADIUS servers.
By default, RADIUS authentication and accounting servers with the same
IP address in the same VPN instance are detected together and their
statuses are updated at the same time.
c. Run the return command to return to the user view.

----End
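The state machine below is a simplified model added to this guide (not Huawei code) of the status transitions this procedure configures: a server goes Down when the dead-interval, dead-count and detect-cycle thresholds are hit or when it stays unresponsive past max-unresponsive-interval, comes back Up when any reply arrives, moves to Force-up when the dead-time timer expires, and, when a test user is configured, is probed every detect-server interval while Down and immediately after Force-up, with detect-server timeout deciding the result. How the three detection counters combine is my reading of the text and is stated in the code as an assumption; the simulated clock values are constructed.

```python
"""Simplified model of RADIUS server status detection (section 1.8.3).

Added for this guide, not Huawei code. Assumed reading of the thresholds: a
dead-interval window "fails" when dead-count consecutive requests in it go
unanswered, and detect-cycle consecutive failed windows set the server Down.
Times are seconds on a simulated clock.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DetectionConfig:
    dead_interval: int = 5        # radius-server dead-interval (seconds)
    dead_count: int = 2           # radius-server dead-count
    detect_cycle: int = 2         # radius-server detect-cycle
    max_unresponsive: int = 300   # radius-server max-unresponsive-interval
    dead_time: int = 300          # radius-server dead-time (Force-up timer, 5 minutes)
    testuser: bool = False        # radius-server testuser configured in the template
    detect_interval: int = 60     # radius-server detect-server interval (Down servers)
    detect_timeout: int = 3       # radius-server detect-server timeout


@dataclass
class ServerStatus:
    cfg: DetectionConfig
    status: str = "Up"                 # Up, Down or Force-up
    window_start: float = 0.0
    unanswered: int = 0                # consecutive unanswered requests in this window
    failed_windows: int = 0            # consecutive windows that reached dead-count
    first_request: Optional[float] = None
    last_request: Optional[float] = None
    last_response: Optional[float] = None
    down_since: Optional[float] = None
    probe_sent_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _set(self, status: str, now: float, why: str) -> None:
        self.log.append(f"t={now:.0f}: {self.status} -> {status} ({why})")
        self.status = status
        # Fresh evidence is needed after any change: reset counters and request tracking.
        self.unanswered = self.failed_windows = 0
        self.first_request = self.last_request = None
        if status == "Down":
            self.down_since, self.probe_sent_at = now, None

    def _roll_windows(self, now: float) -> None:
        """Close every dead-interval window that has elapsed and score it."""
        while now - self.window_start >= self.cfg.dead_interval:
            hit = self.unanswered >= self.cfg.dead_count
            self.failed_windows = self.failed_windows + 1 if hit else 0
            self.unanswered = 0
            self.window_start += self.cfg.dead_interval

    def _check_down(self, now: float) -> None:
        if self.status == "Down":
            return
        if self.failed_windows >= self.cfg.detect_cycle:
            self._set("Down", now, "dead-count reached in detect-cycle consecutive windows")
            return
        outstanding = self.last_request is not None and (
            self.last_response is None or self.last_request > self.last_response)
        since = self.last_response if self.last_response is not None else self.first_request
        if outstanding and now - since >= self.cfg.max_unresponsive:
            self._set("Down", now, "max-unresponsive-interval exceeded")

    def request_sent(self, now: float) -> None:
        """A real user Access-Request or Accounting-Request left the NAS."""
        self._roll_windows(now)
        if self.first_request is None:
            self.first_request = now
        self.last_request = now
        self.unanswered += 1
        self._check_down(now)

    def response_received(self, now: float) -> None:
        """Any reply from the server, to a user request or to a test-user probe."""
        self.last_response, self.unanswered, self.failed_windows = now, 0, 0
        self.probe_sent_at = None
        if self.status != "Up":
            self._set("Up", now, "reply received")

    def tick(self, now: float) -> bool:
        """Timer processing; returns True when a test-user probe should be sent now."""
        self._roll_windows(now)
        self._check_down(now)
        if self.status == "Down" and now - self.down_since >= self.cfg.dead_time:
            self._set("Force-up", now, "dead-time expired")
            if self.cfg.testuser:            # probe immediately after Force-up
                self.probe_sent_at = now
                return True
        if self.status == "Down" and self.cfg.testuser:
            last = self.probe_sent_at if self.probe_sent_at is not None else self.down_since
            if now - last >= self.cfg.detect_interval:
                self.probe_sent_at = now
                return True
        if self.probe_sent_at is not None and now - self.probe_sent_at >= self.cfg.detect_timeout:
            self.probe_sent_at = None       # probe went unanswered
            if self.status == "Force-up":
                self._set("Down", now, "detection probe timed out")
        return False
```

Driving the model with the defaults, four unanswered requests at t=0, 1, 5 and 6 seconds put the server Down at t=10, the Force-up timer fires at t=310, and without a test user the server only returns to Up once a real user request is answered; with a test user the probe sent at t=310 decides the state by t=313. Whatever the outcome, the escape rights granted while Down are what the follow-up authentication event commands control.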

Verifying the Configuration


● Run the display radius-server { dead-interval | dead-count | detect-cycle }
command to check configuration information about the RADIUS server
detection interval, number of times the RADIUS server detection interval
cycles, and maximum number of consecutive unacknowledged packets in
each detection interval.
● Run the display radius-server configuration command to check
configuration information about the user account for automatic detection,
detection interval, and timeout period for detection packets in the RADIUS
server template.
● Run the display radius-server max-unresponsive-interval command to
check the configuration information about the longest unresponsive interval
of the RADIUS server.

Follow-up Procedure
1. Run the authentication event authen-server-down action authorize
command in the authentication profile view to configure the user escape
function if the authentication server goes Down. For details, see 2.9.3
(Optional) Configuring Authentication Event Authorization Information
in NAC Configuration (Unified Mode).
2. Run the authentication event authen-server-up action re-authen
command in the authentication profile view to configure the reauthentication
function after the authentication server reverts to the Up status. For details,
see 2.9.8 (Optional) Configuring Re-authentication for Users in NAC
Configuration (Unified Mode).

1.8.4 (Optional) Configuring RADIUS Attributes


1.8.4.1 Disabling or Translating RADIUS Attributes

Context
RADIUS attributes supported by different vendors are incompatible with each
other, so RADIUS attributes must be disabled or translated in interoperation and
replacement scenarios.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-server attribute translate
The RADIUS attribute disabling and translation functions are enabled.
By default, the RADIUS attribute disabling and translation functions are disabled.

Step 4 Run radius-attribute disable attribute-name { receive | send } *
A RADIUS attribute is disabled.
By default, no RADIUS attribute is disabled.
Step 5 Configure the RADIUS attribute to be translated.
● radius-attribute translate src-attribute-name dest-attribute-name { receive |
send | access-accept | access-request | account-request | account-
response } *
● radius-attribute translate extend vendor-specific src-vendor-id src-sub-id
dest-attribute-name { access-accept | account-response } *
● radius-attribute translate extend src-attribute-name vendor-specific dest-
vendor-id dest-sub-id { access-request | account-request } *
By default, no RADIUS attribute is translated.

----End

Verifying the Configuration


● Run the display radius-attribute [ name attribute-name | type { attribute-
number1 | huawei attribute-number2 | microsoft attribute-number3 |
dslforum attribute-number4 } ] command to check the RADIUS attributes
supported by the device.
● Run the display radius-attribute [ template template-name ] disable
command to check the disabled RADIUS attributes.
● Run the display radius-attribute [ template template-name ] translate
command to check the RADIUS attribute translation configuration.


1.8.4.2 Configuring the RADIUS Attribute Check Function

Context
After the RADIUS attribute check function is configured, the device checks whether
the received RADIUS Access-Accept packets contain the specified attributes. If so,
the device considers that authentication is successful; if not, the device considers
that authentication fails and discards the packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute check attribute-name
The device is configured to check whether the received RADIUS Access-Accept
packets contain the specified attribute.
By default, the device does not check whether RADIUS Access-Accept packets
contain the specified attribute.

----End
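The Python model below is an illustration added to this guide (not Huawei code) of the attribute handling configured in 1.8.4.1 and 1.8.4.2: attributes disabled for a direction are dropped, translate rules relabel an attribute as another standard attribute or as a vendor-specific attribute for the packet kinds they name, none of this applies until the radius-server attribute translate step enables it, and an Access-Accept missing a checked attribute is treated as a failed authentication and discarded. Attributes are handled as already decoded name/vendor/value records; the vendor id 12345 and the rules in the demo are constructed placeholders, not values from the page.

```python
"""Model of RADIUS attribute disabling, translation and checking (1.8.4.1, 1.8.4.2).

Added example for this guide, not Huawei code. Attributes are already decoded
(standard name or vendor id/sub-type plus raw value); vendor id 12345 and the
demo rules are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple  # ("std", name) for a standard attribute, ("vsa", vendor_id, sub_id) for a VSA
SEND_KINDS = {"access-request", "account-request"}      # packets the NAS sends
RECV_KINDS = {"access-accept", "account-response"}      # packets the NAS receives


@dataclass(frozen=True)
class Attr:
    value: bytes
    name: Optional[str] = None      # standard attribute name, e.g. "NAS-Port-Id"
    vendor: Optional[int] = None    # vendor-specific (26): vendor id ...
    sub: Optional[int] = None       # ... and vendor sub-type

    def key(self) -> Key:
        return ("vsa", self.vendor, self.sub) if self.vendor is not None else ("std", self.name)

    def retarget(self, dest: Key) -> "Attr":
        """Same value relabelled as another attribute (what 'translate' does)."""
        if dest[0] == "vsa":
            return Attr(self.value, None, dest[1], dest[2])
        return Attr(self.value, dest[1])


@dataclass
class AttributeTemplate:
    translate_enabled: bool = False                   # radius-server attribute translate
    disabled: Dict[Key, Set[str]] = field(default_factory=dict)   # key -> {"send", "receive"}
    rules: List[Tuple[Key, Key, Set[str]]] = field(default_factory=list)  # (src, dest, scope)
    required_in_accept: Set[Key] = field(default_factory=set)    # radius-attribute check


def _direction(kind: str) -> str:
    if kind in SEND_KINDS:
        return "send"
    if kind in RECV_KINDS:
        return "receive"
    raise ValueError(f"unknown packet kind {kind!r}")


def process(tpl: AttributeTemplate, attrs: List[Attr], kind: str) -> List[Attr]:
    """Apply the template to one packet's attributes: drop attributes disabled for
    this direction, then relabel each attribute by the first translate rule whose
    scope names this packet kind or this direction. Nothing changes until enabled."""
    direction = _direction(kind)
    if not tpl.translate_enabled:
        return list(attrs)
    out = []
    for a in attrs:
        if direction in tpl.disabled.get(a.key(), set()):
            continue
        for src, dest, scope in tpl.rules:
            if a.key() == src and (kind in scope or direction in scope):
                a = a.retarget(dest)
                break
        out.append(a)
    return out


def check_access_accept(tpl: AttributeTemplate, attrs: List[Attr]) -> bool:
    """radius-attribute check: True only if every required attribute is present;
    otherwise the device treats the Access-Accept as a failed authentication and
    discards it. Run after process(), so translated names are already in place."""
    return tpl.required_in_accept <= {a.key() for a in attrs}


if __name__ == "__main__":
    # Constructed template: send NAS-Port-Id as a third-party VSA, read that vendor's
    # session timeout VSA as Session-Timeout, never send Framed-MTU, require Class.
    tpl = AttributeTemplate(translate_enabled=True)
    tpl.disabled[("std", "Framed-MTU")] = {"send"}
    tpl.rules.append((("std", "NAS-Port-Id"), ("vsa", 12345, 7), {"access-request"}))
    tpl.rules.append((("vsa", 12345, 9), ("std", "Session-Timeout"), {"access-accept"}))
    tpl.required_in_accept.add(("std", "Class"))
    accept = process(tpl, [Attr(b"\x00\x00\x0e\x10", vendor=12345, sub=9)], "access-accept")
    print(accept, "accepted" if check_access_accept(tpl, accept) else "discarded")
```

The demo's Access-Accept carries the translated Session-Timeout but no Class attribute, so the check fails and the packet is discarded, which is the behaviour described in 1.8.4.2.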

1.8.4.3 Modifying the Value of a RADIUS Attribute

Context
The value of the same RADIUS attribute may vary on RADIUS servers from
different vendors. Therefore, RADIUS attribute values need to be modified, so that
a Huawei device can successfully communicate with a third-party RADIUS server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute set attribute-name attribute-value [ auth-type { mac |
dot1x | portal } | user-type ipsession ]
The value of a RADIUS attribute is modified.


By default, values of RADIUS attributes are not modified.

NOTE

When the Access-Challenge packet sent by the RADIUS server contains EAP information
longer than 1200 bytes, the terminal may fail to receive the EAP Request/Challenge packet.
In this case, you can run this command to set attribute-name to Framed-Mtu and reduce
the value of the Framed-Mtu attribute in the authentication request packet sent by the
device to the RADIUS server. The default value of the Framed-Mtu attribute is 1500. You can
change it to 1000.

----End

1.8.4.4 Configuring Standard RADIUS Attributes

Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some standard RADIUS attributes can be
configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure standard RADIUS attributes.
● Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-
Address).
– Run radius-attribute nas-ip { ip-address | ap-info }
RADIUS attribute 4 (NAS-IP-Address) is configured.
By default, the source IP address of the NAS is the value of the NAS-IP-
Address attribute.
– Run radius-attribute nas-ipv6 ipv6-address
RADIUS attribute 95 (NAS-IPv6-Address) is configured.
By default, the NAS-IPv6-Address attribute is not configured.
● Configure RADIUS attribute 5 (NAS-Port).
a. Run radius-server nas-port-format { new | old }
The format of the NAS port is configured.
By default, the new NAS port format is used.
When the new NAS port format is used, you can perform the following
operation to configure the specific format.
b. Run radius-server format-attribute nas-port nas-port-string [ decimal ]
The new NAS port format is configured.
By default, the default new NAS port format is used.
● Configure RADIUS attribute 30 (Called-Station-Id).
a. Run called-station-id wlan-user-format { ap-mac | ac-mac | ac-ip | ap-
name | ap-group-name | vlanid | ap-location } [ include-ssid
[ delimiter delimiter ] ]
The encapsulation content of RADIUS attribute 30 (Called-Station-Id) is
configured.
By default, the encapsulation content of the Called-Station-Id (30)
attribute is the AP's MAC address and SSID separated with a colon (:), in
the format of ap-mac:ssid.
You can perform the following operation to set the encapsulation format
of the AP or AC MAC address in the Called-Station-Id (30) attribute.
NOTE

Only the S5731-H, S5731S-H, S6730S-H, S5732-H, and S6730-H support this
command.
b. Run called-station-id mac-format { dot-split | hyphen-split | colon-
split} [ mode1 | mode2 ] [ lowercase | uppercase ]
Or run called-station-id mac-format unformatted [ lowercase |
uppercase ]
The encapsulation format of the MAC address in the Called-Station-Id
(30) attribute is configured.
By default, the MAC address format in the Called-Station-Id (30)
attribute is XX-XX-XX-XX-XX-XX, in uppercase.
● Configure RADIUS attribute 31 (Calling-Station-Id).
Run calling-station-id mac-format { dot-split | hyphen-split | colon-split }
[ mode1 | mode2 ] [ lowercase | uppercase ]
Or run calling-station-id mac-format { unformatted [ lowercase |
uppercase ] | bin }
The encapsulation format of the MAC address in the Calling-Station-Id (31)
attribute is configured.
By default, the MAC address format in the Calling-Station-Id (31) attribute is
xxxx-xxxx-xxxx, in lowercase.
● Configure RADIUS attribute 32 (NAS-Identifier).
Run radius-server nas-identifier-format { hostname | vlan-id | ap-info }
The encapsulation format of the NAS-Identifier attribute is configured.
By default, the NAS-Identifier encapsulation format is the NAS device's
hostname.
● Configure RADIUS attribute 80 (Message-Authenticator).
Run radius-server attribute message-authenticator access-request
The device is configured to carry RADIUS attribute 80 (Message-
Authenticator) in RADIUS authentication packets.
By default, the device does not carry RADIUS attribute 80 (Message-
Authenticator) in RADIUS authentication packets.
● Configure RADIUS attribute 87 (NAS-Port-Id).
Run radius-server nas-port-id-format { new [ client-option82 ] | old |
vendor vendor-id }
The format of the NAS-Port-Id attribute is configured.
By default, the new format of the NAS-Port-Id attribute is used.
● Configure RADIUS attribute 89 (Chargeable-User-Identity).
Run radius-server support chargeable-user-identity [ not-reject ]
The device is configured to support the CUI attribute.
By default, the device does not support the CUI attribute.
● Run radius-attribute cut hw-portal-url key-words [ end mark ]
The device is configured to delete the specified content from the URL
contained in the Huawei RADIUS attribute 26-156 (HW-Portal-URL).
By default, the device does not process the URL contained in the Huawei
RADIUS attribute 26-156 (HW-Portal-URL).

----End
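The following Python example is added to this guide (it is not Huawei code) to show what several of the settings above change on the wire, using the standard RADIUS encoding of RFC 2865 and RFC 2869: the shared key of Step 4 in 1.8.2 hides User-Password and keys the HMAC-MD5 Message-Authenticator (attribute 80) that this section lets you add to Access-Request packets; the user-name mode of Step 7 decides whether the domain name is sent in User-Name; and Calling-Station-Id (31) and NAS-Identifier (32) carry the formatted MAC address and the hostname. A server-side check shows that a shared-key mismatch or a modified byte makes the Message-Authenticator fail. The user name, domain, password, MAC address, hostname and fixed Request Authenticator are constructed values; the MAC group size is a parameter because the page does not define mode1 and mode2.

```python
"""RADIUS Access-Request construction and checking (RFC 2865/2869 encoding).

Added example for this guide, not Huawei code. All sample values (user, domain,
password, MAC, hostname, authenticator) are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple


def format_user_name(entered: str, domain: str, mode: str = "original") -> str:
    """'original' sends what the user typed; 'domain-included' appends the domain;
    'no-domain' (undo radius-server user-name domain-included) strips it."""
    base = entered.split("@", 1)[0]
    if mode == "original":
        return entered
    if mode == "domain-included":
        return f"{base}@{domain}"
    if mode == "no-domain":
        return base
    raise ValueError(f"unknown user-name mode {mode!r}")


def format_mac(mac: str, separator: str = "-", group: int = 4, uppercase: bool = False) -> str:
    """Re-encode a MAC for Calling-Station-Id / Called-Station-Id. The defaults give
    the Calling-Station-Id default xxxx-xxxx-xxxx; separator '' means unformatted."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    int(digits, 16)  # raises ValueError on non-hex input
    digits = digits.upper() if uppercase else digits.lower()
    if not separator:
        return digits
    return separator.join(digits[i:i + group] for i in range(0, 12, group))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password (2): XOR 16-byte blocks with MD5(secret + previous block),
    the first block keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password (padding NULs stripped)."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user_name: str, password: bytes,
                         mac: str, nas_id: str, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5 over the packet with
    the attribute's own 16 value bytes zeroed (it is placed last here)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user_name.encode()) +
             attr(2, hide_password(password, secret, authenticator)) +
             attr(31, format_mac(mac).encode()) +
             attr(32, nas_id.encode()) +
             attr(80, bytes(16)))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attrs(pkt: bytes) -> List[Tuple[int, int, bytes]]:
    """(type, value offset, value) per attribute; rejects inconsistent lengths."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("packet length field does not match packet")
    pos, out = 20, []
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        out.append((pkt[pos], pos + 2, pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return out


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """HMAC-MD5 check keyed with the shared key; False if absent or mismatched,
    which is how a shared-key mismatch between NAS and server shows up."""
    for attr_type, off, value in parse_attrs(pkt):
        if attr_type == 80 and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False
```

Without attribute 80 an Access-Request is protected only by the User-Password hiding, so a server cannot tell whether the rest of the packet was altered; enabling radius-server attribute message-authenticator access-request gives the server a keyed check over the whole request, and the same shared key must be present on both sides for it to pass.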

1.8.4.5 Configuring Huawei Proprietary RADIUS Attributes

Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some Huawei proprietary RADIUS attributes
can be configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure Huawei proprietary RADIUS attributes.
● Run radius-server hw-ap-info-format include-ap-ip
The device is configured to carry the AP's IP address in Huawei proprietary
attribute 26-141 (HW-AP-Information).
By default, the device does not carry the AP's IP address in Huawei
proprietary attribute 26-141 (HW-AP-Information).
NOTE

This function is supported only by S5731-H, S5731S-H, S6730S-H, S5732-H, and
S6730-H.
● Run radius-server hw-dhcp-option-format { new | old }
The format of Huawei proprietary attribute 26-158 (HW-DHCP-Option) is
configured.
By default, the format of Huawei proprietary attribute 26-158 (HW-DHCP-
Option) is old.
● Run radius-attribute cut hw-portal-url key-words [ end mark ]
The information to be deleted from the URL in the Huawei RADIUS attribute
26-156 (HW-Portal-URL) is configured.
By default, the device does not handle the URL in the Huawei RADIUS
attribute 26-156 (HW-Portal-URL).

----End

1.8.5 (Optional) Configuring Authorization Information

1.8.5.1 Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

NOTE

When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Step: Configure the IP address of the primary DNS server.
Command: dns ip-address
Remarks: By default, no primary DNS server is configured in a service scheme.

Step: Configure the IP address of the secondary DNS server.
Command: dns ip-address secondary
Remarks: By default, no secondary DNS server is configured in a service scheme.

Step 6 Run redirect-acl [ ipv6 ] { acl-number | name acl-name }

A redirection ACL is configured in the service scheme.
By default, no redirection ACL is configured in a service scheme.

NOTE

The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.

Step 7 Run idle-cut idle-time flow-value [ inbound | outbound ]

The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut command configured in the service scheme view takes effect only for wireless
users.

Step 8 Run access-limit user-name max-num number

The maximum number of users who are allowed to access the network using the
same user name is configured.
By default, the number of users who are allowed to access the network using the
same user name is not limited, and is determined by the maximum number of
access users supported by the device.


NOTE

Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.

Step 9 Run priority priority-value

The user priority is configured in the service scheme.
By default, the user priority is 0.
Step 10 Configure network access control parameters in the service scheme.
1. Run acl-id [ ipv6 ] acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE

Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.


By default, no QoS profile is bound to a service scheme.


NOTE

The QoS profile is supported only by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
Before running this command, ensure that a QoS profile has been configured.
The procedure for configuring a QoS profile is as follows:
a. In the system view, run qos-profile name profile-name
A QoS profile is created and the QoS profile view is displayed.
b. Configure traffic policing, packet processing priority, and user queue in
the QoS profile view. (Of all parameters in the QoS profile bound to the
service scheme, only those configured using the following commands
take effect.)

▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.

▪ Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in the QoS
profile.
NOTE

If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.

▪ Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is
configured in the QoS profile.
By default, the action of re-marking 802.1p priorities of VLAN
packets is not configured in a QoS profile.
NOTE

If both remark 8021p 8021p-value and voice-vlan remark 8021p 8021p-value are
configured, the 802.1p priority of the former is higher.

▪ Run user-queue { pir pir-value | flow-queue-profile flow-queue-profile-name |
flow-mapping-profile flow-mapping-profile-name } *
A user queue is created in the QoS profile to implement HQoS
scheduling.
By default, no user queue is configured in a QoS profile.
NOTE

Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.


By default, no SAC profile is bound to a service scheme.


NOTE

For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
b. Run acl { ucl-number | name acl-name } remark local-precedence local-
precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.

----End

1.8.5.2 Configuring a User Group

Context
Users must obtain authorization information before going online. You can
configure a user group to manage authorization information about users.

NOTE

Only the NAC common mode supports authorization by a user group.

Procedure
● Configure a user group.

Step: Enter the system view.
Command: system-view
Remarks: -

Step: Create a user group and enter the user group view.
Command: user-group group-name
Remarks: When using a user group in a dual-link HSB scenario, specify the user
group index and ensure that the user group names and user group indexes
configured on the active and standby devices are the same.

Step: Bind an ACL to the user group.
Command: acl-id acl-number
Remarks: By default, no ACL is bound to a user group.
NOTE: Before running this command, ensure that the ACL has been created using
the acl or acl name command and ACL rules have been configured using the rule
command.

Step: Bind a VLAN to the user group.
Command: user-vlan vlan-id
Remarks: By default, no VLAN is bound to a user group.

Step: Configure the priority of the user group.
Command: remark { 8021p 8021p-value | dscp dscp-value } *
Remarks: By default, the priority of a user group is not configured.
NOTE: Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI support this
command.

Step: Limit the rate of traffic from users in the user group.
Command: car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *
Remarks: By default, the rate of traffic from users in a user group is not
limited.
NOTE: Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI support this
command, and the user group CAR can only be applied in the interface outbound
direction (outbound) on the S6720-EI and S6720S-EI.

Step: Return to the system view.
Command: quit
Remarks: -

Step: Enable the user group function.
Command: user-group group-name enable
Remarks: The user group configuration takes effect only after the user group
function is enabled. By default, the user group function is disabled.

----End

1.8.5.3 Configuring a UCL Group

Context
Users must obtain authorization information before going online. You can
configure a UCL group to manage authorization information about users.

NOTE

Only the NAC common mode supports authorization by a UCL group.

Procedure
● Configure an authorization UCL group.

Step: Enter the system view.
Command: system-view
Remarks: -

Step: Create a UCL group.
Command: ucl-group group-index [ name group-name ]
Remarks: By default, no UCL group is created.

Step: (Optional) Configure an IP address for the static UCL group.
Command: ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name } [ escape ]
Remarks: By default, no IP address is configured for a static UCL group.
NOTE: IP addresses in static UCL groups are only supported by the S5731-H,
S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S,
S6735-S, S6720-EI, and S6720S-EI.

Step: (Optional) Configure a domain name for the static UCL group.
Command: ucl-group domain domain-name domain-name { group-index | name group-name }
Remarks: By default, no domain name is configured for a static UCL group.
NOTE: Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, and S6730S-S support domain names in static UCL groups.

Step: Configure a user ACL or user ACL6.
Command: For details, see Configuring a User ACL or User ACL6 under "ACL
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R021C00, C01
Configuration Guide - Security.
Remarks: The user ACL or user ACL6 filters packets based on the UCL group.

Step: Configure ACL-based packet filtering.
Command: traffic-filter inbound acl [ ipv6 ] acl-number
Remarks: By default, ACL-based packet filtering is not configured.

----End

1.8.5.4 Configuring a VLAN pool

Context
A VLAN pool is a set of VLANs and is used to simplify network deployment.
Perform the following operations to configure a VLAN pool.
● Set the standard RADIUS attribute Tunnel-Private-Group-ID assigned to
users who pass authentication by the RADIUS server so that wired users can
be added to the specified VLAN pool.
● For wireless users, three methods are available to apply a VLAN pool:
– Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
service-vlan vlan-pool pool-name command to configure the specified
VLAN pool as the service VLAN of wireless users in the specified VAP
profile.
– Run the service-vlan vlan-pool pool-name command in the VAP profile
view to configure the VLAN pool as the service VLAN of wireless users in
the VAP profile.
– On the RADIUS server, configure the standard RADIUS attribute Tunnel-
Private-Group-ID for authenticated users to add the users to the
specified VLAN pool.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
VLANs are created in a batch.
Step 3 Run vlan pool pool-name
A specified VLAN pool is created and its view is displayed.
By default, no VLAN pool is created.
Step 4 Run vlan { start-vlan [ to end-vlan ] } &<1-10> [ max-user number ]
The specified VLANs are added to the VLAN pool.
By default, no VLAN is available in a VLAN pool.

NOTE

max-user number is valid only for users authorized a VLAN pool and takes effect only
when the VLAN assignment algorithm of a VLAN pool is hash.

Step 5 (Optional) Run assignment { even | hash }
A VLAN assignment algorithm is configured for the VLAN pool.
By default, the VLAN assignment algorithm is hash for a VLAN pool.
Step 6 (Optional) Run hash mac-vlan lease { day day [ hour hour [ minute minute ] ] |
unlimited }
The aging time of user entries in the VLAN pool is set.
By default, the aging time of user entries in a VLAN pool is 8 days.

NOTE

● The hash mac-vlan lease command takes effect only for users authorized a VLAN pool.
● The hash mac-vlan lease command takes effect only when the VLAN assignment
algorithm of a VLAN pool is hash.
● The aging time takes effect only for entries of offline users.

Step 7 (Optional) Configure the function of reassigning VLANs in a VLAN pool for wired
users.
NOTE

This function takes effect only when the VLAN assignment algorithm of a VLAN pool is
hash.
Before configuring this function, enable DHCP snooping on the interface through which
users go online.
This function takes effect only for wired users.
Authentication access devices in the policy association scenario do not support this
function.
1. Run dhcp update vlan assignment
The function of reassigning VLANs in a VLAN pool is enabled.
By default, the function of reassigning VLANs in a VLAN pool is disabled.
2. (Optional) Run vlan block-time
The lockout time of VLANs in a VLAN pool is configured.
By default, the lockout time of VLANs in a VLAN pool is 5 minutes.
3. (Optional) Run dhcp update vlan assignment threshold count
The number of times the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.
By default, if the VLAN pool module receives the notification from the DHCP
module three times, the VLAN is locked.
Step 8 (Optional) Configure the function of reassigning VLANs in a VLAN pool for
wireless users.

NOTE

This function takes effect only for wireless users.
Authentication access devices in the policy association scenario do not support this
function.
This function is supported only on the S5731-H, S5731S-H, S5732-H, S6730S-H, and S6730-H.
1. Run dhcp update vlan assignment threshold count

The number of times the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.
2. Run dhcp update vlan assignment interval interval-value

The interval at which the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.

By default, if the VLAN pool module receives the notification from the DHCP
module three times within 3 minutes, the VLAN is locked.

----End

Verifying the Configuration
Run the display vlan pool { name pool-name | all [ verbose ] } command to
check the VLAN pool configuration.

1.8.6 Creating and Configuring a Domain

Context
A NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.

The device determines the domain to which a user belongs based on the user
name. Before performing authentication, authorization, and accounting on users,
you need to create the domain to which the users belong.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name [ domain-index domain-index ]

A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.

By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 (Optional) Run state { active | block [ time-range time-name &<1-4> ] }
The domain state is configured.
By default, a domain is in active state after being created. When a domain is in
blocking state, users in this domain cannot log in.
Step 5 (Optional) Configure the traffic statistics collection function.
1. Run statistic enable
The traffic statistics collection function is enabled for domain users.
By default, the traffic statistics collection is disabled for domain users.
2. Run accounting dual-stack separate
Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic
is enabled.
By default, the device does not distinguish between IPv4 and IPv6 traffic when
collecting statistics or rate limiting IPv4 and IPv6 traffic.
Step 6 (Optional) Configure the DNS function, which takes effect for all domains on the
device.
1. Run quit
Return to the AAA view.
2. Run domainname-parse-direction { left-to-right | right-to-left }
The domain name resolution direction is configured.
By default, a domain name is parsed from left to right.
3. Run domain-name-delimiter delimiter
The domain name delimiter is configured.
By default, the domain name delimiter is @.
4. Run domain-location { after-delimiter | before-delimiter }
The position of a domain name is configured.
By default, a domain name is placed behind the domain name delimiter.

NOTE

The DNS function can also be configured in the authentication profile view. If the DNS function
is configured in both the AAA view and authentication profile view, the device preferentially
uses the configuration in the authentication profile, which applies only to wireless users.
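The following added example (not from the Huawei guide) models how the three settings in this step decide which domain a user name belongs to, including the fall-back to the global default domains default and default_admin; the function name and the sample user names are constructed.

```python
def resolve_domain(user_name, *, delimiter="@", parse_direction="left-to-right",
                   domain_location="after-delimiter", admin=False):
    """Return (pure user name, domain name) under the given domain settings.

    Added illustration, not Huawei code. The defaults mirror the guide: the
    delimiter is '@', the name is parsed from left to right, and the domain
    sits after the delimiter. A name with no delimiter falls into the global
    default domain: 'default' for access users, 'default_admin' for
    administrators.
    """
    if delimiter not in user_name:
        return user_name, ("default_admin" if admin else "default")
    # left-to-right splits at the first delimiter seen from the left,
    # right-to-left at the first seen from the right; the choice only matters
    # when the name carries more than one delimiter.
    if parse_direction == "left-to-right":
        left, right = user_name.split(delimiter, 1)
    elif parse_direction == "right-to-left":
        left, right = user_name.rsplit(delimiter, 1)
    else:
        raise ValueError("parse_direction must be left-to-right or right-to-left")
    # domain-location says which side of the delimiter is the domain name.
    if domain_location == "after-delimiter":
        return left, right
    if domain_location == "before-delimiter":
        return right, left
    raise ValueError("domain_location must be after-delimiter or before-delimiter")
```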

Step 7 (Optional) Configure the security string function.


1. Run security-name enable
The security string function is enabled.
By default, the security string function is enabled.
2. Run security-name-delimiter delimiter
The security string delimiter is configured.
By default, the security string delimiter is an asterisk (*).

NOTE

The security string delimiter can also be configured in the authentication profile view. If
the security string delimiter is configured in both the AAA view and authentication profile
view, the device preferentially uses the configuration in the authentication profile, which
applies only to wireless users.

Step 8 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)

Procedure: Return to the system view.
Command: quit
Description: -

Procedure: Create an authentication profile and enter the authentication profile view.
Command: authentication-profile name authentication-profile-name
Description: By default, the device has six built-in authentication profiles:
default_authen_profile, dot1x_authen_profile, mac_authen_profile,
portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Procedure: Specify a permitted domain for wireless users.
Command: permit-domain name domain-name &<1-4>
Description: By default, no permitted domain is specified for wireless users.
After a permitted domain is specified in an authentication profile, only users in
the permitted domain can be subject to authentication, authorization, and
accounting.

----End

1.8.7 Configuring Global Default Domains


Context
The device determines the domain to which a user belongs based on the user
name. If a user name does not contain a domain name, the device cannot
determine the domain to which the user belongs, and adds the user to a global
default domain. Based on user types (access users or administrators), global
default domains are classified into the global default common domain and global
default administrative domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure global default domains.
● Run domain domain-name
The global default common domain is configured.
● Run domain domain-name admin
The global default administrative domain is configured.
By default, two global default domains are available on the device: global default
common domain named default and global default administrative domain named
default_admin.

NOTE

The same domain name can be set for the global default common domain and global default
administrative domain.

----End

Verifying the Configuration of Global Default Domains
Run the display aaa configuration command to check the configuration of global
default domains.
<HUAWEI> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default administrative domain
Normal user default domain : default //Global default common domain

1.8.8 Applying an AAA Scheme, a RADIUS Server Template, and Authorization Information to a Domain
Context
AAA schemes, server templates, and authorization information are managed in a
domain. A user uses only AAA configuration information in the domain to which
the user belongs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.

By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.

Step 4 Run authentication-scheme scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to the default domain and other domains.
Step 5 Run accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the default accounting scheme is applied to a domain. In the default
accounting scheme, non-accounting is used and the real-time accounting function
is disabled.
Step 6 Run radius-server template-name
A RADIUS server template is applied to the domain.
By default, no RADIUS server template is applied to the default_admin domain,
and the RADIUS server template named default is applied to the default domain
and other domains.

Step 7 (Optional) Run accounting-copy radius-server template-name

The RADIUS accounting packet copy function is enabled, and a RADIUS server
template for level-2 accounting is configured.

By default, the RADIUS accounting packet copy function is disabled.

NOTE

● Ensure that the IP address of the configured level-2 RADIUS accounting server is different
from that of the level-1 RADIUS accounting server (including the active/standby RADIUS
accounting server).
● Ensure that the level-2 RADIUS accounting server template configured in the domain is
different from the RADIUS server template for authentication and accounting in the domain.
If they are the same, the accounting-copy radius-server command cannot be configured and
the system displays an error message during the command configuration.

Step 8 (Optional) Configure authorization information in the domain.


NOTE

Only the NAC common mode supports authorization by a user group.


● Run user-group group-name
A user group is applied to the domain. That is, the device will deliver
authorization information of the user group to users in the domain.
By default, no user group is applied to a domain.
● Run service-scheme service-scheme-name
A service scheme is applied to the domain. That is, the device will deliver
authorization information in the service scheme to users in the domain.

By default, no service scheme is applied to a domain.

----End

Verifying the Configuration


Run the display domain [ name domain-name ] command to check the domain
configuration.

1.8.9 Configuring the RADIUS CoA or DM Function


Context
The device supports the RADIUS CoA and DM functions. CoA provides a
mechanism to change the rights of online users, and DM provides a mechanism to
forcibly disconnect users.

NOTE

If the accounting function is not configured for MAC address authentication and 802.1X
authentication users, the RADIUS CoA/DM function does not take effect when the users
roam between ACs after going online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server authorization server-source { ip-address ip-address | all-
interface }
An IPv4 address used by the device to receive and respond to request packets of a
RADIUS authorization server is configured.
By default, the device does not receive or respond to request packets of a RADIUS
authorization server.
Step 3 Configure an authorization server.

Step: Configure a RADIUS authorization server.
Command: radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ protect enable ]
Remarks: By default, no RADIUS authorization server is configured.

Step: Configure the port number of the RADIUS authorization server.
Command: radius-server authorization port port-id
Remarks: By default, the port number of the RADIUS authorization server is 3799.

Step 4 (Optional) Run radius-server authorization match-type { any | all }
The device is configured to match RADIUS attributes in the received CoA or DM
Request packets against user information on the device.
By default, a device matches RADIUS attributes in the received CoA or DM
Request packets against user information on the device in any mode. That is, the
device matches an attribute with a high priority in a Request packet against user
information on the device.
Step 5 (Optional) Run authorization-info check-fail policy { online | offline }
The policy to be enforced after the authorization information check fails is
configured.
By default, the device allows users to go online after the authorization
information check fails.
Step 6 (Optional) Run radius-server session-manage { ip-address [ vpn-instance vpn-
instance-name ] shared-key cipher share-key | any }
Session management is enabled for the RADIUS server.
By default, session management is disabled for the RADIUS server.
Step 7 (Optional) Run radius-server session-manage server-source { ip-address ip-
address | all-interface }
An IPv4 address for receiving and responding to request packets of a RADIUS
session management server is configured.
By default, the device does not receive or respond to any request packet of a
RADIUS session management server.

NOTE

In V200R020C10SPC100 and later versions, you must run both the radius-server session-
manage server-source and radius-server session-manage commands so that the session
management function of the RADIUS server can take effect.

Step 8 (Optional) Configure the format of a RADIUS attribute to be parsed.


● Run radius-server authorization calling-station-id decode-mac-format
{ bin | ascii { unformatted | { dot-split | hyphen-split } [ common |
compress ] } }
The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in
RADIUS CoA or DM packets is configured.

● Run radius-server authorization attribute-decode-sameastemplate
The device is configured to parse the MAC address format in RADIUS attribute
31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server
template configurations.
By default, the device is not configured to parse RADIUS attribute 31 in
RADIUS CoA or DM packets based on RADIUS server template configurations.

By default, the device parses the MAC address in the calling-station-id attribute
carried in RADIUS dynamic authorization packets based on the MAC address
length, without considering the MAC address format and delimiter.

Step 9 (Optional) Configure the format of a RADIUS attribute to be encapsulated.
Run radius-server authorization attribute-encode-sameastemplate
The device is configured to encapsulate the attributes in RADIUS CoA or DM
Response packets based on RADIUS server template configurations.
By default, the device is not configured to encapsulate the attributes in RADIUS
CoA or DM Response packets based on RADIUS server template configurations.
Table 1-34 lists the RADIUS attributes that can be configured in this step.

Table 1-34 Supported RADIUS attributes

RADIUS Attribute: RADIUS attribute 1 (User-Name)
Command for Configuring Attributes in a RADIUS Server Template: radius-server user-name domain-included
Description: User name

RADIUS Attribute: RADIUS attribute 4 (NAS-IP-Address)
Command for Configuring Attributes in a RADIUS Server Template: radius-attribute nas-ip
Description: NAS IP address

RADIUS Attribute: RADIUS attribute 31 (Calling-Station-Id)
Command for Configuring Attributes in a RADIUS Server Template: calling-station-id mac-format
Description: MAC address format

Step 10 (Optional) Configure the function of ignoring the authorization attribute
indicating that the port goes Down intermittently or is disabled in a CoA packet.
● Run radius-server authorization hw-ext-specific command bounce-port
disable
The function of ignoring the authorization attribute indicating that the port
goes Down intermittently in a CoA packet is configured.
● Run radius-server authorization hw-ext-specific command down-port
disable
The function of ignoring the authorization attribute indicating that the port is
disabled in a CoA packet is configured.

By default, the device supports the authorization attributes indicating that the
port goes Down intermittently or is disabled in CoA packets.

Step 11 (Optional) Configure the update mode of user authorization information.

1. Run aaa
The AAA view is displayed.
2. Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the
authorization server is configured.
By default, the update mode of user authorization information delivered by
the authorization server is overlay.

----End

Verifying the Configuration


Run the display radius-server authorization configuration command to check
the RADIUS authorization server configuration.
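As an added example that is not part of the Huawei guide, the following code shows what the device has to do with a CoA or DM Request arriving on UDP port 3799: check the shared key through the RFC 5176 Request Authenticator, match the request's attributes (User-Name, NAS-IP-Address, Calling-Station-Id from Table 1-34) against the online-user table in any or all mode, and answer with an ACK or NAK. The online-user table, the shared key, the priority order used for any mode, and every address and MAC are constructed.

```python
"""NAS-side handling of RADIUS CoA/DM Requests (added illustration, not Huawei
code). Packet layout and authenticators follow RFC 5176; the user table, the
any-mode priority order and all sample values are constructed."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31   # attributes from Table 1-34
# Assumed priority for match-type any (the guide does not list the order).
ANY_PRIORITY = (CALLING_STATION_ID, USER_NAME, NAS_IP_ADDRESS)


def parse_attributes(payload):
    """Split the attribute area into {type: value}; reject malformed TLVs."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_request(code, ident, attrs, secret):
    """Encode a CoA/DM Request; Request Authenticator = MD5(header|16 zero|attrs|secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Return (code, ident, attrs) if the shared-key check passes, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None          # wrong shared key or tampered packet: silently discard
    return code, ident, parse_attributes(packet[20:])


def build_response(code, ident, request_auth, secret):
    """ACK/NAK without attributes; Response Authenticator covers the request's."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def match_session(attrs, sessions, match_type):
    """Find the online user the request refers to, in 'any' or 'all' mode."""
    present = [t for t in ANY_PRIORITY if t in attrs]
    if not present:
        return None
    keys = present[:1] if match_type == "any" else present   # any: top priority only
    for session in sessions:
        if all(session.get(t) == attrs[t] for t in keys):
            return session
    return None


def handle_packet(packet, secret, sessions, match_type="any"):
    """Verify, match and answer one request. Returns (response bytes, session)."""
    parsed = verify_request(packet, secret)
    if parsed is None:
        return None, None
    code, ident, attrs = parsed
    session = match_session(attrs, sessions, match_type)
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)
    return build_response(ack if session else nak, ident, packet[4:20], secret), session


# Constructed online-user table (documentation addresses, made-up MACs).
SESSIONS = [
    {USER_NAME: b"alice@default", NAS_IP_ADDRESS: socket.inet_aton("192.0.2.1"),
     CALLING_STATION_ID: b"00-11-22-33-44-55"},
    {USER_NAME: b"bob@default", NAS_IP_ADDRESS: socket.inet_aton("192.0.2.1"),
     CALLING_STATION_ID: b"00-11-22-33-44-66"},
]
SECRET = b"constructed-shared-key"

if __name__ == "__main__":
    dm = build_request(DISCONNECT_REQUEST, 7, [(USER_NAME, b"alice@default")], SECRET)
    resp, who = handle_packet(dm, SECRET, SESSIONS)
    print("DM answered with code", resp[0], "for", who[USER_NAME])
```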

1.9 Using HWTACACS to Perform Authentication, Authorization, and Accounting
HWTACACS Authentication, Authorization, and Accounting
Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for
access users by communicating with the HWTACACS server.
HWTACACS protects a network from unauthorized access and supports command-
line authorization. HWTACACS is more reliable in transmission and encryption
than RADIUS, and is more suitable for security control.

1.9.1 Configuring an HWTACACS Server


If HWTACACS authentication and authorization are used, users' authentication,
authorization, and accounting information needs to be configured on the
HWTACACS server.
If a user wants to establish a connection with the access device through a network
to obtain rights to access other networks and network resources, the access device
transparently transmits the user's authentication, authorization, and accounting
information to the HWTACACS server. The HWTACACS server determines whether
the user can pass authentication based on the configured information. If the user
passes the authentication, the HWTACACS server sends a reply containing the
user's authorization information to the access device. The access device then
allows the user to access the network and grants rights to the user based on the
information in the reply.

1.9.2 Configuring AAA Schemes

Context
To use HWTACACS authentication, authorization, and accounting, set the
authentication mode in the authentication scheme, authorization mode in the
authorization scheme, and accounting mode in the accounting scheme to
HWTACACS.

When configuring HWTACACS authentication, you can configure local
authentication or non-authentication as the backup. This allows local
authentication to be implemented if HWTACACS authentication fails. When
configuring HWTACACS authorization, you can configure local authorization or
non-authorization as the backup.

NOTE

If non-authentication is configured using the authentication-mode command, users can
pass the authentication using any user name or password. To protect the device and
improve network security, you are advised to enable authentication to allow only
authenticated users to access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view

The system view is displayed.


b. Run aaa

The AAA view is displayed.


c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or the view of an existing authentication scheme is
displayed.
By default, two authentication schemes named default and radius are
available on the device. These two authentication schemes can be
modified but not deleted.
d. Run authentication-mode hwtacacs
The HWTACACS authentication mode is specified.
By default, local authentication is used. The names of local users are
case-insensitive.
To use local authentication as the backup, run the authentication-mode
hwtacacs [ local | local-case ] command.
e. (Optional) Run undo server no-response authorization
The device uses the configured authorization mode instead of requesting
local authorization if local authentication is used when the server does
not respond to users' authentication requests.
By default, when both server authorization and local authorization are
configured, the device requests local authorization after local
authentication is used when the server does not respond to users'
authentication requests.
f. (Optional) Run undo server no-response accounting
The device is configured not to send accounting packets when the server
does not respond to a user's authentication request and the user then is
authenticated using the local authentication mode.
By default, when the accounting function is configured, the device does
not send accounting packets when the server does not respond to a
user's authentication request and the user then is authenticated using the
local authentication mode.
g. (Optional) Run authentication-super { hwtacacs | radius | super } *

[ none ]
The authentication mode for upgrading user levels is specified.
The default mode is super (local authentication).
h. Run quit
The AAA view is displayed.
i. (Optional) Configure the account locking function.
i. Run the access-user remote authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time command to enable the
account locking function for access users who fail remote
authentication.
Or: run the administrator remote authen-fail retry-interval retry-
interval retry-time retry-time block-time block-time command to
enable the account locking function for administrators who fail
remote authentication.
By default, the account locking function is disabled for access users
who fail remote authentication, and the account locking function is
enabled for administrators who fail remote authentication. The
authentication retry interval is 5 minutes, the maximum number of
consecutive authentication failures is 30, and the account locking
period is 5 minutes.
ii. Run aaa-quiet administrator except-list { ipv4-address | ipv6-
address } &<1-32>
A user is configured to access the network using a specified IP
address if the user account is locked.
By default, a user cannot access the network if the user account is
locked.
You can run the display aaa-quiet administrator except-list
command to query the specified IP addresses.
iii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
j. (Optional) Run security-name enable
The security string function is enabled.
By default, the security string function is enabled.
k. (Optional) Run security-name-delimiter delimiter
A security string delimiter is set.
The default security string delimiter is * (asterisk).


l. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
The direction in which the user name and domain name are parsed is
specified.
By default, a domain name is parsed from left to right.
m. Run quit
The system view is displayed.
n. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication duration is set. While bypass authentication is
enabled, logins are not authenticated, so leave it disabled unless you are
deliberately opening a maintenance window.
By default, the bypass authentication function is disabled.

● Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is
displayed, or the view of an existing authorization scheme is displayed.
By default, an authorization scheme named default is available on the
device. The default authorization scheme can be modified but not
deleted.
d. Run authorization-mode hwtacacs [ local | local-case ] [ none ]
The authorization mode is specified.
By default, local authorization is used. The names of local users are
case-insensitive.
If HWTACACS authorization is configured, you must configure an
HWTACACS server template and apply the template to the corresponding
user domain.
e. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]
Command-line authorization is enabled for users at a certain level.
By default, command-line authorization is disabled for users at privilege
levels 0 to 15.
If command-line authorization is enabled, you must configure an
HWTACACS server template and apply the template to the corresponding
user domain.
f. Run quit
The AAA view is displayed.
g. Run quit
The system view is displayed.
h. (Optional) Run aaa-author-bypass enable time time-value
The bypass authorization duration is set.
By default, bypass authorization is disabled.
i. (Optional) Run aaa-author-cmd-bypass enable time time-value
The bypass command-line authorization duration is set.
By default, bypass command-line authorization is disabled.

● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is
displayed, or the view of an existing accounting scheme is displayed.
By default, an accounting scheme named default is available on the
device. The default accounting scheme can be modified but not deleted.
d. Run accounting-mode hwtacacs
The HWTACACS accounting mode is specified.
The default accounting mode is none.
e. (Optional) Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.
f. (Optional) Run accounting realtime interval
Real-time accounting is enabled and the accounting interval is set.
By default, real-time accounting is disabled. The device performs
accounting for users based on their online duration.
g. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }
The maximum number of real-time accounting failures is set, and a
policy is specified for the device if the maximum number of real-time
accounting attempts fail.
The default maximum number of real-time accounting failures is 3. The
device will keep the users online if three real-time accounting attempts
fail.

----End
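The three scheme procedures above, combined into one session on a switch that authenticates administrators against HWTACACS with local fallback, has the server authorize every level-15 command, accounts the session, and locks out administrators who repeatedly fail remote authentication. This is an added example and not a configuration from the guide: the scheme names tac-authen, tac-author and tac-acct, the timer values, the except-list address 192.0.2.100 and the HUAWEI prompts are assumptions, and lines beginning with # are explanatory comments rather than commands.

```text
<HUAWEI> system-view
[HUAWEI] aaa
# Authentication: ask the HWTACACS server first and fall back to the local
# user database only when the server does not respond. Do not append
# "none": it would be reached whenever the modes before it give no answer,
# turning a server outage into an unauthenticated login.
[HUAWEI-aaa] authentication-scheme tac-authen
[HUAWEI-aaa-authen-tac-authen] authentication-mode hwtacacs local
# Privilege escalation with the super command also goes to the server first.
[HUAWEI-aaa-authen-tac-authen] authentication-super hwtacacs super
[HUAWEI-aaa-authen-tac-authen] quit
# Authorization: server first with local fallback, and every command typed
# by a level-15 user is checked with the server before it runs.
[HUAWEI-aaa] authorization-scheme tac-author
[HUAWEI-aaa-author-tac-author] authorization-mode hwtacacs local
[HUAWEI-aaa-author-tac-author] authorization-cmd 15 hwtacacs local
[HUAWEI-aaa-author-tac-author] quit
# Accounting: keep the start-fail policy at offline so that a session the
# server never heard about cannot continue unrecorded; send interim records
# every 15 minutes and cut the user off after 3 consecutive failures.
[HUAWEI-aaa] accounting-scheme tac-acct
[HUAWEI-aaa-accounting-tac-acct] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-tac-acct] accounting start-fail offline
[HUAWEI-aaa-accounting-tac-acct] accounting realtime 15
[HUAWEI-aaa-accounting-tac-acct] accounting interim-fail max-times 3 offline
[HUAWEI-aaa-accounting-tac-acct] quit
# Lockout for administrators who fail remote authentication: tighten the
# default (30 failures in 5 minutes, 5-minute lock) to 5 failures in
# 5 minutes with a 15-minute lock, and exempt one management host so an
# attacker cannot lock operators out of the device entirely.
[HUAWEI-aaa] administrator remote authen-fail retry-interval 5 retry-time 5 block-time 15
[HUAWEI-aaa] aaa-quiet administrator except-list 192.0.2.100
[HUAWEI-aaa] quit
```

The schemes take effect only once they are applied to a domain together with an HWTACACS server template (1.9.6). Leave aaa-authen-bypass, aaa-author-bypass and aaa-author-cmd-bypass disabled outside a planned maintenance window, since each suspends the corresponding check for the configured time. Check the result with display authentication-scheme tac-authen, display authorization-scheme tac-author and display accounting-scheme tac-acct.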

1.9.3 Configuring an HWTACACS Server Template

Context
When configuring an HWTACACS server template, you must specify the IP address,
port number, and shared key of a specified HWTACACS server. Other settings, such
as the HWTACACS user name format and traffic unit, have default values and can
be modified based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name
format and shared key must be the same as those on the HWTACACS server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hwtacacs enable

HWTACACS is enabled.

By default, HWTACACS is enabled.

Step 3 Run hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template
view is displayed.

By default, no HWTACACS server template is created on the device.

Step 4 Configure HWTACACS authentication, authorization, and accounting servers.


NOTE

IPv4 and IPv6 servers can be configured in the same HWTACACS server template.
The servers are selected in this order: primary IPv4 server -> primary IPv6
server -> secondary IPv4 server -> secondary IPv6 server -> third IPv4 server
-> third IPv6 server -> fourth IPv4 server -> fourth IPv6 server.

● Configure an HWTACACS authentication server: hwtacacs-server
authentication { ipv4-address | ipv6-address } [ port ] [ public-net |
vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
By default, no HWTACACS authentication server is configured.
● Configure an HWTACACS authorization server: hwtacacs-server
authorization { ipv4-address | ipv6-address } [ port ] [ public-net |
vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
By default, no HWTACACS authorization server is configured.
● Configure an HWTACACS accounting server: hwtacacs-server accounting
{ ipv4-address | ipv6-address } [ port ] [ public-net | vpn-instance
vpn-instance-name ] [ secondary | third | fourth ]
By default, no HWTACACS accounting server is configured.

Step 5 Set parameters for interconnection between the device and an HWTACACS server.

● Set the shared key for the HWTACACS server: hwtacacs-server shared-key
cipher key-string
By default, no shared key is set for an HWTACACS server. The key must be
the same as the one configured for this device on the HWTACACS server.
● (Optional) Configure the format of the user name in the packets sent by
the device to the HWTACACS server:
▪ Configure the user name to contain the domain name: hwtacacs-server
user-name domain-included
▪ Configure the original user name: hwtacacs-server user-name original
▪ Configure the user name not to contain the domain name: undo
hwtacacs-server user-name domain-included
By default, the device does not change the user name entered by the user
when sending packets to the HWTACACS server.
● (Optional) Set the HWTACACS traffic unit: hwtacacs-server traffic-unit
{ byte | kbyte | mbyte | gbyte }
The default HWTACACS traffic unit on the device is bytes.
● (Optional) Set the source IP address for communication between the
device and the HWTACACS server: hwtacacs-server source-ip { ip-address |
source-loopback interface-number | source-vlanif interface-number }
Or: hwtacacs-server source-ipv6 { ipv6-address | source-loopback
interface-number | ipv6 source-vlanif interface-number }
By default, the device uses the IP address of the actual outbound
interface as the source IP address encapsulated in HWTACACS packets.

Step 6 (Optional) Set the response timeout interval and activation interval for the
HWTACACS server.

● Set the response timeout interval for the HWTACACS server:
hwtacacs-server timer response-timeout interval
The default response timeout interval for an HWTACACS server is
5 seconds.
If the device does not receive a response from an HWTACACS server within
the response timeout interval, it considers that the HWTACACS server is
unavailable. The device then attempts to use other authentication and
authorization methods.
● Set the interval at which the primary HWTACACS server restores to the
active state: hwtacacs-server timer quiet interval
The default interval at which the primary HWTACACS server restores to
the active state is 5 minutes.

Step 7 (Optional) Run hwtacacs-server authentication user-name in-authentication-start
The device is configured to encapsulate the user name in the Authentication-Start
packets of administrators.
By default, the Authentication-Start packets of administrators do not carry the
user name.

NOTE

This function takes effect only for administrators.

Step 8 Run quit
The system view is displayed.
Step 9 (Optional) Run hwtacacs-server accounting-stop-packet resend { disable |
enable number }
The function of retransmitting Accounting-Stop packets is configured.
By default, the function of retransmitting Accounting-Stop packets is enabled and
the number of retransmissions is 100.
Step 10 Run return
The user view is displayed.
Step 11 (Optional) Run hwtacacs-user change-password hwtacacs-server template-name
The password saved on the HWTACACS server is changed.

NOTE

To ensure device security, you are advised to change the password periodically.

----End
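The template procedure above as one session, with primary and secondary servers for authentication, authorization and accounting, a shared key, a loopback source address, and shorter failure timers. This is an added example and not a configuration from the guide: the template name tac-tpl, the server addresses 192.0.2.10 and 192.0.2.11, the key string, the LoopBack0 interface and the HUAWEI prompts are assumptions, and lines beginning with # are explanatory comments rather than commands.

```text
<HUAWEI> system-view
[HUAWEI] hwtacacs enable
[HUAWEI] hwtacacs-server template tac-tpl
# Primary and secondary servers for all three functions. The device uses
# the primary until it stops answering, then moves to the secondary and
# retries the primary after the quiet timer expires.
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authentication 192.0.2.10 49
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authentication 192.0.2.11 49 secondary
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authorization 192.0.2.10 49
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authorization 192.0.2.11 49 secondary
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server accounting 192.0.2.10 49
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server accounting 192.0.2.11 49 secondary
# Shared key (constructed value): must match the key the servers hold for
# this client. Entered once in clear text, stored in cipher form.
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server shared-key cipher Tac-Example-Key-2022
# Source the packets from LoopBack0 so both servers see one stable client
# address whichever uplink the packet leaves on.
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server source-ip source-loopback 0
# Send the login name without the domain suffix: the server database holds
# plain user names, not user@domain.
[HUAWEI-hwtacacs-tac-tpl] undo hwtacacs-server user-name domain-included
# Treat a server as unavailable after 3 seconds without a reply (default 5)
# and retry the primary after 5 minutes.
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server timer response-timeout 3
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server timer quiet 5
[HUAWEI-hwtacacs-tac-tpl] quit
# Retransmit an Accounting-Stop packet up to 20 times (default 100) if the
# server is unreachable when a session ends.
[HUAWEI] hwtacacs-server accounting-stop-packet resend enable 20
```

The HWTACACS body is obfuscated with a keystream derived from the shared key, as in TACACS+, so that key is the only thing protecting administrator credentials on the TCP port 49 path: use a long random string and keep the path to the servers inside the management network. The shared key, the user-name format and the source address must agree with what the servers expect for this client. Confirm the template with display hwtacacs-server template tac-tpl and, after a login, display hwtacacs-server template tac-tpl verbose for the authentication, authorization and accounting counters.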

1.9.4 Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

NOTE

When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

● Configure the IP address of the primary DNS server: dns ip-address
By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server: dns ip-address
secondary
By default, no secondary DNS server is configured in a service scheme.

Step 6 Run redirect-acl [ ipv6 ] { acl-number | name acl-name }
A redirection ACL is configured in the service scheme.
By default, no redirection ACL is configured in a service scheme.

NOTE

The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.

Step 7 Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut command configured in the service scheme view takes effect only for wireless
users.

Step 8 Run access-limit user-name max-num number
The maximum number of users who are allowed to access the network using the
same user name is configured.
By default, the number of users who are allowed to access the network using the
same user name is not limited, and is determined by the maximum number of
access users supported by the device.

NOTE

Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.

Step 9 Run priority priority-value
The user priority is configured in the service scheme.
By default, the user priority is 0.
Step 10 Configure network access control parameters in the service scheme.


1. Run acl-id [ ipv6 ] acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE

Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
NOTE

The QoS profile is supported only by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
Before running this command, ensure that a QoS profile has been configured.
The procedure for configuring a QoS profile is as follows:
a. In the system view, run qos-profile name profile-name
A QoS profile is created and the QoS profile view is displayed.
b. Configure traffic policing, packet processing priority, and user queue in
the QoS profile view. (Of all parameters in the QoS profile bound to the
service scheme, only those configured using the following commands
take effect.)
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
▪ Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in
the QoS profile.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
NOTE
If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the former takes precedence.
▪ Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is
configured in the QoS profile.
By default, the action of re-marking 802.1p priorities of VLAN
packets is not configured in a QoS profile.
NOTE
If both remark 8021p 8021p-value and voice-vlan remark 8021p 8021p-value
are configured, the former takes precedence.
▪ Run user-queue { pir pir-value | flow-queue-profile flow-queue-profile-name |
flow-mapping-profile flow-mapping-profile-name } *
A user queue is created in the QoS profile to implement HQoS
scheduling.
By default, no user queue is configured in a QoS profile.
NOTE
Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support HQoS scheduling.
For details about authorization HQoS configuration and guidelines, see
Configuring a Subscriber Queue.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed, or the
existing SAC profile view is displayed.
b. Run acl { ucl-number | name acl-name } remark local-precedence
local-precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.

----End

1.9.5 (Optional) Configuring a Recording Scheme


Context
Improper operations by a network administrator may sometimes cause a network
failure. After HWTACACS authentication and authorization are configured, the
server can record administrator's operations. These records can be used to locate
the problem if a network failure occurs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run recording-scheme recording-scheme-name
A recording scheme is created and the recording scheme view is displayed.
By default, no recording scheme is configured on the device.
Step 4 Run recording-mode hwtacacs template-name
The recording scheme is associated with the HWTACACS server template.
By default, a recording scheme is not associated with any HWTACACS server
template.
Step 5 Run quit
The AAA view is displayed.
Step 6 Run cmd recording-scheme recording-scheme-name
A policy is configured to record the commands that have been executed on the
device.
By default, the commands used on the device are not recorded.
Step 7 Run outbound recording-scheme recording-scheme-name
A policy is configured to record connection information.
By default, connection information is not recorded.
Step 8 Run system recording-scheme recording-scheme-name
A policy is configured to record system events.
By default, system events are not recorded.

----End

1.9.6 Applying AAA Schemes to a Domain

Context
The created authentication scheme, authorization scheme, accounting scheme,
and HWTACACS server template are in effect only when they are applied to a
domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators

NOTE

● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.

Step 4 Apply AAA schemes to the domain.

● Apply an authentication scheme to the domain: authentication-scheme
scheme-name
By default, the authentication scheme default is applied to the
default_admin domain, and the authentication scheme named radius is
applied to the default domain and other domains.
● Apply an authorization scheme to the domain: authorization-scheme
authorization-scheme-name
By default, no authorization scheme is applied to a domain.
● Apply an accounting scheme to the domain: accounting-scheme
accounting-scheme-name
By default, the accounting scheme default is applied to a domain. In this
accounting scheme, non-accounting is used and real-time accounting is
disabled.

Step 5 Apply a service scheme and an HWTACACS server template to the domain.

● (Optional) Apply a service scheme to the domain: service-scheme
service-scheme-name
By default, no service scheme is applied to a domain.
● Apply an HWTACACS server template to the domain: hwtacacs-server
template-name
By default, no HWTACACS server template is applied to a domain.

Step 6 (Optional) Configure other functions for the domain.

● Specify the domain state: state { active | block [ time-range time-name
&<1–4> ] }
When a domain is in the blocking state, users in this domain cannot
log in. By default, a created domain is in the active state.
● Apply a user group to the domain: user-group group-name
By default, no user group is applied to a domain.
NOTE
This command is supported only in NAC common mode.

Step 7 (Optional) Configure the traffic statistics collection function.

1. Run statistic enable
The traffic statistics collection function is enabled for domain users.
By default, the traffic statistics collection is disabled for domain users.
2. Run accounting dual-stack separate
Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic
is enabled.
By default, the device does not distinguish between IPv4 and IPv6 traffic when
collecting statistics or rate limiting IPv4 and IPv6 traffic.
Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is
configured in both the AAA view and the authentication profile view, the device
preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)

In the AAA view:
● Exit from the domain view: quit
● Specify the domain name parsing direction: domainname-parse-direction
{ left-to-right | right-to-left }
The domain name can be parsed from left to right or from right to left.
By default, the domain name is parsed from left to right.
● Set the domain name delimiter: domain-name-delimiter delimiter
A domain name delimiter can be any of the following: \ / : < > | @ ' %.
The default domain name delimiter is @.
● Specify the domain name location: domain-location { after-delimiter |
before-delimiter }
The domain name can be placed before or after the delimiter. By default,
the domain name is placed after the domain name delimiter.
● Set the security string delimiter: security-name-delimiter delimiter
By default, the security string delimiter is * (asterisk).

In the authentication profile view:
● Exit from the AAA view: quit
● Create an authentication profile and enter the authentication profile
view: authentication-profile name authentication-profile-name
By default, the device has six built-in authentication profiles:
default_authen_profile, dot1x_authen_profile, mac_authen_profile,
portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
● Specify the domain name parsing direction: domainname-parse-direction
{ left-to-right | right-to-left }
The domain name can be parsed from left to right or from right to left.
By default, the domain name parsing direction is not specified in an
authentication profile.
● Set the domain name delimiter: domain-name-delimiter delimiter
A domain name delimiter can be any of the following: \ / : < > | @ ' %.
By default, no domain name delimiter is set in an authentication profile.
● Specify the domain name location: domain-location { after-delimiter |
before-delimiter }
By default, the domain name location is not specified in an
authentication profile.
● Set the security string delimiter: security-name-delimiter delimiter
By default, no security string delimiter is set in an authentication
profile.


Step 9 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)

● Return to the system view: quit
● Create an authentication profile and enter the authentication profile
view: authentication-profile name authentication-profile-name
By default, the device has six built-in authentication profiles:
default_authen_profile, dot1x_authen_profile, mac_authen_profile,
portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
● Specify a permitted domain for wireless users: permit-domain name
domain-name &<1-4>
By default, no permitted domain is specified for wireless users. After a
permitted domain is specified in an authentication profile, only users in
the permitted domain can be subject to authentication, authorization,
and accounting.

----End
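Sections 1.9.4 to 1.9.6 as one session: a service scheme for administrators, a recording scheme that sends command, connection and system records to the HWTACACS server, and a domain that binds the schemes, the service scheme and the server template and is then made the default domain for administrators. This is an added example and not a configuration from the guide. It assumes that an authentication scheme tac-authen, an authorization scheme tac-author, an accounting scheme tac-acct and a server template tac-tpl already exist (hypothetical names, created by the scheme and template procedures earlier in 1.9); the domain name corp, the names admin-svc and tac-rec, and the HUAWEI prompts are likewise assumptions, and lines beginning with # are explanatory comments rather than commands.

```text
<HUAWEI> system-view
[HUAWEI] aaa
# Service scheme: users of the domain that applies it are treated as
# administrators with login level 15.
[HUAWEI-aaa] service-scheme admin-svc
[HUAWEI-aaa-service-admin-svc] admin-user privilege level 15
[HUAWEI-aaa-service-admin-svc] quit
# Recording scheme: an audit trail of executed commands, connection events
# and system events on the HWTACACS server. Creating the scheme records
# nothing by itself; the three policy commands below switch recording on.
[HUAWEI-aaa] recording-scheme tac-rec
[HUAWEI-aaa-recording-tac-rec] recording-mode hwtacacs tac-tpl
[HUAWEI-aaa-recording-tac-rec] quit
[HUAWEI-aaa] cmd recording-scheme tac-rec
[HUAWEI-aaa] outbound recording-scheme tac-rec
[HUAWEI-aaa] system recording-scheme tac-rec
# Domain: apply all three schemes explicitly. A domain with no
# authentication scheme applied uses the built-in radius scheme, not
# HWTACACS.
[HUAWEI-aaa] domain corp
[HUAWEI-aaa-domain-corp] authentication-scheme tac-authen
[HUAWEI-aaa-domain-corp] authorization-scheme tac-author
[HUAWEI-aaa-domain-corp] accounting-scheme tac-acct
[HUAWEI-aaa-domain-corp] service-scheme admin-svc
[HUAWEI-aaa-domain-corp] hwtacacs-server tac-tpl
[HUAWEI-aaa-domain-corp] quit
# Make corp the global default domain for administrators: a login as
# "jdoe" (no suffix) now lands in corp rather than in default_admin, whose
# default scheme authenticates locally.
[HUAWEI-aaa] domain corp admin
# Parsing rules, stated explicitly although they are the defaults:
# "jdoe@corp" is split at "@" and the part after it is the domain.
[HUAWEI-aaa] domainname-parse-direction left-to-right
[HUAWEI-aaa] domain-name-delimiter @
[HUAWEI-aaa] domain-location after-delimiter
[HUAWEI-aaa] quit
```

With undo hwtacacs-server user-name domain-included set in the template, the server receives jdoe for a login as jdoe@corp; with domain-included it receives the full string, so the choice has to match how accounts are named on the server. Verify the binding with display domain name corp and display recording-scheme tac-rec, and confirm on the server that command records arrive for a test session before relying on the trail.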

1.9.7 Verifying the HWTACACS AAA Configuration

Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display recording-scheme [ recording-scheme-name ] command to
verify the recording scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display hwtacacs-server template [ template-name ] command to
verify the HWTACACS server template configuration.
● Run the display hwtacacs-server template template-name verbose
command to check statistics about HWTACACS authentication, accounting,
and authorization.
● Run the display hwtacacs-server accounting-stop-packet { all | number | ip
{ ipv4-address | ipv6-address } } command to verify information about
accounting-stop packets of the HWTACACS server.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
● Run the display access-user user-name-table statistics { all | username
username } command to check statistics on users who are allowed to access
the network using the user name.

----End


1.10 Configuring HACA Authentication


HACA Authentication
NOTE

Only the following switch models support HACA:
S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H,
S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6735-S, S6720-EI, S6720S-EI,
S6730-H, and S6730S-H.

Similar to the RADIUS protocol, the HACA protocol uses the client/server model to
authenticate access users.

Configuration Procedure

1.10.1 Configuring an HACA Server

Context
When HACA authentication and authorization are used, the authentication and
authorization information must be configured on the HACA server.

When a user requests to access the Internet, the access device forwards
authentication information to the HACA server. The HACA server then decides
whether to allow the user to pass based on the configured information. If the user
is allowed, the HACA server sends an access-accept message carrying
authorization information to the access device. The access device then authorizes
network access rights to the user according to the access-accept message.

Procedure
Configure the HACA server according to the HACA server documentation.

1.10.2 Configuring an AAA Scheme

Context
If HACA authentication and authorization are used, set the authentication mode in
the authentication scheme to HACA and the accounting mode in an accounting
scheme to HACA.

NOTE

If non-authentication is configured using the authentication-mode command, users can
pass the authentication using any user name or password. To protect the device and
improve network security, you are advised to enable authentication so that only
authenticated users can access the device or network.


Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and its view is displayed, or the view
of an existing authentication scheme is displayed.
By default, two authentication schemes named default and radius are
available on the device. The two authentication schemes can be modified
but not deleted.
d. Run authentication-mode haca
The authentication method is set to HACA.
By default, local authentication is used. The names of local users are
case-insensitive.
To use local authentication as the backup authentication mode, run the
authentication-mode haca { local | local-case } command to configure
local authentication.

NOTE

If multiple authentication modes are configured in an authentication scheme, the
authentication modes are used according to the sequence in which they were
configured. The device uses the authentication mode that was configured later
only when it does not receive any response from the current authentication. The
device stops the authentication if the current authentication fails.
e. (Optional) Run undo server no-response authorization
f. (Optional) Run undo server no-response accounting
The device is configured not to send accounting packets when the server
does not respond to a user's authentication request and the user then is
authenticated using the local authentication mode.
By default, when the accounting function is configured, the device does
not send accounting packets when the server does not respond to a
user's authentication request and the user then is authenticated using the
local authentication mode.
g. Run quit
Return to the AAA view.
h. (Optional) Configure the account locking function.
i. Run the access-user remote authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time command to enable the
account locking function for access users who fail remote
authentication.
Or: run the administrator remote authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time command to enable the account
locking function for administrators who fail remote authentication.
By default, the account locking function is disabled for access users
who fail remote authentication, and the account locking function is
enabled for administrators who fail remote authentication. The
authentication retry interval is 5 minutes, the maximum number of
consecutive authentication failures is 30, and the account locking
period is 5 minutes.
ii. Run aaa-quiet administrator except-list { ipv4-address | ipv6-
address } &<1-32>
A user is configured to access the network using a specified IP
address if the user account is locked.
By default, a user cannot access the network if the user account is
locked.
You can run the display aaa-quiet administrator except-list
command to query the specified IP addresses.
iii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
i. (Optional) Run domainname-parse-direction { left-to-right | right-to-
left }
The direction in which the domain name is parsed is configured.
By default, the domain name is parsed from left to right.
j. (Optional) Run aaa-author session-timeout invalid-value enable
The device will not disconnect or reauthenticate users when the RADIUS
server delivers session-timeout with value 0.
By default, the device disconnects or reauthenticates users when the
RADIUS server delivers session-timeout with value 0.
k. Run quit
Return to the system view.
● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created, and the corresponding accounting
scheme view or an existing accounting scheme view is displayed.
There is a default accounting scheme named default on the device. This
default accounting scheme can be modified but not deleted.
d. Run accounting-mode haca
The HACA accounting mode is configured in the accounting scheme.
By default, the accounting mode is none.
e. (Optional) Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.
f. (Optional) Run accounting realtime interval
Real-time accounting is enabled and the interval for real-time accounting
is set.
By default, the device performs accounting based on user online duration, and
the real-time accounting function is disabled.
g. (Optional) Run accounting interim-fail [ max-times times ] { offline |
online }
The maximum number of real-time accounting failures is set and a policy
used after the number of real-time accounting failures exceeds the
maximum is configured.
By default, the maximum number of real-time accounting failures is 3
and the device keeps users online after the number of real-time
accounting failures exceeds the maximum.
----End

1.10.3 Configuring an HACA Server Template

Context
In an HACA server template, you must specify the server IP address and port
number. Other settings such as the HACA user name format and HACA server
response timeout interval have default values and can be changed based on
network requirements.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run haca-server template template-name
An HACA server template is created and its view is displayed.
By default, no HACA server template is created.
Step 3 Run haca-server server-address ip-address [ port ] pki-realm-name
The IP address and port number of the HACA server are configured.
By default, the IP address and port number of the HACA server are not configured
on the device.
Step 4 Run the following commands as required:
● To add the domain name to the user name in the packets sent to the HACA
server, run the haca-server user-name domain-included command.

● To retain the original user name in the packets sent to the HACA server, run
the haca-server user-name original command.
By default, the device does not modify the user name entered by the user in the
packets sent to the HACA server.
Step 5 Run haca-server source-ip ip-address
The source IP address is specified for HACA packets.
By default, no source IP address is specified for HACA packets. The device uses the
IP address of the actual outbound interface as the source IP address of HACA
packets.
Step 6 (Optional) Run haca-server timer response-timeout interval
The response timeout interval for the HACA server is set.
By default, the response timeout interval for the HACA server is 5 seconds.
Step 7 (Optional) Run haca-server timer down-delay interval
The delay after which an HACA server is disconnected is set.
By default, the delay after which an HACA server is disconnected is 30 seconds.
Step 8 (Optional) Run haca-server timer reconnection interval
The interval for reconnecting to the HACA server is set.
By default, the interval for reconnecting to the HACA server is 1 minute.
Step 9 (Optional) Run haca-server timer heart-beat interval
The interval for sending heartbeat packets is set.
By default, the interval for sending heartbeat packets is 5 minutes.
Step 10 (Optional) Run haca-server timer register-sync interval
The device is configured to send HACA registration synchronization packets to
iMaster NCE-Campus.
By default, a device sends HACA registration synchronization packets to iMaster
NCE-Campus at an interval of 15 minutes.
Step 11 (Optional) Run haca-server accounting-stop-packet resend [ resend-times ]
Retransmission of accounting-stop packets is enabled, and the number of
accounting-stop packets that can be retransmitted is set.
By default, retransmission of accounting-stop packets is enabled, and three
accounting-stop packets can be retransmitted.
Step 12 Run haca enable
HACA is enabled.
By default, HACA is disabled.
Step 13 Run quit
Return to the system view.

Step 14 (Optional) Run haca-server timer user-syn interval

The interval for synchronizing user information to the HACA server is set.

By default, the interval for synchronizing user information to the HACA server is
10 minutes.

----End

1.10.4 Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

NOTE

When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.
● To configure the IP address of the primary DNS server, run the dns ip-address
command.
By default, no primary DNS server is configured in a service scheme.
● To configure the IP address of the secondary DNS server, run the dns ip-address
secondary command.
By default, no secondary DNS server is configured in a service scheme.

Step 6 Run redirect-acl [ ipv6 ] { acl-number | name acl-name }
A redirection ACL is configured in the service scheme.
By default, no redirection ACL is configured in a service scheme.

NOTE

The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.

Step 7 Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut command configured in the service scheme view takes effect only for wireless
users.

Step 8 Run access-limit user-name max-num number
The maximum number of users who are allowed to access the network using the
same user name is configured.
By default, the number of users who are allowed to access the network using the
same user name is not limited, and is determined by the maximum number of
access users supported by the device.

NOTE

The limit on the number of access users using the same user name applies only to
users who have been successfully authenticated; it does not apply to
pre-connection users.
This command does not take effect in inter-AC roaming scenarios.

Step 9 Run priority priority-value
The user priority is configured in the service scheme.
By default, the user priority is 0.
Step 10 Configure network access control parameters in the service scheme.

1. Run acl-id [ ipv6 ] acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE

Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
NOTE

The QoS profile is supported only by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
Before running this command, ensure that a QoS profile has been configured.
The procedure for configuring a QoS profile is as follows:
a. In the system view, run qos-profile name profile-name
A QoS profile is created and the QoS profile view is displayed.
b. Configure traffic policing, packet processing priority, and user queue in
the QoS profile view. (Of all parameters in the QoS profile bound to the
service scheme, only those configured using the following commands
take effect.)
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
▪ Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in the
QoS profile.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
NOTE

If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
▪ Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is
configured in the QoS profile.
By default, the action of re-marking 802.1p priorities of VLAN
packets is not configured in a QoS profile.
NOTE

If both remark 8021p 8021p-value and voice-vlan remark 8021p 8021p-value
are configured, the 802.1p priority of the former is higher.
▪ Run user-queue { pir pir-value | flow-queue-profile flow-queue-profile-name |
flow-mapping-profile flow-mapping-profile-name } *
A user queue is created in the QoS profile to implement HQoS
scheduling.
By default, no user queue is configured in a QoS profile.
NOTE

Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
NOTE

For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.

b. Run acl { ucl-number | name acl-name } remark local-precedence local-precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.

----End

1.10.5 Applying an AAA Scheme to a Domain

Context
The created authentication scheme and HACA server template take effect only
after being applied to a domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains named default and default_admin. The two
domains can be modified but not deleted.
Step 4 Run authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named radius is applied to the default
domain, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to other domains.
Step 5 Run accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the accounting scheme named default is applied to a domain. In this
default accounting scheme, non-accounting is used and the real-time accounting
function is disabled.
Step 6 Run service-scheme service-scheme-name

A service scheme is applied to the domain.
By default, no service scheme is bound to a domain.
Step 7 Run haca-server template-name
An HACA server template is applied to the domain.
By default, no HACA server template is applied to a domain.
Step 8 (Optional) Run state { active | block [ time-range time-name &<1–4> ] }
The domain status is configured.
By default, a domain is in active state after being created. When a domain is in
blocking state, users in this domain cannot log in.

----End

1.10.6 Verifying the HACA Authentication Configuration

Procedure
● Run the display haca-server configuration [ template template-name ]
command to check the HACA server template configuration.
● Run the display haca-server statistics { all | message | packet
[ authentication | authorization | accounting | cut-notify | cut-request |
register | user-syn ] } [ template template-name ] command to check HACA
packet statistics.
● Run the display haca-server accounting-stop-packet all command to view
information about all accounting-stop packets on the HACA server.
----End
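The following is an added end-to-end example of the HACA procedure in 1.10.2 through 1.10.6, assembled from the commands documented above. It is not taken from this guide and is not a Huawei-supplied example. The server address 10.1.1.10, port 443, PKI realm haca_realm, source address 10.1.1.1, the scheme and template names, the domain example.com, the timer values and the account-locking thresholds are all constructed placeholders to be replaced with your own values, the view prompts are illustrative, and lines beginning with # are explanatory comments rather than commands.

```text
# Added example, not from the original guide. All names and values are placeholders.
<HUAWEI> system-view
[HUAWEI] aaa
# Authentication scheme: HACA first; local authentication is used only when the
# HACA server does not respond (a rejected user is not retried locally).
[HUAWEI-aaa] authentication-scheme haca_auth
[HUAWEI-aaa-authen-haca_auth] authentication-mode haca local
[HUAWEI-aaa-authen-haca_auth] quit
# Accounting scheme: HACA accounting, users stay offline if accounting-start fails,
# real-time accounting every 15 (assumed unit as documented for the command),
# users remain online after 3 consecutive interim-accounting failures.
[HUAWEI-aaa] accounting-scheme haca_acct
[HUAWEI-aaa-accounting-haca_acct] accounting-mode haca
[HUAWEI-aaa-accounting-haca_acct] accounting start-fail offline
[HUAWEI-aaa-accounting-haca_acct] accounting realtime 15
[HUAWEI-aaa-accounting-haca_acct] accounting interim-fail max-times 3 online
[HUAWEI-aaa-accounting-haca_acct] quit
# Lock access-user accounts after 10 remote-authentication failures within 5 minutes
# for 10 minutes (constructed thresholds; the documented defaults are 5/30/5).
[HUAWEI-aaa] access-user remote authen-fail retry-interval 5 retry-time 10 block-time 10
[HUAWEI-aaa] quit
# HACA server template: server address, port and PKI realm are mandatory.
[HUAWEI] haca-server template haca_tmpl
[HUAWEI-haca-haca_tmpl] haca-server server-address 10.1.1.10 443 haca_realm
[HUAWEI-haca-haca_tmpl] haca-server user-name original
[HUAWEI-haca-haca_tmpl] haca-server source-ip 10.1.1.1
[HUAWEI-haca-haca_tmpl] haca-server timer response-timeout 5
[HUAWEI-haca-haca_tmpl] haca enable
[HUAWEI-haca-haca_tmpl] quit
# Apply the schemes and the template to the domain; nothing takes effect before this.
[HUAWEI] aaa
[HUAWEI-aaa] domain example.com
[HUAWEI-aaa-domain-example.com] authentication-scheme haca_auth
[HUAWEI-aaa-domain-example.com] accounting-scheme haca_acct
[HUAWEI-aaa-domain-example.com] haca-server haca_tmpl
[HUAWEI-aaa-domain-example.com] quit
[HUAWEI-aaa] quit
# Verify the template and watch the per-template packet counters.
[HUAWEI] display haca-server configuration template haca_tmpl
[HUAWEI] display haca-server statistics all template haca_tmpl
```

The order of the authentication modes matters: with authentication-mode haca local the device falls back to the local user database only when the HACA server returns no response, so the local backup accounts should be limited to the administrators who need emergency access, and the account-locking thresholds apply to remote-authentication failures regardless of which mode finally answers.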

1.11 Maintaining AAA

1.11.1 Recording Login and Logout Information

Context
Enabling the recording of information related to normal logout, abnormal logout,
and login failure helps administrators locate and analyze problems.

Procedure
● Run the aaa offline-record command in the system view to record normal
logout information.
By default, the device is enabled to record normal logout information.
● Run the aaa abnormal-offline-record command in the system view to record
abnormal logout information.
By default, the device is enabled to record abnormal logout information.

● Run the aaa online-fail-record command in the system view to record login
failure information.
By default, the device is enabled to record login failure information.
----End

Follow-up Procedure
● Run the display aaa { offline-record | abnormal-offline-record | online-fail-
record } { all | reverse-order | domain domain-name | interface interface-
type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | mac-address mac-address |
access-slot slot-number | time start-time end-time [ date start-date end-
date ] | username user-name [ time start-time end-time [ date start-date
end-date ] ] } [ brief ] command to check normal logout, abnormal logout,
and login failure records.
● Run the display aaa statistics offline-reason command in any view to check
the reasons for users to go offline.

1.11.2 Forcing Users to Go Offline

Context
You can force online users to go offline by specifying the domain name or
interface. This function is applicable to situations such as when the online users
are unauthorized, the number of online users reaches the maximum, or the AAA
configurations are modified. For example, when you modify the AAA
configurations of online users, the new AAA configurations take effect on these
users only after you force them to go offline.

NOTE

● If you delete the AAA configuration of online users, the users may be forced to go offline.

Procedure
● Run the cut access-user { domain domain-name | interface interface-type
interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address
[ vpn-instance vpn-instance-name ] | mac-address mac-address | access-slot
slot-id | user-id begin-number [ end-number ] | username user-name } or cut
access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] |
ppp } [ username user-name ] command in the AAA view to disconnect one
or more sessions. After a session of a user is disconnected, the user is forced
to go offline.
● Run the cut access-user ssid ssid-name (supported by S5731-H, S5731S-H,
S6730S-H, S5732-H, and S6730-H) command in the AAA view to disconnect
one or more sessions based on SSIDs. After a session of a user is
disconnected, the user is forced to go offline.
● Run the cut access-user ucl-group { group-index | name group-name }
command in the AAA view to force UCL group users offline.
----End
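The following added example combines 1.11.1 and 1.11.2; it is not taken from this guide and is not a Huawei-supplied example. It shows the sequence an administrator would run after changing the AAA configuration of a domain: make sure logout and login-failure records are being kept, force the domain's online users offline so that the new configuration applies to them, then review the resulting records. The domain name example.com is a constructed placeholder, the prompts are illustrative, and lines beginning with # are explanatory comments.

```text
# Added example, not from the original guide. The domain name is a placeholder.
<HUAWEI> system-view
# Keep normal-logout, abnormal-logout and login-failure records (enabled by default;
# re-issued here so the audit trail is known to be on before users are cut).
[HUAWEI] aaa offline-record
[HUAWEI] aaa abnormal-offline-record
[HUAWEI] aaa online-fail-record
# Disconnect every online user of the domain whose AAA configuration was changed.
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user domain example.com
[HUAWEI-aaa] quit
# Review the logout records for that domain and the offline-reason statistics.
[HUAWEI] display aaa offline-record domain example.com brief
[HUAWEI] display aaa statistics offline-reason
```

Cutting by domain rather than by interface or user ID keeps the scope of the forced logout aligned with the configuration that was changed, and the records checked afterwards show which sessions were terminated and why.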

1.11.3 Testing Whether a User Can Pass RADIUS Authentication or Accounting

Prerequisites
RADIUS authentication or accounting is configured.

Context
You can test whether a specified user can pass RADIUS authentication or
accounting, which helps the administrator locate faults.

Procedure
● Run the test-aaa user-name user-password radius-template template-name
[ chap | pap ] command in any view to test whether a specified user can pass
RADIUS authentication.
● Run the test-aaa user-name user-password radius-template template-name
[ accounting [ start | realtime | stop ] ] command in any view to check
whether RADIUS accounting can be performed for a specified user.
----End

Follow-up Procedure
● The test-aaa command returns an account test timeout message.
RADIUS authentication test for a single user times out.
<HUAWEI> test-aaa user1 test123 radius-template test
Info: Account test time out.
RADIUS accounting test for a single user times out.
<HUAWEI> test-aaa user1 test123 radius-template test accounting
Info: Account test time out.
– The possible causes are as follows:
▪ The route between the device and the server is unreachable.
▪ The NAS-IP in the RADIUS server template is different from the NAS-IP
configured on the RADIUS server.
▪ The authentication or accounting port in the RADIUS server template
is incorrect.
▪ The authentication or accounting port on the RADIUS server is used
by another application.
▪ The RADIUS server address in the RADIUS server template is
incorrect.
▪ The IP address of the access control device is incorrect or the RADIUS
server is not started.
– Handling procedure:
▪ Run the ping command to check whether a reachable route exists
between the device and the server. If there is no reachable route,
establish a static route or use a routing protocol to establish a
dynamic route between the device and the server.
▪ Run the display radius-server configuration [ template template-name ]
command in any view to check whether the port number and
NAS-IP in the RADIUS server template are the same as those on the
RADIUS server. If they are not the same, configure the same port
number and NAS-IP.
▪ Check whether the authentication and accounting port numbers on
the RADIUS server are 1812 and 1813, respectively. If not, configure
the correct authentication and accounting port numbers.
▪ When the controller functions as the RADIUS server, run the netstat
-nao | findstr 1812 and netstat -nao | findstr 1813 commands on
the server to check whether the port is used by another program. If
so, close the program that uses the port.
▪ Check whether the IP address of the access control device is correct.
If not, carry out the corresponding configuration to rectify this.
● The test-aaa command returns an account test failure.
RADIUS authentication test for a single user fails.
<HUAWEI> test-aaa user1 test123 radius-template test
Info: Account test failed.

RADIUS accounting test for a single user fails.
<HUAWEI> test-aaa user1 test123 radius-template test accounting
Info: Account test failed.
– The possible causes are as follows:
▪ The shared key of the RADIUS server is not configured.
▪ The IP address of the RADIUS server is not configured.
– Handling procedure:
▪ Run the display radius-server configuration [ template template-name ]
command in any view to check whether the shared key and
IP address are configured in the RADIUS server template. If they are
not configured, configure the shared key and IP address in the
RADIUS server template.
● After the test-aaa command is run, the test is passed, but authentication or
accounting cannot be performed for the user.
– The possible causes are as follows:
▪ The route between the device and the server is unreachable.
▪ The user authentication or accounting domain is different from the
RADIUS authentication or accounting domain configured on the
device.
– Handling procedure:
▪ Run the ping command to check whether a reachable route exists
between the device and the server. If there is no reachable route,
establish a static route or use a routing protocol to establish a
dynamic route between the device and the server.
▪ Run the display this command in the AAA view to check whether
the user authentication or accounting domain is the same as the
RADIUS authentication or accounting domain configured on the
device.
○ When the user name entered by the user contains a domain
name, check whether RADIUS authentication or accounting has
been configured in the domain. If not, configure RADIUS
authentication or accounting in the domain.
○ When the user name entered by the user does not contain a
domain name, check whether RADIUS authentication or
accounting has been configured in the global default domain
(administrators use default_admin and common users use
default). If not, configure RADIUS authentication or accounting
in the domain.
▪ Run the display this command in the AAA view to check whether
the AAA authentication or accounting scheme and RADIUS server
template have been applied to the domain. If not, apply the AAA
authentication or accounting scheme and RADIUS server template to
the domain.
▪ If NAC has been configured, check whether the NAC configuration is
correct. If not, correctly configure the NAC.

1.11.4 Configuring the AAA Alarm Report Function

Context
You can configure the alarm report function, which helps you obtain real-time
running status of AAA (for example, the status of the communication with the
RADIUS server becomes Down) and facilitates O&M.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run snmp-agent trap enable feature-name radius [ trap-name
{ hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown |
hwradiusauthserverup } ]

The alarm report function is enabled for the RDS module.

By default, the alarm report function is disabled for the RDS module.

----End

Verifying the Configuration
Run the display snmp-agent trap feature-name radius all command to view the
alarm status of the RDS module.

1.11.5 Clearing AAA Statistics

Context

NOTICE

The AAA statistics cannot be restored after being cleared. Clear AAA statistics with
caution.

Run the following commands to clear the statistics.

Procedure
● Run the reset aaa { abnormal-offline-record | offline-record | online-fail-
record } command in the system view to clear records of abnormal logout,
logout, and login failures.
● Run the reset aaa statistics offline-reason command in any view to clear
the statistics on reasons why users go offline.
● Run the reset access-user statistics command in any view to clear the
statistics on access user authentication.
● Run the reset hwtacacs-server statistics { accounting | all | authentication
| authorization } command in the user view to clear the statistics on
HWTACACS authentication, accounting, and authorization.
● Run the reset hwtacacs-server accounting-stop-packet { all | ip { ipv4-
address | ipv6-address } } command in the user view to clear the statistics on
HWTACACS accounting-stop packets.
● Run the reset radius-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command to clear remaining buffer information on RADIUS
accounting-stop packets.
● Run the reset local-user [ user-name ] password history record command in
the AAA view to clear historical passwords of local users.
● Run the reset aaa statistics access-type-authenreq command in any view to
clear the number of authentication requests.
----End

1.12 Configuration Examples for AAA

1.12.1 Overview of Configuration Examples

Category: Authentication mode of administrators
● Scenario: Local authentication. No authentication server is deployed on the
network, and users are authenticated locally.
Example: 1.12.2 Example for Configuring Local Authentication and User Level
Authorization for Administrators
● Scenario: RADIUS or RADIUS+local authentication. If a RADIUS authentication
server is deployed on the network, you can configure RADIUS authentication. The
RADIUS authentication server creates and maintains user information in a
unified manner. When the RADIUS authentication server does not respond, the
device performs local authentication on users based on the local authentication
configuration. This prevents user authentication failures when the connection
between the device and RADIUS authentication server times out.
Example: 1.12.3 Example for Configuring RADIUS+Local Authentication and User
Level Authorization for Administrators
● Scenario: HWTACACS or HWTACACS+local authentication. If an HWTACACS
authentication server is deployed on the network, you can configure HWTACACS
authentication. The HWTACACS authentication server creates and maintains user
information in a unified manner. When the HWTACACS authentication server does
not respond, the device performs local authentication on users based on the local
authentication configuration. This prevents user authentication failures when
the connection between the device and HWTACACS authentication server times out.
Example: 1.12.4 Example for Configuring HWTACACS+Local Authentication and
User Level Authorization for Administrators

Category: Access mode of administrators
● Scenario: Managing files using SFTP
Example: Example for Managing Files Using SFTP
● Scenario: Logging in to the device through the web system
Example: Example for Configuring Switch Login Through the Web System
● Scenario: Logging in to the device through a console port
Example: Example for Configuring Switch Login Through a Console Port

Category Scenario Example

Privilege levels The following privilege-level In the following


of authorization modes are examples, only the user
administrators supported: privilege level for local
● If non-authentication is used, authentication needs to
the administrator privilege level be configured on the
is configured using the user device. In remote
privilege command in the VTY authentication, the user
interface view. privilege level needs to
be configured on the
● If local authentication is used, server.
the administrator privilege level
is configured using the local- ● 1.12.2 Example for
user privilege level command. Configuring Local
Authentication and
● If remote authentication is used, User Level
the following administrator Authorization for
privilege levels are listed in Administrators
descending order of priority:
● 1.12.3 Example for
1. User privilege level sent from Configuring RADIUS
the server to the switch after +Local
the authentication is Authentication and
successful User Level
2. Administrator privilege level Authorization for
configured using the admin- Administrators
user privilege level ● 1.12.4 Example for
command in a service Configuring
scheme HWTACACS+Local
3. User privilege level Authentication and
configured using the user User Level
privilege command in the Authorization for
VTY interface view Administrators
● Assume that both remote
authentication and local
authentication are configured
for a user and that remote
authentication is first configured
and then local authentication is
configured. The following
administrator levels are listed in
descending order of priority:
1. User privilege level sent from
the server to the switch after
the authentication is
successful
2. Local user privilege level
configured using the local-
user privilege level
command

Issue 04 (2022-06-07) Copyright © Huawei Technologies Co., Ltd. 209


S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - User Access and
Authentication 1 AAA Configuration

Category Scenario Example


NOTE
User privilege level if remote
authentication and
authorization are used:
● The RADIUS attribute HW-
Exec-Privilege (26-29) is
used to authorize the user
privilege level.
● The RADIUS attribute HW-
User-Policy (26-146) is used
to authorize a service
scheme, and the user
privilege level is configured
in the service scheme on the
device.

Changing the The super command is used to 1.12.4 Example for


privilege level change the privilege level from a Configuring HWTACACS
for higher level to a lower level or +Local Authentication
administrators from a lower level to a higher and User Level
level. Authorization for
Administrators

HWTACACS HWTACACS command 1.12.5 Example for


command authorization is supported. When Configuring HWTACACS
authorization the HWTACACS server does not +Local Authentication,
respond, local authorization is Command
used. Authorization, and
Command Auditing for
Administrators

Command Command execution records can 1.12.5 Example for


execution be viewed on the HWTACACS Configuring HWTACACS
records server. +Local Authentication,
Command
Authorization, and
Command Auditing for
Administrators

1.12.2 Example for Configuring Local Authentication and User Level Authorization for Administrators

Networking Requirements
On the network shown in Figure 1-29, the network administrator of an enterprise
needs to remotely manage the device in an easy and secure manner. To achieve
this, local authentication can be configured for the administrator logging in
through Telnet. The requirements are as follows:
1. The administrator enters the correct user name and password to log in to the
device through Telnet.
2. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.

Figure 1-29 Configuring authentication for Telnet login users (local authentication)

Configuration Roadmap
The configuration roadmap is as follows:

1. Assign an IP address to the interface on the switch that is connected to the
management network.
2. Enable the Telnet server function.
3. Configure AAA authentication for the VTY user interface.
4. Configure local authentication, including setting the user name and password,
access type, and user level.

Procedure
Step 1 Assign an IP address to the interface on the switch that is connected to the
management network.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.2.10 24
[Switch-Vlanif100] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit

Step 2 Enable the Telnet server function.


[Switch] telnet server enable
[Switch] telnet server-source -i vlanif 100

Step 3 Configure AAA authentication for the VTY user interface.


[Switch] user-interface maximum-vty 15
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound telnet
[Switch-ui-vty0-14] quit

Step 4 Configure local authentication.


[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type telnet
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit

NOTE

When the entered user name does not contain a domain name, the device authenticates the
user using the default management domain default_admin. By default, the default_admin
domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: Uses the local authentication mode.
● Accounting scheme default: Uses the non-accounting mode.

Step 5 Verify the configuration.


Choose Start > Run on your computer and enter cmd to open the cmd window.
Run the telnet command and enter the user name user1 and password
Example@123 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
telnet server enable
telnet server-source -i Vlanif 100
#
aaa
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif100
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

1.12.3 Example for Configuring RADIUS+Local Authentication and User Level Authorization for Administrators

Network Requirements
As shown in Figure 1-30, a RADIUS server is deployed on an enterprise network.
The enterprise requires that the administrator use RADIUS authentication and log
in to the device through STelnet.

1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the server
authorizes the privilege level 15 to the administrator, and the administrator
can execute all commands at levels 0 to 15.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.

Figure 1-30 Network diagram

Configuration roadmap
1. Configure STelnet login on the switch: Set the authentication mode of
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure RADIUS authentication on the switch: Create a RADIUS server
template, configure an AAA scheme, and configure a global default
administrative domain.
3. Configure a local user on the switch: Configure a local user name, password,
and privilege level.
4. Configure a RADIUS server.

Precautions
● Ensure that there are reachable routes between devices.
● Ensure that the shared key in the RADIUS server template is the same as that
configured on the RADIUS server.
● If the login account is created on the switch but not on the RADIUS server,
RADIUS authentication will fail and local authentication will not be
performed. Local authentication will be performed only when the RADIUS
server is Down or does not respond.
● If the accounting mode is set to RADIUS in an accounting scheme, the
administrator will pass local authentication but fail to log in to the device
because starting accounting will fail after the link between the device and
server is disconnected. To prevent this problem, run the accounting start-fail
online command in the accounting scheme view to allow users to go online
after initial accounting fails.
● If the RADIUS server does not accept the user name containing the domain
name, run the undo radius-server user-name domain-included command in
the RADIUS server template view to configure the device to send packets that
do not contain the domain name to the RADIUS server.
● After the domain is set as the global default administrative domain, the
administrator uses the AAA configuration information in that domain
regardless of whether the user name carries the domain name.
● After the undo radius-server user-name domain-included command is run,
the device changes only the user name format in the sent packet, and the
domain to which the user belongs is not affected. For example, after this
command is run, the user with the user name user@example.com still uses
AAA configuration information in the domain named example.com.
● When the administrator priority is authorized using the RADIUS extended
attribute HW-Exec-Privilege (26-29), the valid attribute value is in the range
from 0 to 15. The value greater than or equal to 16 is invalid.
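To make the precedence rules in the overview table and the HW-Exec-Privilege range rule above concrete, here is an added Python example (not code from the guide or from Huawei). It assumes the RFC 2865 Vendor-Specific attribute layout and Huawei's IANA vendor ID 2011; the function names are our own.

```python
import struct
from typing import Optional

HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number, carried in attribute 26 (assumption)
VENDOR_SPECIFIC = 26      # RADIUS attribute type Vendor-Specific
HW_EXEC_PRIVILEGE = 29    # vendor sub-type of HW-Exec-Privilege (26-29), as in the guide
RADIUS_USER_NAME = 1      # standard User-Name attribute, used to pad the sample list


def build_vsa(sub_type: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute in RFC 2865 layout:
    Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | data."""
    inner = struct.pack("!BB", sub_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), HUAWEI_VENDOR_ID) + inner


def exec_privilege_attrs(level: int) -> bytes:
    """Constructed Access-Accept attribute list: a User-Name attribute followed by
    HW-Exec-Privilege carrying `level` as a 4-byte integer."""
    user_name = struct.pack("!BB", RADIUS_USER_NAME, 2 + 5) + b"user1"
    return user_name + build_vsa(HW_EXEC_PRIVILEGE, struct.pack("!I", level))


def parse_exec_privilege(attrs: bytes) -> Optional[int]:
    """Walk a RADIUS attribute list and return the HW-Exec-Privilege level.
    Returns None when the attribute is absent, malformed, or outside 0-15: the
    guide states that values >= 16 are invalid, so they must not be applied."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None                              # truncated or bogus length
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub, sublen = attrs[pos + 6], attrs[pos + 7]
            data = attrs[pos + 8:pos + alen]
            if (vendor == HUAWEI_VENDOR_ID and sub == HW_EXEC_PRIVILEGE
                    and sublen == 2 + len(data) and len(data) == 4):
                level = struct.unpack("!I", data)[0]
                return level if level <= 15 else None
        pos += alen
    return None


def resolve_admin_privilege(auth_mode: str, server_level: Optional[int] = None,
                            service_scheme_level: Optional[int] = None,
                            vty_level: Optional[int] = None,
                            local_user_level: Optional[int] = None) -> Optional[int]:
    """Apply the precedence rules from the overview table.

    auth_mode is one of:
      'none'   - no authentication: 'user privilege' in the VTY interface view
      'local'  - local authentication: 'local-user privilege level'
      'remote' - remote authentication: server level > service scheme
                 ('admin-user privilege level') > VTY 'user privilege'
      'remote_then_local' - remote configured first, then local (the
                 RADIUS+local / HWTACACS+local examples): server level >
                 'local-user privilege level'
    server_level should already have passed parse_exec_privilege, so an
    out-of-range server value arrives here as None and the next candidate wins."""
    chains = {
        "none": (vty_level,),
        "local": (local_user_level,),
        "remote": (server_level, service_scheme_level, vty_level),
        "remote_then_local": (server_level, local_user_level),
    }
    if auth_mode not in chains:
        raise ValueError(f"unknown auth_mode {auth_mode!r}")
    return next((lvl for lvl in chains[auth_mode] if lvl is not None), None)


if __name__ == "__main__":
    accept = exec_privilege_attrs(15)
    print("server level:", parse_exec_privilege(accept))                   # 15
    print("invalid 16  :", parse_exec_privilege(exec_privilege_attrs(16)))  # None
    print("effective   :", resolve_admin_privilege(
        "remote_then_local", server_level=parse_exec_privilege(accept),
        local_user_level=15))                                              # 15
```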

Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit

# Enable the SSH server function on the device.


[Switch] ssh server-source -i vlanif 10 //Specify the management Ethernet port (VLANIF 10 in this
example) as the source interface for the SSH server to improve system security. Perform this step on the
device that has a management Ethernet port.
[Switch] stelnet server enable

# Set the authentication mode of all SSH users to password authentication and
the service type to STelnet.
[Switch] ssh authentication-type default password

NOTE

If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet

Step 2 Configure RADIUS authentication.


# Configure a RADIUS server template on the device to enable the device to
communicate with the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812
[Switch-radius-1] radius-server accounting 10.1.6.6 1813
[Switch-radius-1] radius-server shared-key cipher Example@123
[Switch-radius-1] quit

# Configure an AAA authentication scheme named sch1 and set the
authentication mode to RADIUS+local.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius local
[Switch-aaa-authen-sch1] quit

# Configure an accounting scheme named acc1 and set the accounting mode to
RADIUS accounting.
[Switch-aaa] accounting-scheme acc1
[Switch-aaa-accounting-acc1] accounting-mode radius
[Switch-aaa-accounting-acc1] accounting start-fail online
[Switch-aaa-accounting-acc1] quit

# Apply the AAA authentication scheme and RADIUS server template to the
domain example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] accounting-scheme acc1
[Switch-aaa-domain-example.com] radius-server 1
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit

# Specify the domain example.com as a global default administrative domain.


[Switch] domain example.com admin

Step 3 Configure local authentication.


# Set the local account to user1, password to Example@123, and privilege level
to 15.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type ssh
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] return

Step 4 Configure a RADIUS server.


The configuration includes adding a device, adding an administrator account, and
setting the administrator level to 15.
Step 5 Verify the configuration.
● Check whether the administrator can successfully log in to the switch through
STelnet.
Enter the user name user1 and password Example@123 configured on the
RADIUS server. The administrator is then successfully authenticated and logs
in to the switch through STelnet.
● When the link between the switch and RADIUS server is working properly, run
the display access-user username user-name detail command on the switch
to check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode, user level, authentication type, and AAA mode of the user are
SSH, 15, administrator authentication, and RADIUS, respectively.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : Switch255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege :

AAA:
User authentication type : Administrator authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
● When the link between the switch and RADIUS server is disconnected, run the
display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, and the authentication mode is local
authentication.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : Switch255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege :

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

----End

Configuration Files
Switch configuration file

#
sysname Switch
#
radius-server template 1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
radius-server accounting 10.1.6.6 1813 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius local
accounting-scheme acc1
accounting-mode radius
accounting start-fail online
domain example.com
authentication-scheme sch1
accounting-scheme acc1
radius-server 1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return

1.12.4 Example for Configuring HWTACACS+Local Authentication and User Level Authorization for Administrators

Network Requirements
As shown in Figure 1-31, an HWTACACS server is deployed on an enterprise
network. The enterprise requires that the administrator log in to the device
through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 15 is authorized to the administrator.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.

Figure 1-31 Network diagram

Configuration Roadmap
1. Configure STelnet login on the switch: Set the authentication mode of
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure HWTACACS authentication on the switch: Create an HWTACACS
server template, configure an AAA scheme, and configure a global default
administrative domain.
3. (Optional) Configure the mode in which the user privilege level is raised on
the switch.
4. Configure a local user on the switch.
5. Configure an HWTACACS server.

Precautions
● Ensure that there are reachable routes between devices.
● Ensure that the shared key in the HWTACACS server template is the same as
that configured on the HWTACACS server.
● If the login account is created on the switch but not on the HWTACACS server,
HWTACACS authentication will fail and local authentication will not be
performed. Local authentication will be performed only when the HWTACACS
server is Down or does not respond.
● If the accounting mode is set to HWTACACS in an accounting scheme, the
administrator will pass local authentication but fail to log in to the device
because starting accounting will fail after the link between the device and
server is disconnected. To prevent this problem, run the accounting start-fail
online command in the accounting scheme view to allow users to go online
after initial accounting fails.
● When you run the super command to change a user privilege level to a lower
level or the same level, no authentication is required. When you run the super
command to change a user privilege level to a higher level, authentication is
required. A user's privilege level can be raised only when the user is
authenticated successfully.

Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit

# Enable the SSH server function on the device.


[Switch] ssh server-source -i vlanif 10 //Specify the management Ethernet port (VLANIF 10 in this
example) as the source interface for the SSH server to improve system security. Perform this step on the
device that has a management Ethernet port.
[Switch] stelnet server enable

# Set the authentication mode of all SSH users to password authentication and
the service type to STelnet.
[Switch] ssh authentication-type default password

NOTE

If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet

Step 2 Configure HWTACACS authentication.


# Configure an HWTACACS server template template1 on the device to enable
the device to communicate with the HWTACACS server.
[Switch] hwtacacs enable
[Switch] hwtacacs-server template template1
[Switch-hwtacacs-template1] hwtacacs-server authentication 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server authorization 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server accounting 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server shared-key cipher Hello@1234
[Switch-hwtacacs-template1] quit

# Configure an authentication scheme named sch1 and set the authentication
mode to HWTACACS+local.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local
[Switch-aaa-authen-sch1] quit

# (Optional) Set the mode in which a user privilege level is raised to HWTACACS
Local. The authentication-super command is run in the authentication scheme
view, so re-enter the scheme sch1 first.
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-super hwtacacs super
[Switch-aaa-authen-sch1] quit

# Configure an authorization scheme sch2 and set the authorization mode to
HWTACACS+local.
[Switch-aaa] authorization-scheme sch2
[Switch-aaa-author-sch2] authorization-mode hwtacacs local
[Switch-aaa-author-sch2] quit

# Configure an accounting scheme named sch3 and set the accounting mode to
HWTACACS accounting.
[Switch-aaa] accounting-scheme sch3
[Switch-aaa-accounting-sch3] accounting-mode hwtacacs
[Switch-aaa-accounting-sch3] accounting start-fail online
[Switch-aaa-accounting-sch3] quit

# Reference the HWTACACS server template and AAA schemes to the domain
example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] hwtacacs-server template1
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] authorization-scheme sch2
[Switch-aaa-domain-example.com] accounting-scheme sch3
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit

# Specify the domain example.com as a global default administrative domain.


[Switch] domain example.com admin

Step 3 Configure local authentication.


# Set the local account to user1, password to Example@123, and privilege level
to 15.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type ssh
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] return

Step 4 Configure an HWTACACS server.


The configuration includes adding a device, adding an administrator account, and
setting the administrator level to 15.
To allow raising the administrator's privilege level, you need to set the maximum
privilege level to 15 on the server and enable the server to deliver the initial
privilege level 10.
Step 5 Verify the configuration.
● Check whether the administrator can successfully log in to the switch through
STelnet.
Enter the user name user1 and password Example@123 configured on the
HWTACACS server. After the authentication succeeds, the user can log in to
the switch through STelnet.
● When the link between the switch and HWTACACS server is working properly,
run the display access-user username user-name detail command on the
switch to check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 10, the authentication type is
administrator authentication, and the authentication, authorization, as well as
accounting modes are HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : example255255000000000f****2016009

Option82 information :-
User access type : SSH
User Privilege : 10

AAA:
User authentication type : Administrator authentication
Current authentication method : HWTACACS
Current authorization method : HWTACACS
Current accounting method : HWTACACS

------------------------------------------------------------------------------

● Raise the administrator level from 10 to 15.


<Switch> super 15
Password:
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level
can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

● When the link between the switch and HWTACACS server is disconnected, run
the display access-user username user-name detail command on the switch
to check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, the authentication and authorization modes are
local, and the accounting mode is HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS

------------------------------------------------------------------------------

----End
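The verification steps in 1.12.3 and 1.12.4 both rely on reading the Current authentication, authorization and accounting method fields of display access-user username user-name detail. As an added example (not code from the guide), the Python below parses that output and flags administrator sessions that fell back to local authentication; the samples are constructed from the output format shown above and the function names are our own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the guide's output for the HWTACACS+local
# example while the link to the HWTACACS server is down.
FALLBACK_SAMPLE = """\
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS

------------------------------------------------------------------------------
"""

# Constructed sample for the healthy RADIUS+local case (server reachable).
NORMAL_SAMPLE = """\
Basic:
User name : user1
Domain-name : example.com
User access type : SSH
User Privilege : 15

AAA:
User authentication type : Administrator authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
"""

# One "Key : value" line; section titles such as "Basic:" yield an empty value.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_access_user(text: str) -> Dict[str, str]:
    """Turn the command output into a dict. Dashed rule lines have no colon and
    are skipped; '-' placeholders and empty values are kept verbatim."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def fallback_findings(fields: Dict[str, str]) -> List[str]:
    """Defender-side checks for an administrator session against a
    RADIUS+local or HWTACACS+local scheme. Per the Precautions, a 'Local'
    method means the server was Down or not responding at login time."""
    findings: List[str] = []
    if fields.get("User authentication type") != "Administrator authentication":
        return findings                  # only administrator sessions are checked
    who = f"{fields.get('User name', '?')}@{fields.get('Domain-name', '?')}"
    authn = fields.get("Current authentication method", "-")
    authz = fields.get("Current authorization method", "-")
    acct = fields.get("Current accounting method", "-")
    if authn == "Local":
        findings.append(f"{who}: authenticated locally; the AAA server was unreachable "
                        "and the level comes from 'local-user privilege level'")
    if authz == "Local":
        findings.append(f"{who}: authorized locally; the server-assigned privilege "
                        "level was not applied")
    if authn == "Local" and acct in ("RADIUS", "HWTACACS"):
        findings.append(f"{who}: remote accounting with local authentication; login "
                        "succeeds only if 'accounting start-fail online' is configured")
    return findings


if __name__ == "__main__":
    for name, sample in (("fallback", FALLBACK_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, fallback_findings(parse_access_user(sample)))
```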

Configuration Files
Switch configuration file
#
sysname Switch
#
hwtacacs-server template template1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server authorization 10.1.6.6
hwtacacs-server accounting 10.1.6.6
hwtacacs-server shared-key cipher %^%#)@1e81]jJP9}9O9|W>MT|TWbI,\rL4[.BT&@);rU%^%#

#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
authentication-super hwtacacs super
authorization-scheme sch2
authorization-mode hwtacacs local
accounting-scheme sch3
accounting-mode hwtacacs
accounting start-fail online

domain example.com
authentication-scheme sch1
accounting-scheme sch3
authorization-scheme sch2
hwtacacs-server template1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return

1.12.5 Example for Configuring HWTACACS+Local Authentication, Command
Authorization, and Command Auditing for Administrators

Networking Requirements
As shown in Figure 1-32, an HWTACACS server is deployed on an enterprise
network. The enterprise requires that the administrator log in to the device
through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 15 is authorized to the administrator, the range of commands that the
administrator can execute is limited, and commands that the administrator
has executed are recorded.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.

Figure 1-32 Network diagram


Configuration Roadmap
1. Configure STelnet login on the switch: set the authentication mode of the
VTY user interfaces to AAA, enable the STelnet service, and configure the
authentication mode and service type for SSH users.
2. Configure HWTACACS on the switch: create an HWTACACS server template,
configure authentication, authorization, and accounting schemes, configure a
command recording scheme, and enable command authorization.
3. Configure a local user on the switch as the fallback account: configure the
local user name, password, and privilege level.
4. Configure the HWTACACS server.

Precautions
● Ensure that there are reachable routes between the devices.
● Ensure that the shared key in the HWTACACS server template is the same as
the one configured on the HWTACACS server.
● If the login account exists on the switch but not on the HWTACACS server,
the server rejects the login and the switch treats HWTACACS authentication
as failed; it does not fall back to local authentication. Local
authentication is used only when the HWTACACS server is Down or does not
respond. The local account is therefore a fallback for server outages, not a
second set of credentials that is always accepted.
● If the accounting mode in the accounting scheme is HWTACACS, an
administrator who passes local authentication while the link to the server
is down still fails to log in, because accounting-start fails. To prevent
this, run the accounting start-fail online command in the accounting
scheme view so that users can go online after accounting-start fails.
● After an authorization scheme that contains command authorization has been
applied to administrators, running the undo authorization-cmd command
leaves logged-in administrators unable to execute any command except quit.
They must log in again.
● When both the authorization mode and the command authorization mode are
hwtacacs local and the link to the server is down, the switch still sends
each command to the HWTACACS server for authorization first and falls back
to local authorization only after the server fails to respond. Each command
is therefore delayed by the server response timeout.
● The switch reports the commands executed by administrators who log in
through SSH, Telnet, or the web NMS console in TACACS accounting packets,
so a TACACS accounting server must be configured on the switch.
● The switch can use TACACS authorization packets to have the HWTACACS server
authorize the commands run by administrators who log in through SSH or
Telnet. On the web NMS console, the commands that can be executed are
controlled only by the administrator privilege level; HWTACACS server
authorization is not supported there.

Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the switch, which acts as the SSH server. Note
that OpenSSH 7.0 and later clients reject DSA host keys by default, so prefer
an RSA or ECC host key if the software version supports one.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit

# Enable the SSH server function on the device.
[Switch] ssh server-source -i vlanif 10 //Bind the SSH server to a single source interface (VLANIF 10, the
management interface in this example) so that it does not accept connections on every interface. Perform this
step on the device that has a management interface.
[Switch] stelnet server enable

# Set the authentication mode and service type of all SSH users to password
authentication and STelnet, respectively.
[Switch] ssh authentication-type default password

NOTE

If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet

Step 2 Configure HWTACACS authentication.

# Create an HWTACACS server template named template1 to enable the device
and the HWTACACS server to communicate with each other.
[Switch] hwtacacs enable
[Switch] hwtacacs-server template template1
[Switch-hwtacacs-template1] hwtacacs-server authentication 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server authorization 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server accounting 10.1.6.6 49
[Switch-hwtacacs-template1] hwtacacs-server shared-key cipher Hello@1234
[Switch-hwtacacs-template1] quit

# Create an authentication scheme named sch1 and set the authentication mode
to HWTACACS+local authentication.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local
[Switch-aaa-authen-sch1] quit

# Create an authorization scheme named sch2, set the authorization mode to
HWTACACS+local authorization, and enable command authorization for the
level-15 administrator.
[Switch-aaa] authorization-scheme sch2
[Switch-aaa-author-sch2] authorization-mode hwtacacs local
[Switch-aaa-author-sch2] authorization-cmd 15 hwtacacs local
[Switch-aaa-author-sch2] quit

# Create a recording scheme named sch0 to record commands that the
administrator has executed.
[Switch-aaa] recording-scheme sch0
[Switch-aaa-recording-sch0] recording-mode hwtacacs template1
[Switch-aaa-recording-sch0] quit
[Switch-aaa] cmd recording-scheme sch0

# Create an accounting scheme named sch3 and set the accounting mode to
HWTACACS accounting.
[Switch-aaa] accounting-scheme sch3
[Switch-aaa-accounting-sch3] accounting-mode hwtacacs
[Switch-aaa-accounting-sch3] accounting start-fail online
[Switch-aaa-accounting-sch3] quit

# Apply the HWTACACS server template and AAA scheme to the domain
example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] hwtacacs-server template1
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] authorization-scheme sch2
[Switch-aaa-domain-example.com] accounting-scheme sch3
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit

# Specify the domain example.com as the global default administrative domain.
[Switch] domain example.com admin

Step 3 Configure local authentication.

# Set the local account to user1, password to Example@123, and privilege level
to 15.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type ssh
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] return

Step 4 Configure an HWTACACS server. Here, the Secure ACS is used as an example.

The configuration includes adding the switch as a network device (with the
same shared key as the template), adding an administrator account, setting
the administrator level to 15, and configuring command authorization. Deny
the reset hwtacacs-server statistics all command for this account on the
server; the verification step below uses that denied command to show that
command authorization is in effect.

You can check logs recording command execution successes and failures of all
users, including non-HWTACACS-authenticated users, under Reports and Activity
> TACACS+ Administration.

Step 5 Verify the configuration.


● Check whether the administrator can successfully log in to the switch through
STelnet.
Enter the user name user1@example.com and password Example@123
configured on the HWTACACS server. The administrator is then successfully
authenticated and logs in to the switch through STelnet.


● When the link between the switch and server is working properly, run the
display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, and the authentication, authorization, as well as
accounting modes are HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15

AAA:
User authentication type : Administrator authentication
Current authentication method : HWTACACS
Current authorization method : HWTACACS
Current accounting method : HWTACACS

------------------------------------------------------------------------------
● After the administrator logs in to the switch, run the reset hwtacacs-server
statistics all command. The system displays the message "Error: Failed to
pass the authorization.", which shows that command authorization is in
effect: the HWTACACS server denied the command before the switch executed it.
<Switch> reset hwtacacs-server statistics all
Error: Failed to pass the authorization.
● When the link between the switch and HWTACACS server is disconnected, run
the display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, the authentication and authorization modes are
local, and the accounting mode is HWTACACS (the user stayed online after the
accounting-start failure because of accounting start-fail online).
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------

Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15


AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS

------------------------------------------------------------------------------

----End
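The last verification step is also the condition an operations team wants to be alerted on: a session reported with Current authentication method Local while the configured method is HWTACACS means the administrator is running without server-side command authorization and command auditing. The following is an added example, not code from the Huawei guide or the switch: it parses the text of display access-user username user-name detail (collecting it over SSH is left to whatever tooling you already use) and returns the sessions that are in fallback state. SAMPLE_OUTPUT is constructed from the two outputs shown above, with a second, constructed session (user2) that is still served by the HWTACACS server.

```python
"""Flag administrator sessions that are running on local AAA fallback.

Added example, not from the Huawei guide or its product code. SAMPLE_OUTPUT is
constructed from the display outputs in the example; user2 is invented.
"""
import re
from dataclasses import dataclass

SEPARATOR = re.compile(r"^-{20,}\s*$", re.MULTILINE)

SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------

Basic:
User ID                        : 11
User name                      : user1
Domain-name                    : example.com
User MAC                       : -
User IP address                : 10.1.1.10
User access time               : 2019/07/10 09:20:02
User access type               : SSH
User Privilege                 : 15

AAA:
User authentication type       : Administrator authentication
Current authentication method  : Local
Current authorization method   : Local
Current accounting method      : HWTACACS

------------------------------------------------------------------------------

Basic:
User ID                        : 12
User name                      : user2
Domain-name                    : example.com
User IP address                : 10.1.1.11
User access time               : 2019/07/10 09:25:40
User access type               : SSH
User Privilege                 : 15

AAA:
User authentication type       : Administrator authentication
Current authentication method  : HWTACACS
Current authorization method   : HWTACACS
Current accounting method      : HWTACACS

------------------------------------------------------------------------------
"""


@dataclass
class Session:
    user: str
    ip: str
    access_type: str
    privilege: int
    authentication: str
    authorization: str
    accounting: str


def parse_sessions(text: str) -> list:
    """Split the display output at the dashed separators and read its 'key : value' lines."""
    sessions = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)  # keys never contain ':', values (times) may
            fields[key.strip()] = value.strip()
        if "User name" not in fields:
            continue  # empty chunk between separators
        sessions.append(Session(
            user=fields.get("User name", ""),
            ip=fields.get("User IP address", "-"),
            access_type=fields.get("User access type", ""),
            privilege=int(fields.get("User Privilege", "0")),
            authentication=fields.get("Current authentication method", ""),
            authorization=fields.get("Current authorization method", ""),
            accounting=fields.get("Current accounting method", ""),
        ))
    return sessions


def fallback_sessions(text: str, expected: str = "HWTACACS") -> list:
    """Sessions whose authentication or authorization did not use `expected`.

    Accounting is deliberately not compared: with 'accounting start-fail online'
    the accounting method still reads HWTACACS while the server is down, so it
    says nothing about whether the session fell back.
    """
    want = expected.upper()
    return [s for s in parse_sessions(text)
            if s.authentication.upper() != want or s.authorization.upper() != want]


if __name__ == "__main__":
    for s in fallback_sessions(SAMPLE_OUTPUT):
        print(f"ALERT local fallback: {s.user} from {s.ip} via {s.access_type} "
              f"privilege {s.privilege} (authn={s.authentication}, authz={s.authorization})")
```

Run it against a collected copy of the command output on a schedule; any hit is a level-15 session whose commands are authorized and recorded only on the switch itself, so at a minimum the session and its later command history should be reviewed once the server link is restored.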

Configuration Files
Switch configuration file
#
sysname Switch
#
hwtacacs-server template template1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server authorization 10.1.6.6
hwtacacs-server accounting 10.1.6.6
hwtacacs-server shared-key cipher %^%#)@1e81]jJP9}9O9|W>MT|TWbI,\rL4[.BT&@);rU%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
authorization-scheme sch2
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme sch3
accounting-mode hwtacacs
accounting start-fail online
recording-scheme sch0
recording-mode hwtacacs template1
cmd recording-scheme sch0
domain example.com
authentication-scheme sch1
accounting-scheme sch3
authorization-scheme sch2
hwtacacs-server template1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return

1.12.6 Example for Configuring the Primary and Secondary RADIUS Servers

Networking Requirements
As shown in Figure 1-33, users belong to the domain huawei. Switch functions as
the network access server on the destination network, providing access to users
only after they are remotely authenticated by the server. The remote
authentication on Switch is described as follows:


● The RADIUS server will authenticate access users for Switch. If RADIUS
authentication fails, local authentication is used.
● The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the
primary and secondary authentication and accounting servers, respectively.
The default authentication port and accounting port are 1812 and 1813,
respectively.

Figure 1-33 Networking diagram of RADIUS authentication and accounting

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting
scheme to a domain.


NOTE

● Ensure that the devices are routable before the configuration.
● Ensure that the shared key in the RADIUS server template is the same as the setting on the
RADIUS server.
● If the RADIUS server does not accept the user name containing the domain name, run the
undo radius-server user-name domain-included command in the RADIUS server template
view to configure the device to send packets that do not contain the domain name to the
RADIUS server.
● After the domain is set to the global default domain, and the user name of a user carries the
domain name or does not carry any domain name, the user uses AAA configuration
information in the global default domain.
● After the undo radius-server user-name domain-included command is run, the device
changes only the user name format in the sent packet, and the domain to which the user
belongs is not affected. For example, after this command is run, the user with the user name
user@huawei.com still uses AAA configuration information in the domain named
huawei.com.
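Two of these notes are easiest to verify on the wire. The following is an added example, not code from the Huawei guide or the switch: it builds the RADIUS Access-Request the switch would send to the shiva servers and shows what undo radius-server user-name domain-included changes (the User-Name attribute carries user1 instead of user1@huawei, while the switch still selects the huawei domain's schemes locally) and why the shared key must match on both ends (User-Password is hidden with an MD5 stream keyed by the shared secret and the 16-byte Request Authenticator, RFC 2865 section 5.2, so a server with a different secret recovers a different password and rejects the user). The secret Example@2012, the user name and the password are taken from the example; the NAS-IP-Address 10.7.66.1, the identifier and the authenticator are constructed.

```python
"""RADIUS Access-Request with RFC 2865 User-Password hiding.

Added example, not from the Huawei guide or its product code. The NAS address,
packet identifier and Request Authenticator used below are constructed.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def wire_user_name(user: str, domain: str, domain_included: bool) -> str:
    """User-Name as sent: user@domain by default, bare user after the undo command."""
    return f"{user}@{domain}" if domain_included else user


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c1 = p1 XOR MD5(S + RA), cn = pn XOR MD5(S + c(n-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, user: str, domain: str,
                         domain_included: bool, password: bytes, secret: bytes,
                         nas_ip: str) -> bytes:
    attrs = (attribute(ATTR_USER_NAME, wire_user_name(user, domain, domain_included).encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Decode as a server holding `secret` would; the password is garbage if secrets differ."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:RADIUS_HEADER_LEN]
    attrs, off = {}, RADIUS_HEADER_LEN
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return {
        "code": code,
        "identifier": identifier,
        "user_name": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_ip": str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS])),
    }


if __name__ == "__main__":
    secret, ra = b"Example@2012", bytes(range(16))
    pkt = build_access_request(7, ra, "user1", "huawei", False, b"Example@123", secret, "10.7.66.1")
    print("server with matching secret:", parse_access_request(pkt, secret))
    print("server with other secret   :", parse_access_request(pkt, b"Example@2013"))
```

Because the server cannot tell a wrong secret from a wrong password, a secret mismatch shows up on the switch only as authentication failures (and, with radius local, as an eventual fallback to local authentication once the servers are marked Down), so check the shared key first when every user of a template is rejected.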

Procedure
Step 1 Configure a RADIUS server template.

# Configure a RADIUS template named shiva.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template shiva

# Set the IP address and port numbers for the primary RADIUS authentication and
accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[Switch-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80

# Set the IP address and port numbers for the secondary RADIUS authentication
and accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[Switch-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40

# Set the shared key and retransmission count for the RADIUS server, and
configure the device not to encapsulate the domain name in the user name when
sending RADIUS packets to the RADIUS server.
[Switch-radius-shiva] radius-server shared-key cipher Example@2012
[Switch-radius-shiva] radius-server retransmit 2
[Switch-radius-shiva] undo radius-server user-name domain-included
[Switch-radius-shiva] quit

Step 2 Configure authentication and accounting schemes.

# Create an authentication scheme named auth. Configure the authentication
scheme to use RADIUS authentication as the active authentication mode and
local authentication as the backup.
[Switch] aaa
[Switch-aaa] authentication-scheme auth
[Switch-aaa-authen-auth] authentication-mode radius local
[Switch-aaa-authen-auth] quit


# Create an accounting scheme named abc, and configure the accounting scheme
to use the RADIUS accounting mode. Configure a policy for the device to keep
users online upon accounting-start failures.
[Switch-aaa] accounting-scheme abc
[Switch-aaa-accounting-abc] accounting-mode radius
[Switch-aaa-accounting-abc] accounting start-fail online
[Switch-aaa-accounting-abc] quit

Step 3 Create a domain named huawei, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template shiva to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme abc
[Switch-aaa-domain-huawei] radius-server shiva
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit

Step 4 Set the domain huawei to the global default domain.
[Switch] domain huawei
[Switch] domain huawei admin

Step 5 Configure AAA local authentication.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type http
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit

Step 6 Verify the configuration.

# Run the display radius-server configuration template template-name
command on Switch to verify the RADIUS server template configuration.
[Switch] display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Server-template-index : 1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : ******
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 2
EndPacketSendTime : 0
Dead time(in minute) : 5
Domain-included : NO
NAS-IP-Address : 0.0.0.0
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX-XX-XX-XX-XX-XX
NAS-Port-ID format : New
Service-type : -
NAS-IPv6-Address : ::
Detect-interval(in second) : 60
Authentication Server 1 : 10.7.66.66 Port:1812 Weight:80 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Authentication Server 2 : 10.7.66.67 Port:1812 Weight:40 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 1 : 10.7.66.66 Port:1813 Weight:80 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 2 : 10.7.66.67 Port:1813 Weight:40 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
------------------------------------------------------------------------------

----End


Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei
domain huawei admin
#
radius-server template shiva
radius-server shared-key cipher %^%#HN!rP_Lc1<+L+H/&YUzN]CBy;_09Z>9T5\.k{T1/%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server authentication 10.7.66.67 1812 weight 40
radius-server accounting 10.7.66.66 1813 weight 80
radius-server accounting 10.7.66.67 1813 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type http
#
return

1.12.7 Example for Configuring the Primary and Secondary HWTACACS Servers

Networking Requirements
For the network shown in Figure 1-34, the customer requirements are as follows:
● The HWTACACS server will authenticate access users for Switch. If HWTACACS
authentication fails, local authentication is used.
● The HWTACACS server will authorize access users for Switch. If HWTACACS
authorization fails, local authorization is used.
● HWTACACS accounting is used by Switch for access users.
● Real-time accounting is performed every 3 minutes.
● The IP addresses of primary and secondary HWTACACS servers are
10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for
authentication, accounting, and authorization is 49.


Figure 1-34 Networking diagram of HWTACACS authentication, accounting, and
authorization

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization
scheme, and accounting scheme to a domain.

NOTE

● Ensure that the devices are routable before the configuration.
● Ensure that the shared key in the HWTACACS server template is the same as the settings on
the HWTACACS server.
● If the HWTACACS server does not accept the user name containing the domain name, run
the undo hwtacacs-server user-name domain-included command in the HWTACACS
server template view to configure the device to send packets that do not contain the domain
name to the HWTACACS server.
● After the domain is set to the global default domain, and the user name of a user carries the
domain name or does not carry any domain name, the user uses AAA configuration
information in the global default domain.
● After the undo hwtacacs-server user-name domain-included command is run, the device
changes only the user name format in the sent packet, and the domain to which the user
belongs is not affected. For example, after this command is run, the user with the user name
user@huawei.com still uses AAA configuration information in the domain named
huawei.com.


Procedure
Step 1 Enable HWTACACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] hwtacacs enable

Step 2 Configure an HWTACACS server template.

# Create an HWTACACS server template named ht.
[Switch] hwtacacs-server template ht

# Set the IP addresses and port numbers for the primary HWTACACS
authentication, authorization, and accounting servers.
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

# Set the IP addresses and port numbers for the secondary HWTACACS
authentication, authorization, and accounting servers.
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

# Set the shared key for the HWTACACS server.
[Switch-hwtacacs-ht] hwtacacs-server shared-key cipher Example@2012
[Switch-hwtacacs-ht] quit

Step 3 Configure authentication, authorization, and accounting schemes.

# Create an authentication scheme named l-h. Configure the authentication
scheme to use HWTACACS authentication as the active authentication mode and
local authentication as the backup.
[Switch] aaa
[Switch-aaa] authentication-scheme l-h
[Switch-aaa-authen-l-h] authentication-mode hwtacacs local
[Switch-aaa-authen-l-h] quit

# Create an authorization scheme named hwtacacs. Configure the authorization
scheme to use HWTACACS authorization as the active authorization mode and
local authorization as the backup.
[Switch-aaa] authorization-scheme hwtacacs
[Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Switch-aaa-author-hwtacacs] quit

# Create an accounting scheme named hwtacacs, and configure the accounting
scheme to use the HWTACACS accounting mode. Configure a policy for the device
to keep users online upon accounting-start failures.
[Switch-aaa] accounting-scheme hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting start-fail online

# Set the real-time accounting interval to 3 minutes.
[Switch-aaa-accounting-hwtacacs] accounting realtime 3
[Switch-aaa-accounting-hwtacacs] quit


Step 4 Create a domain named huawei, and apply the authentication scheme l-h,
authorization scheme hwtacacs, accounting scheme hwtacacs, and the
HWTACACS server template ht to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme l-h
[Switch-aaa-domain-huawei] authorization-scheme hwtacacs
[Switch-aaa-domain-huawei] accounting-scheme hwtacacs
[Switch-aaa-domain-huawei] hwtacacs-server ht
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit

Step 5 Configure local authentication.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type http
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit

Step 6 Configure the global default domain for administrators.
[Switch] domain huawei admin

Step 7 Verify the configuration.

# Run the display hwtacacs-server template command on Switch to verify the
HWTACACS server template configuration.
[Switch] display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 10.7.66.66:49 Vrf:- Status:UP
Primary-authorization-server : 10.7.66.66:49 Vrf:- Status:UP
Primary-accounting-server : 10.7.66.66:49 Vrf:- Status:UP
Secondary-authentication-server : 10.7.66.67:49 Vrf:- Status:UP
Secondary-authorization-server : 10.7.66.67:49 Vrf:- Status:UP
Secondary-accounting-server : 10.7.66.67:49 Vrf:- Status:UP
Third-authentication-server : -:0 Vrf:- Status:-
Third-authorization-server : -:0 Vrf:- Status:-
Third-accounting-server : -:0 Vrf:- Status:-
Current-authentication-server : 10.7.66.66:49 Vrf:- Status:UP
Current-authorization-server : 10.7.66.66:49 Vrf:- Status:UP
Current-accounting-server : 10.7.66.66:49 Vrf:- Status:UP
Source-IP-address :-
Source-LoopBack :-
Shared-key : ****************
Quiet-interval(min) :5
Response-timeout-Interval(sec) : 5
Domain-included : Original
Traffic-unit :B
---------------------------------------------------------------------------

# Run the display domain command on Switch to verify the domain
configuration.
[Switch] display domain name huawei

Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name :-
RADIUS-server-template : default
HWTACACS-server-template : ht
User-group :-
Push-url-address :-

----End


Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei admin
#
hwtacacs-server template ht
hwtacacs-server authentication 10.7.66.66
hwtacacs-server authentication 10.7.66.67 secondary
hwtacacs-server authorization 10.7.66.66
hwtacacs-server authorization 10.7.66.67 secondary
hwtacacs-server accounting 10.7.66.66
hwtacacs-server accounting 10.7.66.67 secondary
hwtacacs-server shared-key cipher %^%#VznDEFI11##ZC>1@:=xUO^!OP~*<c1$FoD*zXPGJ%^%#
#
aaa
authentication-scheme l-h
authentication-mode hwtacacs local
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type http
#
return

1.12.8 Example for Configuring Domain-based User Management

Networking Requirements
As shown in Figure 1-35, enterprise users access the network through Switch. The
user names do not contain any domain names.
The enterprise requires that common users access the network and obtain rights
after passing RADIUS authentication and that administrators log in to the device
for management only after passing local authentication on Switch.


Figure 1-35 Configuring domain-based user management

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN and a VLANIF interface for Switch to communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and
apply the schemes to the default domain to authenticate common users,
such as users using 802.1X or Portal authentication. The user names of the
users do not contain domain names.
3. Configure authentication and authorization schemes for administrators and
apply the schemes to the default_admin domain to authenticate
administrators, such as a user logging in through Telnet, SSH, or FTP. The user
names of administrators do not contain domain names.

NOTE

Ensure that users have been configured on the RADIUS server. In this example, the user
with the user name test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration for Switch. The configurations of the RADIUS
server are not described here.

Procedure
Step 1 Create a VLAN and configure interfaces.

# Create VLAN 11 on Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 11


# Set the link type of GE0/0/2 of Switch that is connected to the RADIUS server to
access, and add GE0/0/2 to VLAN 11.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 11
[Switch-GigabitEthernet0/0/2] quit

# Create VLANIF 11, and configure the IP address of 192.168.2.29/24 for VLANIF
11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 192.168.2.29 24
[Switch-Vlanif11] quit

Step 2 Configure RADIUS AAA for common users who use 802.1X authentication.
NOTE

Ensure that the shared key in the RADIUS server template is the same as that set on the RADIUS
server.

# Configure a RADIUS server template named rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server accounting 192.168.2.30 1813
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] radius-server retransmit 2
[Switch-radius-rd1] quit

# Create authentication and accounting schemes both named abc, and set the
authentication and accounting modes to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
[Switch-aaa] accounting-scheme abc
[Switch-aaa-accounting-abc] accounting-mode radius
[Switch-aaa-accounting-abc] quit

# Test connectivity between Switch and the RADIUS server. Ensure that the test1
user with the password 123456 has been configured on the RADIUS server.
[Switch-aaa] test-aaa test1 123456 radius-template rd1
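The test-aaa command sends a real Access-Request with the template's shared key, so it exercises the key as well as reachability. The following Python is an added example, not Huawei code and not the device's implementation: it builds the RFC 2865 PAP Access-Request a NAS sends (User-Password obfuscated with MD5 under the shared key and a per-request Request Authenticator), models the server's check against a constructed user table, and verifies the Response Authenticator on the NAS side. The user table, the NAS address 192.168.2.29 and the result labels are assumptions for illustration. It shows why a mismatched shared key looks like a timeout rather than a reject: the server's Access-Reject carries an authenticator computed with the other key, so the NAS discards it.

```python
"""Added example: RADIUS PAP Access-Request/Response handling as exercised by test-aaa
(RFC 2865). Not Huawei code; both the NAS side and a stand-in server are modelled here."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret || previous cipher block); the first block is keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password: what the server does with its own copy of the key.
    A different key yields random bytes, so the password comparison then fails."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")   # strip padding (assumes the password has no trailing NUL)


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    authenticator = authenticator or os.urandom(16)   # Request Authenticator: unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator (RFC 2865 section 3): MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a response that does not verify under the NAS key is silently dropped."""
    _, ident, req_auth, _ = parse_packet(request)
    code, r_ident, resp_auth, _ = parse_packet(response)
    head = struct.pack("!BBH", code, r_ident, len(response))
    expected = hashlib.md5(head + req_auth + response[20:] + secret).digest()
    return r_ident == ident and hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Constructed stand-in for the RADIUS server's PAP check (users: name -> password)."""
    _, _, req_auth, attrs = parse_packet(request)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    recovered = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), recovered)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def run_test_aaa(user: str, password: str, nas_secret: bytes, server_secret: bytes,
                 users: Dict[str, str]) -> str:
    """Mirror of test-aaa: the NAS builds with its key, the server answers with its own."""
    request = build_access_request(1, user, password, nas_secret, "192.168.2.29")
    response = server_handle(request, server_secret, users)
    if not verify_response(response, request, nas_secret):
        return "dropped"   # shows up on the NAS as a timeout, not as a reject
    return "accept" if parse_packet(response)[0] == ACCESS_ACCEPT else "reject"
```

run_test_aaa("test1", "123456", b"Example@2012", b"Example@2012", {"test1": "123456"}) returns "accept"; a wrong password returns "reject"; a different key on the server side returns "dropped". PAP over RADIUS protects the password only by MD5 keyed with the shared secret, which is why a strong, unique shared key and a dedicated VLAN for the server link, as in this example, matter.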

# Apply the authentication scheme abc, the accounting scheme abc, and the RADIUS
server template rd1 to the default domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme abc
[Switch-aaa-domain-default] accounting-scheme abc
[Switch-aaa-domain-default] radius-server rd1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit

# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

After the common mode is changed to unified mode, the device automatically restarts. By
default, the unified mode is used.

# Enable 802.1X authentication on an interface.


[Switch] dot1x-access-profile name d1


[Switch-dot1x-access-profile-d1] quit
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] authentication-profile p1
[Switch-GigabitEthernet0/0/1] quit

# Set the global default domain for common users to default. A common user who
enters a user name in the format user@default is authenticated in the default
domain. If the user name carries no domain name, or carries a domain name that
does not exist on the device, the user is also authenticated in this global default
domain for common users.
[Switch] domain default

Step 3 Configure local authentication and authorization for the administrator test.
# Configure the device to use AAA for the Telnet user that logs in through the VTY
user interface. Telnet sends the user name and password in clear text; on a
production device use STelnet (SSH) instead. VLANIF 10, specified here as the
Telnet source interface, must exist and have an IP address, which this example
does not show.
[Switch] telnet server enable
[Switch] telnet server-source -i vlanif 10
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound telnet
[Switch-ui-vty0-14] quit

# Configure a local user named test with password admin@12345, and set the
user level to 3.
[Switch] aaa
[Switch-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3

# Set the access type of test to Telnet.


[Switch-aaa] local-user test service-type telnet

# Configure local account locking. Set the retry interval to 5 minutes, the
maximum number of consecutive authentication failures to 3, and the local
account locking duration to 5 minutes.
[Switch-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
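Added example, not Huawei code: a Python model of what the local-aaa-user wrong-password command above does. Times are in minutes to match the command's units, and the password table is plain text only for the model (the switch stores an irreversible cipher). The counting rule is an assumption about the device: retry-time failures within retry-interval lock the account for block-time, a success resets the count, and a correct password during the block is still refused.

```python
"""Added example: model of local account locking configured by
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5 (minutes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockPolicy:
    retry_interval: int = 5   # window (minutes) in which failures count as consecutive
    retry_time: int = 3       # failures within the window that trigger a lock
    block_time: int = 5       # minutes the account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # times (minutes) of recent failures
    blocked_until: Optional[float] = None


class LocalAuthenticator:
    """Simplified model; users maps name -> password in plain text for the model only."""

    def __init__(self, users: Dict[str, str], policy: LockPolicy):
        self.users = users
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def login(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if st.blocked_until is not None:
            if now < st.blocked_until:
                return "blocked"        # even the correct password is refused until block_time expires
            st.blocked_until, st.failures = None, []
        # only failures inside the retry window are counted as consecutive
        st.failures = [t for t in st.failures if now - t < self.policy.retry_interval]
        if user in self.users and self.users[user] == password:
            st.failures.clear()
            return "success"
        st.failures.append(now)
        if len(st.failures) >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.failures = []
            return "locked"
        return "failure"

    def is_locked(self, user: str, now: float) -> bool:
        st = self.state.get(user)
        return st is not None and st.blocked_until is not None and now < st.blocked_until
```

Locking is a trade-off: anyone who can reach the VTY can lock the administrator account for block-time by failing three times on purpose, so keep console access available and restrict which sources can reach the VTY.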

# Create an authentication scheme named auth, and configure the authentication
scheme to use local authentication.
[Switch-aaa] authentication-scheme auth
[Switch-aaa-authen-auth] authentication-mode local
[Switch-aaa-authen-auth] quit

# Create an authorization scheme named autho, and configure the authorization
scheme to use local authorization.
[Switch-aaa] authorization-scheme autho
[Switch-aaa-author-autho] authorization-mode local
[Switch-aaa-author-autho] quit

# Apply the authentication scheme auth and authorization scheme autho to the
default_admin domain.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] authentication-scheme auth


[Switch-aaa-domain-default_admin] authorization-scheme autho


[Switch-aaa-domain-default_admin] quit
[Switch-aaa] quit

# Set the global default domain for administrators to default_admin. An
administrator who enters a user name in the format user@default_admin is
authenticated in the default_admin domain. If the user name carries no domain
name, or carries a domain name that does not exist on the device, the
administrator is authenticated in this global default domain for administrators.
[Switch] domain default_admin admin
[Switch] quit

Step 4 Verify the configuration.


# Run the display dot1x interface command on Switch to verify the 802.1X
authentication configuration.
# If you log in as a common user, enter the user name test1 and password
123456 on an 802.1X client, and run the display access-user domain and display
access-user user-id commands to check the domain to which you belong and
your access type.
<Switch> display access-user domain default
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16040 test1 - 00e0-fc01-31f6 Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Switch> display access-user user-id 16040
Basic:
User id : 16040
User name : test1
Domain-name : default
User MAC : 00e0-4c97-31f6
User IP address :-
User IPv6 address :-
User access time : 2009/02/15 19:10:52
User accounting session ID : huawei255255000000000f****2016040
Option82 information :-
User access type : 802.1x

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# If you log in through Telnet, enter the user name test and password
admin@12345, and run the display access-user domain and display access-user
user-id commands to check the domain to which you belong and your access
type.
<Switch> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16009 test 10.135.18.217 - Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Switch> display access-user user-id 16009
Basic:
User id : 16009
User name : test


Domain-name : default_admin
User MAC :-
User IP address : 10.135.18.217
User IPv6 address :-
User access time : 2009/02/15 05:10:52
User accounting session ID : huawei255255000000000f****2016009
Option82 information :-
User access type : Telnet

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None

----End

Configuration File
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
telnet server enable
telnet server-source -i Vlanif 10
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
authentication-scheme auth
authorization-scheme autho
accounting-scheme abc
accounting-mode radius
domain default
authentication-scheme abc
accounting-scheme abc
radius-server rd1
domain default_admin
authentication-scheme auth
authorization-scheme autho
local-user test password irreversible-cipher $1a$|^<)!}4$IN$9BrKBRY#L:pEc{P#HQ=OI#p["6tY%94gGg2#@FzP$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11


#
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1
#
return

1.12.9 Example for Configuring the User Escape Function If a RADIUS Server Fault Occurs
Networking Requirements
In Figure 1-36, SwitchA functions as the NAS on the enterprise network, and two
RADIUS servers are deployed. Enterprise users are authenticated in 802.1X + RADIUS
mode and can access the Internet after passing authentication. The administrator
wants users to obtain escape authorization if the RADIUS servers fail, with the
same rights during escape as after successful authentication, and wants users to
be re-authenticated and re-authorized by the RADIUS server once the fault is
rectified.

Figure 1-36 Networking diagram for configuring the user escape function if a
RADIUS server fault occurs


Data Plan

Algorithm for selecting RADIUS servers: Primary/secondary (default value)

Conditions for setting the RADIUS server status to Down:
● Detection interval: 5 seconds (default value)
● Maximum number of consecutive unacknowledged packets in each detection interval: 2 (default value)
● Number of times the detection interval cycles: 2 (default value)
● Longest unresponsive interval of the RADIUS server: 300 seconds (default value)

Retransmission of RADIUS request packets:
● Number of times RADIUS request packets are retransmitted: 3 (default value)
● Timeout period: 5 seconds (default value)

Automatic detection:
● Automatic detection user name and password: test1 and abc@123
● Detection interval for RADIUS servers in Down status: 60 seconds (default value)
● Timeout period for detection packets: 3 seconds (default value)

Escape rights if a RADIUS server fault occurs: Enterprise users can access the Internet.

Configuration Roadmap
1. Configure RADIUS authentication.
2. Configure the RADIUS server status detection function.
3. Configure 802.1X authentication.
4. Configure escape rights if a RADIUS server fault occurs and configure the
reauthentication function if the RADIUS server fault is rectified.

NOTE

Ensure that SwitchA and the RADIUS servers can reach each other.

Procedure
Step 1 Configure VLANs and configure the allowed VLANs on the interfaces.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 20
[SwitchA-GigabitEthernet0/0/2] quit


[SwitchA] interface vlanif 20


[SwitchA-Vlanif20] ip address 192.168.2.10 24
[SwitchA-Vlanif20] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.10 24
[SwitchA-Vlanif10] quit

Step 2 Configure a RADIUS server template.


# Create a RADIUS server template named controller.
[SwitchA] radius-server template controller

# Configure the RADIUS shared key, configure the IP addresses and port numbers
of the primary and secondary authentication and accounting servers, and set the
algorithm for selecting RADIUS servers.
[SwitchA-radius-controller] radius-server authentication 10.7.66.66 1812 weight 80
[SwitchA-radius-controller] radius-server accounting 10.7.66.66 1813 weight 80
[SwitchA-radius-controller] radius-server authentication 10.7.66.67 1812 weight 40
[SwitchA-radius-controller] radius-server accounting 10.7.66.67 1813 weight 40
[SwitchA-radius-controller] radius-server algorithm master-backup
[SwitchA-radius-controller] radius-server shared-key cipher Example@123

# Configure the automatic detection function. The detection user is used only to
probe the RADIUS servers; because its password is stored in the device
configuration, give this account no service rights on the RADIUS server.
[SwitchA-radius-controller] radius-server testuser username test1 password cipher abc@123

# Configure the automatic detection interval for RADIUS servers in Down status
and the timeout period for detection packets. (The default values are used.)
[SwitchA-radius-controller] radius-server detect-server interval 60
[SwitchA-radius-controller] radius-server detect-server timeout 3

# Configure the number of retransmissions and the timeout interval of RADIUS
Access-Request packets. (The default values are used.)
[SwitchA-radius-controller] radius-server retransmit 3 timeout 5
[SwitchA-radius-controller] quit

Step 3 Configure conditions for setting the RADIUS server status to Down. (The default
values are used.)
[SwitchA] radius-server dead-interval 5
[SwitchA] radius-server dead-count 2
[SwitchA] radius-server detect-cycle 2
[SwitchA] radius-server max-unresponsive-interval 300

Step 4 Configure an authentication scheme and an accounting scheme.


# Configure the authentication scheme auth and set the authentication mode to
RADIUS authentication.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme auth
[SwitchA-aaa-authen-auth] authentication-mode radius
[SwitchA-aaa-authen-auth] quit

# Configure the accounting scheme acc and set the accounting mode to RADIUS
accounting.
[SwitchA-aaa] accounting-scheme acc
[SwitchA-aaa-accounting-acc] accounting-mode radius
[SwitchA-aaa-accounting-acc] quit


Step 5 Configure domain huawei and apply the authentication scheme auth, accounting
scheme acc, and RADIUS server template controller to the domain.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme auth
[SwitchA-aaa-domain-huawei] accounting-scheme acc
[SwitchA-aaa-domain-huawei] radius-server controller
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit

Step 6 Configure 802.1X authentication.

# Switch the NAC mode to unified.

NOTE

By default, the unified mode is used. After the NAC mode is switched, the device automatically
reboots. You can run the display authentication mode command to check the current NAC
mode of the device.
[SwitchA] authentication unified-mode

# Configure the 802.1X access profile d1.


[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit

NOTE

By default, an 802.1X access profile uses the EAP relay authentication mode. Ensure that
the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X
authentication request packets.

# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, and specify the domain huawei as the forcible
authentication domain in the authentication profile.

NOTE

After a forcible domain is configured in the authentication profile, users that use
this authentication profile are authenticated in that domain regardless of whether
their user names carry a domain name or which domain name they carry.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] quit

# Configure escape rights if a RADIUS server fault occurs and configure the
reauthentication function if the RADIUS server fault is rectified. The authorization
service scheme during user escape is used as an example. For details about other
authorization information, see 2.9.3 (Optional) Configuring Authentication
Event Authorization Information.
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule 1 permit ip source 192.168.2.0 0.0.0.255
[SwitchA-acl-adv-3001] quit
[SwitchA] aaa
[SwitchA-aaa] service-scheme s1
[SwitchA-aaa-service-s1] acl-id 3001
[SwitchA-aaa-service-s1] quit
[SwitchA-aaa] quit
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] authentication event authen-server-down action authorize service-scheme
s1
[SwitchA-authen-profile-p1] authentication event authen-server-up action re-authen
[SwitchA-authen-profile-p1] quit
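Added example, not Huawei code: a Python model of the behaviour the profile above configures, namely master-backup server selection by weight, the Down detection conditions from the data plan (assumed rule: dead-count unanswered requests in each of detect-cycle consecutive detection intervals, or no response for max-unresponsive-interval), probing a Down server every detect-server interval, escape to service scheme s1 when every server is Down, and re-authentication of escaped users when a server comes back. Whether a server replies is supplied as a constructed dictionary. One point the model makes explicit: while the servers are still marked Up but do not answer, users fail authentication; escape applies only after all servers have been marked Down, which with the default values takes roughly two detection intervals.

```python
"""Added example: model of RADIUS server Down detection, master-backup selection and
user escape/re-authentication. Not Huawei code; the Down rule is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DetectionPolicy:
    dead_interval: int = 5       # radius-server dead-interval (seconds per detection interval)
    dead_count: int = 2          # radius-server dead-count (unanswered requests per interval)
    detect_cycle: int = 2        # radius-server detect-cycle (consecutive failed intervals)
    max_unresponsive: int = 300  # radius-server max-unresponsive-interval (seconds)
    detect_interval: int = 60    # radius-server detect-server interval (probe period when Down)


@dataclass
class RadiusServer:
    ip: str
    weight: int
    state: str = "up"
    last_response: Optional[float] = None
    timeouts: List[float] = field(default_factory=list)
    down_since: float = 0.0


class RadiusTemplate:
    """radius-server algorithm master-backup: the highest-weight Up server is always preferred."""

    def __init__(self, servers: List[RadiusServer], policy: DetectionPolicy):
        self.servers = sorted(servers, key=lambda s: -s.weight)
        self.policy = policy

    def select(self, exclude: Optional[Set[str]] = None) -> Optional[RadiusServer]:
        exclude = exclude or set()
        return next((s for s in self.servers if s.state == "up" and s.ip not in exclude), None)

    def record_timeout(self, server: RadiusServer, now: float) -> str:
        """A request was retransmitted the configured number of times and never answered."""
        p = self.policy
        server.timeouts.append(now)
        if server.last_response is not None and now - server.last_response >= p.max_unresponsive:
            return self._mark_down(server, now)
        buckets = [0] * p.detect_cycle
        for t in server.timeouts:
            idx = int((now - t) // p.dead_interval)   # 0 = current interval, 1 = the one before
            if idx < p.detect_cycle:
                buckets[idx] += 1
        if all(b >= p.dead_count for b in buckets):
            return self._mark_down(server, now)
        return server.state

    def record_response(self, server: RadiusServer, now: float) -> str:
        server.last_response, server.timeouts, server.state = now, [], "up"
        return server.state

    def _mark_down(self, server: RadiusServer, now: float) -> str:
        server.state, server.down_since, server.timeouts = "down", now, []
        return server.state

    def probe_due(self, server: RadiusServer, now: float) -> bool:
        """True when a detection request with the radius-server testuser credentials should go out."""
        return server.state == "down" and now - server.down_since >= self.policy.detect_interval


class Nas:
    def __init__(self, template: RadiusTemplate, escape_scheme: str = "s1"):
        self.template = template
        self.escape_scheme = escape_scheme   # authen-server-down action authorize service-scheme s1
        self.escaped_users: Set[str] = set()

    def authenticate(self, user: str, now: float, answers: Dict[str, bool]) -> Dict[str, str]:
        """answers is a constructed stand-in for the network: server ip -> whether it replies."""
        tried: Set[str] = set()
        while (server := self.template.select(tried)) is not None:
            tried.add(server.ip)
            if answers.get(server.ip, False):
                self.template.record_response(server, now)
                return {"result": "accept", "server": server.ip}
            self.template.record_timeout(server, now)
        if self.template.select() is None:   # every server is Down: escape applies
            self.escaped_users.add(user)
            return {"result": "escape", "service-scheme": self.escape_scheme}
        return {"result": "fail", "reason": "no RADIUS response"}   # servers still Up: plain failure

    def on_probe_result(self, server: RadiusServer, ok: bool, now: float) -> List[str]:
        """Detection result for a Down server; returns the users to re-authenticate
        (authen-server-up action re-authen) once the server is Up again."""
        if not ok:
            server.down_since = now          # wait another detect_interval before the next probe
            return []
        self.template.record_response(server, now)
        users, self.escaped_users = sorted(self.escaped_users), set()
        return users
```

The service scheme handed out during escape is the whole of a user's authorization while the servers are down, so the ACL bound to it should grant only what users need during the outage.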


# Bind the authentication profile p1 to interfaces ranging from GE0/0/2 to
GE0/0/n and enable 802.1X authentication. Take GE0/0/2 as an example.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication-profile p1
[SwitchA-GigabitEthernet0/0/2] quit

Step 7 Check the configuration.


# Run the display radius-server configuration template template-name
command on SwitchA to check the configuration of the RADIUS server template
controller.
[SwitchA] display radius-server configuration template controller
------------------------------------------------------------------------------
Server-template-name : controller
Server-template-index : 1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : ******
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 3
EndPacketSendTime : 3
Dead time(in minute) : 5
Domain-included : Original
NAS-IP-Address : -
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX-XX-XX-XX-XX-XX
NAS-Port-ID format : New
Service-type : -
WLAN Called-station-id format : ap-mac:ssid
NAS-IPv6-Address : ::
Server algorithm : master-backup
Detect-interval(in second) : 60
Detect up-server(in second) : 0
Detect timeout(in second) : 3
Testuser-username : test1
Testuser-ciperpwd : %^%#sn\dDprW4(}@sqUZGhg&8vMD4PatvD@H56)p7]7$%^%#
Chargeable-user-identity : Not Support
CUI Not reject : No
Authentication Server 1 : 10.7.66.66 Port:1812 Weight:80 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Authentication Server 2 : 10.7.66.67 Port:1812 Weight:40 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 1 : 10.7.66.66 Port:1813 Weight:80 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 2 : 10.7.66.67 Port:1813 Weight:40 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
------------------------------------------------------------------------------

# Run the display authentication-profile configuration name authentication-
profile-name command on SwitchA to check the configuration of the
authentication profile p1.
[SwitchA] display authentication-profile configuration name p1
Profile name : p1
Dot1x access profile name : d1
Mac access profile name :-
Portal access profile name :-
Free rule template :-
Force domain : huawei
Dot1x force domain :-
Mac-authen force domain :-


Portal force domain :-


Default domain :-
Dot1x default domain :-
Mac-authen default domain :-
Portal default domain :-
Permit domain :-
Authentication handshake : Enable
Authentication handshake period : 300s
Auth-fail re-auth period : 60s
Pre-auth re-auth period : 60s
Auth-fail aging time : 82800s
Pre-auth aging time : 82800s
Dot1x-mac-bypass : Disable
Mac authen before 802.1x authen force : Disable
Single-access : Disable
Device-type authorize service-scheme :-
Mac move detect enable : Enable
Authentication mode : multi-authen
Authen-fail authorize service-scheme :-
Authen-server-down authorize service-scheme : s1
Pre-authen authorize service-scheme :-
Security-name-delimiter :-
Domain-name-delimiter :-
Domain-location :-
Domainname-parse-direction :-
WLAN max user number : 128
Bound vap profile :-
SVF flag : Disable
Ip-static-user : Disable
Roam-realtime-accounting : Disable
Update-IP-realtime-accounting : Enable
IP-address in-accounting-start : Disable
IP-address arp-delay : Disable
Update-session-mode : Disable
Linkdown offline delay time : 10
Termination action :-
Control direction : Inbound
Update-Info-realtime-accounting : Enable
Authentication roam pre-authen mac-authen : Disable

Step 8 Verify the configuration.


● When SwitchA and the RADIUS server are properly connected, run the display
radius-server item template controller command on SwitchA to check
whether the RADIUS server status is Up (STState = STState-up).
● When SwitchA is disconnected from the RADIUS server and conditions for
setting the RADIUS server status to Down are met, run the display radius-
server item template controller command on SwitchA to check whether the
RADIUS server status is Down (STState = STState-down).
● When the RADIUS server status is Down, users can access the Internet.

----End

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
access-domain huawei force
authentication event authen-server-down action authorize service-scheme s1


authentication event authen-server-up action re-authen


#
radius-server template controller
radius-server shared-key cipher %^%#<1bHCyUgA+s\%jzV_Pwl`i1[e}HX=iRl1+qD+P%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server authentication 10.7.66.67 1812 weight 40
radius-server accounting 10.7.66.66 1813 weight 80
radius-server accounting 10.7.66.67 1813 weight 40
radius-server testuser username test1 password cipher %^%#sn\dDprW4(}@sqUZGhg&8vMD4PatvD@H56)p7]7$%^%#
#
acl number 3001
rule 1 permit ip source 192.168.2.0 0.0.0.255
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acc
accounting-mode radius
service-scheme s1
acl-id 3001
domain huawei
authentication-scheme auth
accounting-scheme acc
radius-server controller
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
authentication-profile p1
#
dot1x-access-profile name d1
#
return

1.13 Troubleshooting AAA

1.13.1 A User Cannot Log In to the Device Through Telnet When AAA Local Authentication Is Used

Fault Description
After local authentication is used, a user cannot log in to the device through
Telnet.

Common Causes
1. The user does not have an account on the device.
2. The user name or password entered by the user is incorrect.
3. No authentication mode is configured for the user interface.


Procedure
1. Run the display this command in the AAA view to check whether the user
has an account on the device.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] display this
#
aaa
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$ //The user name is user1. The password is stored and displayed only as an irreversible cipher text; the plain-text password that was entered cannot be read back from it.
#

– If the user does not have an account on the device, run the local-user
user-name password irreversible-cipher password command in the AAA
view to create a local user.
– If the user has an account on the device, ensure that the user name and
password entered by the user are the same as those configured on the
device.
The password is displayed in cipher text on the screen. If you forget the
password, run the local-user user-name password irreversible-cipher
password command in the AAA view to reconfigure the password.
2. Run the display this command in the user interface view to check whether
the authentication mode is set to aaa.
If not, run the authentication-mode aaa command in the user interface
view, for example, in the VTY user interface view.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] display this
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#

1.13.2 A User Cannot Enter the System View After Logging In to the Device Through Telnet When Local Authentication Is Used

Context
A user is only authorized to run commands at the same level as or below the user
level. For example, a user at level 2 can run only the commands at levels 0, 1, and
2.

Fault Description
A user successfully logs in to the device through Telnet, but cannot run the
system-view command to enter the system view or run other commands at the
configuration level.


Common Causes
A common cause of the fault is that the user is not authorized to run commands
at the configuration level (level 2), that is, the user level is lower than 2. This
happens, for example, when no user level was specified for the user and the
default level therefore applies.

NOTE

By default, the users on the console port are at level 15 and the users on the VTY user interface
are at level 0.

Procedure
The following procedures can be used to rectify this fault:
● If the administrator resets the user level for the user:
– The administrator can log in to the device from the VTY user interface
through Telnet, and then run the local-user user-name privilege level
level command to reset the user level.
– The administrator can log in to the device through the console port, and
then run the local-user user-name privilege level level command to
reset the user level.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15.
● If the user changes the user level online:
a. The administrator sets the password, which is used to change the user
level to 15.
<HUAWEI> system-view
[HUAWEI] super password level 15 cipher Test@5678
b. The user logs in to the device through Telnet and uses the password to
change the user level.
<HUAWEI> super 15
Password: //Enter the password Test@5678.
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE //User level is raised successfully.

1.13.3 A User Fails to Pass RADIUS Authentication When the Entered User Name Does Not Contain a Domain Name
Fault Description
When a user enters a user name that does not contain a domain name for
RADIUS authentication, the user cannot be authenticated.

Common Causes
If a user is authenticated in the global default domain (for which RADIUS
authentication is not configured) and enters a user name without the domain
name, the user cannot be authenticated.


NOTE

Global default domains include:


● default_admin: For administrators who log in through Telnet, SSH, FTP, HTTP, or console
port
● default: For common users who log in through MAC, Portal, 802.1X, or PPP authentication

Procedure
Ensure that the domain configured for RADIUS authentication is the same as the
domain used for user authentication. You can use one of the following methods:
● As an administrator, configure the domain for RADIUS authentication as the
global default domain.
– If the user that failed authentication is an administrator, run the domain
domain-name admin command in the system view.
– If the user that failed authentication is a common user, run the domain
domain-name command in the system view.
● As an administrator, configure RADIUS authentication in the global default
domain.
– If the user that failed authentication is an administrator, configure
RADIUS authentication in default_admin.
– If the user that failed authentication is a common user, configure RADIUS
authentication in default.
● The user enters a user name containing the RADIUS authentication domain
name.
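Added example, not Huawei code: a Python model of the domain selection that both 1.12.8 (default versus default_admin) and this troubleshooting case rely on, including the forcible domain from 1.12.9. It assumes "@" as the delimiter with the domain after it, and that the access-type groupings in the note above decide which global default domain applies; the domain table and its authentication modes are constructed. The three fixes listed above correspond to changing which domain is the admin default, changing the authentication mode of default_admin, or entering user@domain.

```python
"""Added example: model of how a switch picks the AAA domain for a user name.
Not Huawei code; delimiter handling and access-type groupings are assumptions."""
from typing import Dict, Optional, Tuple

ADMIN_ACCESS = {"telnet", "ssh", "ftp", "http", "console"}   # served by the admin default domain
COMMON_ACCESS = {"802.1x", "mac", "portal", "ppp"}            # served by the common default domain


class DomainSelector:
    def __init__(self, domains: Dict[str, Dict[str, str]],
                 default_common: str = "default", default_admin: str = "default_admin",
                 delimiter: str = "@"):
        self.domains = domains                   # domain name -> {"authentication": mode, ...}
        self.default_common = default_common     # set by: domain <name>
        self.default_admin = default_admin       # set by: domain <name> admin
        self.delimiter = delimiter               # assumed "@", domain after it

    def split(self, name: str) -> Tuple[str, Optional[str]]:
        """Return (user, domain); domain is None when the name carries no delimiter."""
        if self.delimiter not in name:
            return name, None
        user, domain = name.split(self.delimiter, 1)
        return user, domain

    def select(self, name: str, access_type: str, force_domain: Optional[str] = None) -> str:
        if force_domain is not None:             # access-domain <name> force in the authentication profile
            return force_domain
        _, domain = self.split(name)
        if access_type in ADMIN_ACCESS:
            fallback = self.default_admin
        elif access_type in COMMON_ACCESS:
            fallback = self.default_common
        else:
            raise ValueError(f"unknown access type {access_type}")
        if domain is None or domain not in self.domains:
            return fallback                      # missing or non-existent domain -> global default domain
        return domain

    def authentication_mode(self, name: str, access_type: str,
                            force_domain: Optional[str] = None) -> str:
        return self.domains[self.select(name, access_type, force_domain)]["authentication"]
```

With default_admin still using local authentication, an administrator who types a bare user name is authenticated locally even though a RADIUS domain exists, which is exactly the failure described above.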

1.14 FAQ About AAA

1.14.1 What Should I Be Aware of When Connecting the Device to an H3C iMC RADIUS Server?
When the device connects to an H3C iMC RADIUS server to perform
authentication, authorization, or accounting for 802.1X users, configure security
check policies on the RADIUS server to improve security. For example, check
whether the 802.1X client has two network cards and whether the 802.1X client
version is correct. In addition, perform the following operations on the device:
1. Configure RADIUS accounting.
2. Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1X users.
3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to
configure the device to return the EAP packets with type value of 10 and data
type of 25 to the RADIUS server.
4. Run the radius-attribute translate HW-Up-Priority HW-User-Information
receive command to convert the HW-Up-Priority attribute in received RADIUS
packets into HW-User-Information.
5. If the RADIUS server needs to dynamically authorize AAA users, the attributes
delivered based on the security check policy may be different from the


attributes delivered during CoA. Therefore, run the authorization-modify


mode modify command to set the update mode for user authorization
information delivered by the RADIUS server to Modify. After the command is
executed, the attributes delivered by CoA will not overwrite the attributes
delivered by the security check policy.
6. (In V200R010C00 and later versions) To use the session management
function, run the radius-server session-manage ip-address shared-key
cipher share-key command to enable session management on the RADIUS
server and set the IP address and shared key for the RADIUS session
management server.
If the active server fails, the switch sends the authentication request packets to the
standby server. Because the timeout interval of the security check session on the
iNode client is short, you are advised to keep this failover fast so that services are
not interrupted: run the radius-server retransmit retry-times timeout time-value
command to set the number of RADIUS request packet retransmissions to 1 and the
timeout interval to less than 5 seconds.

1.14.2 What Should I Be Aware of When Connecting the Device to a Ruijie RADIUS Server?
If you want to view the MAC addresses or IP addresses of online users on a Ruijie
RADIUS server, set the device type to H3C or Digital China on the RADIUS server.

1.14.3 What Should I Be Aware of When Connecting the Device to a Leagsoft RADIUS Server?
When the NAS-IP of the RADIUS client (device) is configured on the Leagsoft
RADIUS server, the MAC address of the device also needs to be configured.

1.14.4 What Should I Be Aware of When Connecting the Device to a Symantec RADIUS Server?
● The Symantec RADIUS server can only be used as an authentication server,
not as an authorization or accounting server. For this reason, when the device
connects to a Symantec RADIUS server, ensure that the RADIUS server is not
configured as an authorization or accounting server.
● When the Symantec RADIUS server performs 802.1X authentication for users,
perform the following configurations on the device:
– Run the undo dot1x handshake command to disable handshake
between the device and 802.1X online users.
– Run the dot1x authentication-method eap command to configure EAP
relay authentication for 802.1X users.


1.14.5 Why Is Online User Information Not Displayed, or Why Are Users Forced to Go Offline, When a Switch Connects to the Agile Controller-Campus or Policy Center Server?
● If the server cannot display information about online users when a device
connects to the Agile Controller-Campus or Policy Center server, a possible
cause is that no accounting scheme is configured on the device.
● If users are forced to go offline when a device connects to the Agile
Controller-Campus or Policy Center server, possible causes are as follows:
– The interim accounting interval configured on the device is short, yet
many access users connect to the device.
– The interim accounting interval configured on the server is different from
that configured on the device.

1.14.6 If Both RADIUS Authentication and Local Authentication Are Configured, When Does the Device Perform Local Authentication?

If multiple authentication modes are configured, the device tries them in the order
in which they were configured. It moves on to the mode configured later only when
the mode configured earlier does not respond. If the user fails authentication (that
is, the authenticating side explicitly rejects the user), the device does not try the
other authentication modes.

For example, if both RADIUS authentication and local authentication are
configured in an authentication scheme using the authentication-mode radius
local command, with RADIUS authentication configured first, the device performs
local authentication only when the connection with the RADIUS server times out.
When local authentication is used, users can log in to the device only if local
authentication is correctly configured on the device: the correct user name and
password, access type, and authentication mode must all be configured. The
following example shows the configuration of local authentication for Telnet login.
<HUAWEI> system-view
[HUAWEI] telnet server enable //Enable the Telnet service.
[HUAWEI] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[HUAWEI] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15.
[HUAWEI] user-interface vty 0 14 //Enter the view of VTY user interfaces 0 to 14.
[HUAWEI-ui-vty0-14] authentication-mode aaa //Set the VTY authentication mode to AAA.
[HUAWEI-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-14] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password irreversible-cipher Example@123 //Create the local user user1 and set the password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to overwrite the old configuration.
[HUAWEI-aaa] local-user user1 service-type telnet //Set the access type of user1 to Telnet. This user can only log in to the device through Telnet.
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15. After login, the user can run the commands at levels 0-15.
[HUAWEI-aaa] quit


This rule also applies to HWTACACS authentication and local authentication. That
is, the device performs local authentication only when the connection with the
HWTACACS server times out.

1.14.7 When Both RADIUS Authentication and Local Authentication Are Configured, Why Is a User Disconnected After Being Online for More than 10 Seconds?

When both RADIUS authentication and local authentication are configured, the
device performs local authentication if it does not receive any response from the
RADIUS server (for example, if the RADIUS server fails). As shown in the following
configuration file, RADIUS authentication and accounting are configured on the
device. Even though the user successfully logs in through local authentication,
RADIUS accounting fails because the RADIUS server does not respond. Therefore,
the user is disconnected.
#
radius-server template rad //Configure the RADIUS server template.
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server accounting 10.7.66.66 1813 weight 80
#
aaa
authentication-scheme default
authentication-mode radius local //In the authentication scheme named default, the authentication mode is set to RADIUS authentication and local authentication.
authorization-scheme default
accounting-scheme default
accounting-mode radius //In the accounting scheme named default, the accounting mode is set to RADIUS accounting.
domain default_admin
radius-server rad //Apply the RADIUS server template to the global default management domain. By default, the domain uses the default authentication and accounting schemes.
local-user user1 password cipher %^%#9X%T3y\jN;_&5(FU-B4P;);/tc^%VI\mA1KeeH%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet terminal
#

Solution:
● For administrators (logging in through Telnet, SSH, FTP, HTTP, or console
port), accounting is not required, so RADIUS accounting configuration can be
deleted.
● For common users (logging in through MAC, Portal, 802.1X, or PPP
authentication), run the accounting start-fail online command in the
accounting scheme view to configure the device to keep the users online upon
accounting failures. However, executing this command can cause inaccurate
accounting results. Before using this method, ensure that services will not be
affected.
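The fallback and accounting behaviour described in 1.14.6 and 1.14.7, modelled as an added Python example; this is not device code or Huawei's implementation, and the Scheme fields, the server outcomes and the local user database are constructed to mirror the configuration shown above.

```python
# Added illustration of the behaviour described in 1.14.6 and 1.14.7: a
# model of "authentication-mode radius local" combined with RADIUS accounting.
# Not device code; the Scheme fields and server outcomes are constructed.
from dataclasses import dataclass, field

TIMEOUT, ACCEPT, REJECT = "timeout", "accept", "reject"  # RADIUS auth outcomes


@dataclass
class Scheme:
    auth_modes: list                      # e.g. ["radius", "local"], configured order
    accounting_mode: str = "none"         # "radius" or "none"
    start_fail_online: bool = False       # models "accounting start-fail online"
    local_users: dict = field(default_factory=dict)  # constructed local user DB


def authenticate(scheme, user, password, radius_auth):
    """Try modes in configured order. Only a silent server (timeout) moves
    on to the next mode; an explicit reject ends the attempt."""
    for mode in scheme.auth_modes:
        if mode == "radius":
            if radius_auth == TIMEOUT:
                continue                  # no response: fall back to next mode
            return radius_auth == ACCEPT, f"radius {radius_auth}"
        if mode == "local":
            ok = scheme.local_users.get(user) == password
            return ok, "local accept" if ok else "local reject"
    return False, "no authentication mode responded"


def login(scheme, user, password, radius_auth, acct_response=False):
    """Return (online, reason) for one login attempt. acct_response says
    whether the RADIUS server answered the Accounting-Start request."""
    ok, why = authenticate(scheme, user, password, radius_auth)
    if not ok:
        return False, why
    if scheme.accounting_mode == "radius" and not acct_response:
        if scheme.start_fail_online:
            return True, why + "; accounting start failed, user kept online"
        return False, why + "; accounting start failed, user disconnected"
    return True, why


# Constructed scheme mirroring the 1.14.7 configuration file.
SCHEME_1147 = Scheme(["radius", "local"], "radius",
                     local_users={"user1": "Example@123"})

if __name__ == "__main__":
    # RADIUS server silent: local login succeeds, then accounting cuts the user off.
    print(login(SCHEME_1147, "user1", "Example@123", TIMEOUT))
    # RADIUS rejects explicitly: no fallback to local authentication.
    print(login(SCHEME_1147, "user1", "Example@123", REJECT))
```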

1.14.8 How Can I Restrict Local User Access Type to Telnet?

The device supports multiple user access types. A user can log in to the device
only when the user access type is the same as the access type configured for the
user on the device. If you want to restrict the user access type to Telnet, run the
local-user user-name service-type telnet command in the AAA view.
