01-13 User Access and Authentication Commands
Switches
Command Reference 13 User Access and Authentication Commands
13.1.2 aaa
Function
The aaa command displays the AAA view.
Format
aaa
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Using the aaa command in the system view, you can enter the AAA view and
perform the following security configurations for access users:
● Creating users
Example
# Access the AAA view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa]
Format
aaa abnormal-offline-record
undo aaa abnormal-offline-record
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If users log out abnormally, run the aaa abnormal-offline-record command to
enable the record function for fault locating.
After the undo aaa abnormal-offline-record command is run, no abnormal
logout information is recorded until the aaa abnormal-offline-record command
is run again.
Example
# Enable the device to record users' abnormal logout information.
<HUAWEI> system-view
[HUAWEI] aaa abnormal-offline-record
Format
aaa offline-record
undo aaa offline-record
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If users fail to get online, run the aaa offline-record command to enable the
record function for fault locating.
After the undo aaa offline-record command is run, no logout information is
recorded until the aaa offline-record command is run again.
Example
# Enable the device to record users' normal logout information.
<HUAWEI> system-view
[HUAWEI] aaa offline-record
Function
The aaa online-fail-record command enables the device to record users' online
failures.
The undo aaa online-fail-record command disables the device from recording
users' online failures.
Format
aaa online-fail-record
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If you want to query the login failure records to find out unauthorized users, run
the aaa online-fail-record command to enable the device to record users' online
failures.
Example
# Enable the device to record users' online failures.
<HUAWEI> system-view
[HUAWEI] aaa online-fail-record
13.1.6 aaa-authen-bypass
Function
The aaa-authen-bypass command sets the bypass authentication timeout
interval.
The undo aaa-authen-bypass command cancels the bypass authentication
timeout interval.
By default, no bypass authentication timeout interval is set.
Format
aaa-authen-bypass enable time time-value
undo aaa-authen-bypass enable
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command applies to scenarios that require a fast authentication response.
Consider a user domain in which multiple authentication modes (for example,
RADIUS authentication and local authentication) are configured, bypass
authentication is enabled, and a bypass authentication timeout interval is set.
If the RADIUS server does not respond to a user's authentication request, the
user is authenticated using local authentication and the bypass authentication
timer is started at the same time. Other users in the same domain who are
authenticated while the bypass authentication timer is running are authenticated
directly using local authentication, so they do not have to wait for the RADIUS
server to respond to their authentication requests. This accelerates the
authentication response.
Precautions
When only one authentication mode is configured in a user domain and the
bypass authentication timer is enabled, other users in the same domain are
directly considered to fail the authentication during the bypass authentication
timeout interval.
Example
# Set the bypass authentication timeout interval to 3 minutes.
<HUAWEI> system-view
[HUAWEI] aaa-authen-bypass enable time 3
Related Topics
13.1.7 aaa-author-bypass
13.1.8 aaa-author-cmd-bypass
13.1.7 aaa-author-bypass
Function
The aaa-author-bypass command sets the bypass authorization timeout interval.
The undo aaa-author-bypass command cancels the bypass authorization timeout
interval.
By default, no bypass authorization timeout interval is set.
Format
aaa-author-bypass enable time time-value
undo aaa-author-bypass enable
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command applies to scenarios that require a fast authorization response.
Consider a user domain in which multiple authorization modes (for example,
HWTACACS authorization and local authorization) are configured, bypass
authorization is enabled, and a bypass authorization timeout interval is set. If
the HWTACACS server does not respond to a user's authorization request, the
user is authorized using local authorization and the bypass authorization timer
is started at the same time. Other users in the same domain who are authorized
while the bypass authorization timer is running are authorized directly using
local authorization, so they do not have to wait for the HWTACACS server to
respond to their authorization requests. This accelerates the authorization
response.
Precautions
When only one authorization mode is configured in a user domain and the bypass
authorization timer is enabled, other users in the same domain are directly
considered to fail the authorization during the bypass authorization timeout
interval.
Example
# Set the bypass authorization timeout interval to 3 minutes.
<HUAWEI> system-view
[HUAWEI] aaa-author-bypass enable time 3
Related Topics
13.1.6 aaa-authen-bypass
13.1.8 aaa-author-cmd-bypass
13.1.8 aaa-author-cmd-bypass
Function
The aaa-author-cmd-bypass command sets the command-line bypass
authorization timeout interval.
Format
aaa-author-cmd-bypass enable time time-value
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
Example
# Set the command-line bypass authorization timeout interval to 3 minutes.
<HUAWEI> system-view
[HUAWEI] aaa-author-cmd-bypass enable time 3
Related Topics
13.1.6 aaa-authen-bypass
13.1.7 aaa-author-bypass
Function
The aaa-author session-timeout invalid-value enable command prevents a
device from disconnecting or reauthenticating users when the RADIUS server
delivers session-timeout with value 0.
By default, when the RADIUS server delivers session-timeout with value 0, this
attribute does not take effect.
Format
aaa-author session-timeout invalid-value enable
Parameters
None
Views
AAA view
Default Level
3: Management level
Usage Guidelines
When the RADIUS server delivers session-timeout with value 0:
Example
# Prevent the device from disconnecting or reauthenticating users when the
RADIUS server delivers session-timeout with value 0.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] aaa-author session-timeout invalid-value enable
Function
The accounting interim-fail command sets the maximum number of real-time
accounting failures and configures a policy used after the number of real-time
accounting failures exceeds the maximum.
Format
accounting interim-fail [ max-times times ] { offline | online }
Parameters
Parameter Description Value
Views
Accounting scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the real-time accounting function takes effect, the device sends real-time
accounting requests to an accounting server, and the accounting server responds
to the accounting requests. If the network is unstable, for example, a jitter occurs,
the device may not receive response packets. As a result, accounting is interrupted
for a short period of time. To reduce or prevent accounting interruption, run the
accounting interim-fail command to set the maximum number of real-time
accounting failures. The device considers that real-time accounting fails only after
the number of consecutive real-time accounting failures exceeds the maximum.
Choose one of the following policies to be applied after the maximum number of
real-time accounting failures is reached:
● online: To prevent users from being affected by network faults, use the
online policy to allow paid users to go online.
● offline: To stop providing services when accounting fails, use the offline
policy to force paid users to go offline.
Prerequisites
The real-time accounting function has been enabled by using the accounting
realtime command.
Precautions
The accounting interim-fail command does not take effect for online users, but
takes effect for the users who go online after the command is executed.
Example
# In the accounting scheme scheme1, set the maximum number of real-time
accounting failures to 5 and use the offline policy.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting realtime 3
[HUAWEI-aaa-accounting-scheme1] accounting interim-fail max-times 5 offline
Related Topics
13.1.11 accounting realtime
Format
accounting realtime interval
undo accounting realtime
Parameters
Parameter Description Value
Views
Accounting scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command applies to users who are charged based on online duration. If a
user goes offline unexpectedly, the accounting server does not receive the
accounting-stop packet, so it keeps charging the user even though the user is no
longer receiving a service. To solve this problem, configure the real-time
accounting function on the device. After real-time accounting is configured, the
device periodically sends real-time accounting packets to the accounting server,
and the accounting server charges the user on receiving them. When the device
detects that the user has gone offline, it stops sending real-time accounting
packets and the accounting server stops accounting. Real-time accounting
therefore produces accurate results.
Precautions
● When the accounting interval is set using both the accounting realtime
command and the Acct-Interim-Interval attribute, if the Acct-Interim-Interval
value range is 60-3932100, the interval set by Acct-Interim-Interval has a
higher priority. Otherwise, the interval set by the accounting realtime
command takes effect.
● If an accounting scheme is applied to a domain, the accounting realtime
command does not affect online users, but only takes effect for the users who
go online after the command is executed.
● If interval is set to 0 and the IP address of the client is changed, the device
still sends a real-time accounting packet carrying the changed IP address
information to the RADIUS server.
● A short interval for real-time accounting requires high performance of the
device and accounting server. If there are more than 1000 users, setting a
long interval for real-time accounting is recommended. The following table
lists the suggested real-time accounting intervals for different user quantities.
Number of users    Suggested real-time accounting interval (minutes)
1-99               3
100-499            6
500-999            12
≥ 1000             ≥ 15
Example
# In the accounting scheme scheme1, enable the real-time accounting function
and set the interval for real-time accounting to 6 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting realtime 6
Related Topics
13.1.10 accounting interim-fail
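The interval precedence rule and the consecutive-failure counter from accounting interim-fail (13.1.10) and accounting realtime (13.1.11), modelled as an added Python example; this is not the switch's code, and the function and class names are assumptions. Acct-Interim-Interval is carried in seconds (RFC 2869) while the accounting realtime interval is given in minutes, as in the example above.

```python
from typing import Optional

# Acct-Interim-Interval (RFC 2869) is carried in seconds; the accounting realtime
# command takes minutes, so the local value is converted before use.
ACCT_INTERIM_MIN, ACCT_INTERIM_MAX = 60, 3932100   # attribute range given in the reference


def effective_interim_interval(local_minutes: int,
                               acct_interim_interval: Optional[int]) -> int:
    """Seconds between two real-time accounting packets for one session.

    The server-delivered Acct-Interim-Interval takes priority only when it lies in
    60..3932100; otherwise (absent or out of range) the accounting realtime
    interval configured on the device applies."""
    if acct_interim_interval is not None and \
            ACCT_INTERIM_MIN <= acct_interim_interval <= ACCT_INTERIM_MAX:
        return acct_interim_interval
    return local_minutes * 60


def recommended_interval_minutes(user_count: int) -> int:
    """Suggested accounting realtime interval from the reference's table."""
    if user_count < 100:
        return 3
    if user_count < 500:
        return 6
    if user_count < 1000:
        return 12
    return 15          # the reference recommends 15 minutes or more


class InterimAccounting:
    """Per-session counter behind accounting interim-fail max-times { offline | online }.

    Only consecutive failures count; any accounting response resets the counter.
    Real-time accounting is deemed failed once the count exceeds max_times, and
    then the configured policy decides whether the paid user stays online."""

    def __init__(self, max_times: int, policy: str) -> None:
        if policy not in ("online", "offline"):
            raise ValueError("policy must be 'online' or 'offline'")
        self.max_times = max_times
        self.policy = policy
        self.consecutive_failures = 0
        self.user_online = True

    def on_interim_round(self, server_responded: bool) -> str:
        """Record one real-time accounting round; return the user's resulting state."""
        if server_responded:
            self.consecutive_failures = 0
            return "online"
        self.consecutive_failures += 1
        if self.consecutive_failures > self.max_times:
            if self.policy == "offline":
                self.user_online = False        # user is forced offline
                return "offline"
            return "online-accounting-failed"   # online policy: keep serving the user
        return "online"                         # still within the tolerated failures
```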
By default, users cannot go online if accounting-start fails. That is, the offline
policy is used.
Format
accounting start-fail { offline | online }
undo accounting start-fail
Parameters
Parameter Description Value
Views
Accounting scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a user goes online after an accounting scheme is applied, the device sends an
accounting-start packet to an accounting server. When the network is working
properly, the accounting server responds to the accounting-start packet. If a fault
occurs on the network, the device may not receive the response packet from the
accounting server. As a result, accounting fails. The device provides the following
policies for accounting failures:
● online: To prevent users from being affected by network faults, use the
online policy to allow paid users to go online.
● offline: To stop providing services when accounting fails, use the offline
policy to force paid users to go offline.
Precautions
The command takes effect only when the accounting mode configured using the
13.1.13 accounting-mode command is HWTACACS or RADIUS.
Example
# In the accounting scheme scheme1, use the online policy for accounting-start
failures.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting start-fail online
13.1.13 accounting-mode
Function
The accounting-mode command configures an accounting mode in an
accounting scheme.
Format
accounting-mode { hwtacacs | none | radius }
undo accounting-mode
Parameters
Parameter Description Value
Views
Accounting scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user goes online, accounting starts after the user is authenticated and
authorized. When the user goes offline, accounting stops. The client sends the
account packet containing the user's online duration to the accounting server.
To charge users, set the accounting mode to RADIUS or HWTACACS. Generally, the
accounting mode is consistent with the authentication mode. If you do not need
to charge users, set the accounting mode to none.
Precautions
The device does not support local accounting. When the authentication scheme
configured using the 13.1.18 authentication-mode (authentication scheme
view) command defines local authentication, you need to run the accounting-
mode none command to configure non-accounting or run the 13.1.12
accounting start-fail command to configure a policy for accounting-start failures.
Follow-up Procedure
Apply the accounting scheme to a domain to enable the device to charge the
users in the domain using the 13.1.47 domain (AAA view) command.
Example
# Set the accounting mode to RADIUS in the accounting scheme scheme1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting-mode radius
Format
accounting-scheme accounting-scheme-name
undo accounting-scheme
Parameters
Parameter Description Value
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To charge users in a domain, create an accounting scheme and perform
configurations in the accounting scheme, for example, set the accounting mode
and policy for accounting-start failures. Run the accounting-scheme command in
the AAA domain view to apply the accounting scheme to the domain.
Prerequisites
An accounting scheme has been created and configured using the 13.1.15
accounting-scheme (AAA view) command. For example, the accounting mode
and policy for accounting-start failures have been configured.
Example
# Apply the accounting scheme account1 to the domain isp1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme account1
[HUAWEI-aaa-accounting-account1] quit
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] accounting-scheme account1
Related Topics
13.1.15 accounting-scheme (AAA view)
13.1.35 display accounting-scheme
Format
accounting-scheme accounting-scheme-name
undo accounting-scheme accounting-scheme-name
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To charge users in a domain, create and configure an accounting scheme, for
example, the accounting mode and policy for accounting-start failures. Run the
accounting-scheme command in the AAA domain view to apply the accounting
scheme to the domain.
Follow-up Procedure
After an accounting scheme is created:
● Run the accounting interim-fail command to set the maximum number of
real-time accounting failures and configure a policy used after a real-time
accounting failure.
● Run the accounting realtime command to enable the real-time accounting
function and set the interval for real-time accounting in an accounting
scheme.
● Run the accounting start-fail command to configure a policy for accounting-
start failures.
● Run the accounting-mode command to configure an accounting mode in an
accounting scheme.
After an accounting scheme is configured, run the 13.1.14 accounting-scheme
(AAA domain view) command in the AAA domain view to apply the accounting
scheme to a domain.
Precautions
If the configured accounting scheme does not exist, the accounting-scheme
command in the AAA view creates an accounting scheme and displays the
accounting scheme view. If the configured accounting scheme already exists, the
accounting-scheme command in the AAA view displays the accounting scheme
view directly.
To delete an accounting scheme applied to a domain, run the undo accounting-
scheme (AAA domain view) command.
Example
# Create an accounting scheme named scheme1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1]
Related Topics
13.1.14 accounting-scheme (AAA domain view)
Function
The admin-user privilege level command configures a user as an administrator
to log in to the device and sets the user level.
The undo admin-user privilege level command cancels the default user level.
By default, the user level is not configured.
Format
admin-user privilege level level
undo admin-user privilege level
Parameters
Parameter Description Value
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device provides hierarchical management of commands. A command has a
level, and a user can run only the commands of the same level or lower levels. By
using the admin-user privilege level command to set the user level, the device
controls commands used by users.
By default, commands are classified into the following levels:
● Level 0 (visit level): Commands at level 0 include diagnosis commands such as
ping and tracert commands and commands that are used to access a remote
device such as the Telnet client. Commands at level 0 cannot be used to save
configuration files.
● Level 1 (monitoring level): Commands at level 1 are used for system
maintenance, including display commands. Commands at level 1 cannot be
used to save configuration files.
● Level 2 (configuration level): Commands at level 2 are used for service
configuration, including routing commands and commands at each network
layer to provide network services for users.
● Level 3 (management level): Commands at level 3 are used for basic
operations of the system to support services, including file system, FTP, Trivial
File Transfer Protocol (TFTP), configuration file switching commands, slave
board control commands, user management commands, command level
configuration commands, and debugging commands.
For finer-grained user management, you can expand the command levels to levels
0 to 15. Run the command-privilege level command to upgrade command levels in
a batch, or run the command-privilege level rearrange command to upgrade
levels.
The local user level is used only when the remote authentication server is faulty.
If the remote authentication server responds to authentication requests but does
not deliver user levels, the configured local user level does not take effect.
The device can update the configuration in a domain dynamically. After a service
scheme is applied to a domain, you can directly modify the user level in the
service scheme but cannot unbind the service scheme from the domain. To delete
the service scheme, run the undo service-scheme (AAA domain view) command.
Follow-up Procedure
Run the display service-scheme command to view the user level in a service
scheme.
Example
# Configure a user as an administrator to log in to the device and set the
administrator level to 15.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] admin-user privilege level 15
Related Topics
13.1.45 display service-scheme
13.1.54 local-user
13.1.82 service-scheme (AAA view)
2.5.27 user privilege
Function
The authentication ipv6-statistics enable command enables IPv6 traffic statistics
collection.
NOTE
Format
authentication ipv6-statistics enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the statistic enable (AAA domain view) command is run to collect user
traffic statistics, the switch does not collect statistics on IPv6 traffic by default. To
enable IPv6 traffic statistics collection, run the authentication ipv6-statistics
enable command.
Precautions
● The switch does not support IPv6 traffic statistics collection for Layer 2 Portal
authentication users and user terminals with one MAC address and multiple
IP addresses.
● The switch does not support IPv6 traffic statistics collection for Layer 3 Portal
authentication users.
Example
# Enable IPv6 traffic statistics collection.
<HUAWEI> system-view
[HUAWEI] authentication ipv6-statistics enable
Function
The authentication-mode command configures an authentication mode for an
authentication scheme.
The undo authentication-mode command restores the default authentication
mode in an authentication scheme.
By default, local authentication is used.
Format
authentication-mode { hwtacacs | local | radius } * [ none ]
authentication-mode none
undo authentication-mode
Parameters
Parameter Description Value
hwtacacs: Authenticates users using an HWTACACS server. To perform HWTACACS
authentication, configure an HWTACACS authentication server in an HWTACACS
server template. Value: -
local: Authenticates users locally. Value: -
radius: Authenticates users using a RADIUS server. To perform RADIUS
authentication, configure a RADIUS authentication server in a RADIUS server
template. Value: -
none: Indicates non-authentication. That is, users access the network without
being authenticated. Value: -
Views
Authentication scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Normally, if the remote server is down or does not respond, local authentication
is used. If a large number of users need to go online through the device, the
device may be unable to process responses from the server in a timely manner. As
a result, the AAA module of the device cannot receive responses from the server
until the protection timer expires. These users then cannot go online and cannot
be authenticated using local authentication. In this case, reconnect these
offline users to the device.
NOTE
● When both RADIUS authentication and non-authentication are configured, if the user
fails the RADIUS authentication, non-authentication cannot be used. As a result, a user
fails to log in.
● If you run the authentication-mode command to configure non-authentication and run
the authentication-mode (user interface view) command to configure AAA
authentication, the device does not allow administrators to log in from the user
interface view.
Precautions
If non-authentication is configured using the authentication-mode command,
users can pass the authentication using any user name or password. Therefore, to
protect the device and improve network security, you are advised to enable
authentication, allowing only authenticated users to access the device or network.
Example
# Configure the authentication scheme named scheme1 to use RADIUS
authentication.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-mode radius
Function
The authentication-scheme command applies an authentication scheme to a
domain.
The undo authentication-scheme command restores the default configuration of
the authentication scheme in a domain.
By default, the authentication scheme named radius is applied to the default
domain, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to other domains.
Format
authentication-scheme scheme-name
undo authentication-scheme
Parameters
Parameter Description Value
scheme-name: Specifies the name of an authentication scheme. Value: the value
must be an existing authentication scheme name.
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To authenticate users in a domain, run the authentication-scheme (AAA domain
view) command to apply an authentication scheme to a domain.
Prerequisites
An authentication scheme has been created and configured with required
parameters, for example, the authentication mode and authentication mode for
upgrading user levels.
Example
# Apply the authentication scheme named scheme1 to a domain named
domain1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1] authentication-scheme scheme1
Related Topics
13.1.20 authentication-scheme (AAA view)
13.1.37 display authentication-scheme
Function
The authentication-scheme command creates an authentication scheme and
displays its view.
The undo authentication-scheme command deletes an authentication scheme.
By default, the default authentication scheme is used. This default authentication
scheme can be modified but cannot be deleted. In the default authentication
scheme:
● Local authentication is used.
● The offline policy is used for authentication failures.
By default, the system also provides the authentication scheme radius. The radius
authentication scheme can be modified, but cannot be deleted. In the radius
authentication scheme:
● RADIUS authentication is used.
● The offline policy is used for authentication failures.
Format
authentication-scheme scheme-name
undo authentication-scheme scheme-name
Parameters
Parameter Description Value
scheme-name: Specifies the name of an authentication scheme. Value: a string of
1 to 32 case-sensitive characters. It cannot contain spaces or the following
symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To authenticate users, run the authentication-scheme command to create an
authentication scheme. Creating an authentication scheme is necessary before
performing authentication-relevant configurations.
Follow-up Procedure
After an authentication scheme is created, run the authentication-mode
(authentication scheme view) command to configure an authentication mode in
an authentication scheme.
After an authentication scheme is configured, run the authentication-scheme
(AAA domain view) command to apply the authentication scheme to a domain.
Precautions
If the configured authentication scheme does not exist, the authentication-
scheme command creates an authentication scheme and displays the
authentication scheme view. If the configured authentication scheme already
exists, the authentication-scheme command directly displays the authentication
scheme view.
To delete an authentication scheme applied to a domain, run the undo
authentication-scheme (AAA domain view) command.
Example
# Create an authentication scheme named newscheme.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme newscheme
[HUAWEI-aaa-authen-newscheme]
Related Topics
13.1.19 authentication-scheme (AAA domain view)
13.1.37 display authentication-scheme
13.1.21 authentication-super
Function
The authentication-super command configures an authentication mode for
upgrading user levels in an authentication scheme.
The undo authentication-super command restores the default authentication
mode for upgrading user levels in an authentication scheme.
By default, the super mode is used. That is, local authentication is used.
Format
authentication-super { hwtacacs | radius | super } * [ none ]
authentication-super none
undo authentication-super
Parameters
Parameter Description Value
Views
Authentication scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If users in a domain need to upgrade their levels, the device requests the users to
enter the password to authenticate the users. If AAA authentication has been
configured using the authentication-mode (user interface view) command, run
the authentication-super command to configure an authentication mode for
upgrading user levels.
When you use the super command to switch a user level to a lower level or the
same level, no authentication is required. When you use the super command to
switch a user level to a higher level, authentication is required. The user can be
granted rights only after being authenticated.
● If super is used and the local authentication is specified, run the local-user
command in the AAA view to create a local user and set parameters for the
local user.
● If hwtacacs is used and the HWTACACS authentication is specified, perform
configurations relevant to HWTACACS authentication.
● If radius is used and the RADIUS authentication is specified, perform
configurations relevant to RADIUS authentication.
● If none is used, no authentication is required.
Precautions
If multiple authentication modes are configured in an authentication scheme,
these authentication modes are used in the sequence in which they were
configured. The device uses another authentication mode only when it does not
receive any response in the current authentication. The device does not switch to
another authentication mode if the user fails to pass one authentication mode.
Example
# Set the authentication mode to HWTACACS authentication in the authentication
scheme scheme1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-super hwtacacs
Related Topics
2.5.3 authentication-mode (user interface view)
13.1.19 authentication-scheme (AAA domain view)
13.1.20 authentication-scheme (AAA view)
13.1.37 display authentication-scheme
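The bypass timer described under aaa-authen-bypass (13.1.6) and the mode-sequence rule in the precautions above follow one logic, modelled here as an added Python example that is not the switch's code: modes are tried in configured order, only a non-response moves on to the next mode, a non-response from the remote server starts the bypass timer, and while the timer runs users go straight to local authentication, or fail directly when no local mode is configured. The class name, the backend callables and the injectable clock are assumptions made for the example.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# A backend returns "accept", "reject", or None for "no response" (timeout).
AuthFn = Callable[[str, str], Optional[str]]


class BypassAuthDomain:
    """One user domain: an ordered authentication chain plus the bypass timer.

    modes    - configured order, e.g. ["radius", "local"]
    backends - mode name -> function(user, password) -> "accept" | "reject" | None
    bypass_minutes - the aaa-authen-bypass enable time value, or None if not set
    clock    - injectable for testing (defaults to a monotonic clock)"""

    def __init__(self, modes: List[str], backends: Dict[str, AuthFn],
                 bypass_minutes: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.modes = list(modes)
        self.backends = backends
        self.bypass_seconds = bypass_minutes * 60 if bypass_minutes else None
        self.clock = clock
        self.bypass_until = 0.0            # timer not running

    def bypass_active(self) -> bool:
        return self.bypass_seconds is not None and self.clock() < self.bypass_until

    def authenticate(self, user: str, password: str) -> Tuple[str, str]:
        """Return (verdict, path), where path names the mode that decided."""
        if self.bypass_active():
            # Timer running: other users in the domain do not wait for the server.
            if "local" in self.modes:
                verdict = self.backends["local"](user, password) or "reject"
                return verdict, "bypass-local"
            # Precaution from the reference: with only one mode configured, users
            # are considered to fail for the rest of the bypass interval.
            return "reject", "bypass-no-local"
        for mode in self.modes:
            verdict = self.backends[mode](user, password)
            if verdict is not None:
                # An explicit accept or reject ends the sequence; the device never
                # falls through to the next mode because a user was rejected.
                return verdict, mode
            # No response: fall through to the next configured mode, and start the
            # bypass timer if one is configured and the silent mode was remote.
            if mode != "local" and self.bypass_seconds is not None:
                self.bypass_until = self.clock() + self.bypass_seconds
        return "reject", "no-response"
```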
Format
authentication-type radius chap access-type admin [ ftp | ssh | telnet |
terminal | http ] *
undo authentication-type radius chap access-type admin
Parameters
Parameter Description Value
Views
Authentication scheme view
Default Level
3: Management level
Usage Guidelines
CHAP is a ciphertext-based authentication protocol. During CHAP authentication,
the NAS sends the user name, the encrypted password, and a 16-byte random code
to the RADIUS server. The RADIUS server looks up the user name in its database to
obtain the user's password, encrypts the received 16-byte random code with that
password, and compares the result with the encrypted password sent by the user
side. If they are the same, the user is authenticated; if they differ, the user
fails to be authenticated. In addition, once the user is authenticated, the
RADIUS server generates a 16-byte random code to challenge the user. CHAP is more
secure and reliable than PAP.
This function needs to be configured when the device is connected to a RADIUS
server that supports CHAP authentication.
Example
# Replace PAP authentication with CHAP authentication when RADIUS
authentication is performed on administrators who access the device using FTP.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-type radius chap access-type admin ftp
Related Topics
13.1.37 display authentication-scheme
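The CHAP exchange described above, as an added Python example that is not code from the command reference or from the switch: the NAS-side response computation and the RADIUS-server-side check as defined in RFC 1994 and RFC 2865, using constructed sample credentials and a fixed challenge so the check is reproducible.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data for this example (not from the command reference).
SAMPLE_USER = "admin01"
SAMPLE_PASSWORD = b"example-password"
SAMPLE_IDENT = 0x2A                    # CHAP Identifier chosen by the NAS


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_access_request(user_name: str, password: bytes, ident: int,
                       challenge: Optional[bytes] = None) -> Dict[str, bytes]:
    """NAS (switch) side: build the CHAP attributes of a RADIUS Access-Request.

    Only the digest travels to the server, never the cleartext password.
    CHAP-Password is the 1-octet Identifier followed by the 16-octet response
    (RFC 2865 section 5.3); CHAP-Challenge carries the 16-byte random code."""
    if challenge is None:
        challenge = os.urandom(16)
    return {
        "User-Name": user_name.encode(),
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def radius_verify(request: Dict[str, bytes], user_db: Dict[str, bytes]) -> bool:
    """RADIUS server side: look up the user's password by name, recompute the
    response over the received challenge, and compare with what the NAS sent.

    Because the response is bound to the challenge, a captured CHAP-Password
    does not verify against a different challenge."""
    password = user_db.get(request["User-Name"].decode(errors="replace"))
    if password is None:
        return False
    chap_password = request["CHAP-Password"]
    if len(chap_password) != 17:           # 1 Identifier octet + 16 MD5 octets
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, password, request["CHAP-Challenge"])
    return hmac.compare_digest(received, expected)   # constant-time compare


def demo() -> bool:
    """One exchange with the constructed credentials and a fixed challenge."""
    challenge = bytes(range(16))
    request = nas_access_request(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_IDENT, challenge)
    return radius_verify(request, {SAMPLE_USER: SAMPLE_PASSWORD})
```

Note that the server must hold the user's password in recoverable form to recompute the digest, so a CHAP user store cannot rely on one-way hashed passwords.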
13.1.23 authorization-cmd
Function
The authorization-cmd command configures command-specific authorization for
an administrator of a specific level. After command-specific authorization is
enabled and an administrator of a specific level logs in to the device, the
commands that the administrator enters can be executed only after being
authorized by the HWTACACS server.
Format
authorization-cmd privilege-level hwtacacs [ local ] [ none ]
Parameters
Parameter Description Value
privilege-level: Specifies the administrator level. Value: an integer that
ranges from 0 to 15.
hwtacacs: Indicates HWTACACS authorization. Value: -
local: Indicates local authorization. Value: -
Views
Authorization scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After being authorized, the users at a certain level can run the commands of the
same or lower levels. Command line authorization can be configured to
implement minimum user rights control. When command line authorization is
enabled, each command entered by users can be executed only after being
authorized. After command line authorization is enabled for users at a certain
level, the commands run by the users at that level must be authorized by an
HWTACACS server.
Precautions
You are advised to configure local authorization as a backup of command line
authorization. If command line authorization cannot be performed because of a
failure on an HWTACACS server, the device starts local authorization.
After the authorization-cmd command is executed, command line authorization
does not take effect immediately. Command line authorization takes effect only
when an authorization scheme containing command line authorization is applied
to administrator view correctly.
Example
# Configure command line authorization for administrators at level 2.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme1
[HUAWEI-aaa-author-scheme1] authorization-cmd 2 hwtacacs
Format
authorization-info check-fail policy { online | offline }
undo authorization-info check-fail policy
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device supports user authorization through the ACL, UCL Group, User Group
and VLAN delivered from the RADIUS server. If the ACL, UCL Group, User Group
and VLAN delivered from the RADIUS server are not configured on the device, the
authorization information check fails on the device.
You can use this command to specify whether such users are still allowed to go
online; when they are, the authorization information delivered by the RADIUS
server does not take effect.
Example
# Configure the device to allow users to go online after the authorization
information check fails.
<HUAWEI> system-view
[HUAWEI] authorization-info check-fail policy online
13.1.25 authorization-mode
Function
The authorization-mode command configures an authorization mode for an
authorization scheme.
Format
authorization-mode { hwtacacs | if-authenticated | local } * [ none ]
authorization-mode none
undo authorization-mode
Parameters
Views
Authorization scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To authorize users, configure an authorization mode in an authorization scheme.
You can configure multiple authorization modes in an authorization scheme to
reduce the chance of authorization failures.
After the authorization-mode hwtacacs local command is used, if the device fails
to connect to the HWTACACS server and HWTACACS authorization cannot be
performed, the device starts local authorization.
Precautions
● If multiple authorization modes are used in an authorization scheme, the if-
authenticated mode or none mode must be used as the last authorization
mode.
● When the authorization mode is if-authenticated or none, the user privilege
level is inherited from the user domain or is the same as that set in the VTY
user view.
● If multiple authorization modes are configured in an authorization scheme,
the authorization modes are used according to the sequence in which they
were configured. The device uses another authorization mode only when it
does not receive any response in the current authorization.
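The mode-fallback rule stated in the precautions above, and the local backup recommended for command line authorization under authorization-cmd, as an added example (not Huawei code): the next mode is consulted only when the current one gives no response, an explicit reject never falls through, and if-authenticated or none may only be last. The HWTACACS and local backends, command levels and allow list are constructed for the example.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"  # server unreachable or timed out


# Hypothetical authorization request: user, administrator level, command text.
Request = Dict[str, object]
Backend = Callable[[Request], Result]
Mode = Tuple[str, Backend]


def if_authenticated(_req: Request) -> Result:
    """if-authenticated: the user already passed authentication, so accept."""
    return Result.ACCEPT


def none_mode(_req: Request) -> Result:
    """none: no authorization is performed; everything is accepted."""
    return Result.ACCEPT


def make_hwtacacs(reachable: bool, allowed: Set[str]) -> Backend:
    """Constructed stand-in for an HWTACACS server with a per-command allow list."""
    def backend(req: Request) -> Result:
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if req["cmd"] in allowed else Result.REJECT
    return backend


def make_local(cmd_levels: Dict[str, int]) -> Backend:
    """Constructed local authorization: a level-L user may run commands whose
    level is L or lower (the 'same or lower levels' rule on this page)."""
    def backend(req: Request) -> Result:
        level = cmd_levels.get(str(req["cmd"]))
        if level is None:
            return Result.REJECT
        return Result.ACCEPT if level <= int(req["level"]) else Result.REJECT
    return backend


def validate_scheme(mode_names: List[str]) -> bool:
    """Precaution from the page: if-authenticated or none may only be last."""
    terminal = {"if-authenticated", "none"}
    return all(name not in terminal or i == len(mode_names) - 1
               for i, name in enumerate(mode_names))


def authorize(modes: List[Mode], req: Request) -> Tuple[Result, Optional[str]]:
    """Walk the modes in configured order. The next mode is consulted only when
    the current one gives no response; an explicit accept or reject is final.
    If every mode is unreachable, the request is refused (fail closed)."""
    if not validate_scheme([name for name, _ in modes]):
        raise ValueError("if-authenticated/none must be the last authorization mode")
    for name, backend in modes:
        result = backend(req)
        if result is Result.NO_RESPONSE:
            continue
        return result, name
    return Result.REJECT, None


# Constructed scenario for 'authorization-mode hwtacacs local' combined with
# 'authorization-cmd 15 hwtacacs local'.
LOCAL_LEVELS = {"display current-configuration": 3, "reboot": 3, "ping": 0}
SERVER_ALLOWS = {"ping", "display current-configuration"}


def scheme(server_reachable: bool) -> List[Mode]:
    return [("hwtacacs", make_hwtacacs(server_reachable, SERVER_ALLOWS)),
            ("local", make_local(LOCAL_LEVELS))]


if __name__ == "__main__":
    req = {"user": "admin1", "level": 15, "cmd": "reboot"}
    print(authorize(scheme(True), req))   # server answers: rejected, no fallback
    print(authorize(scheme(False), req))  # server silent: local backup decides
```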
Example
# Configure the authorization scheme named scheme1 to apply HWTACACS
authorization.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme1
[HUAWEI-aaa-author-scheme1] authorization-mode hwtacacs
Format
authorization-modify mode { modify | overlay }
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
The authorization server can deliver all or part of user authorization information,
such as the ACL rule and dynamic VLAN.
You can run the authorization-modify mode command to configure one of the
following update modes for user authorization information delivered by the
authorization server:
● modify: modification mode indicating that new user authorization
information overwrites only existing user authorization information of the
same type.
● overlay: overwriting mode indicating that new user authorization information
overwrites all existing user authorization information.
If the authorization server has delivered ACL 3001 to a user, and the administrator
needs to deliver new authorization information:
● In the modify mode, if the new authorization information is ACL 3002, the
authorization information of the user is ACL 3002. If the new authorization
information is VLAN 100, the authorization information of the user is ACL
3001 and VLAN 100.
● In the overlay mode, no matter whether the new authorization information is
ACL 3002 or VLAN 100, the authorization information of the user is the new
ACL or VLAN.
This command takes effect for only the authorization information delivered by the
RADIUS server.
After a user group or service scheme is authorized to a user on the device and a
certain attribute configured in the user group or service scheme is modified on the
server, if other configured attributes need to be modified, the authorization
information on the server must contain the previously modified attribute.
Otherwise, the original attribute value in the user group or service scheme will be
restored. For example, to modify an attribute in a user group:
1. The device authorizes the user group configured with the VLAN and ACL
attributes to a user.
2. To modify the VLAN attribute, authorize the new VLAN attribute to the user
through the RADIUS server.
3. To modify the ACL attribute after the VLAN attribute is modified, you must
authorize the modified VLAN attribute and new ACL attribute through the
RADIUS server. Otherwise, the original VLAN attribute in the user group will
be restored.
Example
# Set the update mode of user authorization information delivered by the
authorization server to modify.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-modify mode modify
Function
The authorization-scheme command applies an authorization scheme to a
domain.
Format
authorization-scheme authorization-scheme-name
undo authorization-scheme
Parameters
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
RADIUS integrates authentication and authorization; therefore, RADIUS
authorization and authentication must be used together. HWTACACS separates
authentication from authorization; therefore, you can configure another
authorization type even if HWTACACS authentication, local authentication, or
non-authentication is used.
To authorize users in a domain, run the authorization-scheme (AAA domain
view) command.
Prerequisites
An authorization scheme has been created and configured with required
parameters, for example, the authorization mode and command line
authorization.
Example
# Apply the authorization scheme author1 to the domain isp1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme author1
[HUAWEI-aaa-author-author1] quit
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authorization-scheme author1
Related Topics
13.1.28 authorization-scheme (AAA view)
13.1.38 display authorization-scheme
Format
authorization-scheme authorization-scheme-name
undo authorization-scheme authorization-scheme-name
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
RADIUS integrates authentication and authorization; therefore, RADIUS
authorization and authentication must be used together. HWTACACS separates
authentication from authorization; therefore, you can configure another
authorization type even if HWTACACS authentication, local authentication, or
non-authentication is used. You must run the authorization-scheme command to
create an authorization scheme before performing authorization-relevant
configurations, for example, setting the authorization mode and command line
authorization function.
Follow-up Procedure
After an authorization scheme is created:
● Run the authorization-mode command to configure an authorization mode
in an authorization scheme.
● Run the authorization-cmd command to configure command line
authorization for users at a certain level.
After an authorization scheme is configured, run the authorization-scheme (AAA
domain view) command to apply the authorization scheme to a domain.
Precautions
● If the configured authorization scheme does not exist, the authorization-
scheme (AAA view) command creates an authorization scheme and displays
the authorization scheme view.
● If the configured authorization scheme already exists, the authorization-
scheme (AAA view) command directly displays the authorization scheme
view.
Example
# Create an authorization scheme named scheme0.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme0
[HUAWEI-aaa-author-scheme0]
Related Topics
13.1.27 authorization-scheme (AAA domain view)
Format
cmd recording-scheme recording-scheme-name
undo cmd recording-scheme
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
During the device configuration, incorrect operations may result in network faults.
After the cmd recording-scheme command is executed, you can view records of
the commands executed on the device to locate the network faults.
Prerequisites
Example
# Configure a policy in the recording scheme scheme0 to record the commands
executed on the device.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme0] quit
[HUAWEI-aaa] cmd recording-scheme scheme0
Related Topics
13.1.43 display recording-scheme
13.1.70 recording-mode hwtacacs
13.1.71 recording-scheme
Function
The cut access-user command terminates one or more access user connections,
forcibly disconnecting the affected online users.
Format
cut access-user { domain domain-name | interface interface-type interface-
number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-
instance vpn-instance-name ] | mac-address mac-address | service-scheme
service-scheme-name | access-slot slot-id | user-id begin-number [ end-number ]
| username user-name }
cut access-user ssid ssid-name (This command is only supported by the S5720HI.)
cut access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] | ppp }
[ username user-name ]
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
The cut access-user command interrupts all services of the user whose session is
torn down.
If the character string of the user name contains spaces (for example, a b), you
can run the display access-user username "a b" command to view online users.
If the character string of the user name contains spaces and quotation marks ("")
simultaneously, you cannot use the user name to view online users. In this case,
you can run the display access-user | include username command to view the
user ID of the online user, and then run the display access-user user-id user-id
command to view the user. Alternatively, you can run the cut access-user user-id
user-id command to force the user to go offline.
Example
# Tear down the session initiated by the IP address 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user ip-address 10.1.1.1
Related Topics
13.1.34 display access-user (All views)
Function
The display aaa command displays information about normal logout, abnormal
logout, and login failures.
Format
display aaa { offline-record | abnormal-offline-record | online-fail-record } { all
| reverse-order | domain domain-name | interface interface-type interface-
number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-
instance vpn-instance-name ] | mac-address mac-address | access-slot slot-
number | time start-time end-time [ date start-date end-date ] | username user-
name [ time start-time end-time [ date start-date end-date ] ] } [ brief ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
This command allows you to view information about user normal logouts,
abnormal logouts, and login failures based on the domain name, interface, IP
address, VPN instance, MAC address, or slot ID.
Precautions
Only letters, digits, and special characters can be displayed for username.
When the value of username contains special characters or characters from
languages other than English, the device displays a dot (.) for each such
character. If more than three such characters occur consecutively, three dots
(...) are displayed. Here, the special characters are those with ASCII codes
smaller than 32 (space) or larger than 126 (~).
When the value of username is longer than 20 characters, the device displays up
to three dots (.) in place of the characters following the 19th; that is, only
22 characters are displayed.
Example
# View information about user normal logouts in domain rds.
<HUAWEI> display aaa offline-record domain rds
-------------------------------------------------------------------
User name : test@rds
Domain name : rds
Format
display aaa configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
AAA configurations are limited by system specifications. Before performing AAA
configurations, run the display aaa configuration command to check whether
there are sufficient resources.
Example
# Display the AAA summary.
<HUAWEI> display aaa configuration
Item Description
Domain Name Delimiter  Domain name delimiter, which can be any of the following characters: \ / : < > | @ ' %. The default domain name delimiter is @. To configure a domain name delimiter, run the 13.1.50 domain-name-delimiter command.
Related Topics
13.1.2 aaa
13.1.47 domain (AAA view)
Format
display aaa statistics offline-reason
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display aaa statistics offline-reason command helps you know the reason
why a user goes offline. You can locate network faults according to the command
output.
Example
# Display reasons why users go offline.
<HUAWEI> display aaa statistics offline-reason
19 User request to offline :2
87 AAA cut command :1
Format
display access-user [ domain domain-name | interface interface-type interface-
number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-
instance vpn-instance-name ] | ipv6-address ipv6-address | access-slot slot-id ]
[ detail ]
display access-user username user-name [ detail ]
display access-user ssid ssid-name (Only the S5720HI supports this command.)
display access-user [ mac-address mac-address | service-scheme service-
scheme-name | user-id user-id ]
display access-user statistics (Only the S5720HI supports this command.)
Parameters
Parameter Description Value
vlan vlan-id [ qinq qinq-vlan-id ]
  Description: Displays information about users in a VLAN.
  ● vlan-id specifies the ID of a VLAN. In QinQ applications, this parameter specifies the inner VLAN ID.
  ● qinq-vlan-id specifies the outer VLAN ID.
  In the authorized ISP VLAN scenario, you can view the user information only when the specified VLAN ID is the ISP VLAN ID.
  Value: The values of vlan-id and qinq-vlan-id are integers that range from 1 to 4094.
ssid ssid-name
  Description: Specifies the SSID for a service set.
  NOTE: SSID is supported only in the NAC unified mode.
  Value: The SSID must already exist.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
If the character string of the user name contains spaces (for example, a b), you
can run the display access-user username "a b" command to view online users.
If the character string of the user name contains spaces and quotation marks ("")
simultaneously, you cannot use the user name to view online users. In this case,
you can run the display access-user | include username command to view the
user ID of the online user, and then run the display access-user user-id user-id
command to view the user. Alternatively, you can run the cut access-user user-id
user-id command to force the user to go offline.
When displaying VPN user entries based on user IP address, you must set the vpn-
instance vpn-instance-name parameter to specify the VPN instance to which the
IP address belongs.
If user-id is specified, detailed information about the specified user is displayed. If
user-id is not specified, brief information about all online users is displayed,
including the user ID, user name, IP address, and MAC address of each user.
Only letters, digits, and special characters can be displayed for username.
When the value of username contains special characters or characters from
languages other than English, the device displays a dot (.) for each such
character. If more than three such characters occur consecutively, three dots
(...) are displayed. Here, the special characters are those with ASCII codes
smaller than 32 (space) or larger than 126 (~).
When the value of username is longer than 20 characters, the device displays up
to three dots (.) in place of the characters following the 19th; that is, only
22 characters are displayed.
When interface is specified, the device displays the connection information of
online wired users on the interface.
When querying user information based on interfaces, MAC addresses, or VLANs,
the device only displays information about 802.1X, MAC address, or Portal
authentication users.
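The username rendering rule stated in the precautions of both display aaa and display access-user, implemented as an added example (not Huawei code) under two assumptions: dot substitution is applied before the length check, and "up to three dots" means one dot per character beyond the 19th, capped at three. The second function shows why the rule matters operationally: distinct names can render identically, which is when the user-id form of the commands should be used instead.

```python
from typing import Dict, Iterable, List


def display_username(name: str) -> str:
    """Render a user name as the command output would show it.

    Assumed reading of the page's rule: characters with ASCII code < 32 or
    > 126 become '.', a run of more than three such characters collapses to
    '...', and a name longer than 20 characters keeps its first 19 followed by
    up to three dots (at most 22 characters).
    """
    rendered: List[str] = []
    run = 0  # length of the current run of non-printable characters
    for ch in name:
        code = ord(ch)
        if code < 32 or code > 126:
            run += 1
            if run <= 3:  # fourth and later characters of a run print nothing
                rendered.append(".")
        else:
            run = 0
            rendered.append(ch)
    shown = "".join(rendered)
    if len(shown) > 20:
        shown = shown[:19] + "." * min(3, len(shown) - 19)
    return shown


def display_collisions(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group distinct user names whose displayed forms are identical.

    Such names cannot be told apart in 'display aaa' or 'display access-user'
    output; address those sessions by user ID (display access-user user-id,
    cut access-user user-id) rather than by name.
    """
    by_shown: Dict[str, List[str]] = {}
    for n in names:
        by_shown.setdefault(display_username(n), []).append(n)
    return {shown: group for shown, group in by_shown.items() if len(group) > 1}


if __name__ == "__main__":
    # Constructed sample names, including one with non-English characters
    sample = ["test@rds", "a" * 25, "a" * 26, "\u7528\u62371", "ab\x01cd"]
    for n in sample:
        print(repr(n), "->", display_username(n))
    print(display_collisions(sample))
```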
Example
# Display information about user sessions on the device.
<HUAWEI> display access-user
-----------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------------------------------------
1 normal@local - 001b-21c4-3b56 Success
62 005500000001 192.168.1.121 0055-0000-0001 Open
32675 fztest - 4611-97a4-0000 Success
16019 b002404 192.168.1.2 0000-c055-0102 Success
-----------------------------------------------------------------------------------------------
Total: 4, printed: 4
NOTE
If you specify the include or exclude parameter in the command, the values of Total and
printed are still the total number of users.
AAA:
User authentication type : MAC authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
AAA:
User authentication type : None
Current authentication method : None
Current authorization method : Local
Current accounting method : None
QinQVlan/UserVlan : 0/18
User access time : 2015/02/11 21:51:58
User accounting session ID : esap_lm000000000001245e5878016032
Option82 information :-
User access type : 802.1x
Redirect ACL ID(Effective) : 3001
User Privilege : 15
AS ID :1
AS name : test
AS IP : 192.168.1.11
AS MAC : 0012-0016-4578
AS Interface : GigabitEthernet0/0/1
Terminal Device Type : Data Terminal
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
AAA:
User authentication type : MAC authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : None
Format
display accounting-scheme [ accounting-scheme-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the accounting scheme configuration is complete, run the display
accounting-scheme command to view the configuration of accounting schemes.
Before applying an accounting scheme to a domain, run the display accounting-
scheme command to check whether configuration of the accounting scheme is
correct.
Precautions
The display accounting-scheme command displays the detailed configuration if
the name of an accounting scheme is specified. Otherwise, this command displays
only the summary of accounting schemes.
Example
# Display the summary of all accounting schemes.
<HUAWEI> display accounting-scheme
-------------------------------------------------------------------
Accounting-scheme-name Accounting-method
-------------------------------------------------------------------
default None
radius-1 RADIUS
tacas-1 HWTACACS
-------------------------------------------------------------------
Total of accounting-scheme: 3
Accounting-scheme-name : default
Accounting-method : None
Realtime-accounting-switch : Disabled
Realtime-accounting-interval(min) :-
Start-accounting-fail-policy : Offline
Realtime-accounting-fail-policy : Online
Realtime-accounting-failure-retries : 3
Function
The display authentication ipv6-statistics status command displays whether
IPv6 statistics collection takes effect.
Format
display authentication ipv6-statistics status
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
After IPv6 traffic statistics collection is globally enabled using the 13.1.17
authentication ipv6-statistics enable command, you can run this command to
check whether the function takes effect.
Example
# Check whether IPv6 traffic statistics collection takes effect.
<HUAWEI> display authentication ipv6-statistics status
-------------------------------------------------------------------------------
Slot-id State
-------------------------------------------------------------------------------
6 success
8 not support
-------------------------------------------------------------------------------
Total: 2
Function
The display authentication-scheme command displays the configuration of
authentication schemes.
Format
display authentication-scheme [ authentication-scheme-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
Example
# Display the summary of all authentication schemes.
<HUAWEI> display authentication-scheme
-------------------------------------------------------------------
Authentication-scheme-name Authentication-method
-------------------------------------------------------------------
default Local
radius RADIUS
-------------------------------------------------------------------
Total of authentication scheme: 2
Authentication-scheme-name : default
Authentication-method : Local
Radius authentication-type of admin : PAP(all)
Format
display authorization-scheme [ authorization-scheme-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the authorization scheme configuration is complete, run the display
authorization-scheme command to view the configuration of authorization
schemes.
Before applying an authorization scheme to a domain, run the display
authorization-scheme command to check whether configuration of the
authorization scheme is correct.
Precautions
The display authorization-scheme command displays the detailed configuration
if the name of an authorization scheme is specified. Otherwise, this command
displays only the summary of authorization schemes.
Example
# Display the summary of all authorization schemes.
<HUAWEI> display authorization-scheme
-------------------------------------------------------------------
Authorization-scheme-name Authorization-method
-------------------------------------------------------------------
default Local
scheme0 Local
-------------------------------------------------------------------
Total of authorization-scheme: 2
Function
The display domain command displays the domain configuration.
Format
display domain [ name domain-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a domain is created by the domain command with required parameters
specified, you can run the display domain command to view the domain
configuration.
Example
# Display brief information about all domains.
<HUAWEI> display domain
-------------------------------------------------------------------------
index DomainName
-------------------------------------------------------------------------
0 default
1 default_admin
-------------------------------------------------------------------------
Total: 2
Domain-name : default
Domain-index :0
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name :-
Service-scheme-name :-
RADIUS-server-template :-
HWTACACS-server-template :-
User-group :-
Push-url-address :-
Function
The display local-user command displays information about local users.
Format
display local-user [ domain domain-name | state { active | block } | username
user-name ] *
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The display local-user command output helps you check the configuration of
local users and isolate faults related to the local users.
Precautions
If no parameter is specified, brief information about all local users is displayed. If a
parameter is specified, detailed information about the specified local user is
displayed.
Low-level users cannot view information about high-level users.
Example
# Display brief information about local users.
<HUAWEI> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
user-a A A 0
user-c A A 0
----------------------------------------------------------------------------
Total 2 user(s)
NOTE
For a local user who fails to log in to the device but is not locked, Retry-time-left is displayed.
For a local user whose initial password is changed, Change password retry-count-left is
displayed. When the number of continuous login failures or the number of initial password
change failures reaches the limit specified using the 13.1.53 local-aaa-user wrong-password
command, the user is locked.
# Display information about local user user1 who fails to log in to the device.
<HUAWEI> display local-user username user1
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : T
Privilege level :0
Ftp-directory :-
HTTP-directory :-
Access-limit :-
Accessed-num :0
Idle-timeout :-
Retry-interval : 4 Min(s)
Retry-time-left :1
Original-password : Yes
Password-set-time : 2019-01-27 13:26:55+08:00
Password-expired : No
Password-expire-time : -
Account-expire-time : -
# Display information about local user user1 whose initial password fails to be
changed.
<HUAWEI> display local-user username user1
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : T
Privilege level :0
Ftp-directory :-
HTTP-directory :-
Access-limit :-
Accessed-num :1
Idle-timeout :-
Change password retry-interval : 4 Min(s)
Change password retry-count-left: 3
Original-password : Yes
Password-set-time : 2019-01-27 13:26:55+08:00
Password-expired : No
Password-expire-time : -
Account-expire-time : -
Item Description
Change password retry-interval  Retry interval for changing the initial password of a local user before the user is locked. To configure this parameter, run the 13.1.53 local-aaa-user wrong-password command.
Related Topics
13.1.54 local-user
Function
The display local-user expire-time command displays the time when local
accounts expire.
Format
display local-user expire-time
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The command output helps you diagnose and rectify the faults related to local
user passwords.
Example
# Display the time when local accounts expire.
<HUAWEI> display local-user expire-time
-------------------------------------------------------------------------------
Username Password-expire Account-expire Expired
-------------------------------------------------------------------------------
zsh 2014-12-01 21:25:44 - NO
mm001 2014-12-01 21:29:58 - NO
-------------------------------------------------------------------------------
Total: 2, printed: 2
Related Topics
13.1.57 local-user expire-date
13.1.67 password expire
Function
The display local-aaa-user password policy command displays the password
policy of local users.
Format
display local-aaa-user password policy { access-user | administrator }
Parameters
Parameter Description Value
access-user  Indicates the password policy of local access users.  -
administrator  Indicates the password policy of local administrators.  -
Views
All views
Default Level
3: Management level
Usage Guidelines
After configuring the password policy for local users, you can run the display
local-aaa-user password policy command to check whether the configuration is
correct.
Example
# Display the password policy of local access users.
<HUAWEI> display local-aaa-user password policy access-user
Password control : Enable
Password history : Enable (history records:5)
Item Description
Password alert original  Whether the device prompts users to change their initial passwords:
● Enable
● Disable
To configure this function, run the 13.1.66 password alert original command.
Related Topics
13.1.59 local-aaa-user password policy access-user
13.1.60 local-aaa-user password policy administrator
13.1.67 password expire
13.1.65 password alert before-expire
13.1.66 password alert original
13.1.68 password history record number
Function
The display recording-scheme command displays the configuration of recording
schemes.
Format
display recording-scheme [ recording-scheme-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display recording-scheme command displays the configuration of recording
schemes.
Example
# Display the configuration of the recording scheme scheme0.
<HUAWEI> display recording-scheme scheme0
-----------------------------------------------------------------
Recording-scheme-name : scheme0
HWTACACS-template-name : tacas-1
----------------------------------------------------------------
Related Topics
13.1.70 recording-mode hwtacacs
13.1.71 recording-scheme
Format
display remote-user authen-fail [ blocked | username username ]
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the account locking function is enabled for the users who fail in AAA remote
authentication, the device records all failed accounts, including:
● The accounts that failed in authentication and are locked, for example, when
the user entered the wrong account name or password too many times.
● The accounts that failed in authentication, but are not locked, for example,
when the number of times the account name or password was entered
incorrectly did not exceed the limit.
Prerequisites
The 13.1.73 remote-aaa-user authen-fail command has been enabled to lock the
accounts that fail in remote AAA authentication.
Precautions
The device cannot back up a recorded account that fails the AAA authentication. If
an active/standby switchover policy has been configured on the device, all user
entries are cleared when the device completes an active/standby switchover.
Example
# Display all accounts that have failed in remote AAA authentication.
<HUAWEI> display remote-user authen-fail
----------------------------------------------------------------------------
Username RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)
----------------------------------------------------------------------------
test@rds 5 2 0
t@rds 0 0 5
----------------------------------------------------------------------------
Total 2, 2 printed
# Display details about the account test that failed in remote AAA authentication.
<HUAWEI> display remote-user authen-fail username test
The contents of the user:
Retry-interval : 0 Min(s)
Retry-time-left : 0
Block-time-left : 4 Min(s)
User-state : Block
Related Topics
13.1.73 remote-aaa-user authen-fail
Function
The display service-scheme command displays the configuration of service
schemes.
Format
display service-scheme [ name name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The display service-scheme command displays the configuration of service
schemes.
Before applying a service scheme to a domain, run the display service-scheme
command to check whether the service scheme is correct.
Precautions
The display service-scheme command displays the detailed configuration if the
command is executed in the service scheme view or the name of a service scheme
is specified. Otherwise, this command displays only the summary of service
schemes.
Example
# Display information about all service schemes.
<HUAWEI> display service-scheme
-------------------------------------------------------------------
service-scheme-name scheme-index
-------------------------------------------------------------------
svcscheme1 0
svcscheme2 1
-------------------------------------------------------------------
Total of service scheme: 2
service-scheme-name : svcscheme1
service-scheme-primary-dns : -
service-scheme-secondary-dns : -
service-scheme-adminlevel : 15
service-scheme-uclgroup-ID : 10
service-scheme-uclgroup-name : u1
service-scheme-acl-id : 3001
service-scheme-redirect-acl-id: 3001
service-scheme-vlan : 10
service-scheme-voicevlan : enable
Related Topics
13.1.82 service-scheme (AAA view)
Format
dns ip-address [ secondary ]
undo dns [ ip-address ]
Parameters
Parameter Description Value
ip-address Specifies the IP address of a DNS server. The value is in dotted decimal notation.
secondary Specifies the secondary DNS server. -
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
If no DNS server is specified when a local address pool, DHCP server, or RADIUS
server assigns IP addresses to users, the DNS server configured in the service
scheme view is used.
Example
# Set the IP address of the primary DNS server in the service scheme svcscheme1
to 10.10.10.1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] dns 10.10.10.1
# Set the IP address of the secondary DNS server in the service scheme
svcscheme1 to 10.10.20.1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] dns 10.10.20.1 secondary
Related Topics
13.1.45 display service-scheme
Function
The domain command creates a domain and displays its view.
By default, the device has two domains: default and default_admin. The two
domains can be modified but cannot be deleted.
Format
domain domain-name [ domain-index domain-index ]
Parameters
Parameter Description Value
domain-name Specifies the name of a domain. The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces or the following symbols: * ? ". The value cannot be - or --.
domain-index domain-index Specifies the index of a domain. The value is an integer that ranges from 0 to 31.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device can manage users through domains. A domain is the minimum user
management unit. A domain name can be an ISP name or the name of a service
provided by an ISP. A domain can use the default authorization attribute, and be
configured with a RADIUS template and authentication and accounting schemes.
If the domain to be configured already exists, the domain command displays the
domain view.
If a user that belongs to this domain is online, you cannot run the undo domain
command to delete the domain.
Prerequisites
To perform AAA for access users, you need to apply the authentication schemes,
authorization schemes, and accounting schemes in the domain view. Therefore,
authentication, authorization, and accounting schemes must be configured in the
AAA view in advance.
Precautions
● The domain default is a global default common domain for user access, for
example, NAC. By default, the domain is activated, and is bound to the
authentication scheme radius and accounting scheme default, but is not
bound to any authorization scheme.
● The domain default_admin is a global default management domain for users
who log in to the device through HTTPS, SSH, Telnet, and the Web system,
namely, administrators. By default, the domain is activated, and is bound to
the authentication scheme default and accounting scheme default, but is not
bound to any authorization scheme.
Example
# Specify the domain named domain1 and access the domain view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain domain1
[HUAWEI-aaa-domain-domain1]
Related Topics
13.1.39 display domain
Function
The domain command configures a global default domain.
The undo domain command restores the default setting.
By default, there are two global default domains: common domain default and
administrative domain default_admin. The former is used as the global default
domain of access users, while the latter as the global default domain of
administrators.
Format
Common domain default:
domain domain-name
undo domain
Administrative domain default_admin:
domain domain-name admin
undo domain admin
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the global default domain is configured, a user must be managed by the
global default domain if their domain cannot be identified.
Precautions
You must create a domain before configuring the domain as the global default
domain.
Example
# Create domain abc and configure it as the global default common domain.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain abc
[HUAWEI-aaa-domain-abc] quit
[HUAWEI-aaa] quit
[HUAWEI] domain abc
Related Topics
13.1.47 domain (AAA view)
13.1.49 domain-location
Function
The domain-location command configures the position of a domain name.
The undo domain-location command restores the default position of a domain
name.
By default, the domain name in the AAA view is placed behind the domain name
delimiter, and no position is configured in the authentication profile view.
Format
domain-location { after-delimiter | before-delimiter }
undo domain-location
Parameters
Parameter Description Value
Views
AAA view, authentication profile view
Default Level
In the AAA view, the default level is management level.
In the authentication profile view, the default level is configuration level.
Usage Guidelines
Usage Scenario
The format of a user name is user name@domain name. If before-delimiter is
specified, the format domain name@user name is used.
You can use the domain-location command only when there is no online user.
Precautions
If you run the domain-location command in the AAA view, the position of the
domain name is configured globally and the configuration takes effect for all
users. If you run the command in the authentication profile view, the
configuration takes effect only for the users connected to this authentication
profile, and only after the authentication profile is bound to a VAP profile.
Example
# Configure the domain name before the domain name delimiter.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain-location before-delimiter
Related Topics
13.1.32 display aaa configuration
13.1.50 domain-name-delimiter
Function
The domain-name-delimiter command configures a domain name delimiter.
The undo domain-name-delimiter command restores the default domain name
delimiter.
By default, the domain name delimiter in the AAA view is @, and no delimiter is
available in the authentication profile view.
Format
domain-name-delimiter delimiter
undo domain-name-delimiter
Parameters
Parameter Description Value
delimiter Specifies a single-character domain name delimiter. The value can only be one of the following characters: \ / : < > | @ ' %.
Views
AAA view, authentication profile view
Default Level
In the AAA view, the default level is management level.
Usage Guidelines
Usage Scenario
Different AAA servers may use different domain name delimiters. To ensure that
an AAA server obtains the correct user name and domain name, configure the
same domain name delimiter on the device and the AAA server.
For example, if the domain name delimiter is %, the user name of user1 in the
domain dom1 is user1%dom1 or dom1%user1.
Precautions
If you run the domain-name-delimiter command in the AAA view, the domain
name delimiter is configured globally and the configuration takes effect for all
users. If you run the command in the authentication profile view, the
configuration takes effect only for the users connected to this authentication
profile.
Example
# Configure the domain name delimiter as / in the AAA view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain-name-delimiter /
Related Topics
13.1.32 display aaa configuration
13.1.54 local-user
13.1.51 domainname-parse-direction
Function
The domainname-parse-direction command configures the direction in which a
domain name is parsed.
By default, the domain name is parsed from left to right in the AAA view, and no
parse direction is configured in the authentication profile view.
Format
domainname-parse-direction { left-to-right | right-to-left }
undo domainname-parse-direction
Parameters
Parameter Description Value
Views
AAA view, authentication profile view
Default Level
In the AAA view, the default level is management level.
In the authentication profile view, the default level is configuration level.
Usage Guidelines
Usage Scenario
In AAA implementations, users belong to different domains. A network access
server (NAS) centrally manages users in a domain. During a user's login, the NAS
parses the entered user name. A user is authenticated only when the user has the
correct user name and domain name. When configuring an AAA scheme, run the
domainname-parse-direction { left-to-right | right-to-left } command to
configure the direction in which a domain name is parsed.
Assume that the user name is username@dom1@dom2.
● If the domain-location command configures the domain name behind the
domain name delimiter:
– When left-to-right is specified, the user name is username and the
domain name is dom1@dom2.
– When right-to-left is specified, the user name is username@dom1 and
the domain name is dom2.
● If the domain-location command configures the domain name before the
domain name delimiter:
– When left-to-right is specified, the user name is dom1@dom2 and the
domain name is username.
– When right-to-left is specified, the user name is dom2 and the domain
name is username@dom1.
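The following is an added example, not device code, of how a NAS would split a login name into user name and domain name under the three settings described above (domain-name-delimiter, domain-location and domainname-parse-direction); it also covers the user1%dom1 / dom1%user1 case from the delimiter section and the fall-back to the global default domain when no domain can be identified. The DomainParseConfig, split_user_domain and resolve_domain names are assumptions made for this illustration.

```python
"""Added illustration of user name / domain name parsing on a NAS.
Not device code; class and function names are assumptions."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Delimiters the command reference lists as permitted for domain-name-delimiter.
ALLOWED_DELIMITERS = set("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainParseConfig:
    delimiter: str = "@"        # domain-name-delimiter (default: @)
    domain_after: bool = True   # domain-location after-delimiter (the default)
    left_to_right: bool = True  # domainname-parse-direction (default: left-to-right)

    def __post_init__(self):
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"unsupported delimiter {self.delimiter!r}")


def split_user_domain(login: str,
                      cfg: DomainParseConfig = DomainParseConfig()) -> Tuple[str, Optional[str]]:
    """Return (user_name, domain_name); domain_name is None when no delimiter is present."""
    if cfg.delimiter not in login:
        return login, None
    # left-to-right splits at the first delimiter, right-to-left at the last one,
    # so a name such as username@dom1@dom2 keeps the extra delimiter on one side.
    if cfg.left_to_right:
        left, right = login.split(cfg.delimiter, 1)
    else:
        left, right = login.rsplit(cfg.delimiter, 1)
    # after-delimiter: the domain is the part after the delimiter;
    # before-delimiter: the two parts swap roles.
    return (left, right) if cfg.domain_after else (right, left)


def resolve_domain(login: str,
                   cfg: DomainParseConfig = DomainParseConfig(),
                   default_domain: str = "default") -> Tuple[str, str]:
    """Assign the user to the parsed domain, or to the global default domain
    when no domain name can be identified from the login."""
    user, domain = split_user_domain(login, cfg)
    return user, (domain if domain else default_domain)
```

Because the device and the AAA server must agree on delimiter, position and parse direction, running this function with both sides' settings on a sample login is a quick way to confirm that the server will see the user name the device intends.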
Precautions
When the command is executed in the AAA view, the configuration takes effect for
all users. When the command is executed in the authentication profile, the
configuration takes effect for only the users connected to this authentication
profile.
Example
# Configure the device to parse a domain name from right to left in the AAA view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domainname-parse-direction right-to-left
Related Topics
13.1.32 display aaa configuration
Function
The idle-cut command enables the idle-cut function for domain users and sets
the idle-cut parameters.
Format
idle-cut idle-time flow-value [ inbound | outbound ]
undo idle-cut
Parameters
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
A user who generates little or no network traffic for a long time still occupies
bandwidth, which reduces the access rate of other users. The idle-cut function
disconnects users whose traffic volume stays below the traffic threshold for the
whole idle time, saving resources and improving the service experience of other users.
Precautions
● The idle-cut command configured in the service scheme view takes effect
only for administrators.
Example
# Enable the idle-cut function for the domain, and set the idle time to 1 minute
and the traffic threshold to 10 kbytes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] idle-cut 1 10
Related Topics
13.1.45 display service-scheme
Format
local-aaa-user wrong-password retry-interval retry-interval retry-time retry-
time block-time block-time
undo local-aaa-user wrong-password
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Example
# Enable local account locking, and set the authentication retry interval to 5
minutes, maximum number of consecutive incorrect password attempts to 3, and
account locking period to 5 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
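The following is an added example, not device code, that models the locking behaviour this command configures (and the RetryTimeLeft / BlockTime figures that display remote-user authen-fail reports above). The LockoutPolicy class and its counting rule are assumptions made for this illustration: wrong passwords are counted within a retry-interval window, reaching retry-time failures blocks the account for block-time minutes, and a correct password outside a block clears the counter. Times are minutes on a monotonic clock.

```python
"""Added illustration of local account locking (retry-interval / retry-time / block-time).
Not device code; class, method names and the exact counting rule are assumptions."""

from dataclasses import dataclass, field
from typing import Dict


@dataclass
class _AccountState:
    failures: int = 0           # consecutive failures in the current window
    window_start: float = 0.0   # minute at which the current window began
    blocked_until: float = 0.0  # minute until which the account stays blocked


@dataclass
class LockoutPolicy:
    retry_interval: int = 5     # minutes (retry-interval)
    retry_time: int = 3         # allowed consecutive failures (retry-time)
    block_time: int = 5         # minutes (block-time)
    _state: Dict[str, _AccountState] = field(default_factory=dict)

    def is_blocked(self, user: str, now: float) -> bool:
        st = self._state.get(user)
        return st is not None and now < st.blocked_until

    def _window_active(self, st: _AccountState, now: float) -> bool:
        return st.failures > 0 and now - st.window_start < self.retry_interval

    def record_failure(self, user: str, now: float) -> bool:
        """Register a wrong password at minute `now`; returns True if the account is blocked."""
        st = self._state.setdefault(user, _AccountState())
        if self.is_blocked(user, now):
            return True
        if not self._window_active(st, now):     # window expired: count afresh
            st.failures, st.window_start = 0, now
        st.failures += 1
        if st.failures >= self.retry_time:
            st.blocked_until = now + self.block_time
            st.failures = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Register a correct password; returns False if the login must still be refused."""
        if self.is_blocked(user, now):
            return False
        self._state.pop(user, None)
        return True

    def status(self, user: str, now: float) -> dict:
        """Figures of the kind shown by display remote-user authen-fail."""
        st = self._state.get(user, _AccountState())
        block_left = max(0.0, st.blocked_until - now)
        retry_left = (self.retry_time - st.failures) if self._window_active(st, now) else self.retry_time
        return {"retry_time_left": retry_left, "block_time_left": block_left}
```

The model makes the trade-off visible: a short block-time limits how long a legitimate administrator is locked out after typos, while a long retry-interval keeps slow, spaced-out guessing from escaping the counter.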
13.1.54 local-user
Function
The local-user command creates a local user and sets parameters of the local
user.
The undo local-user command deletes a local user.
By default, one local user exists in the system. It uses the irreversible encryption
algorithm, has level 15, and has the service types http and terminal. The default
user name and password are available in S Series Switches Default Usernames and
Passwords (Enterprise Network or Carrier). If you have not obtained the access
permission for the document, see Help on the website to find out how to obtain it.
Format
local-user user-name { password { cipher | irreversible-cipher } password |
access-limit max-number | ftp-directory directory | idle-timeout minutes
[ seconds ] | privilege level level | state { block | active } | user-group group-
name } *
local-user user-name http-directory directory
undo local-user user-name [ access-limit | ftp-directory | http-directory | idle-
timeout | privilege level | user-group group-name ]
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To facilitate device maintenance, run the local-user command on the device to
create a local user and set parameters such as the password, user level, and FTP
directory.
Prerequisites
Before adding a local user to a user group, ensure that the user group has been
created using the 13.5.156 user-group command.
Precautions
● For device security purposes, change the password periodically.
● Security risks exist if the user login mode is set to Telnet or FTP. You are
advised to set the user login mode to STelnet or SFTP and set the user access
type to SSH.
When a device starts without any configuration, HTTP uses a randomly
generated self-signed certificate to support HTTPS. The self-signed certificate
may bring risks. Therefore, you are advised to replace it with an officially
authorized digital certificate.
● After a local administrator logs in to the device, the administrator can create,
modify, or delete attributes of other local users of the same or a lower level.
The attributes include password, user level, maximum number of access users,
and account validity period.
After you change the rights (for example, the password, level, FTP directory,
idle timeout interval, or status) of a local account, the rights of users already
online do not change. The change takes effect when the user next goes
online.
● Online users cannot be deleted. Delete a user only after the user goes offline
or after you run the cut access-user username user-name command in the
AAA view to disconnect the user.
● The user name function may be invalid due to improper configuration of the
domain name delimiter.
● One user group can be used by multiple local users. However, a local user
belongs to only one user group. If the user groups have been configured for
the local user and in the service template, only the user group configured for
the local user takes effect. The user groups that are used by a local user or an
online user cannot be deleted.
● The idle-cut command configured in the service scheme view takes effect
only for administrators.
Example
# Create a local user user1, and set the domain name to vipdomain, the
password to admin@12345 in cipher text, the maximum number of connections
to 100, and the idle timeout interval to 10 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain password irreversible-cipher admin@12345 access-limit
100 idle-timeout 10
Related Topics
13.1.40 display local-user
Format
local-user change-password
Parameters
None
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
If you are a low-level administrator, to ensure security of the password, you can
run the local-user change-password command in the user view to change your
password after passing the authentication.
Precautions
● To modify the password, a local user must enter the old password.
● After the user that passes local authentication changes the password, the user
must type the new password to pass local authentication.
● The local-user change-password command changes the password of a local
user. It does not itself save the configuration; the changed password is saved
through the local-user password command. If the device does not receive the
old password, the new password, or the confirmed password from the user
within 30 seconds, it terminates the password change process. The process is
also terminated when the user presses Ctrl+C to cancel the change.
● A simple password of a local user may bring security risks. When a local user
changes the password, the new password must be a string of 8 to 128
characters and must contain at least two types of the following: uppercase
letters, lowercase letters, digits, and special characters. In addition, the new
password cannot be the same as the user name or the user name in a reverse
order.
Example
# The local user changes the password.
<HUAWEI> local-user change-password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter old password:
Please enter new password:
Please confirm new password:
Info: The password is changed successfully.
Function
The local-user device-type command configures the type of terminals allowed to
access the network.
The undo local-user device-type command deletes the type of terminals allowed
to access the network.
By default, the type of terminals allowed to access the network is not configured.
Format
local-user user-name device-type device-type &<1-8>
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
You can run the local-user device-type command to configure the type of
terminals allowed to access the network. In local authentication and
authorization, the device checks whether a terminal is allowed to access the
network. If so, the device checks the user name and password of the terminal.
Example
# Set the type of the terminal that local user hello uses to access the network to
iphone.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user hello device-type iphone
Function
The local-user expire-date command sets the expiration date of a local account.
The undo local-user expire-date command restores the default expiration date of
a local account.
Format
local-user user-name expire-date expire-date
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a local account is created, the account has no expiration date by default. You
can run the local-user expire-date command to set the expiration date of a local
account. When the expiration date is reached, the account expires. This
configuration enhances network security.
Precautions
● For example, if the expiration date of the local account is set to 2013-10-1,
the account becomes invalid at 00:00 on 2013-10-1.
● This function takes effect only for users who go online after this function is
successfully configured.
Example
# Set the expiration date of local account [email protected] to 2013/10/1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user [email protected] expire-date 2013/10/1
Related Topics
13.1.54 local-user
Format
local-user user-name password
NOTE
This command is an interactive command. After you enter local-user user-name password
and press Enter, you can set the password as prompted. The local user password is a string
of 8 to 128 case-sensitive characters.
Parameters
Parameter Description Value
user-name Specifies the local user name. The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
If no password is configured when a local user is created, the password is empty,
and the local user cannot log in to the device.
NOTICE
A simple local user password may bring security risks. The user password must
contain at least two of the following character types: uppercase letters, lowercase
letters, numerals, and special characters. In addition, the password cannot be the
same as the user name or the user name in reverse order.
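The following is an added example, not device code, that applies the password rules the command reference states for local users here and in the local-user change-password precautions: 8 to 128 characters, at least two of the four character types, not the user name or its reverse, and (when a password history is kept, as configured by password history record number) not a previously used password. The function names, the salted PBKDF2-HMAC-SHA256 history store and the punctuation set treated as "special characters" are assumptions made for this illustration.

```python
"""Added illustration of local user password rule checks with a password history.
Not device code; function names and the history store are assumptions."""

import hashlib
import hmac
import os
import string
from typing import List, Sequence, Tuple

SPECIAL = set(string.punctuation)        # assumed definition of "special characters"
PBKDF2_ROUNDS = 100_000
HistoryEntry = Tuple[bytes, bytes]       # (salt, digest)


def character_classes(password: str) -> int:
    """Count how many of {upper, lower, digit, special} occur in the password."""
    return (any(c.isupper() for c in password)
            + any(c.islower() for c in password)
            + any(c.isdigit() for c in password)
            + any(c in SPECIAL for c in password))


def record_password(password: str) -> HistoryEntry:
    """Store a password irreversibly so old passwords can be compared but not recovered."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_entry(password: str, entry: HistoryEntry) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(username: str, password: str,
                   history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("length must be 8 to 128 characters")
    if character_classes(password) < 2:
        problems.append("must contain at least two character types")
    if password in (username, username[::-1]):
        problems.append("must not equal the user name or its reverse")
    if any(matches_entry(password, e) for e in history):
        problems.append("must not reuse a previously used password")
    return problems


def remember(history: Sequence[HistoryEntry], password: str, record_number: int) -> List[HistoryEntry]:
    """Append the new password and keep only the last `record_number` entries.
    A record number of 0 disables the history check, as password history record number 0 does."""
    if record_number <= 0:
        return []
    return (list(history) + [record_password(password)])[-record_number:]
```

Keeping the history as salted, iterated digests rather than cleartext is what makes a reuse check safe to store alongside the account: a leaked history then reveals no usable old passwords.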
Example
# Set the password to abc@#123456 for the local account [email protected].
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user [email protected] password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password: //Enter the password abc@#123456
Please confirm password: //Confirm the password abc@#123456
Info: Add a new user.
Related Topics
13.1.40 display local-user
Function
The local-aaa-user password policy access-user command enables the password
policy for local access users and enters the local access user password policy view.
Format
local-aaa-user password policy access-user
Parameters
None
Views
AAA view
Default Level
3: Management level
Usage Guidelines
After a local user is created using the local-user command, the minimum length
and complexity of the password are limited. If you want to improve password
security, run this command to configure password policy. The new password
cannot be the same as any previously used password stored on the device.
Example
# Enable the local access user password policy and enter the local access user
password policy view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy access-user
[HUAWEI-aaa-lupp-acc]
Related Topics
13.1.68 password history record number
Function
The local-aaa-user password policy administrator command enables the
password policy for local administrators and enters the local administrator
password policy view.
Format
local-aaa-user password policy administrator
Parameters
None
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a local user is created using the local-user command, the minimum length
and complexity of the password are limited. If you want to improve password
security, you can run the following commands to configure the password policy for
the local administrators:
● Run the password expire command to set the password validity period.
● Run the password alert before-expire command to set the password
expiration prompt days.
● Run the password alert original command to enable the device to prompt
users to change initial passwords.
● Run the password history record number command to set the maximum
number of previously used passwords recorded for each user.
Precautions
In V200R010C00 and later versions, when the device starts with the default
configurations, it automatically performs the following configurations and saves
the configurations to the configuration file:
● Run the local-aaa-user password policy administrator command to enable
the password policy for local administrators.
● Run the password expire 0 command to configure the passwords of local
administrators to be permanently valid.
● Run the password history record number 0 command to configure the
device not to check whether a changed password of a local administrator is
the same as any historical password.
Example
# Enable the local administrator password policy and enter the local administrator
password policy view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin]
Related Topics
13.1.54 local-user
13.1.67 password expire
13.1.65 password alert before-expire
13.1.66 password alert original
13.1.68 password history record number
Function
The local-user service-type command sets the access type for a local user.
The undo local-user service-type command restores the default access type for a
local user.
Format
local-user user-name service-type { 8021x | api | ftp | http | ppp | ssh | telnet |
terminal | web | x25-pad } *
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the api parameter.
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device can manage access types of local users. After you specify the access
type of a user, the user can successfully log in only when the configured access
type is the same as the actual access type of the user.
Precautions
● When MAC authentication users use AAA local authentication, the device
does not match or check the access type of local users. However, the access
type must be configured; otherwise, local authentication for MAC address
authentication users fails.
● Security risks exist if the user login mode is set to Telnet or FTP. You are
advised to set the user login mode to STelnet or SFTP and set the user access
type to SSH.
When a device starts without any configuration, HTTP uses a randomly
generated self-signed certificate to support HTTPS. The self-signed certificate
may bring risks. Therefore, you are advised to replace it with an officially
authorized digital certificate.
● Common access types cannot be configured together with administrative
access types.
The API access type cannot be configured together with other access types.
If a user has been created and the password uses an irreversible encryption
algorithm, the access type can only be set to an administrative one.
If a user has been created and the password uses a reversible encryption
algorithm, the access type can be set to an administrative or common one.
When the access type is set to an administrative one, the encryption
algorithm of the password is automatically converted into an irreversible
encryption algorithm.
Example
# Set the access type of the local user user1@vipdomain to SSH.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain service-type ssh
Related Topics
13.1.54 local-user
13.1.40 display local-user
Format
local-user user-name time-range time-name
undo local-user user-name time-range
Parameters
Parameter Description Value
user-name Indicates the local account. The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks, double quotation marks, or question marks.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a local account is created, the account has no expiration date by default. To
restrict the network access time of a local account, run the local-user time-range
command. After the command is executed, the account can access network
resources only in the specified time range.
Prerequisite
The time range has been created using the 14.1.26 time-range command.
Precautions
If you run the local-user time-range and 13.1.57 local-user expire-date
commands in the AAA view multiple times, only the latest configuration takes
effect.
After the access permission time range of an online local user is changed, the
access permission time range of the user will take effect only when the user goes
online next time.
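The following is an added example, not device code, that decides whether a local account may go online under the two restrictions described in this section and in local-user expire-date: an expiration date makes the account invalid at 00:00 on that date, and a time range such as time-range huawei 9:00 to 18:00 working-day permits access only inside it. Following the precaution that only the latest of the two commands takes effect, the account holds a single validity setting. The class and function names, the reading of working-day as Monday to Friday, and treating the end time as exclusive are assumptions made for this illustration.

```python
"""Added illustration of expire-date and time-range checks for a local account.
Not device code; names, the working-day set and the exclusive end time are assumptions."""

from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Tuple, Union

WORKING_DAYS: FrozenSet[int] = frozenset(range(5))   # Monday (0) to Friday (4)


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    days: FrozenSet[int] = WORKING_DAYS

    def contains(self, moment: datetime) -> bool:
        return moment.weekday() in self.days and self.start <= moment.time() < self.end


@dataclass
class LocalAccount:
    name: str
    validity: Union[date, TimeRange, None] = None    # None: no restriction (the default)

    def set_expire_date(self, expire: date) -> None:
        self.validity = expire       # replaces any time range: the latest setting wins

    def set_time_range(self, time_range: TimeRange) -> None:
        self.validity = time_range   # replaces any expiration date


def access_allowed(account: LocalAccount, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a login attempt at `now`."""
    restriction = account.validity
    # The account becomes invalid at 00:00 on the expiration date.
    if isinstance(restriction, date) and now >= datetime.combine(restriction, time.min):
        return False, "account expired"
    if isinstance(restriction, TimeRange) and not restriction.contains(now):
        return False, "outside permitted time range"
    return True, "ok"
```

As the precaution states, the check applies at login time: an account that is already online when its validity is changed is not disconnected, so an operator who needs immediate effect still has to cut the session.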
Example
# Set the access permission time segment of local account [email protected] to
9:00-18:00 from Monday to Friday.
<HUAWEI> system-view
[HUAWEI] time-range huawei 9:00 to 18:00 working-day
[HUAWEI] aaa
[HUAWEI-aaa] local-user [email protected] time-range huawei
Related Topics
13.1.40 display local-user
Format
local-user user-name user-type netmanager
undo local-user user-name user-type netmanager
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a VTY user logging in to the device is an NMS user, you need to run this
command to set the user type. When the number of login VTY users has reached
the maximum, an NMS user can log in using the reserved VTY numbers 16-20. The
NMS user is allowed to log in to the device only after passing the AAA local
authentication.
Prerequisite
The local user has been created using the local-user command. This user must
pass the AAA local authentication.
Example
# Configure the local user user1@vipdomain as the NMS user.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain password cipher Huawei@1234
[HUAWEI-aaa] local-user user1@vipdomain user-type netmanager
Function
The outbound recording-scheme command applies a policy to a recording
scheme to record the connection information.
Format
outbound recording-scheme recording-scheme-name
undo outbound recording-scheme
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Incorrect connections may result in network faults, for example, loops. The
connection information recorded on a server helps you monitor devices. When
network faults occur, you can locate faults based on the connection information
recorded on the server.
Prerequisites
A recording scheme has been created using the recording-scheme command in
the AAA view and an HWTACACS server template has been associated with a
recording scheme using the recording-mode hwtacacs command in the recording
scheme view.
Example
# Apply a policy to the recording scheme scheme to record the connection
information.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme
[HUAWEI-aaa-recording-scheme] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme] quit
[HUAWEI-aaa] outbound recording-scheme scheme
Related Topics
13.1.43 display recording-scheme
13.1.71 recording-scheme
Format
password alert before-expire day
undo password alert before-expire
Parameters
Parameter Description Value
day Indicates how long the system displays a prompt before the password expires. If the value is set to 0, the device does not prompt users that the passwords will expire. The value is an integer that ranges from 0 to 999, in days. The default value is 30.
Views
Local administrator password policy view
Default Level
3: Management level
Usage Guidelines
When a user logs in to the device, the device checks how many more days the
password is valid for. If the number of days is less than the prompt days set in this
command, the device notifies the user in how many days the password will expire
and asks the user whether they want to change the password.
● If the user changes the password, the device records the new password and
modification time.
● If the user does not change the password or fails to change the password, the
user can still log in as long as the password has not expired.
Example
# Set the number of password expiration prompt days to 90.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password alert before-expire 90
Format
password alert original
undo password alert original
Parameters
None
Views
Local administrator password policy view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To improve device security, use this command to enable the initial password
change prompt function. When a user logs in to the device:
● If the user enters the initial password, the device displays a message to ask
whether to change the initial password. The user can select Y or N:
– If the user selects Y to change the password, the user needs to enter the
old password, new password, and confirm password. The password can
be successfully changed only when the old password is correct and the
new password and confirm password are the same and meet
requirements (password length and complexity). After the password is
changed, the user can log in to the device successfully.
– If the user selects N or fails to change the password, and the initial
password is the default password, the device does not allow the user to
log in. If the initial password is not the default password, the device
allows the user to log in.
● If the entered password is not the initial password, the device does not display
any message and the user can successfully log in.
After the undo password alert original command is executed, the initial
password alert will be disabled, causing a security risk.
NOTE
The initial password may be the default password, the password created by a local user in
the first login, or the password changed by another user (for example, user B changes user
A's password, and user A uses the changed password to log in. The device displays a
prompt message in this situation).
Precautions
This function is only valid for Telnet users, SSH users, and terminal users.
Example
# Enable the device to prompt users to change initial passwords.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password alert original
Format
password expire day
undo password expire
Parameters
Parameter | Description | Value
day | Indicates the password validity period. If the value is 0, the password is permanently valid. | The value is an integer that ranges from 0 to 999, in days. The default value is 90.
Views
Local administrator password policy view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To improve password security, the administrator can use this command to set the
validity period for local users' passwords. When the validity period expires, the
password becomes invalid.
If the local user still uses this password to log in to the device, the device allows
the user to log in, prompts the user that the password has expired, and asks the
user whether to change the password:
● If the user selects Y, the user needs to enter the old password, new password,
and confirm password. The password can be successfully changed only when
the old password is correct and the new password and confirm password are
the same and meet requirements (password length and complexity). After the
password is changed, the user can log in to the device successfully.
● If the user selects N or fails to change the password, the user cannot log in.
Precautions
Changing the system time will affect the password validity status.
After this command is executed, the device checks whether the password expires
every minute; therefore, there may be a time difference within 1 minute.
In V200R010C00 and later versions, when the device starts with the default
configurations, it automatically performs the following configurations and saves
the configurations to the configuration file:
● Run the local-aaa-user password policy administrator command to enable
the password policy for local administrators.
● Run the password expire 0 command to configure the passwords of local
administrators to be permanently valid.
● Run the password history record number 0 command to configure the
device not to check whether a changed password of a local administrator is
the same as any historical password.
Example
# Set the password validity period to 120 days.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password expire 120
Format
password history record number number
Parameters
Parameter | Description | Value
number | Indicates the maximum number of historical passwords recorded for each user. If the value is set to 0, the device will not check whether a changed password is the same as any historical password. | The value is an integer that ranges from 0 to 12. The default value is 5.
Views
Local administrator password policy view, local access user password policy view
Default Level
3: Management level
Usage Guidelines
Precautions
When the number of recorded historical passwords reaches the maximum value,
the newest password overwrites the oldest password stored on the device.
After the historical password recording function is disabled, the device does not
record historical passwords; however, the passwords that have been stored are not
deleted.
In V200R010C00 and later versions, when the device starts with the default
configurations, it automatically performs the following configurations and saves
the configurations to the configuration file:
● Run the local-aaa-user password policy administrator command to enable
the password policy for local administrators.
● Run the password expire 0 command to configure the passwords of local
administrators to be permanently valid.
Example
# Set the maximum number of historical passwords recorded for each
administrator to 10.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password history record number 10
# Set the maximum number of historical passwords recorded for each local access
user to 10.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user password policy access-user
[HUAWEI-aaa-lupp-acc] password history record number 10
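The three local administrator password policy commands above (password alert before-expire, password expire and password history record number) interact at login and at password change. The following is an added example, not Huawei code, that models that behaviour in Python with the stated ranges and defaults; the length/complexity rule (meets_complexity) and the exact bookkeeping of the history list are assumptions, since the text does not specify them.

```python
"""Model of the local administrator password policy described above.

Added example, not Huawei code. Knobs mirror 'password expire <day>'
(0 = permanently valid), 'password alert before-expire <day>' (0 = no prompt)
and 'password history record number <n>' (0 = no recording and no reuse
check, at most 12 entries, oldest overwritten first).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_DAYS = 999
MAX_HISTORY = 12


@dataclass
class PasswordPolicy:
    expire_days: int = 90    # password expire: 0 = password permanently valid
    alert_days: int = 30     # password alert before-expire: 0 = never prompt
    history_size: int = 5    # password history record number: 0 = no check

    def __post_init__(self) -> None:
        if not 0 <= self.expire_days <= MAX_DAYS:
            raise ValueError("password expire: 0-999 days")
        if not 0 <= self.alert_days <= MAX_DAYS:
            raise ValueError("password alert before-expire: 0-999 days")
        if not 0 <= self.history_size <= MAX_HISTORY:
            raise ValueError("password history record number: 0-12")


@dataclass
class LocalAdmin:
    name: str
    password: str
    changed_on: date                                   # last modification time
    history: List[str] = field(default_factory=list)   # oldest first


def days_until_expiry(policy: PasswordPolicy, admin: LocalAdmin, today: date) -> Optional[int]:
    """None when the password is permanently valid (password expire 0)."""
    if policy.expire_days == 0:
        return None
    return (admin.changed_on + timedelta(days=policy.expire_days) - today).days


def login_status(policy: PasswordPolicy, admin: LocalAdmin, today: date) -> str:
    """'ok': log in silently; 'alert': log in and tell the user how many days are
    left; 'expired': ask for a change, and refuse the login if the user declines."""
    remaining = days_until_expiry(policy, admin, today)
    if remaining is None:
        return "ok"
    if remaining <= 0:
        return "expired"
    if policy.alert_days and remaining < policy.alert_days:
        return "alert"
    return "ok"


def meets_complexity(pw: str) -> bool:
    """Assumed stand-in for the device's length/complexity rule (not given above):
    at least 8 characters drawn from at least two character classes."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(f(c) for c in pw) for f in checks)
    return len(pw) >= 8 and classes >= 2


def change_password(policy: PasswordPolicy, admin: LocalAdmin,
                    old: str, new: str, confirm: str, today: date) -> bool:
    """Change rules from the text: old password must be correct, new and confirm
    must match and pass complexity, and, while history recording is enabled,
    the new password must differ from every recorded historical password."""
    if old != admin.password or new != confirm or not meets_complexity(new):
        return False
    if policy.history_size and new in admin.history:
        return False
    if policy.history_size:
        # record the outgoing password; once the limit is reached the newest
        # entry overwrites the oldest one (assumed bookkeeping)
        admin.history.append(admin.password)
        del admin.history[:-policy.history_size]
    # with history_size 0 nothing is recorded, but stored entries are kept
    admin.password = new
    admin.changed_on = today
    return True


def reset_history(admin: LocalAdmin) -> None:
    """reset local-user <name> password history record: entries cannot be restored."""
    admin.history.clear()
```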
13.1.69 permit-domain
Function
The permit-domain command specifies permitted domains for WLAN users.
The undo permit-domain command deletes the permitted domains of WLAN
users.
By default, no permitted domain is specified for WLAN users.
Format
permit-domain name domain-name &<1-4>
undo permit-domain { name domain-name | all }
Parameters
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Example
# Specify permitted domain dom for WLAN users to the authentication profile
john.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain dom
[HUAWEI-aaa-domain-dom] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name john
[HUAWEI-authen-profile-john] permit-domain name dom
Related Topics
13.1.47 domain (AAA view)
Format
recording-mode hwtacacs template-name
undo recording-mode
Parameters
Views
Recording scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device needs to send the records such as the executed commands, connection
information, and system events to the specified HWTACACS accounting server;
therefore, an HWTACACS server template needs to be associated with a recording
scheme.
Prerequisites
The HWTACACS server template has been created by using the 13.3.13 hwtacacs-server template command.
Example
# Associate the recording scheme scheme0 with the HWTACACS server template
tacacs1.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template tacacs1
[HUAWEI-hwtacacs-tacacs1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0] recording-mode hwtacacs tacacs1
Related Topics
13.3.3 display hwtacacs-server template
13.1.43 display recording-scheme
13.3.13 hwtacacs-server template
13.1.71 recording-scheme
13.1.71 recording-scheme
Function
The recording-scheme command creates a recording scheme and displays the
recording scheme view.
Format
recording-scheme recording-scheme-name
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a recording scheme takes effect, you can view the records such as the
executed commands, connection information, and system-level events on the
recording server. The records help you locate network faults. Because a recording
scheme needs to be associated with an HWTACACS server template, the recording
scheme is configured only when HWTACACS authentication or authorization is
performed.
Example
# Create a recording scheme scheme0.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme0
[HUAWEI-aaa-recording-scheme0]
Related Topics
13.1.29 cmd recording-scheme
13.1.43 display recording-scheme
13.1.64 outbound recording-scheme
13.1.70 recording-mode hwtacacs
13.1.85 system recording-scheme
13.1.72 redirect-acl
Function
The redirect-acl command configures the ACL used for redirection in a service
scheme.
The undo redirect-acl command deletes the ACL used for redirection in a service
scheme.
By default, no ACL for redirection is configured in the service scheme.
Format
redirect-acl { acl-number | name acl-name }
undo redirect-acl
Parameters
Parameter | Description | Value
acl-number | Specifies the number of the ACL used for redirection. | The value ranges from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users, and it must exist.
name acl-name | Specifies the name of the ACL used for redirection. | The ACL name must exist. The length ranges from 1 to 64.
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In some authentication scenarios, after users succeed in authentication, the
administrator needs to redirect HTTP/HTTPS traffic matching ACL permit rules to
the Portal authentication page where users are authenticated again.
Precautions
Before running this command, you are advised to run the 14.1.5 acl (system
view) or 14.1.4 acl name command to create an ACL.
If the ACL has not been created, either before or after this command is run, the
redirection ACL fails to be delivered.
To redirect HTTPS traffic, run the 13.4.142 portal https-redirect enable
command to configure the HTTPS redirection function.
Example
# Configure ACL 3001 for redirection in the service scheme svcscheme1.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] redirect-acl 3001
Related Topics
13.1.45 display service-scheme
Format
remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time
block-time block-time
undo remote-aaa-user authen-fail
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To ensure account security, you can enable the device to lock the accounts that
fail remote AAA authentication. If a user enters an incorrect account or password
more than the maximum number of consecutive authentication failures within the
given period, the account is locked. After the locking period, the account is unlocked.
Precautions
● This command is valid only for remote AAA authentication and is invalid for
local authentication.
● In scenarios where an active/standby switchover is performed, the originally
locked account is automatically unlocked.
● After the remote AAA authentication account locking function is disabled
using the undo remote-aaa-user authen-fail command, the originally locked
account is automatically unlocked.
Example
# Enable the remote AAA account locking function, and set the authentication
retry interval to 5 minutes, maximum number of consecutive authentication
failures to 3, and account locking period to 5 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 5
Related Topics
13.1.44 display remote-user authen-fail
13.1.74 remote-user authen-fail unblock
Function
The remote-user authen-fail unblock command unlocks remote AAA
authentication accounts.
Format
remote-user authen-fail unblock { all | username username }
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
You may need to unlock remote AAA authentication accounts in the following
situations:
● When a user enters an incorrect user name or password fewer times than the
maximum permitted, run the remote-user authen-fail unblock command to
unlock the user and delete the incorrect record of the user from the device.
● When a user is incorrectly locked or needs to be unlocked due to special
reasons, run the remote-user authen-fail unblock command to unlock the
user.
Example
# Unlock the remote AAA authentication account test.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] remote-user authen-fail unblock username test
Related Topics
13.1.44 display remote-user authen-fail
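The remote-aaa-user authen-fail and remote-user authen-fail unblock commands above describe a failure-counting window, a lock period and the ways a lock is cleared. The following is an added example, not Huawei code, that models that logic in Python so the interaction of retry-interval, retry-time and block-time can be checked on sample timestamps; reading "more than the maximum number" as "lock on the (retry-time + 1)th failure" and clearing the failure record once a lock expires are assumptions.

```python
"""Model of remote AAA account locking as described above.

Added example, not Huawei code. Policy values mirror
'remote-aaa-user authen-fail retry-interval <m> retry-time <n> block-time <m>':
failures are counted inside a sliding window of retry-interval minutes, the
account is locked for block-time minutes once the count exceeds retry-time,
and a successful login, the unblock command or an active/standby switchover
clears the record. Local authentication is out of scope, as in the text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthFailPolicy:
    retry_interval: int   # minutes: window in which consecutive failures count
    retry_time: int       # maximum number of consecutive failures tolerated
    block_time: int       # minutes the account stays locked


@dataclass
class FailRecord:
    failures: List[datetime] = field(default_factory=list)
    blocked_until: Optional[datetime] = None


class RemoteAuthGuard:
    def __init__(self, policy: AuthFailPolicy) -> None:
        self.policy = policy
        self.records: Dict[str, FailRecord] = {}

    def is_blocked(self, user: str, now: datetime) -> bool:
        rec = self.records.get(user)
        if rec is None or rec.blocked_until is None:
            return False
        if now >= rec.blocked_until:
            # block-time has elapsed: the account unlocks by itself
            del self.records[user]
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register one failed remote authentication; True if the account is locked."""
        if self.is_blocked(user, now):
            return True
        rec = self.records.setdefault(user, FailRecord())
        window_start = now - timedelta(minutes=self.policy.retry_interval)
        # keep only failures inside the retry-interval window, then add this one
        rec.failures = [t for t in rec.failures if t >= window_start] + [now]
        if len(rec.failures) > self.policy.retry_time:
            rec.blocked_until = now + timedelta(minutes=self.policy.block_time)
            rec.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self.records.pop(user, None)

    def unblock(self, user: Optional[str] = None) -> None:
        """remote-user authen-fail unblock { all | username <user> }: unlocks the
        account and deletes its failure record, even if it was not locked yet."""
        if user is None:
            self.records.clear()
        else:
            self.records.pop(user, None)

    def switchover(self) -> None:
        """Active/standby switchover: originally locked accounts are unlocked."""
        self.records.clear()

    def display(self) -> List[Tuple[str, int, Optional[datetime]]]:
        """Rows in the spirit of 'display remote-user authen-fail':
        (user, failures in the current window, lock expiry or None)."""
        return [(u, len(r.failures), r.blocked_until) for u, r in self.records.items()]
```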
Function
Using the reset aaa command, you can clear records of abnormal offline, user
offline and failure to get online.
Format
reset aaa { abnormal-offline-record | offline-record | online-fail-record }
Parameters
Parameter | Description | Value
abnormal-offline-record | Clears records of user abnormal offline. | -
Views
System view
Default Level
3: Management level
Usage Guidelines
This command allows you to clear records of user offline, abnormal offline, and
failure to get online. After the records are cleared, the function of recording
information is enabled.
Example
# Clear user offline records.
<HUAWEI> system-view
[HUAWEI] reset aaa offline-record
Format
reset aaa statistics offline-reason
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can use the reset aaa statistics offline-reason command to delete the
statistics about reasons why users go offline, and then collect new statistics.
Example
# Clear the statistics about reasons why users go offline.
<HUAWEI> reset aaa statistics offline-reason
Function
The reset access-user statistics command deletes the statistics on access user
authentication.
Format
reset access-user statistics
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When diagnosing and locating faults related to access user authentication, you
need to collect statistics on user login and logout information within a period of
time. Before the statistics collection, you can run the reset access-user statistics
command to clear the historical statistics, and then run the display access-user
statistics command to view the current statistics.
Example
# Delete the statistics on access user authentication.
<HUAWEI> reset access-user statistics
Function
The reset local-user password history record command clears historical
passwords stored for the local user.
Format
reset local-user [ user-name ] password history record
Parameters
Parameter | Description | Value
user-name | Clears the historical passwords of the specified user. | The local user must exist on the device.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the administrator wants to record historical passwords of local users again, this
command can be used to clear existing historical passwords.
Precautions
After this command is used, all historical passwords on the device are deleted and
cannot be restored. This operation has security risks, so exercise caution when
using it.
Example
# Clear historical passwords of all local users.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] reset local-user password history record
Related Topics
13.1.68 password history record number
Format
security-name enable
Parameters
None
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Some special clients use user names in the format of
username@domain*securitystring in which a security string and a security string
delimiter (*) are added to the user name. To ensure that the AAA server can
identify such user names, run the security-name enable command to enable the
security string function on the device. When sending a user name to the AAA
server, the device deletes *securitystring and only uses username@domain for
authentication.
Example
# Enable the security string function.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] security-name enable
13.1.80 security-name-delimiter
Function
The security-name-delimiter command configures a delimiter for a security
string.
By default, the delimiter for a security string in the AAA view is *, and no delimiter
is available in the authentication profile view.
NOTE
This command only applies to 802.1X users. If the CHAP or PAP authentication is configured
for 802.1X users, the device removes the security string, but does not encapsulate it into the
HW-SecurityStr attribute. If the EAP authentication is configured for 802.1X users, the
device removes the security string and encapsulates it into the HW-SecurityStr attribute.
This function is supported only by S5720HI.
Format
security-name-delimiter delimiter
undo security-name-delimiter
Parameters
Views
AAA view, authentication profile view
Default Level
In the AAA view, the default level is management level.
In the authentication profile view, the default level is configuration level.
Usage Guidelines
Usage Scenario
Some STAs may use the user name in the format of
username@domain*securitystring. * is the security string delimiter. To enable the
AAA server to identify this type of user name, you need to configure a delimiter
for a security string on the device. In this way, when sending the user name to the
AAA server, the device deletes the *securitystring and only uses
username@domain for authentication.
Precautions
When the command is executed in the AAA view, the configuration takes effect for
all users. When the command is executed in the authentication profile view, the
configuration takes effect only for the users connected to this authentication
profile.
The delimiter for a security string cannot be the same as the domain name
delimiter.
If you run the security-name-delimiter command in the AAA view, the delimiter
for a security string is configured globally.
Example
# Configure the delimiter for a security string as / in the AAA view.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] security-name-delimiter /
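Both the security-name enable and security-name-delimiter commands above make the device strip "delimiter + security string" from user names before authentication, and the note on 802.1X says where the stripped string goes. The following is an added example, not Huawei code, that models that handling in Python; the domain-name delimiter "@", the precedence of the authentication-profile delimiter over the AAA-view one, and the attribute names used for the RADIUS fields are assumptions.

```python
"""Security-string handling for user names of the form username@domain*securitystring.

Added example, not Huawei code. The device strips '<delimiter>securitystring'
before sending the name to the AAA server; the delimiter must differ from the
domain-name delimiter; for 802.1X EAP the stripped string is carried in the
HW-SecurityStr attribute, for CHAP/PAP it is simply dropped.
"""
from typing import Dict, Optional, Tuple

DOMAIN_DELIMITER = "@"   # assumed domain-name delimiter


def validate_delimiter(delim: str) -> str:
    """Enforce the precaution that the security string delimiter cannot be the
    same as the domain name delimiter (single character assumed)."""
    if len(delim) != 1:
        raise ValueError("delimiter must be a single character")
    if delim == DOMAIN_DELIMITER:
        raise ValueError("delimiter cannot be the same as the domain name delimiter")
    return delim


def effective_delimiter(global_delim: Optional[str], profile_delim: Optional[str]) -> Optional[str]:
    """Assumed precedence: a delimiter set in the authentication profile applies to
    that profile's users; otherwise the AAA-view (global) delimiter; None = no stripping
    (the default, since no delimiter exists in the authentication profile view)."""
    return profile_delim if profile_delim is not None else global_delim


def split_security_string(user_name: str, delim: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (name sent to the AAA server, security string or None)."""
    if delim is None or delim not in user_name:
        return user_name, None
    name, _, security = user_name.partition(delim)
    return name, security


def radius_name_attributes(user_name: str, delim: Optional[str], auth_method: str) -> Dict[str, str]:
    """Fields the device would send: User-Name always (username@domain), and
    HW-SecurityStr only for 802.1X EAP; 'pap' and 'chap' drop the string."""
    name, security = split_security_string(user_name, delim)
    attrs = {"User-Name": name}
    if security is not None and auth_method.lower() == "eap":
        attrs["HW-SecurityStr"] = security
    return attrs
```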
Function
The service-scheme command applies a service scheme to a domain.
Format
service-scheme service-scheme-name
undo service-scheme
Parameters
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The authorization configuration in a service scheme takes effect only when the
service scheme is applied to a domain.
Prerequisites
A service scheme has been created and configured with required parameters.
Example
# Apply the service scheme srvscheme1 to the domain huawei.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme srvscheme1
[HUAWEI-aaa-service-srvscheme1] quit
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] service-scheme srvscheme1
Related Topics
13.1.45 display service-scheme
13.1.82 service-scheme (AAA view)
Function
The service-scheme command creates a service scheme and displays the service
scheme view.
Format
service-scheme service-scheme-name
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The service scheme is used to assign IP address pool and DNS server parameters
to users.
Follow-up Procedure
Run the service-scheme (AAA domain view) command to apply the service
scheme to a domain.
Precautions
If the service scheme to be configured does not exist, the service-scheme (AAA
view) command creates a service scheme and displays the service scheme view. If
the service scheme to be configured already exists, the service-scheme (AAA
view) command displays the service scheme view.
To delete or modify the service scheme applied to a domain, run the undo
service-scheme (AAA domain view) command to unbind the service scheme
from the domain.
Example
# Create a service scheme srvscheme1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme srvscheme1
[HUAWEI-aaa-service-srvscheme1]
Related Topics
13.1.45 display service-scheme
13.1.81 service-scheme (aaa domain view)
Function
The state command configures the state of a domain.
Format
state { active | block [ time-range time-name &<1-4> ] }
Parameters
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If exceptions occur during service configuration, set the domain to the blocking
state to block access of new users. After the service configuration is complete, set
the domain to the active state.
Prerequisite
Before specifying the time-name parameter, ensure that the time range has been
created using the 14.1.26 time-range command.
Precautions
After the state block command is run to set the domain state to block, online
users in the domain are not affected.
After the state block time-range command is run to set the state of a domain
including online users to block, the domain state turns from active to block within
the specified time range, and online users are forced to go offline.
Example
# Set the state of the domain vipdomain to blocking.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain vipdomain
[HUAWEI-aaa-domain-vipdomain] state block
# Set the name of the time range in which the vipdomain domain state turns to
block to tim.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain vipdomain
[HUAWEI-aaa-domain-vipdomain] state block time-range tim
Warning: This operation may cause online users to go offline. Continue? [Y/N]Y
Related Topics
13.1.47 domain (AAA view)
Function
The statistic enable command enables traffic statistics collection for domain
users.
The undo statistic enable command disables traffic statistics collection for
domain users.
Format
statistic enable
Parameters
None
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To implement traffic-based accounting, you can use this command to enable
traffic statistics collection for a domain. Then the device collects traffic statistics
for the users in the domain. If an accounting server is configured, the device sends
traffic statistics to the accounting server through accounting packets so that the
server performs accounting for the users based on traffic statistics.
Follow-up Procedure
Run the 13.1.34 display access-user (All views) command to view traffic
statistics of users.
Precautions
This command collects service statistics for domain users. The device sends the
statistics to the accounting server.
On the S5700LI, S5700S-LI, S1720GW, S1720GW-E, S1720GWR, S1720GWR-E,
S5720LI, and S5720S-LI:
● This statistics collection function is only available for 802.1X authentication
users.
● Traffic statistics are collected based on interfaces.
● The traffic statistics collection is valid for domain users only when interfaces
are physical interface and each interface connects to only one domain user.
● The interface traffic statistics for the first 15s when a user goes online are not
collected.
● When users are online, you cannot run the reset counters interface
command to clear interface traffic statistics. Otherwise, the user traffic
statistics are inaccurate.
After this command is run, the device does not collect IPv6 traffic statistics for
users. To enable IPv6 statistics collection, run the authentication ipv6-statistics
enable command.
Example
# Enable traffic statistics collection for domain users.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] statistic enable
Related Topics
13.1.39 display domain
Format
system recording-scheme recording-scheme-name
undo system recording-scheme
Parameters
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system events recorded on an HWTACACS server help you monitor devices.
When network faults occur, you can isolate faults based on the system events
recorded on the HWTACACS server.
Prerequisites
A recording scheme has been created using the recording-scheme command in
the AAA view and an HWTACACS server template has been associated with a
recording scheme using the recording-mode hwtacacs command in the recording
scheme view.
Precautions
Currently, the device can record only the events caused by the reboot command.
Example
# Apply a policy in the recording scheme scheme to record the system events.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template hw1
[HUAWEI-hwtacacs-hw1] quit
[HUAWEI] aaa
[HUAWEI-aaa] recording-scheme scheme
[HUAWEI-aaa-recording-scheme] recording-mode hwtacacs hw1
[HUAWEI-aaa-recording-scheme] quit
[HUAWEI-aaa] system recording-scheme scheme
Related Topics
13.1.43 display recording-scheme
13.1.71 recording-scheme
Function
The user-group command binds the users in a domain to the authorization
information of a user group.
The undo user-group command unbinds the users in a domain from the
authorization information of a user group.
By default, no authorization information of a user group is bound to the users in a
domain.
Format
user-group group-name
undo user-group
Parameters
Parameter | Description | Value
group-name | Specifies the name of a user group. | The user group name must already exist.
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the user-group command in the AAA domain to bind the users in a
domain to the authorization information of a user group.
Example
# Bind the user group group1 to the domain test.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain test
[HUAWEI-aaa-domain-test] user-group group1
Related Topics
13.5.156 user-group
13.5.157 user-group enable
Function
The user-password complexity-check command enables password complexity
check.
Format
user-password complexity-check
Parameters
None
Views
AAA view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In the versions earlier than V200R003, the device uses simple user name and
password rules, so the user names and passwords are easy to manage and
remember; however, weak passwords have security risks. In V200R003 and later
versions, the device poses stricter requirements on user names and passwords.
After you create a local user by using the local-user command, the password
must pass a complexity check performed by the device.
In V200R005 and later versions, you can choose whether to enable password
complexity check.
Precautions
To ensure device security, do not disable password complexity check, and change
the password periodically.
Example
# Disable password complexity check.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] undo user-password complexity-check
Related Topics
13.1.54 local-user
Commands provided in this section and all the parameters in the commands are
supported by all switch models by default, unless otherwise specified. For details,
see specific commands.
Function
The called-station-id mac-format command sets the encapsulation format of the
MAC address in the called-station-id (Type 30) attribute of RADIUS packets.
Format
called-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ]
[ lowercase | uppercase ]
Parameters
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
The Called-station-id (Type 30) attribute indicates the MAC address and SSID of
an AP. The default format of the MAC address in the called-station-id attribute of
RADIUS packets from the device is XX-XX-XX-XX-XX-XX. If the RADIUS server does
not support the default format, run the called-station-id mac-format command
to change the format.
Example
# Set the dot as the separator in a MAC address and the encapsulation format of
the MAC address in the called-station-id attribute to XX.XX.XX.XX.XX.XX in
uppercase.
<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] called-station-id mac-format dot-split mode2 uppercase
Related Topics
13.2.10 display radius-server configuration
Function
The calling-station-id mac-format command sets the encapsulation format of
the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.
Format
calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 |
mode2 ] [ lowercase | uppercase ]
Parameters
Parameter | Description | Value
dot-split | Indicates that the dot (.) is used as the separator in a MAC address. | -
hyphen-split | Indicates that the hyphen (-) is used as the separator in a MAC address. | -
colon-split | Indicates that the colon (:) is used as the separator in a MAC address. | -
unformatted | Indicates that no separator is used in a MAC address. | -
mode1 | Indicates that the MAC address in the calling-station-id attribute uses the "xxxxseparatorxxxxseparatorxxxx" format. | -
mode2 | Indicates that the MAC address in the calling-station-id attribute uses the "xxseparatorxxseparatorxxseparatorxxseparatorxxseparatorxx" format. | -
lowercase | Indicates that the MAC address in the calling-station-id attribute uses lowercase. | -
uppercase | Indicates that the MAC address in the calling-station-id attribute uses uppercase. | -
bin | Indicates that the MAC address in the calling-station-id attribute uses the binary form. | -
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
The default format of the MAC address in the calling-station-id (Type 31) attribute
of RADIUS packets from the device is xxxx-xxxx-xxxx. If the RADIUS server does
not support the default format, run the calling-station-id mac-format command
to change the format.
Example
# Set the dot as the separator in a MAC address and the encapsulation format of
the MAC address in the calling-station-id attribute to XX.XX.XX.XX.XX.XX in
uppercase.
<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] calling-station-id mac-format dot-split mode2 uppercase
Related Topics
13.2.10 display radius-server configuration
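The called-station-id mac-format and calling-station-id mac-format sections above describe the same set of options (separator, mode1 versus mode2 grouping, letter case) with different defaults. The following is an added example, not Huawei code, that produces the MAC text for each combination so an administrator can check what a RADIUS server will receive before changing the template; the "bin" form and the SSID part of Called-Station-Id are not specified above and are left out.

```python
"""Formatting of the MAC address in the RADIUS Called-Station-Id (Type 30)
and Calling-Station-Id (Type 31) attributes.

Added example, not Huawei code. Options follow the text above: separator
(dot-split, hyphen-split, colon-split, unformatted), mode1 (xxxx-xxxx-xxxx
grouping) versus mode2 (xx-xx-xx-xx-xx-xx grouping), and lowercase/uppercase.
Defaults from the text: xxxx-xxxx-xxxx for Calling-Station-Id and
XX-XX-XX-XX-XX-XX for Called-Station-Id.
"""
import re
from typing import Dict

SEPARATORS: Dict[str, str] = {
    "dot-split": ".",
    "hyphen-split": "-",
    "colon-split": ":",
    "unformatted": "",
}
# separators each command accepts, per its Format line above
CALLED_SPLITS = {"dot-split", "hyphen-split"}
CALLING_SPLITS = set(SEPARATORS)
GROUP_SIZE = {"mode1": 4, "mode2": 2}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept dot, hyphen, colon or plain notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, split: str, mode: str, case: str) -> str:
    """Group the 12 hex digits per mode, join with the separator, apply the case."""
    if split not in SEPARATORS or mode not in GROUP_SIZE or case not in ("lowercase", "uppercase"):
        raise ValueError("unknown mac-format option")
    digits = normalize_mac(mac)
    group = GROUP_SIZE[mode]
    text = SEPARATORS[split].join(digits[i:i + group] for i in range(0, 12, group))
    return text.upper() if case == "uppercase" else text


def calling_station_id(mac: str, split: str = "hyphen-split",
                       mode: str = "mode1", case: str = "lowercase") -> str:
    """Calling-Station-Id (Type 31) MAC text; default is xxxx-xxxx-xxxx."""
    if split not in CALLING_SPLITS:
        raise ValueError(f"calling-station-id mac-format does not accept {split}")
    return format_mac(mac, split, mode, case)


def called_station_id(mac: str, split: str = "hyphen-split",
                      mode: str = "mode2", case: str = "uppercase") -> str:
    """Called-Station-Id (Type 30) MAC text; default is XX-XX-XX-XX-XX-XX."""
    if split not in CALLED_SPLITS:
        raise ValueError(f"called-station-id mac-format does not accept {split}")
    return format_mac(mac, split, mode, case)
```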
Format
display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before connecting the device to a RADIUS server, run the display radius-attribute
command to view the RADIUS attributes supported by the device. If the device
and RADIUS server support different RADIUS attributes according to the command
output, run the 13.2.16 radius-attribute disable command on the device to
disable RADIUS attributes that are not supported by the RADIUS server or run the
13.2.21 radius-attribute translate command to translate RADIUS attributes.
Example
# Display the RADIUS attributes supported by the device.
<HUAWEI> display radius-attribute
Codes: Auth(Authentication), Acct(Accounting)
Req(Request), Accp(Accept), Rej(Reject)
Resp(Response), COA(Change-of-Authorization)
0(Can not exist in this packet)
1(Can exist in this packet)
--------------------------------------------------------------------------------
Attribute Service Auth Auth Auth Acct Acct COA COA
Name(Type) Type Req Accp Rej Req Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1) All 1 0 0 1 0 1 1
User-Password(2) All 1 0 0 0 0 0 0
CHAP-Password(3) All 1 0 0 0 0 0 0
NAS-IP-Address(4) All 1 0 0 1 0 1 1
NAS-Port(5) All 1 0 0 1 0 1 1
Service-Type(6) All 1 1 0 0 0 0 0
......
NOTE
The preceding information is an example. The displayed attribute type depends on the
actual situation.
Related Topics
13.2.16 radius-attribute disable
13.2.21 radius-attribute translate
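The display radius-attribute output above states, per packet type, whether each attribute can exist. The following is an added example, not Huawei code, that parses that table (the sample is the output printed above, embedded as constructed input) into a lookup, and uses it to flag attributes observed in a packet type where the device says they cannot exist, which is a useful cross-check when comparing the device's attribute support with a RADIUS server's.

```python
"""Parser for the 'display radius-attribute' table shown above.

Added example, not Huawei code. The sample is the output printed above,
truncated at the '......' line as the device prints it.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# constructed from the command output shown above
SAMPLE_OUTPUT = """\
Codes: Auth(Authentication), Acct(Accounting)
Req(Request), Accp(Accept), Rej(Reject)
Resp(Response), COA(Change-of-Authorization)
0(Can not exist in this packet)
1(Can exist in this packet)
--------------------------------------------------------------------------------
Attribute Service Auth Auth Auth Acct Acct COA COA
Name(Type) Type Req Accp Rej Req Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1) All 1 0 0 1 0 1 1
User-Password(2) All 1 0 0 0 0 0 0
CHAP-Password(3) All 1 0 0 0 0 0 0
NAS-IP-Address(4) All 1 0 0 1 0 1 1
NAS-Port(5) All 1 0 0 1 0 1 1
Service-Type(6) All 1 1 0 0 0 0 0
......
"""

# column order of the seven 0/1 flags in each row
PACKET_COLUMNS = ["Auth Req", "Auth Accp", "Auth Rej",
                  "Acct Req", "Acct Resp", "COA Req", "COA Ack"]

_ROW = re.compile(
    r"^(?P<name>[A-Za-z0-9\-]+)\((?P<type>\d+)\)\s+(?P<service>\S+)\s+"
    r"(?P<flags>(?:[01]\s+){6}[01])\s*$"
)


@dataclass
class RadiusAttribute:
    name: str
    type_code: int
    service: str
    allowed: Dict[str, bool]   # packet column -> can exist in this packet


def parse_radius_attribute_table(text: str) -> Dict[str, RadiusAttribute]:
    """Turn the display output into {attribute name: RadiusAttribute}; legend,
    separators, headers and the trailing '......' do not match the row pattern."""
    attrs: Dict[str, RadiusAttribute] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        flags = [f == "1" for f in m.group("flags").split()]
        attrs[m.group("name")] = RadiusAttribute(
            m.group("name"), int(m.group("type")), m.group("service"),
            dict(zip(PACKET_COLUMNS, flags)))
    return attrs


def attributes_allowed_in(table: Dict[str, RadiusAttribute], packet: str) -> List[str]:
    """Attribute names the device may place in, or accept from, this packet type."""
    return sorted(a.name for a in table.values() if a.allowed[packet])


def unexpected_attributes(table: Dict[str, RadiusAttribute], packet: str,
                          seen: Iterable[str]) -> List[str]:
    """Names from 'seen' that the table says cannot exist in this packet type;
    names absent from the displayed table are reported as well."""
    return sorted(n for n in seen if n not in table or not table[n].allowed[packet])
```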
Function
The display radius-attribute check command displays the attributes to be
checked in RADIUS Access-Accept packets.
Format
display radius-attribute [ template template-name ] check
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the radius-attribute check command is executed to configure the attributes
to be checked in RADIUS Access-Accept packets, you can use the display radius-
attribute check command to view these attributes.
Example
# Display the attributes to be checked in RADIUS Access-Accept packets.
<HUAWEI> display radius-attribute check
Server-template-name: test1
--------------------------------------------------
check-attr
--------------------------------------------------
Framed-Protocol
--------------------------------------------------
Related Topics
13.2.15 radius-attribute check
Function
The display radius-attribute disable command displays the disabled RADIUS
attributes.
Format
display radius-attribute [ template template-name ] disable
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can use the display radius-attribute disable command to view the RADIUS
attributes disabled by using the radius-attribute disable command.
Example
# Display the disabled RADIUS attributes on the device.
<HUAWEI> display radius-attribute disable
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 ind
icates invalid. Bit 1 to bit 4 indicate the authentication request, authenticati
on accept, accounting request, and accounting response packets.
Server-template-name: d
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID Direct Packet-Type
--------------------------------------------------------------------------------
0 7 0 0 send 0000
--------------------------------------------------------------------------------
Related Topics
13.2.16 radius-attribute disable
Format
display radius-attribute [ template template-name ] translate
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After running the radius-attribute translate command to configure the device to
translate RADIUS attributes, run the display radius-attribute translate command
to check the configuration.
Example
# Display the RADIUS attribute translation configuration.
<HUAWEI> display radius-attribute translate
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 indicates invalid. Bit 1 to bit 4
indicate the authentication request, authentication accept, accounting request, and accounting response
packets.
Server-template-name: rds
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID Direct Packet-Type
--------------------------------------------------------------------------------
0 6 0 40 receive 0 0 0 0
--------------------------------------------------------------------------------
Server-template-name: eee
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID Direct Packet-Type
--------------------------------------------------------------------------------
234567 123 2011 20 -- 0101
--------------------------------------------------------------------------------
Related Topics
13.2.21 radius-attribute translate
Function
The display radius-server accounting-stop-packet command displays
information about accounting-stop packets on the RADIUS server.
Format
display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-
address } }
Parameters
Parameter Description Value
Views
All views
Default Level
3: Management level
Usage Guidelines
The display radius-server accounting-stop-packet command output helps you
check configurations or isolate faults.
Example
# Display the accounting-stop packets with the IP address being 10.138.104.32.
<HUAWEI> display radius-server accounting-stop-packet ip 10.138.104.32
------------------------------------------------------------------------------
Time Stamp Resend Times Session Time Username
------------------------------------------------------------------------------
1980409 6 22 g@rds
------------------------------------------------------------------------------
Total: 1, printed: 1
Related Topics
13.2.24 radius-server accounting-stop-packet resend
13.2.49 reset radius-server accounting-stop-packet
Format
display radius-server authorization configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After running the radius-server authorization command to configure an
authorization server, run the display radius-server authorization configuration
command to check whether the authorization server configuration is correct.
Example
# Display the configuration of RADIUS authorization servers.
<HUAWEI> display radius-server authorization configuration
------------------------------------------------------------------------------
IP-Address Shared-key Group Ack-reserved-interval
------------------------------------------------------------------------------
10.10.1.114 **************** - 20
vpn-instance : -
------------------------------------------------------------------------------
1 RADIUS authorization server(s) in total
Related Topics
13.2.29 radius-server authorization
Format
display radius-server configuration [ template template-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the configuration of a RADIUS server template is completed or a RADIUS
fault needs to be rectified, you can run this command to check whether the
configuration of the RADIUS server template is correct.
Example
# Display configuration information about the RADIUS server template named
shiva.
<HUAWEI> display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %^%#O09i(W[^YT4g#Z37Nct9$IK#TH(-B6-1|<;q|D)"%^%#
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 2
EndPacketSendTime : 0
Dead time(in minute) : 5
Domain-included : YES
NAS-IP-Address : -
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX.XX.XX.XX.XX.XX
NAS-Port-ID format : New
Service-type : -
NAS-IPv6-Address : ::
Server algorithm : master-backup
Detect-interval(in second) : 60
Testuser-username : huawei
Testuser-ciperpwd : %^%#.5*EDl^j_WXg[#Z>plj8;k|8.s*ju<_F~g9k`0*9%^%#
Function
The display radius-server dead-interval dead-count command displays
configuration information about the RADIUS server detection interval and
maximum number of consecutive unacknowledged packets in each detection
interval.
Format
display radius-server { dead-interval | dead-count }
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the RADIUS server detection interval and the maximum number of consecutive
unacknowledged packets in each detection interval are configured using the
13.2.33 radius-server dead-interval dead-count command, you can run the
display radius-server { dead-interval | dead-count } command to check the
configured values.
Example
# Display configuration information about the RADIUS server detection interval.
<HUAWEI> display radius-server dead-interval
Radius server state detected internal is 5.
Function
The display radius-server item command shows the RADIUS server configuration.
Format
display radius-server item { ip-address { ipv4-address | ipv6-address }
{ accounting | authentication } | template template-name }
Parameters
Parameter Description Value
Views
All views
Default Level
3: Management level
Usage Guidelines
The display radius-server item command shows the RADIUS server configuration.
Example
# Display the configuration of RADIUS server template rds.
<HUAWEI> display radius-server item template rds
------------------------------------------------------------------------------
Type = auth-server
State = state-up
AlarmFlag = false
STUseNum = 1
IPAddress = 192.168.30.1
AlarmTimer = 0xffffffff
Head = 1057
Tail = 1311
ProbeID = 255
Type = acct-server
State = state-up
AlarmFlag = false
STUseNum = 1
IPAddress = 192.168.30.1
AlarmTimer = 0xffffffff
Head = 1057
Tail = 1311
ProbeID = 255
------------------------------------------------------------------------------
Function
The display radius-server session-manage configuration command displays
session management configuration on the RADIUS server.
Format
display radius-server session-manage configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After session management is enabled using the radius-server session-manage
command on the RADIUS server, you can run this command to view session
management configuration.
Example
# Display session management configuration on the RADIUS server.
<HUAWEI> display radius-server session-manage configuration
------------------------------------------------------------------------------
Session Manage Enable : True Session Manage AnyServer : False
------------------------------------------------------------------------------
IP Address VPN Instance Shared-key
------------------------------------------------------------------------------
10.1.1.1 - ****************
------------------------------------------------------------------------------
1 Radius session manage server(s) in total
Function
The display snmp-agent trap feature-name radius all command displays the
status of all traps on the RDS module.
Format
display snmp-agent trap feature-name radius all
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After enabling the trap function for the RDS module, you can run this command
to check the status of all traps on the RDS module. To enable the trap function for
the RDS module, run the snmp-agent trap enable feature-name radius
command.
Prerequisites
Example
# Display the status of all traps on the RDS module.
<HUAWEI> display snmp-agent trap feature-name radius all
------------------------------------------------------------------------------
Feature name: radius
Trap number : 4
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwRadiusAuthServerUp off off
hwRadiusAuthServerDown off off
hwRadiusAcctServerUp off off
hwRadiusAcctServerDown off off
Related Topics
13.2.50 snmp-agent trap enable feature-name radius
Format
radius-attribute check attribute-name
undo radius-attribute check [ attribute-name ]
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the radius-attribute check command is executed, the device checks whether
the received RADIUS Access-Accept packets contain the specified attributes. If yes,
the device considers that authentication was successful; if not, the device
considers that authentication failed and discards the packet. For example, after
the radius-attribute check filter-id command is executed, the device checks the
filter-id attribute in the received RADIUS Access-Accept packets. If a RADIUS
packet does not contain this attribute, authentication fails.
Precautions
● When you use the undo radius-attribute check command with parameters,
the device checks the specified attributes in the RADIUS Access-Accept
packets. When you use the undo radius-attribute check command without
any parameter, the device does not check RADIUS Access-Accept packets.
● Run the display radius-attribute command to view the RADIUS attribute names
that can be specified.
Example
# Check whether the RADIUS Access-Accept packets contain the framed-protocol
attribute.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-attribute check framed-protocol
Related Topics
13.2.4 display radius-attribute
Format
radius-attribute disable attribute-name { receive | send } *
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Generally, a RADIUS server connects to multiple network devices, which can be
from one vendor or from different vendors. If some vendors' devices require the
RADIUS server to deliver an attribute to support a specified feature but other
vendors' devices do not support the delivered attribute, the RADIUS attribute
may fail to be parsed.
Similarly, the device may communicate with RADIUS servers of different vendors.
Some RADIUS servers require the device to send certain attributes, but other
RADIUS servers cannot process those attributes, and errors occur. Run the
radius-attribute disable command to stop the device from sending or parsing
such attributes in the specified direction.
Prerequisites
The RADIUS attribute translation function has been enabled using the 13.2.27
radius-server attribute translate command.
Precautions
Example
# Disable the Framed-Route attribute in sent packets.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute translate
[HUAWEI-radius-test1] radius-attribute disable framed-route send
Related Topics
13.2.4 display radius-attribute
13.2.45 radius-server template
Function
The radius-attribute nas-ip command sets the NAS-IP-Address attribute in
RADIUS packets sent from a network access server (NAS).
By default, the NAS-IP-Address attribute value is the source IP address of the NAS.
Format
radius-attribute nas-ip ip-address
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Prerequisites
A RADIUS server template has been created using the radius-server template
command.
Precautions
Example
# Set the RADIUS NAS-IP-Address attribute.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute nas-ip 10.3.3.3
Related Topics
13.2.10 display radius-server configuration
Function
The radius-attribute nas-ipv6 command sets the NAS-IPv6-Address attribute in a
RADIUS packet sent from a network access server (NAS).
Format
radius-attribute nas-ipv6 ipv6-address
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The RADIUS server uses IP addresses to identify different NASs. The NAS-IPv6-
Address attribute in a RADIUS packet can be configured using the radius-
attribute nas-ipv6 command in the RADIUS template.
Prerequisites
A RADIUS server template has been created using the radius-server template
command.
Precautions
Example
# Set the RADIUS NAS-IPv6-Address attribute.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute nas-ipv6 FC00::7
Related Topics
13.2.10 display radius-server configuration
Format
radius-attribute service-type with-authenonly-reauthen
undo radius-attribute service-type with-authenonly-reauthen
Parameters
None
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a large number of users are online at the same time and each user has a
lot of authorization information, reauthentication requires the device to
deliver the authorization information to every user again after authentication
succeeds. Processing this volume of authorization information is difficult for
the device, and users go offline due to authorization failures. After the
radius-attribute service-type with-authenonly-reauthen command is run in the
RADIUS server template view, the device only reauthenticates users during
reauthentication and does not redeliver authorization information, preventing
users from going offline due to authorization failures.
Precautions
After this command is configured, users still use the original authorization
information after being successfully reauthenticated even if the user authorization
information changes.
This function takes effect after the Service-Type attribute on the RADIUS server is
set to Authenticate Only.
Example
# Set the reauthentication mode to reauthentication only.
<HUAWEI> system-view
[HUAWEI] radius-server template test
[HUAWEI-radius-test] radius-attribute service-type with-authenonly-reauthen
Related Topics
13.2.10 display radius-server configuration
Function
The radius-attribute set command modifies the RADIUS attributes.
The undo radius-attribute set command restores the default RADIUS attributes.
Format
radius-attribute set attribute-name attribute-value [ auth-type mac | user-type
ipsession ]
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
RADIUS attribute values differ between vendors. To ensure that a Huawei device
can communicate with the devices of other vendors, run the radius-attribute set
command to modify the RADIUS attribute values.
Precautions
● The radius-attribute set command can modify only the RADIUS attributes in
the authentication or accounting request packets sent from a device to the
RADIUS server, and cannot modify the RADIUS attributes in the packets sent
from the RADIUS server to a device.
If you run the display radius-attribute command to check the RADIUS
attributes supported by a device and the Auth Req or Acct Req field in the
command output displays 1, the RADIUS attributes supported by the device
can be carried in the authentication or accounting request packets sent from
the device to the RADIUS server.
Among the RADIUS attributes that can be carried in the authentication or
accounting packets sent from the device to the RADIUS server, you cannot run
the radius-attribute set command to modify the following attributes: User-
Password, Agent-Circuit-Id, Agent-Remote-Id, NAS-IP-Address, NAS-IPv6-
Address, CHAP-Password, CHAP-Challenge, EAP-Message, Framed-Interface-
Id, Framed-IPv6-Prefix, and Message-Authenticator.
● The type of the attribute modified by the radius-attribute set command
cannot be changed.
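The precaution above tells you to read the Auth Req and Acct Req columns of display radius-attribute and then exclude the attributes that radius-attribute set cannot modify. The following added example (not Huawei code) does that mechanically: it parses the table format shown in the display radius-attribute example on this page and applies both rules. The sample output is constructed from the six rows shown on this page; the column names and the helper functions are this example's own.

```python
"""Parse 'display radius-attribute' output and list the attributes that
'radius-attribute set' may modify, applying the two rules stated above.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed from the rows
shown in the display radius-attribute example on this page."""
import re

SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
Attribute Service Auth Auth Auth Acct Acct COA COA
Name(Type) Type Req Accp Rej Req Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1) All 1 0 0 1 0 1 1
User-Password(2) All 1 0 0 0 0 0 0
CHAP-Password(3) All 1 0 0 0 0 0 0
NAS-IP-Address(4) All 1 0 0 1 0 1 1
NAS-Port(5) All 1 0 0 1 0 1 1
Service-Type(6) All 1 1 0 0 0 0 0
......
"""

# Order of the seven 0/1 flag columns in the output (names are this example's own).
FLAGS = ("auth_req", "auth_accp", "auth_rej", "acct_req", "acct_resp", "coa_req", "coa_ack")

# Attributes the page lists as not modifiable by radius-attribute set.
NOT_SETTABLE = frozenset({
    "User-Password", "Agent-Circuit-Id", "Agent-Remote-Id", "NAS-IP-Address",
    "NAS-IPv6-Address", "CHAP-Password", "CHAP-Challenge", "EAP-Message",
    "Framed-Interface-Id", "Framed-IPv6-Prefix", "Message-Authenticator",
})

# One data row: Name(Type), service type, then exactly seven 0/1 flags.
ROW = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+)\((?P<type>\d+)\)\s+(?P<service>\S+)"
    + r"\s+([01])" * len(FLAGS)
    + r"\s*$"
)


def parse_attribute_table(text):
    """Return one dict per attribute row; headers, rulers and '......' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        flags = dict(zip(FLAGS, (g == "1" for g in m.groups()[3:])))
        rows.append({"name": m.group("name"), "type": int(m.group("type")),
                     "service": m.group("service"), **flags})
    return rows


def request_attributes(rows):
    """Attributes the device can carry in Auth Req or Acct Req packets (flag = 1)."""
    return [r["name"] for r in rows if r["auth_req"] or r["acct_req"]]


def settable_attributes(rows):
    """Of those, the attributes radius-attribute set is allowed to modify."""
    return [n for n in request_attributes(rows) if n not in NOT_SETTABLE]


if __name__ == "__main__":
    parsed = parse_attribute_table(SAMPLE_OUTPUT)
    print("carried in requests:", request_attributes(parsed))
    print("modifiable with radius-attribute set:", settable_attributes(parsed))
```

Feed the function the real command output captured from a device and the second list is the set of attributes you can legitimately rewrite in a template; anything outside it will be rejected by the device regardless of what the other vendor's server expects.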
Example
# Create the template temp1 and set the Service-Type attribute value to 1.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute set service-type 1
Related Topics
13.2.45 radius-server template
Format
radius-attribute translate src-attribute-name dest-attribute-name { receive |
send | access-accept | access-request | account-request | account-response } *
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Prerequisites
Precautions
Example
# Configure the device to translate NAS-Identifier into NAS-Port-Id when sending
RADIUS packets.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate nas-identifier nas-port-id send
Related Topics
13.2.4 display radius-attribute
13.2.7 display radius-attribute translate
13.2.27 radius-server attribute translate
13.2.45 radius-server template
Format
radius-server template-name
undo radius-server
Parameters
Parameter Description Value
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To perform RADIUS authentication and accounting for users in a domain, apply a
RADIUS server template to the domain. A RADIUS server template takes effect
only after the RADIUS server template is applied to a domain.
Prerequisites
A RADIUS server template has been created using the 13.2.45 radius-server
template command.
Example
# Apply the RADIUS server template template1 to the domain radius1.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain radius1
[HUAWEI-aaa-domain-radius1] radius-server template1
Related Topics
13.2.10 display radius-server configuration
13.2.45 radius-server template
Format
radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name |
source { loopback interface-number | ip-address ipv4-address | vlanif interface-
number } | weight weight-value ] *
radius-server accounting ipv6-address port [ source { loopback interface-
number | ip-address ipv6-address | vlanif interface-number } | weight weight-
value ] *
undo radius-server accounting [ ipv4-address [ port [ vpn-instance vpn-
instance-name | source { loopback interface-number | ip-address ipv4-address |
vlanif interface-number } | weight ] * ] ]
undo radius-server accounting [ ipv6-address [ port [ source { loopback
interface-number | ip-address ipv6-address | vlanif interface-number } |
weight ] ] ]
NOTE
Parameters
Parameter Description Value
Parameter: source ip-address ipv4-address
Description: Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS accounting server. If this parameter is specified, ensure that the value of this parameter is the same as the client's IPv4 address specified on the RADIUS accounting server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS accounting server.
Value: The value is a valid unicast address in dotted decimal notation.
Parameter: source ip-address ipv6-address
Description: Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS accounting server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS accounting server. This address cannot be a virtual IPv6 address of a VRRP6 group.
Value: The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To perform accounting for users, configure a RADIUS accounting server. The device
communicates with a RADIUS accounting server to obtain accounting information,
and performs accounting for users based on the accounting information. The
device sends accounting packets to the RADIUS accounting server only after the IP
address and port number of the RADIUS accounting server are specified in the
RADIUS server template.
Precautions
The IP address of the primary accounting server must be different from the IP
address of the secondary accounting server; otherwise, the configuration fails.
Example
# Configure the primary RADIUS accounting server.
<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server accounting 10.163.155.12 1813
Related Topics
13.2.10 display radius-server configuration
NOTE
Format
radius-server accounting-stop-packet resend [ resend-times ]
undo radius-server accounting-stop-packet resend
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
When accounting-stop packets cannot be delivered because the RADIUS server is
unreachable, run the radius-server accounting-stop-packet resend command to
save the accounting-stop packets in a buffer and resend them at the preset
interval until the allowed number of retransmissions is reached or the packets
are sent successfully.
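The buffer-and-retry behaviour described above, modelled as an added example (not Huawei code): buffered accounting-stop records are retried once per interval and either delivered or dropped once the retransmission limit is reached. The page does not say whether resend-times counts retries per packet or packets per interval; this example assumes a per-packet retransmission limit, and the usernames, session times and the reachability schedule are constructed.

```python
"""Model of the accounting-stop retransmission buffer described above.

Added example, not Huawei code. Assumes resend_limit is a per-packet
retransmission limit; records and the reachability schedule are constructed."""
from dataclasses import dataclass


@dataclass
class BufferedStop:
    username: str
    session_time: int      # seconds, constructed
    resend_times: int = 0  # how many times this record has been retried so far


class AccountingStopBuffer:
    def __init__(self, resend_limit):
        if resend_limit < 1:
            raise ValueError("resend_limit must be at least 1")
        self.resend_limit = resend_limit
        self.pending = []    # waiting for an acknowledged send
        self.delivered = []  # acknowledged by the accounting server
        self.dropped = []    # gave up after resend_limit failed attempts

    def enqueue(self, stop):
        self.pending.append(stop)

    def on_interval(self, send):
        """Run one retransmission interval. send(stop) returns True when the
        server acknowledged the record. Returns the number still pending."""
        still_pending = []
        for stop in self.pending:
            if send(stop):
                self.delivered.append(stop)
                continue
            stop.resend_times += 1
            if stop.resend_times >= self.resend_limit:
                self.dropped.append(stop)  # limit reached: record is discarded
            else:
                still_pending.append(stop)
        self.pending = still_pending
        return len(self.pending)


def simulate(resend_limit=3, reachable_after=2):
    """Server is unreachable for the first `reachable_after` intervals, then up.
    Returns which records were delivered or dropped and how many intervals ran."""
    buf = AccountingStopBuffer(resend_limit)
    buf.enqueue(BufferedStop("g@rds", 22))   # constructed, mirrors the display example
    buf.enqueue(BufferedStop("h@rds", 40))   # constructed
    interval = 0

    def send(stop):
        return interval >= reachable_after   # reachability schedule, constructed

    while buf.pending:
        buf.on_interval(send)
        interval += 1
    return {
        "delivered": [s.username for s in buf.delivered],
        "dropped": [s.username for s in buf.dropped],
        "intervals": interval,
        "resend_times": {s.username: s.resend_times for s in buf.delivered + buf.dropped},
    }


if __name__ == "__main__":
    print(simulate())                      # server recovers before the limit
    print(simulate(reachable_after=10))    # server stays down: records are dropped
```

The `resend_times` counter corresponds to the Resend Times column of display radius-server accounting-stop-packet: a record whose count keeps climbing is the first sign that the accounting server, not the client, is the problem.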
Example
# Enable the retransmission of accounting-stop packets and set the number of
accounting-stop packets that can be retransmitted each time to 50.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server accounting-stop-packet resend 50
Related Topics
13.2.10 display radius-server configuration
Function
The radius-server algorithm command configures the algorithm for selecting
RADIUS servers.
The undo radius-server algorithm command restores the default algorithm for
selecting RADIUS servers.
Format
radius-server algorithm { loading-share [ based-user ] | master-backup }
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When two or more RADIUS servers are available, you can use the radius-server
algorithm command to set the algorithm for selecting RADIUS servers.
● When master-backup is specified, the weight determines the primary and
secondary RADIUS authentication or accounting servers. The server with the
larger weight value is the primary server. If servers have the same weight,
the server that was configured first is the primary server.
● When loading-share is specified, the device sends each packet to a server
according to the weights configured on the servers. For example, if the weights
of RADIUS server A, RADIUS server B, and RADIUS server C are 80, 80, and 40
respectively, the probabilities of sending packets to RADIUS server A, RADIUS
server B, and RADIUS server C are as follows:
– RADIUS server A: 80/(80 + 80 + 40) = 40%
– RADIUS server B: 80/(80 + 80 + 40) = 40%
– RADIUS server C: 40/(80 + 80 + 40) = 20%
If the algorithm for selecting RADIUS servers is configured as user-based load
balancing (based-user), the authentication server information is saved in the
authentication phase, and in the accounting phase the device preferentially
sends the accounting request to that same server when it is also configured as
an accounting server. If the algorithm is configured as packet-based load
balancing, the authentication server information is not saved, and the
accounting server is reselected based on the algorithm in the accounting phase,
so authentication and accounting for a user may not be performed on the same
server.
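The two selection modes above, modelled as an added example (not Huawei code) so the tie-break, the weight-to-probability mapping and the based-user affinity can be checked against the page's 80/80/40 figures. Server addresses are constructed from the RFC 5737 documentation range, and the function names are this example's own; the page gives the behaviour, not the device's internal algorithm.

```python
"""Model of the master-backup and loading-share server selection described above.

Added example, not Huawei code. Server addresses and weights are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    address: str   # constructed; used to match an auth server to an acct server
    weight: int


def select_master_backup(servers):
    """master-backup: the largest weight is primary; on a tie the server that
    was configured first (earliest in the list) wins. Returns (primary, backups)."""
    if not servers:
        raise ValueError("no RADIUS servers configured")
    # max() returns the first maximal element, so ties keep configuration order.
    primary = max(servers, key=lambda s: s.weight)
    return primary, [s for s in servers if s is not primary]


def share_probabilities(servers):
    """loading-share: each server is chosen with probability weight / total weight."""
    total = sum(s.weight for s in servers)
    if total <= 0:
        raise ValueError("total weight must be positive")
    return {s.address: s.weight / total for s in servers}


def pick_by_weight(servers, r):
    """Map a uniform random number r in [0, 1) onto a server proportionally to weight."""
    if not 0.0 <= r < 1.0:
        raise ValueError("r must be in [0, 1)")
    threshold = r * sum(s.weight for s in servers)
    running = 0
    for s in servers:
        running += s.weight
        if threshold < running:
            return s
    return servers[-1]  # guard against floating-point rounding at the top edge


def select_accounting_server(acct_servers, auth_server, based_user, r):
    """Accounting-phase choice under loading-share.

    based_user=True: reuse the server that authenticated this user if it is also
    an accounting server. Otherwise (packet-based mode, or auth server not an
    accounting server) reselect by weight, which may split auth and acct."""
    if based_user and auth_server is not None:
        for s in acct_servers:
            if s.address == auth_server.address:
                return s
    return pick_by_weight(acct_servers, r)


def demo(seed=1):
    """Walk one user through authentication and accounting in both modes."""
    rng = random.Random(seed)
    servers = [RadiusServer("192.0.2.10", 80),   # A, constructed address
               RadiusServer("192.0.2.11", 80),   # B
               RadiusServer("192.0.2.12", 40)]   # C
    primary, _ = select_master_backup(servers)
    auth = pick_by_weight(servers, rng.random())
    acct_user = select_accounting_server(servers, auth, True, rng.random())
    acct_pkt = select_accounting_server(servers, auth, False, rng.random())
    return {"primary": primary.address, "auth": auth.address,
            "acct_based_user": acct_user.address, "acct_packet": acct_pkt.address,
            "sticky": acct_user.address == auth.address,
            "probabilities": share_probabilities(servers)}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for operators is the last branch of select_accounting_server: in packet-based loading-share a user's Access-Request and Accounting-Request can legitimately land on different servers, so correlating a session across server logs needs the based-user option or the session attributes, not the server address.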
Precautions
If you run the radius-server algorithm command multiple times in the same
RADIUS server template view, only the latest configuration takes effect.
Example
# Set the algorithm for selecting RADIUS servers to load balancing.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server algorithm loading-share
Related Topics
13.2.10 display radius-server configuration
Function
The radius-server attribute message-authenticator access-request command
configures the device to carry the Message-Authenticator attribute in the
RADIUS authentication packets it sends.
Format
radius-server attribute message-authenticator access-request
Parameters
None
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
The Message-Authenticator attribute is used to identify and verify
authentication packets so that invalid packets are rejected.
NOTE
Example
# Configure the device to carry the Message-Authenticator attribute in RADIUS
authentication packets.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute message-authenticator access-request
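The following added example (not Huawei code) shows, in working form, the two checks this section and the radius-attribute check section describe: how a Message-Authenticator is computed and verified over an Access-Request (HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed, per RFC 2869 section 5.14), and how an Access-Accept that lacks a required attribute is treated as a failed authentication. The shared secret, identifier, Request Authenticator and user names are constructed; the packet encoding is standard RADIUS, while the function names are this example's own.

```python
"""Build and check RADIUS packets the way the two commands describe:
Message-Authenticator verification (RFC 2869 section 5.14) and the
radius-attribute check rule (an Access-Accept missing a required attribute
is a failed authentication and is discarded).

Added example, not Huawei code. Secret, identifier, authenticator and names
are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_FRAMED_PROTOCOL, ATTR_MESSAGE_AUTHENTICATOR = 1, 7, 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)

SECRET = b"constructed-shared-secret"  # constructed; never a production value


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes((t, len(v) + 2)) + v
    return bytes(out)


def parse_attrs(payload):
    """Parse TLVs; raise on malformed lengths instead of silently truncating."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def add_message_authenticator(packet, secret):
    """Append Message-Authenticator(80): HMAC-MD5 over the whole packet, with the
    Length field already counting the new attribute and its value set to zeros."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    zeroed = (struct.pack("!BBH", code, ident, len(packet) + 18) + packet[4:]
              + bytes((ATTR_MESSAGE_AUTHENTICATOR, 18)) + bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac


def verify_message_authenticator(packet, secret):
    """True only if a well-formed Message-Authenticator is present and matches.
    An absent attribute is reported as unverified, never as success."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False


def access_accept_passes_check(packet, required_types):
    """radius-attribute check: accept only if every required attribute is present."""
    if packet[0] != ACCESS_ACCEPT:
        return False
    present = {t for t, _ in parse_attrs(packet[HEADER_LEN:])}
    return all(t in present for t in required_types)


def demo():
    req_auth = bytes(range(16))  # constructed; real clients use 16 random octets
    req = build_packet(ACCESS_REQUEST, 7, req_auth, [(ATTR_USER_NAME, b"g@rds")])
    req = add_message_authenticator(req, SECRET)
    # Same-length change to the User-Name value: the HMAC must now fail.
    tampered = req[:HEADER_LEN + 2] + b"x@rds" + req[HEADER_LEN + 7:]
    accept_ok = build_packet(ACCESS_ACCEPT, 7, bytes(16),
                             [(ATTR_FRAMED_PROTOCOL, b"\x00\x00\x00\x01")])
    accept_missing = build_packet(ACCESS_ACCEPT, 7, bytes(16), [(ATTR_USER_NAME, b"g@rds")])
    return {
        "genuine_verifies": verify_message_authenticator(req, SECRET),
        "tampered_verifies": verify_message_authenticator(tampered, SECRET),
        "wrong_secret_verifies": verify_message_authenticator(req, b"other"),
        "accept_with_framed_protocol": access_accept_passes_check(accept_ok, [ATTR_FRAMED_PROTOCOL]),
        "accept_without_framed_protocol": access_accept_passes_check(accept_missing, [ATTR_FRAMED_PROTOCOL]),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the attribute covers the entire packet, so any change to another attribute invalidates it, and a missing Message-Authenticator is treated as unverified rather than as passing, which is the only safe default for a verifier.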
Function
The radius-server attribute translate command enables RADIUS attribute
translation.
Format
radius-server attribute translate
Parameters
None
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Follow-up Procedure
Example
# Enable RADIUS attribute translation.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute translate
Related Topics
13.2.21 radius-attribute translate
13.2.45 radius-server template
Function
The radius-server authentication command configures a RADIUS authentication
server.
Format
radius-server authentication ipv4-address port [ vpn-instance vpn-instance-
name | source { loopback interface-number | ip-address ipv4-address | vlanif
interface-number } | weight weight-value ] *
NOTE
Parameters
Parameter Description Value
Parameter: source ip-address ipv4-address
Description: Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is specified, ensure that the value of this parameter is the same as the client's IPv4 address specified on the RADIUS authentication server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server.
Value: The value is a valid unicast address in dotted decimal notation.
Parameter: source ip-address ipv6-address
Description: Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. This address cannot be a virtual IPv6 address of a VRRP6 group.
Value: The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
To perform RADIUS authentication, configure a RADIUS authentication server in a
RADIUS server template. The device uses the RADIUS protocol to communicate
with a RADIUS authentication server to obtain authentication information, and
authenticates users based on the authentication information. The device sends
authentication packets to the RADIUS authentication server only after the IP
address and port number of the RADIUS authentication server are specified in the
RADIUS server template.
When the 802.1x authentication mode is set to EAP, the device and RADIUS
authentication servers exchange packets multiple times. During the first exchange
process, the device sends a request packet to the primary RADIUS authentication
server. If the device resends the request packet for the maximum number of times
but does not receive a response packet from the primary RADIUS authentication
server, the device sends a request packet to the secondary RADIUS authentication
server. If the secondary RADIUS authentication server sends a response packet to
the device, the device will directly send request packets to the secondary RADIUS
authentication server in the following exchange processes. In this way, the device
does not need to send a request packet to the primary RADIUS authentication
server first in the following exchange processes, shortening the authentication
time and preventing the user authentication connection from being disconnected
because the client does not receive a response packet for a long time.
Example
# Configure the IP address of the primary RADIUS authentication server to
10.163.155.13 and the port number to 1812.
<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server authentication 10.163.155.13 1812
Related Topics
13.2.10 display radius-server configuration
Format
radius-server authorization ip-address [ vpn-instance vpn-instance-name ]
{ server-group group-name shared-key cipher key-string | shared-key cipher
key-string [ server-group group-name ] } [ ack-reserved-interval interval ]
undo radius-server authorization { all | ip-address [ vpn-instance vpn-instance-
name ] }
NOTE
Parameters
Parameter Description Value
Parameter: shared-key cipher key-string
Description: Specifies the shared key of a RADIUS server.
Value: The value is a case-sensitive character string without spaces or question marks (?). key-string can be a string of 1 to 128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the parameters such as IP address and shared key are configured for the
RADIUS authorization server, the device can receive authorization requests from
the server and grant rights to users according to the authorization information.
After authorization is complete, the device returns authorization response packets
carrying the results to the server.
Precautions
Example
# Specify a RADIUS authorization server.
<HUAWEI> system-view
[HUAWEI] radius-server authorization 10.1.1.116 shared-key cipher Huawei@2012
Related Topics
13.2.9 display radius-server authorization configuration
13.2.45 radius-server template
Function
The radius-server authorization attribute-decode-sameastemplate command
configures the device to parse RADIUS dynamic authorization packet attributes
based on the configuration in RADIUS server template.
Format
radius-server authorization attribute-decode-sameastemplate
Parameters
None.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device parses the MAC address in the Calling-Station-Id attribute of RADIUS
dynamic authorization packets. By default, the MAC address format that can be
parsed is the one configured using the radius-server authorization calling-station-id
decode-mac-format command in the system view. When the device is connected
to multiple RADIUS servers, the MAC address formats in the Calling-Station-Id
attribute of the dynamic authorization packets sent by different servers may
differ. If a single parse mode is used, the MAC address from some servers cannot
be parsed, and the device fails to interwork with those servers. Run the
radius-server authorization attribute-decode-sameastemplate command to make
the device parse dynamic authorization packet attributes according to the
Calling-Station-Id encapsulation mode configured in each RADIUS server
template, so that the device interworks with all of the RADIUS servers.
Prerequisites
This function is used to make the Calling-Station-Id attribute parse mode the
same as the Calling-Station-Id attribute encapsulation mode configured in RADIUS
server template. Therefore, make sure that the following steps have been
performed before using this function.
1. The calling-station-id mac-format command has been run in the RADIUS
server template view to configure the encapsulation mode of the MAC
address in the Calling-Station-Id attribute.
2. The radius-server authorization command has been run in the system view
to configure the authorization server to use the RADIUS server template
server-group.
NOTE
If the RADIUS server template used by the authorization server is not specified, this function
cannot take effect on the device. In that case, run the radius-server authorization
calling-station-id decode-mac-format command in the system view to configure the
Calling-Station-Id attribute parse mode.
Precautions
The configuration in a RADIUS server template has a higher priority than the
global configuration.
Example
# Configure the RADIUS authorization server to parse attributes depending on the
configuration in a RADIUS template.
<HUAWEI> system-view
[HUAWEI] radius-server authorization attribute-decode-sameastemplate
Format
radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }
undo radius-server authorization calling-station-id decode-mac-format
Parameters
Parameter | Description | Value
bin | Indicates that the MAC address in the calling-station-id attribute uses the binary format. | -
ascii | Indicates that the MAC address in the calling-station-id attribute uses the ASCII format. | -
unformatted | Indicates that no separator is used in the MAC address in the calling-station-id field. | -
dot-split | Indicates that dots are used as the separators in the MAC address. | -
hyphen-split | Indicates that hyphens are used as the separators in the MAC address. | -
common | Indicates that the MAC address in the calling-station-id attribute uses the "xxseparatorxxseparatorxxseparatorxxseparatorxxseparatorxx" format. | -
compress | Indicates that the MAC address in the calling-station-id attribute uses the "xxxxseparatorxxxxseparatorxxxx" format. | -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, the MAC address format in the calling-station-id attribute carried in
RADIUS dynamic authorization packets is xxxxxxxxxxxx. If the MAC address format
in the calling-station-id attribute sent by the RADIUS server differs from the
format used on the device, run the radius-server authorization calling-station-id
decode-mac-format command to change the format that the device parses.
When a device connects to multiple RADIUS servers, the servers may send the
MAC address in the calling-station-id attribute in different formats. In that case,
run the radius-server authorization attribute-decode-sameastemplate command
so that the device parses the RADIUS authorization packet attributes based on
the configuration in each RADIUS server template and can work with all of
these servers.
Precautions
The configuration in a RADIUS server template has a higher priority than the
global configuration.
Example
# Set the format of the MAC address that the device can parse in the
calling-station-id attribute to binary.
<HUAWEI> system-view
[HUAWEI] radius-server authorization calling-station-id decode-mac-format bin
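The decode formats in the table above, and the per-template selection that attribute-decode-sameastemplate enables, as an added Python model that is not Huawei code; the server addresses and attribute values are constructed (10.1.1.116 reuses the page's authorization server example).

```python
"""Decoding the MAC address in the Calling-Station-Id attribute of a RADIUS
dynamic authorization packet, for each format the decode-mac-format
command can select, plus the per-server-template selection enabled by
attribute-decode-sameastemplate.

Added example, not Huawei code. Server addresses and attribute values are
constructed; 10.1.1.116 reuses the page's authorization server example.
"""
import re

# Accepted text layouts for mode "ascii". "common" is xx<sep>xx<sep>...<sep>xx,
# "compress" is xxxx<sep>xxxx<sep>xxxx, and "unformatted" has no separator.
_ASCII_PATTERNS = {
    ("unformatted", None): r"^[0-9a-fA-F]{12}$",
    ("dot-split", "common"): r"^([0-9a-fA-F]{2}\.){5}[0-9a-fA-F]{2}$",
    ("dot-split", "compress"): r"^([0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}$",
    ("hyphen-split", "common"): r"^([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}$",
    ("hyphen-split", "compress"): r"^([0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4}$",
}


def decode_calling_station_id(attr_value, mode, split=None, layout=None):
    """Return the 6 MAC bytes from a Calling-Station-Id value.

    mode   "bin" or "ascii"; split "unformatted", "dot-split" or "hyphen-split";
    layout "common" or "compress" (only with dot-split / hyphen-split).
    Raises ValueError when the value does not match the configured format,
    which is the parse failure the command description warns about.
    """
    if mode == "bin":
        if len(attr_value) != 6:
            raise ValueError("binary Calling-Station-Id must be exactly 6 bytes")
        return bytes(attr_value)
    if mode != "ascii":
        raise ValueError(f"unknown mode {mode!r}")
    key = (split, None if split == "unformatted" else layout)
    pattern = _ASCII_PATTERNS.get(key)
    if pattern is None:
        raise ValueError(f"unsupported ascii format {split!r}/{layout!r}")
    try:
        text = attr_value.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("Calling-Station-Id is not ASCII text") from exc
    if not re.match(pattern, text):
        raise ValueError(f"{text!r} does not match format {split}/{layout}")
    return bytes.fromhex(text.replace(".", "").replace("-", ""))


def huawei_style(mac):
    """Render 6 MAC bytes as xxxx-xxxx-xxxx, the form shown in Huawei CLI output."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


# Global parse mode (decode-mac-format in the system view) and the per-template
# settings (calling-station-id mac-format). Both mappings are constructed.
GLOBAL_FORMAT = ("bin", None, None)
PER_TEMPLATE_FORMAT = {
    "10.1.1.116": ("ascii", "hyphen-split", "common"),
    "10.1.1.117": ("ascii", "unformatted", None),
}


def parse_from_server(src_ip, attr_value, same_as_template=False):
    """Decode using the global mode, or the sending server's template mode when
    attribute-decode-sameastemplate is configured (template wins over global)."""
    fmt = GLOBAL_FORMAT
    if same_as_template and src_ip in PER_TEMPLATE_FORMAT:
        fmt = PER_TEMPLATE_FORMAT[src_ip]
    return decode_calling_station_id(attr_value, *fmt)


def can_parse(src_ip, attr_value, same_as_template=False):
    """True if the packet's MAC is parseable under the current configuration."""
    try:
        parse_from_server(src_ip, attr_value, same_as_template)
        return True
    except ValueError:
        return False
```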
Function
The radius-server dead-detect-condition by-server-ip command configures
keepalive detection for RADIUS servers based on the RADIUS server IP address.
The undo radius-server dead-detect-condition by-server-ip command restores
the default setting.
By default, keepalive detection is performed only for the RADIUS authentication
server.
Format
radius-server dead-detect-condition by-server-ip
undo radius-server dead-detect-condition by-server-ip
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device periodically sends authentication request packets to the RADIUS server
in Down state. If the RADIUS server responds, the device sets the RADIUS
authentication server status to Up. The device does not perform keepalive
detection for RADIUS accounting servers in Down state. Instead, the device sets
the RADIUS accounting server status to Up only when the server recovery time
expires.
To allow the device to promptly detect the status of RADIUS accounting servers
that are in Down state, run the radius-server dead-detect-condition by-server-ip
command. After the command is executed, the device performs keepalive
detection on RADIUS servers based on the RADIUS server IP address, so that the
status of RADIUS accounting server is associated with the status of authentication
server.
Precautions
After the radius-server dead-detect-condition by-server-ip command is
executed, run the radius-server testuser command to configure automatic user
detection.
When detecting the Down states of RADIUS authentication and accounting
servers, the device counts the numbers of authentication and accounting request
packets separately. After the radius-server dead-detect-condition by-server-ip
command is executed, if the authentication and accounting servers sharing the
same IP address are in the same VPN instance, the device accumulates the
number of authentication and accounting packets sent by the servers. In addition,
the status of RADIUS authentication server with the same IP address in the same
VPN instance is updated.
Example
# Configure keepalive detection for RADIUS server based on RADIUS server IP
address.
<HUAWEI> system-view
[HUAWEI] radius-server dead-detect-condition by-server-ip
Format
radius-server { dead-interval dead-interval | dead-count dead-count }
undo radius-server { dead-interval | dead-count }
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the system starts, the RADIUS server status detection timer runs and the
device sets the RADIUS server status to Up. When the device sends a RADIUS
request packet to the RADIUS server, it sets the server status to Down if the
conditions for doing so are met; otherwise, the server status remains Up.
If multiple RADIUS servers are configured, some of them are Up and the others
are Down, and the device receives an authentication request packet from a user,
the device retransmits the packet to a RADIUS server in Up state, selected by
server priority, and detects the actual status of that server. The following
describes the process in which the device detects the status of a RADIUS server.
1. If the device receives no response packet from the RADIUS server and the
number of times that the device receives no response packet after sending an
authentication request packet is greater than or equal to the maximum
number of consecutive unacknowledged packets within the detection interval,
the device records a communication interruption.
2. If the device records two consecutive communication interruptions with one
RADIUS server, the device considers that the RADIUS server is unavailable and
the condition for the device to set the status of the RADIUS server to Down is
met.
NOTE
If the first connection attempt fails but the second one succeeds, the device deletes the
recorded communication interruption with the RADIUS server.
3. When sending an authentication request packet to the RADIUS server again,
the device sets the server status to Down. If a response packet is received
from the server, the device restores the server status to Up. If no response
packet is received from the server and the number of retransmission times is
not reached, the device sends an authentication request packet to the server
again. If the server still does not respond, the device no longer sends any
authentication request packet to the server.
If, after the preceding detection process, the device has set all servers that were
originally Up to Down, or those servers do not respond to the authentication
request packets sent by the device, the device sends an authentication request
packet to a RADIUS server that was originally Down, selected by server priority,
to detect its status. (In the original mechanism, the device does not send
authentication request packets to RADIUS servers that were originally Down.)
Precautions
● If the device has reported a RADIUS server Up alarm and needs to report a
RADIUS server Down alarm, the device will send the Down alarm 10 seconds
after the Up alarm is sent, even if the RADIUS server Down detection interval
is shorter than 10 seconds (for example, the value of dead-interval is set to 4
seconds, and the RADIUS server Down detection interval is 8 seconds). This
function prevents frequent alarm sending.
● To rapidly detect whether the RADIUS server goes Down when there are only
a small number of users, smaller values are recommended for the detection
interval and the maximum number of unacknowledged packets.
● If a user terminal is authenticated using a client and more than one server is
deployed on the live network, the authentication request packet is
retransmitted to each server upon timeout. If a server is faulty, the timeout
wait period of the client software is shorter than the total timeout period of
the servers, so the client repeatedly redials and cannot access the network.
In addition, if the RADIUS server escape function is configured, the total
timeout period of the servers must be shorter than the timeout period of the
client software, so that the escape rights can be properly configured for the
user.
Therefore, run the 13.2.41 radius-server retransmit timeout dead-time and
13.2.33 radius-server dead-interval dead-count commands to ensure that
users can properly access the network or are configured with proper escape
rights. For example, assume that the RADIUS server responds within 4 seconds
and the timeout period of the 802.1X client is more than 18 seconds. The
recommended configurations in active/standby mode are as follows:
– When a server is configured:
Example
# Set the RADIUS server detection interval to 10 seconds and maximum number
of consecutive unacknowledged packets in each detection interval to 2.
<HUAWEI> system-view
[HUAWEI] radius-server dead-interval 10
[HUAWEI] radius-server dead-count 2
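The detection process described in the Usage Scenario above (unanswered packets counted per detection interval, two consecutive interruptions setting a server Down, a response clearing the record, and the dead-time revert to Force-up), as an added Python model that is not Huawei code; the timer values are constructed, not Huawei defaults.

```python
"""Model of the RADIUS server status detection that dead-interval,
dead-count and dead-time control.

Added example, not Huawei code. Rules modelled: unanswered requests are
counted per detection interval; reaching dead-count inside one interval
records a communication interruption; two consecutive interruptions set
the server Down; any response deletes the record and restores Up; after
dead-time a Down server becomes Force-up and is tried again when no Up
server is left. Timer values here are constructed, not Huawei defaults.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerMonitor:
    dead_interval: int = 5          # detection interval in seconds (constructed)
    dead_count: int = 3             # unanswered packets per interval = 1 interruption
    dead_time_minutes: int = 10     # Down -> Force-up after this (constructed)
    status: str = "Up"
    window_start: float = 0.0
    unanswered: int = 0
    interruptions: int = 0
    down_since: Optional[float] = None
    events: List[Tuple] = field(default_factory=list)

    def on_request_timeout(self, now: float) -> str:
        """An authentication request sent at `now` (seconds) got no response."""
        if now - self.window_start >= self.dead_interval:
            # A new detection interval has begun: counting starts over.
            self.window_start = now
            self.unanswered = 0
        self.unanswered += 1
        if self.unanswered >= self.dead_count:
            # Step 1: the maximum number of consecutive unacknowledged
            # packets was reached inside one interval -> one interruption.
            self.interruptions += 1
            self.unanswered = 0
            self.window_start = now
            self.events.append(("interruption", now, self.interruptions))
            if self.interruptions >= 2 and self.status != "Down":
                # Step 2: two consecutive interruptions -> server is Down.
                self.status = "Down"
                self.down_since = now
                self.events.append(("down", now))
        return self.status

    def on_response(self, now: float) -> str:
        """A response arrived: the recorded interruption is deleted (see the
        NOTE in the text) and the server is Up again."""
        self.unanswered = 0
        self.interruptions = 0
        self.window_start = now
        if self.status != "Up":
            self.events.append(("up", now))
        self.status = "Up"
        self.down_since = None
        return self.status

    def tick(self, now: float) -> str:
        """Apply the dead-time timer: a server Down for dead-time minutes
        becomes Force-up so that it can be retried rather than staying idle."""
        if self.status == "Down" and now - self.down_since >= self.dead_time_minutes * 60:
            self.status = "Force-up"
            self.events.append(("force-up", now))
        return self.status


def select_server(servers):
    """Pick the next server to try from a priority-ordered list of
    (name, monitor): an Up server first, otherwise a Force-up server."""
    for wanted in ("Up", "Force-up"):
        for name, monitor in servers:
            if monitor.status == wanted:
                return name
    return None
```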
Format
radius-server detect-server interval interval
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
After the automatic detection function is enabled using the radius-server testuser
command, you can run the radius-server detect-server interval command to
adjust the automatic detection interval for RADIUS servers.
Example
# Set the automatic detection interval for RADIUS servers to 100 seconds in the
RADIUS server template acs.
<HUAWEI> system-view
[HUAWEI] radius-server template acs
[HUAWEI-radius-acs] radius-server detect-server interval 100
Format
radius-server format-attribute nas-port nas-port-string
undo radius-server format-attribute nas-port
Parameters
Parameter Description Value
is filled by 0s or 1s. That is, n and z can be followed by numbers or o/i in this case, and the numbers must range from 1 to 32.
● To specify the format string, determine the interface type, and then determine the encapsulation type of the interface. If the format string does not contain o or i, the NAS-Port attribute does not contain the QinQ VLAN or user VLAN field. If the format string contains o or i but no outer VLAN exists, the outer VLAN field is filled by 0s. If n is added before o or i, this field is filled by 1s when no outer VLAN or inner VLAN exists.
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
The NAS port format affects the information about the physical port. The NAS
port format can be used by the RADIUS server to process services, such as binding
the user name and port. This attribute is developed by Huawei, which is used to
ensure connectivity and service cooperation among Huawei devices.
If the radius-server nas-port-format command sets the format of the NAS-Port
attribute to new (the default format is new), the device will check whether the
radius-server format-attribute nas-port command configuration exists. If yes,
the device will assemble the NAS-Port attribute in the format configured by the
radius-server format-attribute nas-port command. If no, the device will
assemble the NAS-Port attribute in the new format. If the radius-server
nas-port-format command sets the format of the NAS-Port attribute to old, the
device will assemble the NAS-Port attribute in the old format, regardless of
whether the radius-server format-attribute nas-port command configuration exists.
Example
# Configure the format of the NAS-Port attribute to s2t2p6no10ni12. That is, the
NAS-Port attribute consists of a 2-bit slot field, a 2-bit subslot field, a 6-bit port
field, a 10-bit outer VLAN field, and a 12-bit inner VLAN field. If the outer VLAN
does not exist, this field is filled by ten 1s. If the inner VLAN does not exist, this
field is filled by twelve 1s. Therefore, the NAS-port attribute contains 32 bits.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server format-attribute nas-port s2t2p6no10ni12
Related Topics
13.2.39 radius-server nas-port-format
NOTE
Format
radius-server hw-ap-info-format include-ap-ip
undo radius-server hw-ap-info-format
Parameters
None
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
RADIUS is a fully extensible protocol. Device vendors can extend attribute No. 26
defined in the protocol to implement functions that standard RADIUS attributes
do not support. Huawei defines sub-attribute No. 141 (HW-AP-Information) of
attribute No. 26 to carry AP information, including the MAC and IP addresses of
an AP. The HW-AP-Information attribute is carried in the authentication or
accounting request packet sent by a device, so that the RADIUS server can use
the AP's MAC and IP addresses as filter criteria to select the policy template to
deliver.
Example
# Configure the AP's IP address in the Huawei extended attribute HW-AP-Information.
<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] radius-server hw-ap-info-format include-ap-ip
Function
The radius-server hw-dhcp-option-format command sets the format of the
Huawei extended attribute HW-DHCP-Option.
Format
radius-server hw-dhcp-option-format { new | old }
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
The RADIUS protocol has good extensibility. Device vendors can extend RADIUS
attribute No. 26 to implement new functions. Huawei defines sub-attribute
No. 158 of attribute No. 26 to represent the DHCP option, encapsulated as Type,
Length, Value (TLV). The device adds this attribute to authentication request or
accounting request packets and so sends the DHCP option information to the
RADIUS server.
To interwork with different types of RADIUS servers, the device supports two
HW-DHCP-Option formats: new and old.
● new: When the attribute is encapsulated through TLV, the Type field is 1 byte
long. This format applies when the device connects to most types of RADIUS
servers.
● old: When the attribute is encapsulated through TLV, the Type field is 2 bytes
long. This format applies when the device connects to special RADIUS servers,
for example, a Huawei RADIUS server.
Example
# Set the format of Huawei extended attribute HW-DHCP-Option to new.
<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] radius-server hw-dhcp-option-format new
Function
The radius-server nas-identifier-format command sets the encapsulation format
of the NAS-Identifier attribute.
Format
radius-server nas-identifier-format { hostname | vlan-id }
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
A RADIUS server uses the NAS-Identifier attributes to identify NASs. The NASs also
use the NAS-Identifier attributes carried in the sent RADIUS packets to identify
themselves.
Example
# Set the NAS-Identifier encapsulation format to VLAN ID.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-identifier-format vlan-id
Function
The radius-server nas-port-format command sets the format of the NAS port
attribute.
Format
radius-server nas-port-format { new | old }
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The NAS port format affects the information about the physical port. The NAS
port format can be used by the RADIUS server to process services, such as binding
the user name and port. This attribute is developed by Huawei, which is used to
ensure connectivity and service cooperation among Huawei devices.
Precautions
The difference between the two NAS port formats lies in the physical ports
connected to Ethernet access users.
● The new format of the NAS port attribute is slot number (8 bits) + subslot
number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
● The old format of the NAS port attribute is slot number (12 bits) + port
number (8 bits) + VLAN ID (12 bits).
The format of the NAS port attribute for Asymmetric Digital Subscriber Line
(ADSL) access users is slot number (4 bits) + subslot number (2 bits) + port
number (2 bits) + VPI (8 bits) + VCI (16 bits). This format is not affected by the
command.
Example
# Set the format of the NAS port attribute to new.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-port-format new
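Assembling the 32-bit NAS-Port value from a format string such as s2t2p6no10ni12 (radius-server format-attribute nas-port, above) and from the fixed new and old layouts of radius-server nas-port-format, as an added Python example that is not Huawei code. Treating a bare n<width> or z<width> as constant padding of 1s or 0s is an assumption about the truncated parameter description; the slot, port and VLAN values are constructed.

```python
"""NAS-Port assembly for a radius-server format-attribute nas-port format
string (for example s2t2p6no10ni12) and for the fixed new/old layouts chosen
with radius-server nas-port-format.

Added example, not Huawei code. Letters: s slot, t subslot, p port,
o outer VLAN, i inner VLAN, each followed by its width in bits. "n" before
o or i fills the field with 1s when that VLAN is absent (0s otherwise);
a bare n<width> or z<width> is treated here as constant padding of 1s or 0s,
an assumption about the truncated parameter description. NAS-Port is a
32-bit integer, so the widths are required to total 32.
"""
import re

_FIELD_NAMES = {"s": "slot", "t": "subslot", "p": "port",
                "o": "outer_vlan", "i": "inner_vlan"}
_TOKEN = re.compile(r"([nz]?)([stpoi]?)(\d+)")

# Fixed layouts of radius-server nas-port-format (slot, subslot, port, VLAN).
# absent_fill None means the value is required.
NAS_PORT_NEW = [("slot", 8, None), ("subslot", 4, None),
                ("port", 8, None), ("vlan", 12, None)]
NAS_PORT_OLD = [("slot", 12, None), ("port", 8, None), ("vlan", 12, None)]


def parse_nas_port_format(fmt):
    """Turn a format string into a list of (name, width, absent_fill);
    name is None for constant padding."""
    fields, pos = [], 0
    while pos < len(fmt):
        m = _TOKEN.match(fmt, pos)
        if not m:
            raise ValueError(f"cannot parse {fmt!r} at offset {pos}")
        mod, letter, width = m.group(1), m.group(2), int(m.group(3))
        if not 1 <= width <= 32:
            raise ValueError("a field width must be 1 to 32 bits")
        ones = (1 << width) - 1
        if letter == "":
            if not mod:
                raise ValueError("a width must follow a field letter, n or z")
            fields.append((None, width, ones if mod == "n" else 0))
        elif letter in "oi":
            fields.append((_FIELD_NAMES[letter], width, ones if mod == "n" else 0))
        else:
            if mod:
                raise ValueError("n/z may only precede o, i or a bare width")
            fields.append((_FIELD_NAMES[letter], width, None))
        pos = m.end()
    if sum(w for _, w, _ in fields) != 32:
        raise ValueError("field widths must total 32 bits")
    return fields


def is_valid_format(fmt):
    """True if the format string parses and fills exactly 32 bits."""
    try:
        parse_nas_port_format(fmt)
        return True
    except ValueError:
        return False


def pack_nas_port(fields, values):
    """Concatenate the fields MSB-first into the NAS-Port integer.
    values maps field name -> int, or None/missing for an absent VLAN."""
    result = 0
    for name, width, absent_fill in fields:
        mask = (1 << width) - 1
        if name is None:
            value = absent_fill
        else:
            value = values.get(name)
            if value is None:
                if absent_fill is None:
                    raise ValueError(f"{name} is required by this format")
                value = absent_fill
            if not 0 <= value <= mask:
                raise ValueError(f"{name}={value} does not fit in {width} bits")
        result = (result << width) | value
    return result


def unpack_nas_port(fields, value):
    """Split a received NAS-Port integer back into its named fields, which is
    what an operator needs when reading the attribute in server logs."""
    out = {}
    for name, width, _ in reversed(fields):
        part = value & ((1 << width) - 1)
        value >>= width
        if name is not None:
            out[name] = part
    return out
```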
Function
The radius-server nas-port-id-format command sets the format of the NAS port
ID attribute.
Format
radius-server nas-port-id-format { new | old | vm }
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The NAS port format and the NAS port ID format are developed by Huawei, which
are used to ensure connectivity and service cooperation among Huawei devices.
Precautions
Example
# Set the format of the NAS port ID attribute to new.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-port-id-format new
Related Topics
13.2.10 display radius-server configuration
Function
The radius-server retransmit timeout dead-time command sets the number of
times that RADIUS request packets are retransmitted, timeout period, and interval
for the server to revert to the active status.
Format
radius-server { retransmit retry-times | timeout time-value | dead-time dead-time } *
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The retransmission upon timeout mechanism is configured for a device to forward
RADIUS Access-Request packets sourced from users to the server. The overall
retransmission time depends on the retransmission interval, retransmission times,
RADIUS server status, and number of servers configured in the RADIUS server
template.
You can configure the number of times that RADIUS request packets are
retransmitted and the timeout period using the radius-server retransmit
retry-times and radius-server timeout time-value commands, respectively. If a
device sends an authentication request packet to the RADIUS server and does not
receive any response packet from the server during the timeout period, the device
sends an authentication request packet again.
You can run the radius-server dead-time dead-time command to configure the
duration for which the RADIUS server status remains Down. After the device sets
the RADIUS server status to Down and the interval specified by dead-time expires,
the device resets the server status to Force-up. If a new user needs to be
authenticated in RADIUS mode and no RADIUS server is available, the device
attempts to re-establish a connection with a RADIUS server in Force-up status. The
Force-up status is defined to prevent servers in Down status from remaining idle.
NOTE
If automatic detection for RADIUS servers is configured using the radius-server testuser
command, the server status is maintained using the automatic detection function. The interval
for the RADIUS server to revert to the active status configured using the radius-server
retransmit timeout dead-time command does not take effect.
Precautions
Example
# Set the number of retransmission times to 3, the timeout period to 2s, and the
interval for the server to revert to the active status to 10 minutes.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server retransmit 3 timeout 2 dead-time 10
Related Topics
13.2.10 display radius-server configuration
13.2.45 radius-server template
Function
The radius-server session-manage command enables session management on
the RADIUS server.
Format
radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ]
shared-key cipher share-key | any }
NOTE
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To improve device security, run this command to enable session management on
the RADIUS server. After this function is enabled, the device checks the source IP
addresses and shared keys for the received session management packets. When
the source IP addresses and shared keys match the configured values, the packets
are processed; otherwise, the packets are discarded.
Precautions
Example
# Enable session management on the RADIUS server, and set the IP address and
shared key of the RADIUS session management server to 10.1.1.1 and
Huawei@2012 respectively.
<HUAWEI> system-view
[HUAWEI] radius-server session-manage 10.1.1.1 shared-key cipher Huawei@2012
Related Topics
13.2.13 display radius-server session-manage configuration
Function
The radius-server shared-key command configures the shared key of a RADIUS
server.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
Format
radius-server shared-key cipher key-string
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The shared key is used to encrypt the password and to generate the response
authenticator.
When exchanging authentication packets with a RADIUS server, the device uses
MD5 together with the shared key to encrypt important data such as the
password, so that it is not transmitted in plain text over the network. To ensure
that both communicating parties are legitimate, the device and the RADIUS server
must be configured with the same shared key.
Example
# Set the shared key of a RADIUS server to Huawei@2012 in cipher text.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server shared-key cipher Huawei@2012
Related Topics
13.2.10 display radius-server configuration
13.2.45 radius-server template
Format
radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-
string
undo radius-server ip-address { ipv4-address | ipv6-address } shared-key
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The shared key is used to encrypt the password and generate the response
authenticator.
When exchanging authentication packets with a RADIUS server, the device uses
MD5 to encrypt important data such as the password to ensure security of data
Example
# Set the shared key for RADIUS server to Huawei@2012.
<HUAWEI> system-view
[HUAWEI] radius-server ip-address 10.1.1.1 shared-key cipher Huawei@2012
Related Topics
13.2.43 radius-server shared-key (RADIUS server template view)
Format
radius-server template template-name
undo radius-server template template-name
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Follow-up Procedure
Example
# Create a RADIUS server template template1 and enter the RADIUS server
template view.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1]
Related Topics
13.2.10 display radius-server configuration
13.2.22 radius-server (aaa domain view)
Format
radius-server testuser username user-name password cipher password
undo radius-server testuser
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
After the RADIUS server status is set to Down, you can configure the automatic
detection function to test the RADIUS server reachability.
After automatic detection is configured for users, the device periodically performs
automatic detection on the RADIUS server in Down status. You can set the
automatic detection interval using the radius-server detect-server command.
For the automatic status detection function, only the automatic detection user
name and password need to be configured in the RADIUS server template on the
device, and the automatic detection account does not need to be configured on
the RADIUS server. Authentication success is not mandatory. If the device can
receive the authentication failure response packet, the RADIUS server is properly
working and the device sets the RADIUS server status to Up. If the device cannot
receive the response packet, the RADIUS server is unavailable and the device sets
the RADIUS server status to Down.
Example
# Create a user account with the user name test and password Huawei@2012 in
RADIUS server template acs.
<HUAWEI> system-view
[HUAWEI] radius-server template acs
[HUAWEI-radius-acs] radius-server testuser username test password cipher Huawei@2012
Format
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
undo radius-server traffic-unit
Parameters
Parameter Description Value
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Different RADIUS servers may use different traffic units; therefore, you need to set
the traffic unit for each RADIUS server group on the router and the traffic unit
must be the same as that on the RADIUS server.
Example
# Set the traffic unit used by a RADIUS server to kilobyte.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server traffic-unit kbyte
Related Topics
13.2.10 display radius-server configuration
Format
radius-server user-name domain-included
radius-server user-name original
undo radius-server user-name domain-included
Parameters
None
Views
RADIUS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The format of a user name is user name@domain name. In the user name, @ is
the domain name delimiter. The domain name delimiter can also be any of the
following symbols: \ / : < > | ' %.
If the RADIUS server does not accept the user name with the domain name, run
the undo radius-server user-name domain-included command to delete the
domain name from the user name.
Precautions
If the user names in the RADIUS packets sent from the device to RADIUS server
contain domain names, ensure that the total length of a user name (user name +
domain name delimiter + domain name) is not longer than 253 characters;
otherwise, the user name cannot be contained in RADIUS packets. As a result,
authentication will fail.
Example
# Configure the device not to encapsulate the domain name in the user name
when sending RADIUS packets to a RADIUS server.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] undo radius-server user-name domain-included
Related Topics
13.2.10 display radius-server configuration
Function
The reset radius-server accounting-stop-packet command clears statistics on
the remaining buffer information of RADIUS accounting-stop packets.
Format
reset radius-server accounting-stop-packet { all | ip { ipv4-address | ipv6-address } }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
This command can clear statistics on the remaining buffer information of RADIUS
accounting-stop packets. The deleted statistics cannot be restored.
Example
# Clear statistics on the remaining buffer information of all RADIUS accounting-
stop packets.
<HUAWEI> reset radius-server accounting-stop-packet all
Related Topics
13.2.8 display radius-server accounting-stop-packet
Function
The snmp-agent trap enable feature-name radius command enables the trap
function for the RDS module.
The undo snmp-agent trap enable feature-name radius command disables the
trap function for the RDS module.
Format
snmp-agent trap enable feature-name radius [ trap-name
{ hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown |
hwradiusauthserverup } ]
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwradiusacctserverdown of the RDS module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name radius trap-name hwradiusacctserverdown
Related Topics
13.2.14 display snmp-agent trap feature-name radius all
13.2.51 test-aaa
Function
The test-aaa command tests the connectivity between the device and the
authentication server or accounting server, and tests whether a user can be
authenticated using authentication server and whether the accounting server can
charge a user.
Format
test-aaa user-name user-password radius-template template-name [ chap | pap
| accounting [ start | realtime | stop ] ]
Parameters
Parameter Description Value
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The test-aaa command tests service reachability of the server. The device sends an
authentication or accounting request packet to the server. If the server returns an
authentication or accounting success packet, the device and server can
communicate with each other. If the server's response times out, the device and
server cannot communicate with each other.
Prerequisites
An authentication server template or accounting server template has been
created, an authentication server or accounting server has been specified in the
authentication server template or accounting server template, and the
authentication server or accounting server has been configured.
Follow-up Procedure
If the test shows that the user cannot be authenticated by the authentication
server or that the accounting server cannot account for the user, check that the
server template and the server itself are configured correctly, and check the
connectivity between the device and the server.
Precautions
chap and pap select the authentication mode used for the test.
● PAP: The NAS device places the user name and the password in the
corresponding attributes of the authentication request packet (the password is
hidden using the RADIUS shared key rather than sent in the clear) and sends
the packet to the RADIUS server. The NAS device decides whether the user may
go online based on the result returned by the RADIUS server.
● CHAP: The NAS device sends the user a 16-byte random challenge, and the user
returns a response computed over the identifier, the password, and the
challenge. The NAS device then sends the user name, the challenge, and the
response to the RADIUS server. The RADIUS server looks up the user's password
in its database, computes the same value from the stored password and the
received challenge, and compares it with the received response. If the two
values match, the user is authenticated; otherwise, authentication fails. The
password itself is never carried in the packet, but the RADIUS server must
store it in a form from which the response can be recomputed.
Before running the test-aaa command, you only need to create a RADIUS server
template and specify an authentication server or accounting server in the RADIUS
server template.
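The PAP and CHAP exchanges described above, as an added Python example that is not part of this command reference or of the device software. It implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the CHAP-Password/CHAP-Challenge computation of RFC 2865 section 5.3 on both the NAS and the server side; the shared secret, Request Authenticator and challenge values are constructed for the example. It also shows why a test-aaa run should use a dedicated test account rather than an administrator's credentials: the PAP password is recoverable by anyone holding the shared key and a capture, and CHAP requires the server to hold a password it can recompute from.

```python
import hashlib
import hmac

# Constructed sample values for this example; they are not from any real deployment.
SHARED_SECRET = b"radius-shared-secret"   # assumption: the key configured in the RADIUS server template
USER_PASSWORD = b"userkey"                # the password given to test-aaa in the page's example


def hide_pap_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP password as carried in the RADIUS User-Password attribute (RFC 2865 5.2).

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block is XORed with
    MD5(secret + previous ciphertext block), the first block using the 16-octet Request
    Authenticator in place of a previous block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS limits User-Password to 1..128 octets")
    padded_len = ((len(password) + 15) // 16) * 16
    padded = password.ljust(padded_len, b"\x00")
    hidden = bytearray()
    prev = request_authenticator
    for off in range(0, padded_len, 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], key_block))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_pap_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of hide_pap_password(); anyone with the secret and a capture can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for off in range(0, len(hidden), 16):
        block = hidden[off:off + 16]
        key_block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5(ident || password || challenge) (RFC 1994, carried per RFC 2865 5.3)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: the CHAP ident followed by the 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """What the RADIUS server does with CHAP-Password and CHAP-Challenge: recompute the response
    from the password it stores and compare in constant time."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    import secrets
    req_auth = secrets.token_bytes(16)
    hidden = hide_pap_password(USER_PASSWORD, SHARED_SECRET, req_auth)
    print("PAP User-Password on the wire:", hidden.hex())
    print("recovered by the server:", reveal_pap_password(hidden, SHARED_SECRET, req_auth))
    challenge = secrets.token_bytes(16)   # the 16-byte random code the NAS sends to the user
    attr = chap_password_attribute(1, USER_PASSWORD, challenge)
    print("CHAP verifies:", server_verify_chap(attr, challenge, USER_PASSWORD))
```

Both modes rest on MD5 keyed only by the shared secret, so the strength of the key in the RADIUS server template is the whole protection for PAP passwords in transit.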
Example
# Test whether the user user1 can be authenticated using CHAP authentication in
the RADIUS server template huawei.
<HUAWEI> test-aaa user1 userkey radius-template huawei chap
Info: The server template does not exist.
Function
The display hwtacacs-server accounting-stop-packet command displays
information about HWTACACS Accounting-Stop packets that the device has queued
for retransmission.
Format
display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
Parameters
Parameter Description Value
Views
All views
Default Level
3: Management level
Usage Guidelines
During HWTACACS troubleshooting, you can run this command to check the
Accounting-Stop packets that the device has queued for retransmission to the
HWTACACS server.
Example
# Display information about all Accounting-Stop packets.
<HUAWEI> display hwtacacs-server accounting-stop-packet all
-------------------------------------------------------------
NO.   SendTime   IP Address       Template
1     10         192.168.1.110    tac
-------------------------------------------------------------
Whole accounting stop packet to resend:1
Item Description
Related Topics
13.3.8 hwtacacs-server accounting-stop-packet resend
13.3.19 reset hwtacacs-server accounting-stop-packet
Function
The display hwtacacs-server template command displays the configurations of
an HWTACACS server template.
Format
display hwtacacs-server template [ template-name ]
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
The display hwtacacs-server template command output helps you check the
configuration of HWTACACS server templates and isolate faults.
NOTE
The device determines whether its communication with the HWTACACS server is proper based
on the response timeout mechanism of HWTACACS request packets, and always marks the
status of the last HWTACACS server as Up.
Example
# Display the configuration of the HWTACACS server template template0.
<HUAWEI> display hwtacacs-server template template0
---------------------------------------------------------------------------
HWTACACS-server template name : template0
Primary-authentication-server : 10.7.66.66:49:-
Primary-authorization-server : 10.7.66.66:49:-
Primary-accounting-server : 10.7.66.66:49:-
Secondary-authentication-server : 10.7.66.67:49:-
Secondary-authorization-server : 10.7.66.67:49:-
Secondary-accounting-server : 10.7.66.67:49:-
Current-authentication-server : 10.7.66.66:49:-
Current-authorization-server : 10.7.66.66:49:-
Current-accounting-server : 10.7.66.66:49:-
Source-IP-address : 0.0.0.0
Shared-key : ****************
Quiet-interval(min) :5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit :B
---------------------------------------------------------------------------
Item Description
Function
The display hwtacacs-server template template-name verbose command displays
statistics on HWTACACS authentication, accounting, and authorization in a
specified HWTACACS server template.
Format
display hwtacacs-server template template-name verbose
Parameters
Parameter Description Value
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By viewing statistics on HWTACACS authentication, accounting, and authorization,
administrators can better understand the interaction between modules, facilitating
fault locating and troubleshooting.
You can run the reset hwtacacs-server statistics { all | accounting |
authentication | authorization } command to delete statistics on HWTACACS
authentication, accounting, and authorization.
Precautions
In the HWTACACS server template, you can query the relevant statistics only after
the IP address of the authentication server, the IP address of the authorization
server, or the IP address of the accounting server is configured.
Example
# Display statistics on HWTACACS authentication, accounting, and authorization
in the HWTACACS server template test1.
<HUAWEI> display hwtacacs-server template test1 verbose
---[HWTACACS template test1 primary authentication]---
HWTACACS server open number:                                   1670281960
HWTACACS server close number:                                  508333868
HWTACACS authen client access request packet number:           0
HWTACACS authen client access response packet number:          0
HWTACACS authen client unknown type number:                    0
HWTACACS authen client timeout number:                         0
HWTACACS authen client packet dropped number:                  0
HWTACACS authen client access request change password number:  0
HWTACACS authen client access request login number:            0
Item Description
Function
The hwtacacs enable command enables Huawei Terminal Access Controller
Access Control System (HWTACACS).
Format
hwtacacs enable
hwtacacs disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Example
# Disable HWTACACS.
<HUAWEI> system-view
[HUAWEI] undo hwtacacs enable
13.3.6 hwtacacs-server
Function
The hwtacacs-server command applies an HWTACACS server template to a
domain.
The undo hwtacacs-server command deletes an HWTACACS server template
from a domain.
By default, no HWTACACS server template is applied to a domain.
Format
hwtacacs-server template-name
undo hwtacacs-server
Parameters
Parameter Description Value
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To perform HWTACACS authentication, authorization, and accounting for users in
a domain, configure an HWTACACS server template in the domain. After the
HWTACACS server template is configured in the domain, the configuration in the
HWTACACS server template takes effect.
Prerequisites
An HWTACACS server template has been created by using the 13.3.13 hwtacacs-
server template command.
Example
# Apply the HWTACACS server template tacacs1 to the domain tacacs1.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template tacacs1
[HUAWEI-hwtacacs-tacacs1] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain tacacs1
[HUAWEI-aaa-domain-tacacs1] hwtacacs-server tacacs1
Related Topics
13.3.3 display hwtacacs-server template
13.3.13 hwtacacs-server template
Function
The hwtacacs-server accounting command configures an HWTACACS accounting
server.
Format
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-
instance-name ] [ secondary ]
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The device does not support local accounting; therefore, you need to configure an
HWTACACS accounting server to perform accounting. The device sends accounting
packets to an HWTACACS accounting server only after the accounting server is
specified in an HWTACACS server template.
Precautions
● You can modify this configuration only when the device has no TCP connection
established with the specified accounting server.
● The IP addresses of the primary and secondary servers must be different.
Otherwise, the server configuration fails.
● If the command is run multiple times in the same HWTACACS server template
to configure servers of the same type (for example, all primary servers), only
the latest configuration takes effect.
Example
# Configure the primary HWTACACS accounting server.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server accounting 10.163.155.12 52
Related Topics
13.3.3 display hwtacacs-server template
Function
The hwtacacs-server accounting-stop-packet resend command enables or disables
the retransmission of HWTACACS accounting-stop packets and sets the number of
accounting-stop packets that can be retransmitted each time.
The undo hwtacacs-server accounting-stop-packet resend command restores the
default setting.
Format
hwtacacs-server accounting-stop-packet resend { disable | enable number }
undo hwtacacs-server accounting-stop-packet resend
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Example
# Enable the retransmission of accounting-stop packets and set the number of
accounting-stop packets that can be retransmitted each time to 50.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server accounting-stop-packet resend enable 50
Related Topics
13.3.2 display hwtacacs-server accounting-stop-packet
Function
The hwtacacs-server authentication command configures the HWTACACS
authentication server.
Format
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance
vpn-instance-name ] [ secondary ]
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a secondary authentication server is configured, the device sends
authentication requests to it when any of the following occurs with the primary
server:
● The device fails to send a request packet to the primary authentication server.
● The device does not receive any authentication response packet from the
primary server within the response timeout interval.
● The primary authentication server requires re-authentication.
● The primary authentication server considers the received authentication
request packet incorrect.
Precautions
● You can modify this configuration only when the device has no TCP connection
established with the specified authentication server.
● The IP addresses of the primary and secondary servers must be different.
Otherwise, the server configuration fails.
● If the command is run multiple times in the same HWTACACS server template
to configure servers of the same type (for example, all primary servers), only
the latest configuration takes effect.
Example
# Configure the primary HWTACACS authentication server.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server authentication 10.163.155.12 49
Related Topics
13.3.3 display hwtacacs-server template
Function
The hwtacacs-server authorization command configures the HWTACACS
authorization server.
Format
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance
vpn-instance-name ] [ secondary ]
undo hwtacacs-server authorization [ ip-address [ port ] [ public-net | vpn-
instance [ vpn-instance-name ] ] ] [ secondary ]
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Precautions
● You can modify this configuration only when the device has no TCP connection
established with the specified authorization server.
● The IP addresses of the primary and secondary servers must be different.
Otherwise, the server configuration fails.
● If the command is run for multiple times in the same HWTACACS server
template to configure the servers with the same type (for example, the
servers are all primary servers), only the latest configuration takes effect.
Example
# Configure the primary HWTACACS authorization server.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server authorization 10.163.155.12 49
Related Topics
13.3.3 display hwtacacs-server template
Function
The hwtacacs-server shared-key command sets a shared key for an HWTACACS
server.
By default, the HWTACACS server is not configured with any shared key.
Format
hwtacacs-server shared-key [ cipher ] key-string
Parameters
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The shared key is used to encrypt the password and generate the response
authenticator.
Precautions
You can modify this configuration only when the HWTACACS server template is
not in use.
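The role of the shared key, as an added Python example that is not part of this command reference or of the device software. TACACS+ as specified in RFC 8907 derives an MD5 pseudo-pad from the session ID, the shared key, the version and the sequence number and XORs the whole packet body with it; the example assumes HWTACACS uses the same body obfuscation, which is an assumption about the wire format rather than something this page states. All packet fields, the session ID and the candidate key list are constructed for the example. Because the authentication START body has a fixed layout whose length octets must add up to the body length, anyone holding a capture can test key guesses offline and recover the password from a correct guess, which is why the key must be long and random rather than a short dictionary-style value.

```python
import hashlib
import struct
from typing import Iterable, Optional

# Constants from RFC 8907; the packet contents below are constructed for this example.
TACACS_VERSION_12_0 = 0xC0      # major version 0xC, minor version 0
AUTHEN_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
AUTHEN_SVC_LOGIN = 0x01


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-random pad of RFC 8907 section 4.5:
    pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1}),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the packet body with the pad. XOR is its own inverse, so the same call recovers the
    cleartext body from a captured packet when the key is known."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, password: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 section 5.1); the password travels in 'data'."""
    for field in (user, port, rem_addr, password):
        if len(field) > 255:
            raise ValueError("each length field is a single octet")
    return (bytes([AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)


def parse_authen_start(body: bytes) -> Optional[dict]:
    """Return the START fields if 'body' has the layout above, else None. The four length
    octets must add up exactly to the body length, so a wrong key is easy to recognise."""
    if len(body) < 8:
        return None
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if action not in (1, 2, 3) or atype not in range(1, 7) or 8 + ul + pl + rl + dl != len(body):
        return None
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv, authen_type=atype, service=svc)
    return fields


def brute_force_key(captured_body: bytes, session_id: int, version: int, seq_no: int,
                    candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline key test an attacker with a capture can run: a candidate key that yields a
    structurally valid START body is almost certainly the real key, and the body it yields
    contains the user's password in the clear."""
    for key in candidates:
        if parse_authen_start(obfuscate_body(captured_body, session_id, key, version, seq_no)):
            return key
    return None


if __name__ == "__main__":
    sid = 0x1A2B3C4D                       # constructed session ID
    body = build_authen_start(b"cj", b"vty0", b"10.1.1.5", b"userkey")
    on_wire = obfuscate_body(body, sid, b"Admin@123", TACACS_VERSION_12_0, 1)
    guessed = brute_force_key(on_wire, sid, TACACS_VERSION_12_0, 1, [b"password", b"Admin@123", b"huawei"])
    print("key found:", guessed)
    print("password recovered:", parse_authen_start(obfuscate_body(on_wire, sid, guessed, TACACS_VERSION_12_0, 1))["data"])
```

The obfuscation provides no integrity and no forward secrecy: a key that is ever guessed or leaked exposes every past capture, so rotate the key when a template is retired and keep the HWTACACS traffic on a management network that untrusted hosts cannot sniff.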
Example
# Set the shared key of the HWTACACS server to Admin@123.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server shared-key cipher Admin@123
Related Topics
13.3.3 display hwtacacs-server template
13.3.13 hwtacacs-server template
Function
The hwtacacs-server source-ip command specifies the source IP address used by
a device to communicate with an HWTACACS server.
By default, the device uses the IP address of the actual outbound interface as the
source IP address encapsulated in HWTACACS packets.
Format
hwtacacs-server source-ip ip-address
Parameters
Parameter Description Value
ip-address Specifies the source IP address for The value is a valid unicast
communication between the device address in dotted decimal
and HWTACACS server. notation.
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
You can configure all HWTACACS packets sent by the device to use the same
source IP address. In this way, an HWTACACS server uses only one IP address to
communicate with the device.
Example
# Specify the source IP address 10.1.1.1 for communication between the device
and HWTACACS server.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server source-ip 10.1.1.1
Related Topics
13.3.3 display hwtacacs-server template
13.3.13 hwtacacs-server template
Function
The hwtacacs-server template command creates an HWTACACS server template
and enters the HWTACACS server template view.
Format
hwtacacs-server template template-name
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Precautions
You can modify the content of a template or delete a template only when the
template is not in use.
Example
# Create an HWTACACS server template template1 and enter the HWTACACS
server template view.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1]
Related Topics
13.3.3 display hwtacacs-server template
13.3.6 hwtacacs-server
Function
The hwtacacs-server timer quiet command sets the quiet interval before the
primary server reverts to the active state.
The undo hwtacacs-server timer quiet command restores the default quiet
interval.
Format
hwtacacs-server timer quiet interval
undo hwtacacs-server timer quiet
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the primary server is unavailable, the device switches services to the standby
server and sends packets to it. When the quiet interval expires, the device
attempts to establish a connection with the primary server again:
● If the primary server is still unavailable, the device continues to send packets
to the standby server until the next quiet interval expires, and so on.
● If the primary server is available, the device switches services back to the
primary server and sends packets to it.
The quiet interval balances prompt restoration of the primary server against the
number of probes sent during a switchover: a short interval detects recovery
sooner but probes a failed server more often.
The default value is recommended.
Precautions
When you run the hwtacacs-server timer quiet command to change the quiet
interval before the primary server reverts to the active state, the device does not
check whether the HWTACACS server template is in use.
Example
# Set the quiet interval before the primary server reverts to the active state to 3
minutes.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server timer quiet 3
Related Topics
13.3.3 display hwtacacs-server template
Function
The hwtacacs-server timer response-timeout command sets the response timeout
interval of an HWTACACS server.
The undo hwtacacs-server timer response-timeout command restores the default
response timeout interval.
Format
hwtacacs-server timer response-timeout interval
undo hwtacacs-server timer response-timeout
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the device sends a request packet to the HWTACACS server, if the device
does not receive any response packet from the server within the specified response
timeout interval:
● If only one HWTACACS server is configured, the device retransmits the request
to this server.
● If active/standby HWTACACS servers are configured, the device retransmits
the request to the standby server.
This improves reliability of HWTACACS authentication, authorization, and
accounting.
Precautions
You can modify this configuration only when the HWTACACS server template is
not in use.
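The failover behaviour that the quiet interval (hwtacacs-server timer quiet) and the response timeout (hwtacacs-server timer response-timeout) together produce, as an added Python simulation that is not part of this command reference or of the device software. It models the server selection the two commands describe and shows the operational consequence: a single request that times out moves logins to the standby server for the whole quiet interval, even if the primary recovers seconds later. Server names, the availability schedule and the timer values (5 minutes and 5 seconds, taken as the defaults) are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class ServerState:
    name: str
    quiet_until: float = 0.0   # absolute time (seconds) until which the server stays in the quiet state


@dataclass
class HwtacacsTemplate:
    """Server selection in one HWTACACS server template: the primary server is tried first,
    the standby server after a response timeout, and a primary server that timed out is not
    probed again until its quiet interval has expired."""
    primary: ServerState
    secondary: Optional[ServerState] = None
    quiet_interval_min: int = 5      # hwtacacs-server timer quiet (assumed default: 5 minutes)
    response_timeout_s: int = 5      # hwtacacs-server timer response-timeout (assumed default: 5 seconds)

    def send(self, now: float, reachable: Callable[[str, float], bool]) -> Tuple[Optional[str], float]:
        """Send one request at time 'now'. reachable(name, t) tells whether that server answers
        at time t. Returns (name of the server that answered, or None; seconds spent waiting)."""
        if self.secondary is not None:
            order = [self.primary, self.secondary]
        else:
            order = [self.primary, self.primary]      # single server: one retransmission to the same server
        waited = 0.0
        for srv in order:
            t = now + waited
            if self.secondary is not None and t < srv.quiet_until:
                continue                              # still in its quiet interval: not probed
            if reachable(srv.name, t):
                return srv.name, waited
            waited += self.response_timeout_s         # no answer within the response timeout
            srv.quiet_until = t + self.response_timeout_s + 60 * self.quiet_interval_min
        return None, waited


def primary_down_between(start: float, end: float, primary_name: str) -> Callable[[str, float], bool]:
    """Constructed availability schedule: the primary is unreachable during [start, end),
    every other server always answers."""
    return lambda name, t: name != primary_name or not (start <= t < end)


if __name__ == "__main__":
    tpl = HwtacacsTemplate(ServerState("10.7.66.66"), ServerState("10.7.66.67"))
    reach = primary_down_between(8, 60, "10.7.66.66")
    for t in (0, 10, 100, 320):
        print(f"t={t:>4}s -> {tpl.send(t, reach)}")
```

In the timeline above the primary is back at t=60 s, but the device keeps using the standby until t=315 s; the cost of a short response timeout is therefore not just one slow login but a 5-minute detour of every login through the standby server, which is worth remembering when the standby has a different policy set.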
Example
# Set the response timeout interval of an HWTACACS server to 30s.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server timer response-timeout 30
Related Topics
13.3.3 display hwtacacs-server template
13.3.13 hwtacacs-server template
Function
The hwtacacs-server traffic-unit command sets the traffic unit used by an
HWTACACS server.
The undo hwtacacs-server traffic-unit command restores the default traffic unit
used by the HWTACACS server.
Format
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
undo hwtacacs-server traffic-unit
Parameters
Parameter Description Value
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Different HWTACACS servers may use different traffic units; therefore, you need to
set the traffic unit for each HWTACACS server group on the device and the traffic
unit must be the same as that on the HWTACACS server.
Precautions
You can modify this configuration only when the HWTACACS server template is
not in use.
Example
# Set the traffic unit used by an HWTACACS server to KByte.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server traffic-unit kbyte
Related Topics
13.3.3 display hwtacacs-server template
13.3.13 hwtacacs-server template
Function
The hwtacacs-server user-name domain-included command configures the device
to keep the domain name in user names sent to the HWTACACS server.
The undo hwtacacs-server user-name domain-included command configures the
device to remove the domain name from user names sent to the HWTACACS server.
Format
hwtacacs-server user-name domain-included
undo hwtacacs-server user-name domain-included
Parameters
None
Views
HWTACACS server template view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The format of a user name is user name@domain name. In the user name, @ is
the domain name delimiter.
If the HWTACACS server does not accept the user name with the domain name,
run the undo hwtacacs-server user-name domain-included command to delete
the domain name from the user name.
Precautions
You can modify this configuration only when the HWTACACS server template is
not in use.
In the current version, the hwtacacs-server user-name domain-included
command itself has no effect; the user name sent by the device is one of the
following:
1. By default, the device sends the user name in HWTACACS packets as it was
entered, without modifying it.
2. After the undo hwtacacs-server user-name domain-included command is
executed, the user names in packets sent to the HWTACACS server do not contain
domain names.
If the user names in HWTACACS packets sent to the server contain domain names,
ensure that the total length of a user name (user name + domain name delimiter
+ domain name) does not exceed 64 characters; otherwise, the user name cannot
be carried in HWTACACS packets and authentication fails.
Example
# Configure the device to encapsulate the domain name in the user name when
sending HWTACACS packets to an HWTACACS server.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server user-name domain-included
Related Topics
13.3.3 display hwtacacs-server template
Function
The hwtacacs-user change-password hwtacacs-server command enables an
HWTACACS-authenticated user to change the password saved on the HWTACACS
server.
Format
hwtacacs-user change-password hwtacacs-server template-name
Parameters
Parameter Description Value
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
To change the password saved on the HWTACACS server, users can run the
hwtacacs-user change-password hwtacacs-server command on the device. You
do not need to change the configuration on the HWTACACS server.
Precautions
● This command applies only to users authenticated by HWTACACS, and the
HWTACACS server template must be configured.
● Users can run this command to change their passwords only while the user
names and passwords saved on the HWTACACS server have not expired. When a
user whose password has expired logs in to the device, the HWTACACS server
does not allow the user to change the password and displays a message
indicating that authentication fails.
● The wait period is 30 seconds. If the HWTACACS server does not receive the
user name, new password, or confirmed password from the user within that
period, it terminates the password change process.
● Users can press Ctrl+C to cancel the password change.
● HWTACACS users who pass AAA authentication can use the hwtacacs-user
change-password hwtacacs-server command to change their passwords before
the passwords expire. To change the passwords of other users with this
command, a user must have system rights.
Example
# Enable the user that passes HWTACACS authentication to change the password.
<HUAWEI> hwtacacs-user change-password hwtacacs-server huawei
Username:cj@huawei
Old Password:
New Password:
Re-enter New password:
Info: The password has been changed successfully.
Function
The reset hwtacacs-server accounting-stop-packet command clears statistics on
Accounting Stop packets.
Format
reset hwtacacs-server accounting-stop-packet { all | ip ip-address }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Statistics cannot be restored once being cleared.
Example
# Clear statistics on all Accounting Stop packets.
<HUAWEI> reset hwtacacs-server accounting-stop-packet all
Related Topics
13.3.2 display hwtacacs-server accounting-stop-packet
Function
The reset hwtacacs-server statistics command clears statistics about HWTACACS
authentication, accounting, and authorization.
Format
reset hwtacacs-server statistics { all | accounting | authentication |
authorization }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If statistics about HWTACACS authentication, accounting, and authorization need
to be collected in a specified period of time, you must clear the original statistics
first.
Precautions
● After the reset hwtacacs-server statistics command is run, all statistics
about HWTACACS authentication, accounting, and authorization are cleared and
cannot be restored. Therefore, exercise caution when you decide to run this
command.
● You can run the display hwtacacs-server template template-name verbose
command to check statistics about HWTACACS authentication, accounting,
and authorization in the specified server template.
Example
# Clear all the statistics.
<HUAWEI> reset hwtacacs-server statistics all
Related Topics
13.3.3 display hwtacacs-server template
Function
The access-context profile enable command enables the user context
identification function.
The undo access-context profile enable command disables the user context
identification function.
Format
access-context profile enable
undo access-context profile enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
User context refers to association information of a user, such as the user name,
user VLAN, and access interface.
To simplify the authentication server configuration, the administrator can add the
users with the same network access rights to the same user context profile based
on the user context, and configure the network access rights for the users based
on the user context profile. When a user goes online after the user context
identification function is enabled, the device can identify the user context
information and add the user to the corresponding context profile based on the
identification result.
● If the user is authenticated successfully, the authentication server can assign
the network access rights mapping the user context profile to the user based
on the user context reported by the device.
● If the user fails to be authenticated, the device assigns the user the network
access rights in each phase before authentication success, which are bound to
the context profile in the user authentication event authorization policy.
For example, on some enterprise networks, VLANs are used to divide the entire
network into different areas with various security levels. The administrator
requires that a user should obtain different network access rights when the user
connects to the network from different areas. In this case, the user context
identification function can be enabled on access devices, and a group of VLANs
that belong to the same area are added to the same user context profile. The
administrator then assigns the mapping network access rights to different user
context profiles based on the security level of each area. When a user connects to
the network from different areas, the user is added to different user context
profiles matching their access VLANs and therefore obtains different network
access rights.
Example
# Enable the user context identification function.
<HUAWEI> system-view
[HUAWEI] access-context profile enable
Function
The access-context profile name command creates a user context profile and
displays the user context profile view.
The undo access-context profile name command deletes the created user
context profile.
Format
access-context profile name profile-name
undo access-context profile name profile-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To simplify the authentication server configuration, the administrator can add the
users with the same network access rights to the same user context profile based
on the user context, and assign the network access rights to the users based on
the user context profile.
Follow-up Procedure
In the user context profile view, run the if-match vlan-id start-vlan-id [ to end-
vlan-id ] &<1-10> command to configure the user identification policy based on
VLAN IDs.
Example
# Create the user context profile p1.
<HUAWEI> system-view
[HUAWEI] access-context profile name p1
Function
The access-author policy global command globally applies a user
authentication event authorization policy.
The undo access-author policy global command cancels the global application
of a user authentication event authorization policy.
Format
access-author policy policy-name global
undo access-author policy policy-name global
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users need basic network access rights before they are authenticated. For
example, the users need to download 802.1X clients and update the antivirus
database. A user authentication event authorization policy can be used to bind the
network access rights of users in each phase before authentication success to a
user context profile. When a user goes online after a user authentication event
authorization policy is applied to the device, the device adds the user to the
context profile based on the user context identification result, and assigns the
network access rights to the user based on the user authentication result.
Prerequisites
A user authentication event authorization policy has been created using the
access-author policy name policy-name command in the system view.
Precautions
This function takes effect only for users who go online after this function is
successfully configured.
Example
# Globally apply the user authentication event authorization policy a1.
<HUAWEI> system-view
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] quit
[HUAWEI] access-author policy a1 global
Function
The access-author policy name command creates a user authentication event
authorization policy and enters its view.
The undo access-author policy name command deletes a user authentication
event authorization policy.
Format
access-author policy name policy-name
undo access-author policy name policy-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users need basic network access rights before they are authenticated. For
example, the users need to download 802.1X clients and update the antivirus
database. A user authentication event authorization policy can be used to bind the
network access rights of users in each phase before authentication success to a
user context profile. When a user goes online after a user authentication event
authorization policy is applied to the device, the device adds the user to the
context profile based on the user context identification result, and assigns the
network access rights to the user based on the user authentication result.
Follow-up Procedure
1. In the user authentication event authorization policy view, run the match
access-context-profile action command to configure the network access
rights for users in each phase before authentication success.
2. In the system view, run the access-author policy global command to apply
the user authentication event authorization policy.
Example
# Create the user authentication event authorization policy a1.
<HUAWEI> system-view
[HUAWEI] access-author policy name a1
13.4.6 access-domain
Function
The access-domain command configures a default or forcible domain in an
authentication profile for users.
The undo access-domain command deletes a configured default or forcible
domain in an authentication profile.
By default, no default or forcible domain is configured in an authentication profile.
Format
access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]
Parameters
Parameter Description Value
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device manages users in domains. For example, AAA schemes and
authorization information are bound to domains. During user authentication, the
device assigns users to specified domains based on the domain names contained
in user names. However, user names entered by many users on actual networks do
not contain domain names. In this case, you can configure a default domain in an
authentication profile. If users using this profile enter user names that do not
contain domain names, the device manages the users in the default domain.
On actual networks, user names entered by some users contain domain names
and those entered by other users do not. The device uses different domains to
manage the users. Because authentication, authorization and accounting (AAA)
information in the domains are different, users use different AAA information. To
ensure that users using the same authentication profile use the same AAA
information, you can configure a forcible domain in the authentication profile for
the users. The device then manages the users in the forcible domain regardless of
whether entered user names contain domain names or not.
Prerequisites
A domain has been configured using the 13.1.47 domain (AAA view) command
in the AAA view.
Precautions
● If both a default domain and a forcible domain are configured, the device
authenticates users in the forcible domain.
● This function takes effect only for users who go online after this function is
successfully configured.
● In a wireless scenario, RADIUS accounting is performed only for AAA users
who do not need to pass authentication in a forcible domain, and cannot be
performed for such users in the default domain.
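User-name handling at the two points where this reference touches it, as one added Python example that is not part of this command reference or of the device software: the domain selection that access-domain describes (typed domain, default domain, forcible domain) and the user name the device places in HWTACACS packets under hwtacacs-server user-name domain-included, including the 64-character limit beyond which the page says authentication fails. Splitting the name at the last '@' is an assumption for the example; the sample names are constructed.

```python
from typing import Optional, Tuple

DOMAIN_DELIMITER = "@"
HWTACACS_MAX_USERNAME = 64   # user name + delimiter + domain name, per the domain-included precaution


def split_username(entered: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' into its parts. Assumption for this example: the last '@' is the
    delimiter, and a name without '@' (or with an empty domain part) carries no domain."""
    user, sep, domain = entered.rpartition(DOMAIN_DELIMITER)
    if not sep:
        return entered, None
    return user, (domain or None)


def resolve_domain(entered: str, default_domain: Optional[str] = None,
                   force_domain: Optional[str] = None) -> Optional[str]:
    """Domain the device manages the user in, following access-domain: a forcible domain
    overrides whatever was typed, a typed domain is used as-is, and the default domain only
    fills in when the typed name carries no domain. None means no domain could be chosen."""
    if force_domain:
        return force_domain
    _, typed = split_username(entered)
    return typed if typed else default_domain


def hwtacacs_username(entered: str, domain_included: bool = True) -> Optional[str]:
    """User name placed in the HWTACACS packet. With domain-included in effect (the default)
    the name is sent exactly as typed; after 'undo hwtacacs-server user-name domain-included'
    the domain part is stripped. Returns None when the result exceeds the 64-character limit,
    the case in which the device cannot carry the name and authentication fails."""
    name = entered if domain_included else split_username(entered)[0]
    if len(name) > HWTACACS_MAX_USERNAME:
        return None
    return name


if __name__ == "__main__":
    for entered in ("cj@huawei", "cj", "u" * 60 + "@" + "d" * 10):
        print(f"{entered[:20]!r:>24}: domain={resolve_domain(entered, default_domain='default')!r}, "
              f"hwtacacs name={hwtacacs_username(entered)!r}, "
              f"without domain={hwtacacs_username(entered, domain_included=False)!r}")
```

The two decisions are independent: the domain chosen by access-domain decides which AAA scheme and server template apply, while domain-included decides only what string the HWTACACS server sees, so a forcible domain does not by itself change the name sent to the server.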
Example
# Configure the forcible domain huawei in the authentication profile p1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] access-domain huawei force
Related Topics
13.4.61 display authentication-profile configuration
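The domain selection order described above (forcible domain over the domain in the user name over the default domain), modelled as an added Python example; this is not code from the switch. It assumes that "@" separates user and domain in a user name and that the non-force form of access-domain sets the default domain.

```python
"""Domain selection for access users, modelled from the Usage Scenario and
Precautions above. Order: a forcible domain wins; otherwise the domain carried
in the user name is used; otherwise the authentication profile's default domain.
Assumed: '@' separates user and domain; the non-force access-domain form sets
the default domain. What the device does when no domain applies is not modelled."""
from dataclasses import dataclass
from typing import Optional, Tuple

DOMAIN_DELIMITER = "@"  # assumed user-name format: user@domain


@dataclass(frozen=True)
class AuthenticationProfile:
    """Constructed stand-in for 'authentication-profile name <name>'."""
    name: str
    default_domain: Optional[str] = None  # assumed: access-domain <d>
    force_domain: Optional[str] = None    # access-domain <d> force


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (pure user name, domain carried in the name or None)."""
    if DOMAIN_DELIMITER in user_name:
        user, domain = user_name.rsplit(DOMAIN_DELIMITER, 1)
        return user, (domain or None)  # 'alice@' carries no usable domain
    return user_name, None


def select_domain(profile: AuthenticationProfile,
                  user_name: str) -> Tuple[str, Optional[str], str]:
    """Return (pure user, domain the user is managed in, reason).

    A forcible domain overrides both the default domain and any domain in
    the user name, as the precaution above states.
    """
    user, named = split_user_name(user_name)
    if profile.force_domain:
        return user, profile.force_domain, "forcible domain"
    if named:
        return user, named, "domain in user name"
    if profile.default_domain:
        return user, profile.default_domain, "default domain"
    return user, None, "no domain configured"


if __name__ == "__main__":
    p1 = AuthenticationProfile("p1", default_domain="huawei", force_domain="guest")
    for name in ("alice", "alice@corp", "alice@"):
        print(name, "->", select_domain(p1, name))
```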
Function
The access-user arp-detect command sets the source IP address and source MAC
address of offline detection packets in a VLAN.
The undo access-user arp-detect command deletes the source IP address and
source MAC address of offline detection packets in a VLAN.
By default, the source IP address and source MAC address are not specified for
offline detection packets in a VLAN.
Format
access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.
If the VLAN to which the user belongs does not have a VLANIF interface or the
VLANIF interface does not have an IP address, the device sends an offline
detection packet using 0.0.0.0 as the source IP address. If a user cannot respond to
an ARP probe packet with the source IP address 0.0.0.0, you can specify a source IP
address for the offline detection packet.
You are advised to specify the user gateway IP address and its corresponding MAC
address as the source IP address and source MAC address of offline detection
packets.
Precautions
This function does not take effect for users who use Layer 3 Portal authentication.
If a user on a physical interface is online, this command takes effect only after the
user goes online again or the device re-authenticates the user.
Example
# Set the source IP address and MAC address of offline detection packets for users
in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234
Format
access-user arp-detect default ip-address ip-address
undo access-user arp-detect default ip-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.
Precautions
● This function does not take effect for users who use Layer 3 Portal
authentication.
● In the SVF or policy association scenario, you are advised to run the access-user
arp-detect default ip-address command to set the source IP address of
offline detection packets to 0.0.0.0. In the SVF scenario, the command must
be configured on the UC device and takes effect only for UC detection. The
default source IP address of offline detection packets for AS detection is
0.0.0.0. In the policy association scenario, you can directly configure the
command on the AS device.
● In normal situations, after a device sends an ARP probe packet with a default
source IP address, online clients will immediately respond with ARP reply
packets. If online clients do not respond with ARP reply packets, the device
logs them out unexpectedly. To resolve this problem, use either of the
following methods:
– Run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address
mac-address command to specify a VLAN ID, source IP address, and source
MAC address for ARP probe packets.
– Run the authentication timer handshake-period handshake-period
command to increase the handshake period so that the device can detect
gratuitous ARP packets that these clients send at an irregular period.
Once the device detects such packets, it does not log them out.
Example
# Set the default source IP address of offline detection packets to 0.0.0.0.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0
Format
access-user dot1x-identity speed-limit value
undo access-user dot1x-identity speed-limit [ value ]
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If a large number of Identity packets for wireless 802.1X authentication are sent to
the CPU of a switch, the CPU usage is high and other services are affected. To
prevent this problem, run the access-user dot1x-identity speed-limit command
to configure the rate limit of Identity packets for wireless 802.1X authentication to
be sent to the CPU, so that the switch discards excess Identity packets.
Example
# Set the rate limit of Identity packets for wireless 802.1X authentication to be
sent to the CPU to 10 pps.
<HUAWEI> system-view
[HUAWEI] access-user dot1x-identity speed-limit 10
Function
The access-user syslog-restrain enable command enables system log
suppression.
Format
access-user syslog-restrain enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a user fails authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of the access device and the access
user, and the authentication time.
If a user repeatedly attempts to go online after authentication failures or
frequently goes online and offline in a short period, a lot of system logs are
generated, which waste system resources and degrade system performance.
System log suppression can address this problem. After the device generates a
system log, it will not generate the same log within the suppression period (set by
13.4.11 access-user syslog-restrain period).
NOTE
The same system logs refer to the system logs containing the same MAC addresses. For
example, after the device generates a system log for a user failing in authentication, the
device will not generate a new system log for this user in the suppression period if the user
fails in authentication again. The system logs for users logging offline are generated in the
same way. If a system log has no MAC address, such system logs are suppressed based on
the user name.
Example
# Enable system log suppression.
<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain enable
Related Topics
13.4.11 access-user syslog-restrain period
Format
access-user syslog-restrain period period
undo access-user syslog-restrain period
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the system log suppression function is enabled using the 13.4.10 access-user
syslog-restrain enable command, use this command to set the system log
suppression period. After generating a system log, the device will not generate the
same log within the suppression period.
Example
# Set the period for system log suppression to 600s.
<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain period 600
Related Topics
13.4.10 access-user syslog-restrain enable
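The suppression rule of access-user syslog-restrain enable and the period set by access-user syslog-restrain period, modelled in Python as an added example (not switch code). The model keys identical logs on the log type plus the user MAC address, falling back to the user name when a log carries no MAC address; keying on the log type as well is an assumption, and the event list is constructed.

```python
"""Model of system log suppression for access users (added example, not code
from the switch). Once a log is generated for a user, the same log (same MAC
address, or same user name when there is no MAC address) is not generated
again within the suppression period. Keying on the log type as well as the
MAC address is an assumption of this model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessLog:
    """One NAC event the device would log (constructed sample shape)."""
    time: int                       # seconds since an arbitrary epoch
    kind: str                       # "authen-fail" or "offline"
    user_mac: Optional[str] = None  # None when the log carries no MAC address
    user_name: Optional[str] = None
    device_mac: str = "0001-0002-0003"  # constructed access device MAC


@dataclass
class SyslogRestrain:
    """State of 'access-user syslog-restrain enable' with a period in seconds."""
    period: int
    enabled: bool = True
    last_emitted: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def suppression_key(self, log: AccessLog) -> Tuple[str, str]:
        # Same logs = same MAC address; fall back to the user name when absent.
        ident = log.user_mac if log.user_mac else (log.user_name or "")
        return (log.kind, ident)

    def should_emit(self, log: AccessLog) -> bool:
        """Return True if the device would actually write this log."""
        if not self.enabled:
            return True
        key = self.suppression_key(log)
        last = self.last_emitted.get(key)
        if last is not None and log.time - last < self.period:
            return False  # identical log within the suppression period
        self.last_emitted[key] = log.time
        return True


def filter_logs(logs: List[AccessLog], period: int,
                enabled: bool = True) -> List[AccessLog]:
    """Run events (in time order) through the suppressor; return logs written."""
    state = SyslogRestrain(period=period, enabled=enabled)
    return [log for log in sorted(logs, key=lambda l: l.time) if state.should_emit(log)]


# Constructed sample: one client retrying a failing login every 30 s, a second
# client flapping offline twice, and a user-name-only log repeated.
SAMPLE_EVENTS = [
    AccessLog(0,   "authen-fail", user_mac="aaaa-bbbb-0001", user_name="alice"),
    AccessLog(10,  "authen-fail", user_name="bob"),
    AccessLog(20,  "authen-fail", user_name="bob"),
    AccessLog(30,  "authen-fail", user_mac="aaaa-bbbb-0001", user_name="alice"),
    AccessLog(45,  "offline",     user_mac="aaaa-bbbb-0002"),
    AccessLog(50,  "offline",     user_mac="aaaa-bbbb-0002"),
    AccessLog(60,  "authen-fail", user_mac="aaaa-bbbb-0001", user_name="alice"),
    AccessLog(700, "authen-fail", user_mac="aaaa-bbbb-0001", user_name="alice"),
]

if __name__ == "__main__":
    for log in filter_logs(SAMPLE_EVENTS, period=600):
        print(log)
```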
Format
acl-id acl-number
undo acl-id { acl-number | all }
Parameters
Parameter Description Value
acl-number Specifies the number of an ACL bound to a service scheme. The value is an integer that ranges from 3000 to 3999.
all Deletes the numbers of all ACLs bound to a service scheme. -
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After creating a service scheme using the 13.1.82 service-scheme (AAA view)
command, you can run the acl-id command to bind an ACL to the service scheme.
Users assigned the service scheme are subject to the ACL rules.
Prerequisites
An IPv4 ACL must have been created using the 14.1.5 acl (system view) or 14.1.4
acl name command.
Precautions
If all users in a group are required to have the same access rights, do not specify
the source IP address in the ACL bound to the service scheme. If an ACL bound to
a service scheme has defined the source IP address, only users with the same IP
address as the source IP address in the ACL can match the ACL in the service
scheme.
The maximum number of ACLs that can be bound to a service scheme is 4.
In the policy association scenario, if multiple ACLs are configured using this
command on the authentication control device, only the first configured one takes
effect on the authentication access device.
Example
# Bind ACL 3001 to the service scheme huawei.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] acl-id 3001
Format
authentication handshake
undo authentication handshake
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device creates entries for pre-connection users, users who fail to be
authenticated and are assigned network access rights, and users who are
authenticated. After users go offline in normal situations, the system immediately
deletes the corresponding user entries. However, if some users go offline due to
exceptions such as network disconnections, the system cannot immediately delete
the corresponding user entries. If there are too many such invalid user entries,
other users may fail to access the network.
To solve this problem, run the authentication handshake command to enable the
handshake with pre-connection users and authorized users. If a user does not
respond to the handshake request from the device within the handshake interval,
the device deletes the user entry.
Precautions
● The handshake interval for MAC address authentication users, Layer 3 Portal
authentication users, and 802.1X authentication users is configured using the
13.4.30 authentication timer handshake-period command. The handshake
interval for Layer 2 Portal authentication users is configured using the portal
timer offline-detect command.
● For Layer 3 Portal authentication users, only those who go online through
S5720HI support this function.
● This function takes effect only for the wired users who obtain IP addresses.
● When the configuration changes, the configuration takes effect only for new
online wired users.
● The handshake function is implemented using ARP probe packets or neighbor
discovery (ND) probe packets.
● The handshake function can also be implemented by detecting whether there
is user traffic on the access device. Assuming that the handshake interval is
3n, the device will detect user traffic at n and 2n. The following uses the 0-n
period as an example. The process during the n-2n period is similar to that
during 0-n. (This process applies only to authentication users who go online
from the S5720EI, S5720HI, S6720EI, and S6720S-EI. Other switch models do
not detect user traffic and send probe packets at n and 2n.)
– If user traffic passes the device during the 0-n period, the device
considers that the user is online at n, so it will not send a probe packet to
the user, but resets the handshake interval.
– If no user traffic passes the device during the 0-n period, the device
cannot determine whether the user is online at n, so it sends a probe
packet to the user. If the device receives the reply packet from the user, it
considers the user online and resets the handshake interval. If no reply
packet is received, it considers the user offline.
– If user traffic passes the device during the 2n-3n period, the device
considers that the user is online at 3n and resets the handshake interval.
– If no user traffic passes the device during the 2n-3n period, the device
cannot determine whether the user is online at 3n and considers that the
user is offline.
If the device considers that the user is offline at n, 2n, and 3n, the device
deletes all entries related to the user. To prevent the user from going offline
unexpectedly when no operation is performed on the PC, do not set a short
handshake period.
Example
# In the authentication profile p1, enable the handshake with pre-connection
users and authorized users.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication handshake
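The traffic-detection handshake process from the precautions above (checks at n and 2n with a probe only when no traffic was seen, a traffic-only check at 3n, deletion after three offline verdicts), simulated in Python as an added example; this is not code from the switch. Traffic timestamps and probe replies are constructed inputs.

```python
"""Model of the handshake-with-traffic-detection process described in the
authentication handshake precautions (added illustration, not switch code).
With a handshake interval of 3n the device checks at n and 2n whether user
traffic passed in the preceding n seconds and sends an ARP/ND probe only when
it did not; at 3n it checks traffic only. A user judged offline at n, 2n and 3n
is deleted; any online verdict resets the timer."""
from typing import Callable, Iterable, List, Tuple


def run_handshake_cycle(start: int, n: int, traffic_times: Iterable[int],
                        probe_answered: Callable[[int], bool]
                        ) -> Tuple[str, int, List[str]]:
    """Run one 3n cycle beginning at `start`.

    Returns ("online", reset_time, trace) or ("offline", start + 3n, trace).
    """
    trace: List[str] = []
    for k in (1, 2, 3):
        t = start + k * n
        window_start = t - n
        # Did any user traffic pass the device in the last n seconds?
        if any(window_start < ts <= t for ts in traffic_times):
            trace.append(f"t={t}: traffic seen in ({window_start}, {t}] -> online, timer reset")
            return "online", t, trace
        if k < 3:
            # No traffic: only now does the device send a probe packet.
            if probe_answered(t):
                trace.append(f"t={t}: no traffic, probe answered -> online, timer reset")
                return "online", t, trace
            trace.append(f"t={t}: no traffic, probe unanswered -> offline at {k}n")
        else:
            trace.append(f"t={t}: no traffic in (2n, 3n] -> offline at 3n")
    return "offline", start + 3 * n, trace


def simulate(n: int, traffic_times: Iterable[int],
             probe_answered: Callable[[int], bool], horizon: int
             ) -> Tuple[bool, int, List[str]]:
    """Repeat cycles until the user entry is deleted or `horizon` is reached.

    Returns (deleted, time of deletion or of the last reset, trace).
    """
    traffic = sorted(traffic_times)
    start, trace = 0, []
    while start + 3 * n <= horizon:
        status, t, cycle_trace = run_handshake_cycle(start, n, traffic, probe_answered)
        trace.extend(cycle_trace)
        if status == "offline":
            trace.append(f"t={t}: offline at n, 2n and 3n -> user entry deleted")
            return True, t, trace
        start = t
    return False, start, trace


if __name__ == "__main__":
    # Constructed case: one burst of traffic at t=5, then a PC that never
    # answers probes (for example, asleep); it is deleted one full cycle later.
    deleted, when, log = simulate(n=10, traffic_times=[5],
                                  probe_answered=lambda t: False, horizon=100)
    print("\n".join(log))
    print("deleted:", deleted, "at", when)
```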
Format
authentication control-direction { all | inbound }
Parameters
Parameter Description Value
all Configures bidirectional traffic control. -
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the access authentication device discards all the traffic sent from the
users who fail the 802.1x authentication or MAC address authentication. However,
these users can still receive packets broadcast from network devices to successfully
authenticated users in the same VLAN. To disable the users who fail the
authentication from receiving the broadcast packets, run the authentication
control-direction all command to configure bidirectional traffic control. To restore
the default situation, run the authentication control-direction inbound command
so that the device only controls the traffic sent from the users who fail the
authentication.
Precautions
● This function applies only to 802.1x authentication and MAC address
authentication.
● This function takes effect only when an access switch functions as the
authentication device and an interface of the switch is connected to only one
IP phone or PC.
● This function does not take effect when users have pre-connection entries or
authentication event entries. You are advised to run the undo authentication
Example
# Configure bidirectional traffic control in the authentication profile authen1.
<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication control-direction all
Format
authentication device-type voice authorize [ service-scheme scheme-name ]
undo authentication device-type voice authorize [ service-scheme ]
Parameters
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to devices, NAC is configured on the devices to manage and control
the data terminals. The voice terminals, however, only need to connect to the
network without being managed and controlled. In this case, you can configure
the voice terminals to go online without authentication on the devices. Then the
voice terminals identified by the devices can go online without authentication.
Precautions
When a RADIUS server is used for dynamic VLAN delivery, the following RADIUS
attributes must be used: (064) Tunnel-Type (which must be set to VLAN or 13),
(065) Tunnel-Medium-Type (which must be set to 802 or 6), and (081)
Tunnel-Private-Group-ID (which can be set to the VLAN ID or VLAN description). To
ensure that the RADIUS server delivers VLAN attributes correctly, all three RADIUS
attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type
attributes must be set to the specified values. When a voice VLAN is delivered, the
RADIUS attribute (26-33) HW-Voice-Vlan must also be used.
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP but
does not support LLDP, configure CDP-compatible LLDP on the switch using
16.3.16 lldp compliance cdp receive command.
To identify voice terminals in a policy association scenario, the voice VLAN OUI
must be configured.
After the voice VLAN function is enabled on an interface using the voice-vlan
enable command, authenticated voice terminals are authorized to use the voice
VLAN if the VLAN of the voice terminals is the same as the voice VLAN.
If you run this command repeatedly, the latest configuration overrides the
previous ones.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# In the authentication profile p1, enable the device to allow voice terminals to go
online without authentication and assign the service scheme s1 to voice terminals
that are not authenticated.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication device-type voice authorize service-scheme s1
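A check of the RADIUS attribute requirements for dynamic VLAN delivery stated in the precautions above, written as an added Python example; it is not code from the switch or from any RADIUS server. Attribute names, numbers and the accepted values come from the text; an Access-Accept is modelled as a constructed dict of attribute name to value.

```python
"""Validate the VLAN-delivery attributes of a RADIUS Access-Accept against the
rules in the precautions above (added example, not switch or server code):
(064) Tunnel-Type = VLAN/13, (065) Tunnel-Medium-Type = 802/6,
(081) Tunnel-Private-Group-ID = VLAN ID or description, all three present,
plus (26-33) HW-Voice-Vlan when a voice VLAN is delivered."""
from typing import Any, Dict, List, Tuple

TUNNEL_TYPE_VLAN = {"13", "VLAN"}   # accepted spellings of Tunnel-Type
TUNNEL_MEDIUM_802 = {"6", "802"}    # accepted spellings of Tunnel-Medium-Type
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")


def _norm(value: Any) -> str:
    """Compare attribute values case-insensitively as strings (13 == "13")."""
    return str(value).strip().upper()


def check_vlan_delivery(attrs: Dict[str, Any],
                        voice_vlan: bool = False) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for one Access-Accept's VLAN attributes.

    `attrs` maps attribute name to value (constructed representation).
    """
    problems: List[str] = []
    missing = [a for a in REQUIRED if a not in attrs]
    if missing:
        problems.append("missing attribute(s): " + ", ".join(missing))
    if "Tunnel-Type" in attrs and _norm(attrs["Tunnel-Type"]) not in TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type must be VLAN (13), got {attrs['Tunnel-Type']!r}")
    if ("Tunnel-Medium-Type" in attrs
            and _norm(attrs["Tunnel-Medium-Type"]) not in TUNNEL_MEDIUM_802):
        problems.append(f"Tunnel-Medium-Type must be 802 (6), got {attrs['Tunnel-Medium-Type']!r}")
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is not None and str(group).strip() == "":
        problems.append("Tunnel-Private-Group-ID is empty; set it to the VLAN ID or VLAN description")
    if voice_vlan and "HW-Voice-Vlan" not in attrs:
        problems.append("voice VLAN delivery also requires (26-33) HW-Voice-Vlan")
    return (not problems), problems


if __name__ == "__main__":
    # Constructed Access-Accept for a data terminal: complete and correct.
    ok, problems = check_vlan_delivery(
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "100"})
    print(ok, problems)
    # Constructed voice case that forgot the vendor attribute.
    ok, problems = check_vlan_delivery(
        {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
         "Tunnel-Private-Group-ID": "voice"}, voice_vlan=True)
    print(ok, problems)
```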
Function
The authentication dot1x-mac-bypass command enables MAC address bypass
authentication.
Format
authentication dot1x-mac-bypass
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can configure MAC address bypass authentication to authenticate terminals
such as printers that cannot have the 802.1X client installed.
After MAC address bypass authentication is enabled in an authentication profile,
the device performs 802.1X authentication for users using the authentication
profile. If the user name request times out, the device starts the MAC address
authentication process for the users.
Precautions
MAC address bypass authentication involves 802.1X authentication and MAC
address authentication. Before enabling this function in an authentication profile,
ensure that an 802.1X access profile and a MAC access profile have been bound to
the authentication profile.
Example
# In the authentication profile p1, enable MAC address bypass authentication.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication dot1x-mac-bypass
Format
User authorization in the case of pre-connections:
authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }
undo authentication event pre-authen action authorize
User authorization when authentication fails:
authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]
undo authentication event authen-fail action authorize
Parameters
Parameter Description Value
service-scheme service-scheme-name Specifies the name of the service scheme based on which network access rights are assigned to users. The value must be an existing service scheme name on the device.
ucl-group ucl-group-name Specifies the name of the UCL group based on which network access rights are assigned to users. The value must be an existing UCL group name on the device.
NOTE
This parameter is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If users establish pre-connections with the device or fail to be authenticated, they
have no network access rights.
To meet these users' basic network access requirements such as updating the
antivirus database and downloading the client, configure authentication event
authorization information. The device will assign network access rights to these
users based on the authentication phase.
Precautions
Wireless 802.1X authentication does not support this function.
If no network access right is configured for users who fail authentication or when
the authentication server is Down, the users establish pre-connections with the
device after the authentication fails and then have the network access rights
assigned to pre-connection users.
VLAN-based authorization does not apply to the authentication users who access
through VLANIF interfaces.
To use VLAN-based authorization (excluding authentication of pre-connection
users), run the 13.4.29 authentication pre-authen-access enable command to
disable the pre-connection function first.
An authorized VLAN cannot be delivered to online Portal users.
This function takes effect only for users who go online after this function is
successfully configured.
For S5720EI, S6720EI, and S6720S-EI, if the user upstream rate limit is configured
in the QoS profile bound to a service scheme, do not configure the device to use
the service scheme to grant network access rights to users in the pre-connection
phase. Otherwise, users go offline.
When the authentication server is in Down state, user authentication fails, or the
user is in pre-connection state, the redirection ACL function is not supported. For
details about this function, see 13.1.72 redirect-acl.
In 802.1X authentication for wired users, when the RADIUS server is Down, some
new clients do not have escape rights. For example, when a new Windows client
receives a Success packet from the device but does not receive the authentication
packets exchanged with the RADIUS server, the client will fail the authentication
and cannot go online. Currently, the following clients have escape rights when
they go online for the first time: H3C iNode clients using EAP-MD5 or PEAP and
Cisco AnyConnect clients using EAP-FAST or PEAP. For Windows clients, for
example, Windows 7, choose "Local Area Connection > Properties > Authentication >
Fallback to unauthorized network access".
Authentication event authorization information cannot be configured for static
users identified by IP addresses.
Example
# In the authentication profile authen1, configure the device to assign network
access rights specified in VLAN 10 to pre-connection users.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event pre-authen action authorize vlan 10
By default, the device does not re-authenticate users in the survival state when
the authentication server changes from Down to Up.
Format
authentication event authen-server-up action re-authen
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The users in the survival state can only access limited network resources after the
device assigns specified network access rights to users who fail authentication
because the authentication server is Down. To meet the users' normal network
access requirements, the device needs to re-authenticate users in the survival state
in real time when the authentication server turns Up.
Prerequisites
The 13.2.46 radius-server testuser command has been configured in the RADIUS
server template so that the device can detect that the authentication server
changes from Down to Up.
NOTE
If the 13.2.46 radius-server testuser command is not configured and the device sets the status
of the authentication server to Down, the device will automatically set the status of the
authentication server to Up after the interval (configured using the 13.2.41 radius-server
retransmit timeout dead-time command) for the server to restore to the active state. The
device will not re-authenticate users.
Example
# In the authentication profile authen1, enable the device to re-authenticate
users when the authentication server turns Up from Down.
<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event authen-server-up action re-authen
Format
authentication event client-no-response action authorize { service-scheme
service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }
undo authentication event client-no-response action authorize
Parameters
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the 802.1X client does not respond, users cannot pass authentication and
thereby have no network access right. Before being successfully authenticated,
some users may need certain basic network access rights to download client
software and update the antivirus database. The network access rights can be
configured for the users when the 802.1X client does not respond, so that the
users can access specified network resources.
Precautions
Wireless 802.1X authentication does not support this function.
This function takes effect only for users who go online after this function is
successfully configured.
When an 802.1X client does not respond, the redirection ACL function is not
supported. For details about the function, see 13.1.72 redirect-acl.
Example
# In the 802.1X access profile d1, configure the device to assign the network
access rights specified in VLAN 10 for users when the 802.1X client does not
respond.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication event client-no-response action authorize vlan 10
Related Topics
13.4.64 display dot1x-access-profile configuration
Format
authentication event portal-server-down action authorize { service-scheme
service-scheme-name | ucl-group ucl-group-name }
undo authentication event portal-server-down action authorize
Parameters
Parameter Description Value
service-scheme service-scheme-name Specifies the name of the service scheme based on which network access rights are assigned to users. The value must be an existing service scheme name.
ucl-group ucl-group-name Specifies the name of the UCL group based on which network access rights are assigned to users. The value must be an existing UCL group name.
NOTE
This parameter is only supported by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the Portal server is Down, users cannot pass the authentication and thereby
have no network access right. Before being successfully authenticated, some users
may need certain basic network access rights to download client software and
update the antivirus database. The network access rights can be configured for
the users when the Portal server is Down, so that the users can access specified
network resources.
Prerequisites
A UCL group has been created using the ucl-group command in the system view.
A service scheme has been created using the service-scheme command in the
AAA view.
Precautions
● This function takes effect only for users who go online after this function is
successfully configured.
● Only Portal authentication users whose authentication is triggered by HTTP
packets support this function.
● Before enabling the access device to assign network access rights to users
when the Portal server is Down, enable the heartbeat detection function on
the Portal server and run the server-detect command on the access device to
enable the Portal server detection function.
● When the Portal server is in Down state, the redirection ACL function is not
supported. For details about this function, see 13.1.72 redirect-acl.
Example
# In the Portal access profile p1, configure the device to assign network access
rights based on the service scheme s1 to users when the Portal server is Down.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-down action authorize service-scheme s1
Related Topics
13.4.77 display portal-access-profile configuration
Format
authentication event portal-server-up action re-authen
undo authentication event portal-server-up action re-authen
Parameters
None
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the device is configured to assign network access rights to users when the Portal
server is Down, users can access limited network resources after the device detects
that the Portal server is Down. To ensure that users can obtain normal network
access rights after the Portal server goes Up, you can enable the device to
re-authenticate users when the Portal server changes from Down to Up. After the
Portal server goes Up, the device sets the status of users displayed as
web-server-down to pre-connection. The re-authentication process starts when the
users visit any web page. If the authentication succeeds, the device assigns normal
network access rights to the users.
Precautions
● This command does not apply to users connected to the route main interface.
● This function takes effect only for users who go online after this function is
successfully configured.
● Before enabling the access device to assign network access rights to users
when the Portal server is Down, enable the heartbeat detection function on
the Portal server and run the server-detect command on the access device to
enable the Portal server detection function.
Example
# In the Portal access profile p1, enable the device to re-authenticate users when
the Portal server turns Up from Down.
<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-up action re-authen
Related Topics
13.4.77 display portal-access-profile configuration
Function
The authentication mac-move enable command enables MAC address
migration.
Format
authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1-10> }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a user is authenticated and accesses the network from one interface of the
device, the network cable is pulled out from the interface and plugged in another
interface on the device. In this case, the user cannot immediately initiate
authentication and access the network. The user can initiate authentication on the
current interface only after the user offline detection interval expires or the
authentication interface is manually enabled and shut down to clear user online
entries. To improve user experience, MAC address migration is enabled so that the
user can immediately initiate authentication and access the network after being
switched to another access interface.
In addition, VLANs need to be specified for users in MAC address migration. The
VLANs before and after the migration can be specified for the users, and they can
be the same or different.
Precautions
Example
# Enable MAC address migration in all VLANs.
<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan all
Format
authentication mac-move detect enable
undo authentication mac-move detect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.
You can also run the 13.4.24 authentication mac-move detect retry-interval
retry-time command to set the detection interval and maximum number of
detections before user MAC address migration.
After the authentication mac-move detect enable command is configured in an
authentication profile, the authentication profile cannot be bound to a VAP
profile.
Example
# Enable a device to detect users' online status before user MAC address
migration.
<HUAWEI> system-view
[HUAWEI] authentication mac-move detect enable
Format
authentication mac-move detect { retry-interval interval | retry-time times } *
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a device is enabled to detect users' online status before user MAC address
migration, if no users are online, the device permits MAC address migration and
allows users to go online from a new access interface. If a user is online, the
device terminates MAC address migration and does not allow the user to go
online from a new access interface. You can run the authentication mac-move
Example
# Configure a device to detect users' online status twice at an interval of 5
seconds before user MAC address migration.
<HUAWEI> system-view
[HUAWEI] authentication mac-move detect retry-interval 5 retry-time 2
Format
authentication mac-move quiet-log enable
undo authentication mac-move quiet-log enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device can record logs when adding or deleting MAC address migration quiet
entries. This helps the administrator to find out the cause for MAC address
migration failure, and improves maintainability of the MAC address migration
quiet function.
Example
# Enable the device to record logs about MAC address migration quiet.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-log enable
Format
authentication mac-move { quiet-times times | quiet-period quiet-value } *
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function.
After the MAC address migration quiet function is enabled, if a user's MAC
address migrates more than the configured number of times (times) within 60
seconds, the device quiets the user for the configured period (quiet-value).
During the quiet period, the device does not allow that user to perform MAC
address migration.
Example
# Configure the quiet period to 120 seconds and the maximum number of MAC
address migration times within 60 seconds before users enter the quiet state to 5.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-times 5 quiet-period 120
By default, the device is disabled from sending alarms about MAC address
migration quiet.
Format
authentication mac-move quiet-user-alarm enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device can send alarms about MAC address migration quiet to improve
maintainability of the MAC address migration quiet function. The device sends
alarms when the percentage of the actual user amount in the MAC address
migration quiet table against the maximum number of users exceeds the upper
alarm threshold configured. If the percentage decreases to be equal to or smaller
than the lower alarm threshold, the device sends a clear alarm. The upper and
lower alarm thresholds are configured using the 13.4.28 authentication mac-
move quiet-user-alarm percentage command.
Example
# Enable the device to send alarms about MAC address migration quiet.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm enable
Function
The authentication mac-move quiet-user-alarm percentage command
configures the upper and lower alarm thresholds for the percentage of MAC
address migration users in quiet state.
By default, the lower alarm threshold is 50 and upper alarm threshold is 100.
Format
authentication mac-move quiet-user-alarm percentage lower-threshold upper-
threshold
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The 13.4.27 authentication mac-move quiet-user-alarm enable command can
be run to enable the device to send alarms about MAC address migration quiet to
improve maintainability of the MAC address migration quiet function. The device
sends alarms when the percentage of the actual user amount in the MAC address
migration quiet table against the maximum number of users exceeds the upper
alarm threshold configured. If the percentage decreases to be equal to or smaller
than the lower alarm threshold, the device sends a clear alarm. The upper and
lower alarm thresholds are configured using the authentication mac-move
quiet-user-alarm percentage command.
Example
# Configure the upper alarm threshold to 80 and lower alarm threshold to 40.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm percentage 40 80
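The quiet function and the alarm thresholds described above, as an added example that is not part of the Huawei command reference: a Python model of the MAC address migration quiet table that counts migrations per MAC address over the 60-second window, quiets a user for quiet-period seconds once the count exceeds quiet-times, and raises or clears the quiet-user alarm on the table occupancy percentage with the upper/lower threshold hysteresis. The table capacity, the MAC addresses and the timestamps are constructed for the example.

```python
"""Model of the MAC address migration quiet function and its occupancy alarm.

This is an added example for this page, not Huawei code. Behaviour taken
from the usage guidelines above: a user is quieted when its MAC address
migrates more than `quiet_times` times within 60 seconds, the quiet lasts
`quiet_period` seconds, the quiet-user alarm is raised when the quiet
table's occupancy (percentage of `max_users`) exceeds the upper threshold
and cleared when it drops to or below the lower threshold. The table
capacity and all MAC addresses and timestamps are constructed here.
"""
from collections import defaultdict, deque


class MacMoveQuiet:
    WINDOW = 60  # seconds over which migrations are counted (from the page)

    def __init__(self, quiet_times=5, quiet_period=120, max_users=1000,
                 lower=50, upper=100):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.max_users = max_users          # assumed quiet-table capacity
        self.lower, self.upper = lower, upper
        self._moves = defaultdict(deque)    # mac -> migration timestamps
        self.quiet_until = {}               # mac -> time its quiet ends
        self.alarm_active = False
        self.log = []                       # (time, event, detail)

    def _check_alarm(self, now):
        pct = 100.0 * len(self.quiet_until) / self.max_users
        if not self.alarm_active and pct > self.upper:
            self.alarm_active = True
            self.log.append((now, "alarm-raise", f"{pct:.0f}%"))
        elif self.alarm_active and pct <= self.lower:
            self.alarm_active = False
            self.log.append((now, "alarm-clear", f"{pct:.0f}%"))

    def _expire(self, now):
        expired = [m for m, end in self.quiet_until.items() if end <= now]
        for mac in expired:
            del self.quiet_until[mac]
            self.log.append((now, "quiet-del", mac))
        if expired:
            self._check_alarm(now)

    def mac_move(self, mac, now):
        """Return True if a migration of `mac` at time `now` is permitted."""
        self._expire(now)
        if mac in self.quiet_until:
            return False                    # in quiet period: migration refused
        stamps = self._moves[mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.WINDOW:
            stamps.popleft()                # drop migrations outside the window
        if len(stamps) > self.quiet_times:
            self.quiet_until[mac] = now + self.quiet_period
            stamps.clear()
            self.log.append((now, "quiet-add", mac))
            self._check_alarm(now)
            return False
        return True


def run_scenario():
    """Nine hosts flapping behind a loop fill the quiet table; a normal user
    migrates once after the quiets age out. Thresholds 40/80 as in the
    example above; a 10-entry table keeps the percentages easy to follow."""
    dev = MacMoveQuiet(quiet_times=5, quiet_period=120,
                       max_users=10, lower=40, upper=80)
    flapping = [f"00e0-fc00-00{i:02x}" for i in range(9)]   # constructed
    for t in range(0, 60, 10):          # six migrations each inside 60 s
        for mac in flapping:
            dev.mac_move(mac, now=t)
    quieted = sorted(dev.quiet_until)
    dropped = dev.mac_move(flapping[0], now=100)          # still quiet
    normal = dev.mac_move("00e0-fc00-00ff", now=200)      # quiets ended at 170
    return {
        "quieted": quieted,
        "dropped_during_quiet": dropped,
        "permitted_after_quiet": normal,
        "alarm_events": [e for e in dev.log if e[1].startswith("alarm")],
        "alarm_active": dev.alarm_active,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

On a real switch the same sequence would show up as the quiet entry add and delete logs enabled with authentication mac-move quiet-log enable, followed by the alarm when the table crosses 80% and the clear alarm once it falls back to 40% or below.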
Format
authentication pre-authen-access enable
undo authentication pre-authen-access enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
This function does not take effect for users who use Portal authentication or
combined authentication (including Portal authentication).
The undo authentication pre-authen-access enable command does not take effect
for pre-connection users for whom network access permissions are configured.
If the device connects to some terminals such as a MacBook laptop that is not
authenticated after obtaining an IP address, it is recommended that you run the
undo authentication pre-authen-access enable command on the device to
disable the pre-connection function and then connect the terminal to the network
again.
Example
# Disable the function of keeping users who fail to be authenticated and do not
have any network access rights in the pre-connection state.
<HUAWEI> system-view
[HUAWEI] undo authentication pre-authen-access enable
Function
The authentication timer handshake-period command sets the handshake
interval of the device with pre-connection users and authorized users.
The default handshake interval of the device with pre-connection users and
authorized users is 300 seconds.
Format
authentication timer handshake-period handshake-period
Parameters
Parameter Description Value
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After enabling the handshake with pre-connection users and authorized users
using the 13.4.13 authentication handshake command, you can run this
command to set the handshake interval. If a user then does not respond to the
device's handshake request within the handshake interval, the device deletes
the user entry.
Precautions
Example
# In the authentication profile p1, set the handshake interval of the device with
pre-connection users and authorized users to 200 seconds.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer handshake-period 200
Format
authentication timer authen-fail-aging aging-time
undo authentication timer authen-fail-aging
Parameters
Parameter Description Value
aging-time Specifies the aging time. The value is 0 or an integer ranging from 60 to 4294860, in seconds. The value 0 indicates that the entry does not age.
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After network access policies are configured for users who fail to be
authenticated, the device creates entries for these users. If the user still fails to be
authenticated when the user aging time expires, the user entry is deleted.
The entries of the users who fail to be authenticated share device resources with
the entries of the users who are authenticated. If there are excess entries of the
users who fail to be authenticated, other users fail to be authenticated. To solve
this problem, run the authentication timer authen-fail-aging command to
reduce the aging time for entries of the users who fail to be authenticated. In
addition, if the time that the users who fail to be authenticated have network
access policies should be shortened, you can run this command to decrease the
aging time for the user entries.
Precautions
This function takes effect only for users who go online after this function is
successfully configured.
Only wired users support this function.
Example
# In the authentication profile p1, configure the aging time for entries of the users
who fail to be authenticated to 3600 seconds.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer authen-fail-aging 3600
Format
authentication timer pre-authen-aging aging-time
undo authentication timer pre-authen-aging
Parameters
Parameter Description Value
aging-time Specifies the aging time. The value is 0 or an integer ranging from 60 to 4294860, in seconds. The value 0 indicates that the entry does not age.
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a pre-connection is established between the device and a user, the device
creates the pre-connection user entry. If the user still fails to be authenticated
when the user aging time expires, the user entry is deleted.
The pre-connection user entries share device resources with the entries of the
users who are authenticated. If there are excess pre-connection user entries, other
users fail to be authenticated. To solve this problem, run the authentication
timer pre-authen-aging command to reduce the aging time for the pre-
connection user entries. In addition, if the time that the pre-connection users have
network access policies should be extended, you can run this command to increase
the aging time for the pre-connection user entries.
Precautions
This function takes effect only for users who go online after this function is
successfully configured.
Only wired users support this function.
Example
# In the authentication profile p1, configure the aging time for the pre-connection
user entries to 3600 seconds.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer pre-authen-aging 3600
Format
authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }
undo authentication timer re-authen { pre-authen | authen-fail }
Parameters
Parameter Description Value
pre-authen re-authen-time Specifies the interval for re-authenticating pre-connection users. The value is 0 or an integer ranging from 30 to 7200, in seconds. The value 0 indicates that the re-authentication function is disabled for pre-connection users.
authen-fail re-authen-time Specifies the interval for re-authenticating users who fail to be authenticated. The value is 0 or an integer ranging from 30 to 7200, in seconds. The value 0 indicates that the re-authentication function is disabled for users who fail to be authenticated.
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device creates the mapping user entries when network access policies are
assigned to users who are in the pre-connection phase or fail authentication. To
enable users to pass authentication in real time, the device periodically re-
authenticates the users who are in the pre-connection phase or fail authentication
according to the user entries. The administrator can adjust the re-authentication
interval based on the actual network requirements.
Precautions
This command only applies to 802.1X authentication and MAC address
authentication.
This function takes effect only for users who go online after this function is
successfully configured.
The device cannot re-authenticate wireless users who are in the pre-connection
phase or fail authentication. Therefore, the authentication timer re-authen
command does not apply to wireless users.
To reduce the impact on the device performance when many users exist, the user
re-authentication interval may be longer than the configured re-authentication
interval.
If a static user configured with 802.1X authentication enters the pre-connection
status after failing the authentication, 802.1X authentication is then performed.
During the 802.1X authentication, the pre-authen re-authen-time timer does not
take effect. If the 802.1X authentication also fails, the pre-authen re-authen-time
timer takes effect, and re-authentication is triggered according to this timer.
Example
# In the authentication profile authen1, set the interval for re-authenticating
users who fail to be authenticated to 300 seconds.
<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication timer re-authen authen-fail 300
Related Topics
13.4.61 display authentication-profile configuration
Format
authentication wlan-max-user max-user-number
Parameters
Parameter Description Value
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
To ensure high-quality network access services for online users in high-density
wireless access scenarios, the administrator needs to limit the number of
authenticated users to prevent excess access users from degrading user
experience. The administrator can run the authentication wlan-max-user
command to limit the number of access users allowed on a VAP of a single AP.
NOTE
This function takes effect only when the authentication profile is bound to the VAP profile.
Example
# In the authentication profile authen1, set the maximum number of allowed
authenticated users to 100 on a VAP.
<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication wlan-max-user 100
Function
The authentication mode command configures the user access mode.
The undo authentication mode command restores the default user access mode.
Format
authentication mode { single-terminal | single-voice-with-data | multi-share |
multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal ] * ] }
Parameters
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After enabling NAC authentication, you can configure a user access mode based
on the user access on the interface. The user access modes include:
Example
# In the authentication profile p1, set the user access mode to multi-authen.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication mode multi-authen
Format
authentication single-access
undo authentication single-access
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
After hybrid authentication is configured, the device by default allows users to
access in different authentication modes. You can run the authentication single-
access command to disable this default function. The device then allows users to
access in only one authentication mode and does not process the packets of other
authentication modes.
Example
# In the authentication profile authen1, configure the device to allow users to
access in only one authentication mode.
<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication single-access
By default, the device does not dynamically adjust the rate of packets from NAC
users.
Format
authentication speed-limit auto
undo authentication speed-limit auto
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When many NAC users send authentication or logout requests to the device at
the same time, the CPU may become overloaded, especially when CPU or memory
usage is already high (for example, above 80%). After the device is enabled to
dynamically adjust the rate of packets from NAC users, it limits the number of
NAC packets it accepts per second while CPU or memory usage is high. This
reduces the load on the device CPU.
Example
# Enable the device to dynamically adjust the rate of packets from NAC users.
<HUAWEI> system-view
[HUAWEI] authentication speed-limit auto
Format
authentication unified-mode
undo authentication unified-mode
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Compared with the common mode, the unified mode uses a modular configuration,
which makes the configuration clearer and the configuration model easier to
understand.
Considering advantages of the unified mode, you are advised to deploy NAC in
unified mode. You can run the authentication unified-mode command to switch
the NAC mode to unified mode.
Precautions
● Starting from V200R005C00, the default NAC mode changes from common
mode to unified mode. Therefore, if the system software of a switch is
upgraded from a version earlier than V200R005C00 to V200R005C00 or a
later version, the switch automatically runs the undo authentication unified-
mode command to configure the NAC mode to common mode.
● After the common mode and unified mode are switched, the device
automatically restarts, causing service interruption.
● In V200R008C00, some NAC commands do not differentiate the common and
unified modes. Their formats and views remain unchanged after being
switched from one mode to the other. After devices are switched from the
common mode in V200R008C00 or later versions to the unified mode in
V200R009C00 or later versions, these NAC commands can be switched to the
unified mode.
● In the unified mode, only the commands of the common mode are
unavailable; in the common mode, only the commands of the unified mode
are unavailable. In addition, after the configuration mode is switched, the
commands supported by both the common mode and unified mode still take
effect.
Example
# Switch the NAC mode to unified mode.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
Format
authentication trigger-condition { dhcp | arp | any-l2-packet } *
Parameters
Parameter Description Value
dhcp Triggers 802.1X authentication through DHCP packets. -
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After 802.1X authentication is enabled, the device can trigger 802.1X
authentication on users by default when receiving DHCP or ARP packets. Based on
user information on the actual network, the administrator can adjust the packet
types that can trigger 802.1X authentication. For example, if all users on a
network dynamically obtain IPv4 addresses, the device can be configured to
trigger 802.1X authentication only through DHCP packets. This prevents the device
from continuously sending ARP packets to trigger 802.1X authentication when
static IPv4 addresses are configured for unauthorized users on the network, and
reduces device CPU occupation.
If a static IPv4 address is configured for a client, 802.1X authentication
cannot be triggered by DHCP or ARP packets because no such packets are
exchanged. You can run the authentication trigger-condition any-l2-packet
command to trigger 802.1X authentication through any Layer 2 packet. Because
any Layer 2 frame then creates a user entry, unauthorized hosts could exhaust
the user entries on the device. To prevent this, configure triggering through
any packet only on the access device, and run the authentication mode
multi-authen max-user max-user-number command in the authentication profile
view to limit the number of access users allowed on an interface. The
recommended value is 10.
Precautions
This function takes effect only for users who go online after this function is
successfully configured.
To allow BPDUs to trigger 802.1X authentication, you must enable the function
corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger
802.1X authentication, run the 16.3.20 lldp enable (system view) command to
enable LLDP globally.
When any-l2-packet is configured and 802.1X authentication is enabled on an
interface, EAP packets sent from a client trigger 802.1X authentication first.
In a policy association scenario, MAC address authentication can only be triggered
by EAP or DHCP or ARP packets.
When MAC address authentication and 802.1X authentication are both enabled on
an interface, packets that can trigger authentication include all the packet types
that can trigger authentication in the MAC access profile and 802.1X access
profile. For example, assume that ARP packets in the MAC access profile are
unable to trigger authentication and ARP packets in the 802.1X access profile can
trigger authentication. If MAC address authentication and 802.1X authentication
are both enabled on an interface, ARP packets can trigger MAC address
authentication.
Example
# In the 802.1X access profile d1, configure the device to use DHCP packets to
trigger 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition dhcp
Format
authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *
Parameters
Parameter Description Value
dhcp Triggers MAC address authentication through DHCP -
packets.
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After MAC address authentication is enabled, the device can trigger MAC address
authentication on users by default when receiving DHCP/ARP/DHCPv6/ND
packets. Based on user information on the actual network, the administrator can
adjust the packet types that can trigger MAC address authentication. For example,
if all users on a network dynamically obtain IPv4 addresses, the device can be
configured to trigger MAC address authentication only through DHCP packets.
This prevents the device from continuously sending ARP packets to trigger MAC
address authentication when static IPv4 addresses are configured for unauthorized
users on the network, and reduces device CPU occupation.
When MAC address authentication and 802.1X authentication are both enabled on
an interface, packets that can trigger authentication include all the packet
types that can trigger authentication in the MAC access profile and 802.1X
access profile. For example, assume that ARP packets in the MAC access profile
are unable to trigger authentication and ARP packets in the 802.1X access
profile can trigger authentication. If MAC address authentication and 802.1X
authentication are both enabled on an interface, ARP packets can trigger MAC
address authentication.
Example
# In the MAC access profile m1, configure the device to trigger MAC address
authentication only through ARP packets.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition arp
Format
authentication trigger-condition dhcp dhcp-option option-code
undo authentication trigger-condition dhcp dhcp-option option-code
Parameters
Parameter Description Value
option-code Specifies the option that the device sends to the authentication server. The value is fixed as 82.
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Option82 records information about DHCP user locations and services (voice and
data services). After this command is run, if the device can trigger MAC address
authentication through DHCP packets, it sends Option82 information to the
authentication server when triggering MAC address authentication through DHCP
packets. Based on the user information recorded in Option82, the authentication
server then assigns different network access rights to users with different services
in different locations. This implements accurate control on the network access
rights of each user.
Precautions
● MAC address authentication users who go online through VLANIF interfaces
do not support this function.
● This function takes effect only for users who go online after this function is
successfully configured.
● Only wired users support MAC address authentication triggered by
DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address
authentication is triggered by association packets.
Example
# In the MAC access profile m1, enable the device to send Option82 information
to the authentication server when triggering MAC address authentication through
DHCP packets.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition dhcp dhcp-option 82
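Option 82 as the authentication server receives it, as an added example that is not from the Huawei command reference or from any RADIUS server: a Python parser for the DHCP Relay Agent Information option (RFC 3046) with its Circuit ID and Remote ID sub-options, plus a server-side decision that maps the recorded location to network access rights, as the usage scenario above describes. The 4-octet circuit-id layout (VLAN, slot, port), the policy table and all sample bytes are constructed for the example and are not the switch's own encoding; how the switch carries the option inside its request to the server is not shown on this page and is not assumed here.

```python
"""Parsing the DHCP Option 82 that a switch forwards when DHCP packets
trigger MAC address authentication, and using it for a per-location
access decision on the server side.

This is an added example for this page, not Huawei or RADIUS-server code.
Option 82 (Relay Agent Information) and its sub-options 1 (Circuit ID)
and 2 (Remote ID) are defined by RFC 3046; the 4-octet circuit-id layout
(VLAN, slot, port), the policy table and all sample bytes below are
constructed for the example and are not the switch's own encoding.
"""
import struct

OPTION_RELAY_AGENT = 82
CIRCUIT_ID, REMOTE_ID = 1, 2
OPTION_END, OPTION_PAD = 255, 0


def extract_option82(options):
    """Walk a DHCP options field (after the magic cookie) and return the
    Option 82 payload, or None if absent. Length fields are checked so a
    malformed packet raises instead of being silently misread."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            return None
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} overruns packet")
        if code == OPTION_RELAY_AGENT:
            return value
        i += 2 + length
    return None


def parse_option82(payload):
    """Return {sub-option code: value} for an Option 82 payload."""
    subs = {}
    i = 0
    while i < len(payload):
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} length {length} overruns payload")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value
        i += 2 + length
    return subs


def build_option82(circuit_id, remote_id):
    """Encode Option 82 with both sub-options, as an access switch would."""
    body = (bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


# Constructed policy: (VLAN, slot, port) from the circuit-id -> access rights.
POLICY = {
    (100, 0, 1): "voice-vlan100-acl",
    (200, 0, 2): "data-vlan200-acl",
}


def decide_access(option82_payload, trusted_remote_ids):
    """Server-side decision. The remote-id must name a known access switch:
    location data is only as trustworthy as the device that inserted it."""
    subs = parse_option82(option82_payload)
    if subs.get(REMOTE_ID) not in trusted_remote_ids:
        return "deny"
    circuit = subs.get(CIRCUIT_ID)
    if circuit is None or len(circuit) != 4:
        return "deny"
    vlan, slot, port = struct.unpack("!HBB", circuit)
    return POLICY.get((vlan, slot, port), "guest")


def demo():
    """A constructed DHCPDISCOVER options field carrying Option 82."""
    switch_id = b"\x00\x11\x22\x33\x44\x55"    # constructed remote-id (switch MAC)
    options = (b"\x35\x01\x01"                 # option 53: DHCPDISCOVER
               + build_option82(struct.pack("!HBB", 100, 0, 1), switch_id)
               + bytes([OPTION_END]))
    payload = extract_option82(options)
    return decide_access(payload, {switch_id})
```

The remote-id check is the point of the example: the server should act on the location in Option 82 only when it came from a known access switch, and a circuit-id of unexpected length or an unknown location should fall through to a restrictive result rather than to the most permissive one.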
Format
authentication-profile authentication-profile-name
undo authentication-profile
Parameters
Parameter Description Value
Views
Interface view, or VAP profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An authentication profile uniformly manages NAC configuration. The
authentication profile is bound to the interface or VAP profile view to enable NAC,
implementing access control on the users in the interface or VAP profile. The
authentication type of the users in the interface or VAP profile is determined by
the access profile bound to the authentication profile.
Prerequisites
An authentication profile has been created using the 13.4.43 authentication-
profile (system view) command in the system view.
Precautions
When configuring NAC, pay attention to the following points:
● VLANIF interfaces, Ethernet interfaces, GE interfaces, MultiGE interfaces, XGE
interfaces, 40GE interfaces, Eth-Trunks, port groups, and VAP profiles support
NAC. The support for NAC on different interfaces is as follows:
– 802.1X authentication does not take effect on a VLANIF interface.
– Layer 2 interfaces and VLANIF interfaces support MAC address
authentication. (Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI,
S5720SI, S5730S-EI, S5730SI, S6720LI, S6720S-LI, S6720S-SI, S6720SI,
S6720EI, and S6720S-EI support configuration of MAC address
authentication on VLANIF interfaces.)
– Support for Portal authentication depends on the interface type: routed
main interfaces (only on the S5720EI, S5720HI, S6720EI, and S6720S-EI)
support only Layer 3 Portal authentication, Layer 2 interfaces support only
Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2
and Layer 3 Portal authentication.
– The VLANIF interface corresponding to the super VLAN does not support
Portal authentication.
● For the access of wireless users through APs, ensure that the APs can be
authenticated (for example, adding the APs to static users) when NAC
authentication is deployed for users. Otherwise, the wireless users cannot be
authenticated.
● NAC authentication cannot be enabled both on a Layer 2 Ethernet interface
and the VLANIF interface mapping the VLAN of the Ethernet interface.
Otherwise, the users have no network access rights after connecting to the
network. In wireless scenarios, NAC authentication cannot be enabled both in
Example
# Apply the authentication profile m1 to VLANIF10.
<HUAWEI> system-view
[HUAWEI] authentication-profile name m1
[HUAWEI-authen-profile-m1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] authentication-profile m1
Format
authentication-profile name authentication-profile-name
undo authentication-profile name authentication-profile-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
NAC can implement access control on users. The device uses authentication
profiles to uniformly manage NAC configuration so that users can easily configure
NAC functions. The parameters (for example, the bound access profile and
authentication type) in the authentication profile can be configured to provide
various access control modes for different users. After the configuration is
complete, the authentication profile is applied to the interface or VAP profile to
enable NAC.
Follow-up Procedure
Example
# Create the authentication profile named mac_authen_profile1.
<HUAWEI> system-view
[HUAWEI] authentication-profile name mac_authen_profile1
Related Topics
13.4.110 dot1x-access-profile (authentication profile view)
13.4.124 mac-access-profile (authentication profile view)
13.4.170 portal-access-profile (authentication profile view)
13.4.61 display authentication-profile configuration
Format
authentication update-ip-accounting enable
undo authentication update-ip-accounting enable
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
By default, the device sends accounting packets for address updating to the
accounting server. Some accounting servers do not need these packets, in
which case they only consume device resources. You can run the undo
authentication update-ip-accounting enable command to stop the device from
sending accounting packets for address updating and save device resources.
After address updating is complete, the device resumes sending accounting
packets, so the accounting function is not affected.
● update-info-accounting indicates that accounting packets are sent
immediately during address updating.
● If the terminal information (including the DHCP Option, UA, or LLDP
information) is updated for the first time, the device immediately triggers
real-time accounting. If it is not the first update, the device only updates
the user entry and reports the new terminal information in subsequent
accounting messages.
● After the undo authentication update-ip-accounting enable command is
configured, the device does not send an accounting packet immediately after
the address is updated, but waits until the real-time accounting timer
expires.
Example
# Disable a device from sending accounting packets for address updating.
<HUAWEI> system-view
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] undo authentication update-ip-accounting enable
Format
band-width share-mode
undo band-width share-mode
Parameters
None
Views
System view, AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
On a home network, all family members go online using the same account. To
improve service experience of family members, you can enable the bandwidth
share mode so that all members can share the bandwidth.
Precautions
● This function does not apply to users who are connected through an
inter-card Eth-Trunk interface.
● If this command is run in the system view, it takes effect for all users
who subsequently go online on the device. If it is run in the AAA domain
view, it takes effect only for users who subsequently go online in that
domain.
● If neither the local server nor the remote RADIUS server assigns CAR
settings to the users (those already online and those going online), the
share mode has no effect on them.
● If the bandwidth share mode is enabled and different users authenticate
with the same account, users already online without CAR settings are not
affected when CAR settings are assigned to users who go online later.
Example
# Enable the bandwidth share mode in the system view.
<HUAWEI> system-view
[HUAWEI] band-width share-mode
Function
The cut access-user ucl-group command forces UCL group users offline.
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
cut access-user ucl-group { group-index | name group-name }
Parameters
Parameter Description Value
name group-name Specifies the name of a UCL group. The UCL group must exist.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
After users go online, run this command to force them offline when you need
to change their network access rights or have found that they are
unauthorized.
Example
# Force UCL group users offline.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user ucl-group name huawei
13.4.47 device-type
Function
The device-type command sets a terminal type identifier.
The undo device-type command deletes a terminal type identifier that has been
set.
By default, no terminal type identifier exists in the system.
Format
device-type device-name
undo device-type
Parameters
Parameter Description Value
Views
Terminal type identification profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a terminal type identifier is configured in a terminal type identification
profile, the terminal type can be identified in the profile. Assume that the terminal
type identifier is set to huawei. If the MAC address, UA, or DHCP Option
information that an AC receives from a terminal matches the identification rule
configured in the terminal type profile, the terminal type is huawei. This helps
administrators to perform access control and rights management for the terminal
based on the identified terminal type.
Precautions
If the device-type command is run more than once in the same profile, only
the latest configuration takes effect.
Example
# In the terminal type identification profile huawei, configure the terminal type
identifier huawei_1.
<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] device-type huawei_1
Related Topics
13.4.62 display device-profile
13.4.48 device-profile
Function
The device-profile command creates a terminal type identification profile and
enters the terminal type identification profile view, or directly enters the view of a
terminal type identification profile that has already been created.
The undo device-profile command deletes a terminal type identification profile
that has been created.
By default, no terminal type identification profile is created.
NOTE
This function is only supported by the S5720HI and the function takes effect only for
wireless access users.
The AP3010DN-AGN does not support terminal type identification.
Format
device-profile profile-name profile-name
undo device-profile { all | profile-name profile-name }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
With the development of the Internet, many enterprises allow employees to wirelessly
access the enterprise intranet using their own intelligent devices such as
Example
# Create a terminal type identification profile named huawei.
<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
Related Topics
13.4.62 display device-profile
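The following is an added example, not Huawei code, that models what the device-type and device-profile commands describe: a profile holding identification rules (MAC address, UA string, or DHCP option content) and an if-match expression, applied to the attributes a terminal presents. The rule syntax follows the display device-profile output shown later in this chapter (rule 1 mac 0006-0045-0078 mask 12, if-match rule id 1). Assumptions, since the page does not define them: "mask N" on a MAC rule compares the leading N bits; UA and DHCP option rules are case-insensitive substring matches; if-match lists rule IDs that must all match; profiles are evaluated in order and the first match wins. The terminals and the second profile are constructed.

```python
"""Added example (not Huawei's code): minimal model of terminal type
identification by a device-profile, as configured with device-profile and
device-type. All rule semantics below are assumptions (see the lead-in)."""
from dataclasses import dataclass, field
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Accept Huawei dotted form (0006-0045-0078) or colon form (00:06:00:45:00:78)."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address {mac!r}")
    return int(digits, 16)


@dataclass
class Rule:
    rule_id: int
    kind: str                 # "mac", "ua" or "dhcp-option"
    value: str
    mask: int = 48            # mac rules only: leading bits compared (assumed meaning of "mask")
    option: int = 0           # dhcp-option rules only: option code, for example 60

    def matches(self, terminal: dict) -> bool:
        if self.kind == "mac":
            if not 1 <= self.mask <= 48:
                raise ValueError("mask must be 1..48 bits")
            shift = 48 - self.mask
            return (mac_to_int(terminal["mac"]) >> shift) == (mac_to_int(self.value) >> shift)
        if self.kind == "ua":
            return self.value.lower() in terminal.get("ua", "").lower()
        if self.kind == "dhcp-option":
            seen = terminal.get("dhcp_options", {}).get(self.option, "")
            return self.value.lower() in seen.lower()
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass
class DeviceProfile:
    name: str
    device_type: str                                   # set with device-type
    rules: dict = field(default_factory=dict)          # rule_id -> Rule
    if_match: list = field(default_factory=list)       # rule IDs that must all match (assumed AND)
    enabled: bool = True                               # "State" in display device-profile

    def identify(self, terminal: dict) -> Optional[str]:
        """Return the profile's device type if every if-match rule matches, else None."""
        if not self.enabled or not self.if_match:
            return None
        if all(self.rules[rid].matches(terminal) for rid in self.if_match):
            return self.device_type
        return None


def identify_terminal(profiles, terminal) -> Optional[str]:
    """Device type of the first matching enabled profile, or None if nothing matches."""
    for profile in profiles:
        found = profile.identify(terminal)
        if found is not None:
            return found
    return None


# Constructed profiles. The first mirrors the display device-profile output in this
# chapter (profile test, device type huawei, rule 1 mac 0006-0045-0078 mask 12) but is
# enabled here; the second is invented for the example.
PROFILES = [
    DeviceProfile("test", "huawei",
                  rules={1: Rule(1, "mac", "0006-0045-0078", mask=12)}, if_match=[1]),
    DeviceProfile("phones", "ipphone",
                  rules={1: Rule(1, "dhcp-option", "phone", option=60),
                         2: Rule(2, "ua", "VoIP")},
                  if_match=[1, 2]),
]

if __name__ == "__main__":
    print(identify_terminal(PROFILES, {"mac": "0006-1234-5678"}))
```

Everything a rule inspects (source MAC, HTTP User-Agent, DHCP option contents) is chosen by the terminal itself, so the identified type is a classification hint for assigning VLANs, ACLs, or priorities, not proof of what the device is; rights that matter should still depend on the user's 802.1X, MAC, or Portal authentication result.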
Format
device-sensor dhcp option option-code &<1-6>
undo device-sensor dhcp option option-code &<1-6>
Parameters
Parameter | Description | Value
option-code | Specifies the DHCP option field that the device needs to resolve. The option fields in a DHCP packet carry control information and parameters, for example, the terminal type. | The value is an integer that ranges from 1 to 254.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
After the DHCP-based terminal type awareness function is enabled, the device can
resolve the option fields that carry terminal type information in the received DHCP
Request packets. The device then sends the option information to the RADIUS
server through RADIUS accounting packets. Through the option information, the
RADIUS server knows the terminal types and controls the network access rights
and packet processing priorities of the terminals.
Precautions
● The command takes effect only when the authentication or accounting mode
in the AAA scheme is RADIUS.
● To make this command take effect, you must run the 14.8.20 dhcp snooping
enable command on the interfaces or in VLANs.
Example
# Set the option fields to be resolved by the device to option 60.
<HUAWEI> system-view
[HUAWEI] device-sensor dhcp option 60
Function
The device-sensor lldp tlv command enables the LLDP-based terminal type
awareness function.
The undo device-sensor lldp tlv command disables the LLDP-based terminal type
awareness function.
Format
device-sensor lldp tlv tlv-type &<1-4>
Parameters
Parameter | Description | Value
tlv-type | Specifies the type of the LLDP TLV from which the device learns the terminal type. | The value is an integer that can be 1, 2, 5, 6, 7, 8, or 127:
● 1: Chassis ID TLV, indicating the bridge MAC address of the device
● 2: Port ID TLV, indicating the port identifying the LLDPDU sending end
● 5: System Name TLV, indicating the device name
● 6: System Description TLV, indicating the system description
● 7: System Capabilities TLV, indicating the system capabilities
● 8: Management Address TLV, indicating the management address
● 127: Organization Specific TLV, indicating user-defined organization information. You can run the lldp tlv-enable med-tlv command on the physical interface for user access to set this parameter.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
Using the LLDP-based terminal type awareness function, the device parses the
required TLV type containing terminal type information from the received LLDP
packets. The device then sends the TLV type information to the RADIUS server
through a RADIUS accounting packet. Through the TLV type information, the
RADIUS server knows the terminal types and controls the network access rights
and packet processing priorities of the terminals.
Precautions
● The command takes effect only when the authentication or accounting mode
in the AAA scheme is RADIUS.
● The command takes effect only when the LLDP function is enabled on the
device and the connected peer device.
Example
# Enable the terminal type awareness function based on LLDP TLV type 5.
<HUAWEI> system-view
[HUAWEI] device-sensor lldp tlv 5
Related Topics
13.4.49 device-sensor dhcp option
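The two device-sensor commands above both work the same way: the device parses a client-sent TLV (a DHCP option, or an LLDP TLV), keeps only the configured codes, and forwards the values to the RADIUS server in accounting packets. The following added example, which is not Huawei code, parses both formats from constructed packets and builds the record that would be carried to RADIUS for device-sensor dhcp option 60 and device-sensor lldp tlv 5. The packet builders, the vendor class string and the system name are constructed for this example; the DHCP and LLDP encodings follow RFC 2132 and IEEE 802.1AB.

```python
"""Added example (not Huawei's code): parse the client-supplied fields that
device-sensor forwards to RADIUS, a DHCP option and an LLDP TLV, from
constructed packets."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236


def parse_dhcp_options(message: bytes) -> dict:
    """Return {option_code: value} from a DHCP message.
    Options are 1-byte code, 1-byte length, value; 0 is a pad byte, 255 ends the list."""
    if len(message) < 240 or message[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(message):
        code = message[i]
        if code == 0:                     # pad
            i += 1
            continue
        if code == 255:                   # end
            break
        if i + 2 > len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value             # last occurrence wins; RFC 3396 concatenation not modelled
        i += 2 + length
    return options


def parse_lldp_tlvs(lldpdu: bytes) -> list:
    """Return [(tlv_type, value), ...] from an LLDPDU.
    Each TLV header is 16 bits: 7-bit type, 9-bit length; type 0 ends the LLDPDU."""
    tlvs, i = [], 0
    while i + 2 <= len(lldpdu):
        header = struct.unpack("!H", lldpdu[i:i + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == 0:
            break
        value = lldpdu[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} truncated")
        tlvs.append((tlv_type, value))
        i += 2 + length
    return tlvs


def device_sensor(dhcp_message: bytes, lldpdu: bytes, dhcp_codes=(60,), lldp_types=(5,)) -> dict:
    """Keep only the configured option codes and TLV types, which is what device-sensor
    dhcp option / device-sensor lldp tlv report through RADIUS accounting."""
    report = {}
    options = parse_dhcp_options(dhcp_message)
    for code in dhcp_codes:
        if code in options:
            report[f"dhcp-option-{code}"] = options[code]
    for tlv_type, value in parse_lldp_tlvs(lldpdu):
        if tlv_type in lldp_types:
            report[f"lldp-tlv-{tlv_type}"] = value
    return report


def build_dhcp_request(options) -> bytes:
    """Constructed DHCPREQUEST: 236-byte fixed header (op=1, htype=1, hlen=6), cookie, options, end."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + b"\xff"


def build_lldpdu(tlvs) -> bytes:
    """Constructed LLDPDU from (type, value) pairs, terminated by an End of LLDPDU TLV."""
    return b"".join(struct.pack("!H", (t << 9) | len(v)) + v for t, v in tlvs) + b"\x00\x00"


# Constructed sample input: a phone-like client claiming vendor class "example-phone-v1"
# in option 60 and announcing system name "ipphone-01" over LLDP.
SAMPLE_DHCP = build_dhcp_request([(53, b"\x03"), (60, b"example-phone-v1"), (55, b"\x01\x03\x06")])
SAMPLE_LLDPDU = build_lldpdu([
    (1, b"\x04" + bytes.fromhex("0006004500aa")),   # Chassis ID, subtype 4 = MAC address
    (2, b"\x07" + b"1"),                             # Port ID, subtype 7 = locally assigned
    (3, b"\x00\x78"),                                # TTL 120 s
    (5, b"ipphone-01"),                              # System Name
])

if __name__ == "__main__":
    print(device_sensor(SAMPLE_DHCP, SAMPLE_LLDPDU))
```

Both values are set by whatever is plugged into the port: any host can send an arbitrary option 60 string or LLDP System Name, so the RADIUS server should use them to pick QoS classes or voice VLANs rather than to grant rights beyond what the user's authentication justifies. The parsers also refuse truncated TLVs instead of reading past the buffer, which is the failure mode to check for in any device-sensor implementation fed by untrusted packets.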
Function
The display aaa statistics access-type-authenreq command displays the number
of requests for MAC, Portal, or 802.1X authentication.
Format
display aaa statistics access-type-authenreq
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When users send authentication requests, the device counts the MAC, Portal, and 802.1X authentication requests it receives.
To view the number of requests for MAC, Portal, or 802.1X authentication, run the
display aaa statistics access-type-authenreq command.
Example
# Display the number of requests for MAC, Portal, or 802.1X authentication.
<HUAWEI> display aaa statistics access-type-authenreq
mac authentication request :2
portal authentication request :0
dot1x authentication request :0
Format
display access-context profile [ name profile-name ]
Parameters
Parameter | Description | Value
name profile-name | Displays the configuration of the user context profile with a specified name. If name profile-name is not specified, all user context profiles configured on the device are displayed. | The value must be the name of an existing user context profile on the device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a user context profile, you can run this command to check
whether the configuration is correct.
Example
# Display all user context profiles configured on the device.
<HUAWEI> display access-context profile
-------------------------------------------------------------------------------
ID Access-context profile name
-------------------------------------------------------------------------------
0 p1
1 aA
-------------------------------------------------------------------------------
Total 2, printed 2
Format
display access-author policy [ name policy-name ]
Parameters
Parameter | Description | Value
name policy-name | Displays the configuration of the user authentication event authorization policy with a specified name. If name policy-name is not specified, all user authentication event authorization policies configured on the device are displayed. | The value must be the name of an existing user authentication event authorization policy on the device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a user authentication event authorization policy, you can run this
command to check whether the configuration is correct.
Example
# Display all user authentication event authorization policies configured on the
device.
<HUAWEI> display access-author policy
-------------------------------------------------------------------------------
Function
The display access-user dot1x-identity statistics command displays statistics
about Identity packets for wireless 802.1X authentication on a switch.
Format
display access-user dot1x-identity statistics
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to view the statistics about Identity packets for wireless
802.1X authentication on a switch.
Example
# Display statistics about Identity packets for wireless 802.1X authentication on
the switch.
<HUAWEI> display access-user dot1x-identity statistics
-----------------------------------------------------------------------
Receive(Packet) Pass(Packet) Drop(Packet) Last-dropping-time
-----------------------------------------------------------------------
0 0 0 -
-----------------------------------------------------------------------
Function
The display access-user command displays information about NAC access users.
Format
display access-user service-scheme service-scheme
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check information about online NAC users.
Example
# Display information about users who are assigned the service scheme huawei.
<HUAWEI> display access-user service-scheme huawei
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16018 zqm 10.12.12.254 78ac-c0c2-0175 Pre-authen
------------------------------------------------------------------------------
Total: 1, printed: 1
NOTE
The username field displays only letters, digits, and printable special characters. Characters in languages other than English, and special characters with ASCII codes smaller than 32 (space) or larger than 126 (~), are displayed as dots (.); a run of more than three such consecutive characters is displayed as three dots.
If the username is longer than 20 characters, the characters after the 19th are replaced by up to three dots (.), so at most 22 characters are displayed.
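The display rule in the NOTE is a sanitizer: a username is attacker-chosen input (it arrives in EAP, Portal, or RADIUS exchanges), and control characters in it must not reach the administrator's terminal or a log line unescaped. The following added example, not Huawei code, implements the rule as stated. Where the NOTE is not explicit, the example assumes that every code point outside 32..126 counts as undisplayable (which covers non-English letters), that the run limit of three dots is applied before the length limit, and that "up to three dots" means one dot per hidden character capped at three. The sample names are constructed.

```python
"""Added example (not Huawei's code): render a username the way the display
access-user NOTE describes, replacing undisplayable characters with dots and
truncating long names. Assumptions are marked in comments."""


def displayable_username(name: str) -> str:
    """Return the username as the device would display it."""
    out = []
    run = 0                                   # length of the current undisplayable run
    for ch in name:
        # ASSUMPTION: any code point outside 32..126 is undisplayable, non-ASCII letters included.
        if 32 <= ord(ch) <= 126:
            run = 0
            out.append(ch)
        else:
            run += 1
            if run <= 3:                      # a run longer than three shows exactly three dots
                out.append(".")
    shown = "".join(out)
    if len(shown) > 20:
        # ASSUMPTION: one dot per hidden character, capped at three, so the result is at most
        # 22 characters (first 19 plus up to three dots).
        hidden = len(shown) - 19
        shown = shown[:19] + "." * min(3, hidden)
    return shown


if __name__ == "__main__":
    for sample in ("zqm", "ab\x1b[31mc", "a\x01\x02\x03\x04\x05b", "abcdefghijklmnopqrstuvwxyz"):
        print(repr(sample), "->", displayable_username(sample))
```

The second sample shows why the rule matters: an ESC byte in a username becomes a dot instead of starting an ANSI escape sequence on the operator's terminal. The same treatment belongs in any tool that prints or logs the raw username fields from RADIUS or syslog exports.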
Format
display access-user-num [ interface wlan-dbss wlan-dbss-interface-id ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring the maximum number of authenticated users allowed in a VAP
profile, you can run the display access-user-num command to view the
maximum number of concurrent users and the number of current online users.
Example
# Display the maximum number of concurrent users and the number of current
online users on all VAPs.
<HUAWEI> display access-user-num
2016-09-30 11:09:27.790
----------------------------------------------------------------------
Interface name max-user-num online-user-num
----------------------------------------------------------------------
Wlan-Dbss0 30 10
Wlan-Dbss1 2 0
----------------------------------------------------------------------
Total: 8, printed: 2
Format
display authentication mac-move configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display authentication mac-move configuration command to view the MAC address migration configuration, which includes:
● the number of times MAC address migration users are allowed to migrate their MAC addresses within 60s before they enter the quiet state
● the period for which MAC address migration users stay in the quiet state
● the interval at which the device detects users' online status before MAC address migration, and the number of detections performed before MAC address migration
Example
# Display the MAC address migration configuration.
<HUAWEI> display authentication mac-move configuration
Mac-move vlan config:all
Mac-move quiet times:1
Mac-move quiet period(s):120
Mac-move quiet log:ENABLE
Mac-move quiet user alarm:ENABLE
Mac-move quiet user alarm lower percentage(%):50
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE
Mac-move detect retry-interval(s):3
Mac-move detect retry-time:1
Item | Description
Mac-move quiet user alarm lower percentage(%) | Lower alarm threshold for the percentage of MAC address migration users in quiet state. For details, see the 13.4.28 authentication mac-move quiet-user-alarm percentage command.
Mac-move quiet user alarm upper percentage(%) | Upper alarm threshold for the percentage of MAC address migration users in quiet state. For details, see the 13.4.28 authentication mac-move quiet-user-alarm percentage command.
Format
display authentication mac-move quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Run this command to view information about MAC address migration users in
quiet state.
Example
# Display information about all MAC address migration users in quiet state.
<HUAWEI> display authentication mac-move quiet-user all
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 143
-------------------------------------------------------------------------------
1 quiet MAC found, 1 printed.
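The following added example, which is not Huawei code, models the quiet mechanism that the two mac-move display commands above report on, using the values from the sample output (quiet times 1, quiet period 120s, 60s counting window). Assumptions, since the page does not spell them out: a MAC enters the quiet state when its migrations within the 60s window exceed the configured quiet times; while quiet, further migrations of that MAC are rejected; the online-status detection settings (retry-interval, retry-time) are not modelled. The MAC addresses and timestamps are constructed.

```python
"""Added example (not Huawei's code): model of the MAC address migration
quiet state behind display authentication mac-move configuration and
display authentication mac-move quiet-user. Semantics marked ASSUMPTION are
not stated on the page."""
from collections import defaultdict, deque


class MacMoveGuard:
    def __init__(self, quiet_times: int = 1, quiet_period: int = 120, window: int = 60):
        self.quiet_times = quiet_times          # "Mac-move quiet times"
        self.quiet_period = quiet_period        # "Mac-move quiet period(s)"
        self.window = window                    # fixed 60 s migration-counting window
        self._moves = defaultdict(deque)        # mac -> timestamps of recent migrations
        self._quiet_until = {}                  # mac -> time at which the quiet state ends

    def quiet_remaining(self, mac: str, now: float) -> int:
        """Seconds left in quiet state, as shown under 'Quiet Remain Time(Sec)'; 0 if not quiet."""
        return max(0, int(self._quiet_until.get(mac, 0) - now))

    def on_mac_move(self, mac: str, now: float) -> str:
        """Record a migration of `mac` at time `now` and return what happened to it:
        'rejected' (already quiet), 'quiet' (this move exceeded the limit), or 'migrated'."""
        if self.quiet_remaining(mac, now) > 0:
            return "rejected"
        moves = self._moves[mac]
        while moves and now - moves[0] > self.window:   # drop migrations outside the window
            moves.popleft()
        moves.append(now)
        if len(moves) > self.quiet_times:               # ASSUMPTION: strictly more than quiet times
            self._quiet_until[mac] = now + self.quiet_period
            moves.clear()
            return "quiet"
        return "migrated"

    def quiet_users(self, now: float) -> list:
        """Rows of display authentication mac-move quiet-user all: (mac, remaining seconds)."""
        return [(mac, self.quiet_remaining(mac, now))
                for mac in self._quiet_until if self.quiet_remaining(mac, now) > 0]


if __name__ == "__main__":
    guard = MacMoveGuard(quiet_times=1, quiet_period=120)
    for t in (0, 30, 60):
        print(t, guard.on_mac_move("0001-0002-0003", t), guard.quiet_users(t))
```

The quiet state is keyed on the MAC address, not on the port the user is actually on, so a host that forges migrations of another user's MAC can push that MAC into quiet state for the whole quiet period. A low quiet-times value therefore contains MAC flapping more aggressively at the cost of a larger denial-of-service surface, which is why the quiet-user alarm thresholds in the configuration output are worth monitoring.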
Function
The display authentication interface command displays the configuration of the
NAC authentication mode on an interface.
Format
display authentication interface interface-type interface-number
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring the NAC authentication mode, you can run this command to
check the configuration.
Example
# Display the configuration of the NAC authentication mode on GE0/0/1.
<HUAWEI> display authentication interface gigabitethernet 0/0/1
Authentication profile: p1
Authentication access-point: Enable
Authentication access-point max-user: 10
Port authentication order:
MAC
DOT1X
WEB
Format
display authentication mode
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display authentication mode command to view the current NAC
configuration mode.
Example
# Display the current NAC configuration mode and the mode after restart.
<HUAWEI> display authentication mode
Current authentication mode is unified-mode
Next authentication mode is unified-mode
Format
display authentication-profile configuration [ name authentication-profile-
name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring an authentication profile, you can run this command to check
whether the configuration is correct.
Example
# Display all the authentication profiles configured on the device.
<HUAWEI> display authentication-profile configuration
-------------------------------------------------------------------------------
ID Auth-profile name
-------------------------------------------------------------------------------
0 default_authen_profile
1 dot1x_authen_profile
2 mac_authen_profile
3 portal_authen_profile
4 dot1xmac_authen_profile
5 multi_authen_profile
-------------------------------------------------------------------------------
Total 6, printed 6
Item | Description
Auth-fail aging Time | Aging time for entries of the users who fail to be authenticated. To configure the aging time, run the 13.4.31 authentication timer authen-fail-aging command.
Linkdown offline delay time | User logout delay when an interface link is faulty. To configure the delay, run the 13.4.123 link-down offline delay command.
Function
The display device-profile command displays the configuration of a specified
terminal type identification profile or all terminal type identification profiles.
Format
display device-profile { all | profile-name profile-name }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring terminal type identification, you can run the display device-
profile command to view the terminal type identification profile configuration,
including the profile name, terminal type identifier, and ACL rule.
Example
# Display summary of all terminal type identification profiles.
<HUAWEI> display device-profile all
----------------------------------------------------------------------------
Name Device type Rule num
test huawei 1
----------------------------------------------------------------------------
Total count : 1
# Display detailed information about the terminal type identification profile test.
<HUAWEI> display device-profile profile-name test
----------------------------------------------------------------------------
Name : test
Device type : huawei
State : disabled
Rule :
rule 1 mac 0006-0045-0078 mask 12
Match :
if-match rule id 1
----------------------------------------------------------------------------
Format
display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run the display dot1x command to view configuration results of all
configuration commands in 802.1X authentication and statistics about 802.1X
packets.
The command output helps you to check whether the current 802.1X
authentication configuration is correct and isolate faults accordingly.
Follow-up Procedure
The display dot1x command displays the statistics on 802.1X packets. You can
locate the fault according to the packet statistics. When the fault is rectified, run
the reset dot1x statistics command to clear the packet statistics. After a period of
time, run the display dot1x command again to check the packet statistics. If no
error packet is found, the fault is rectified.
Example
# Display 802.1X authentication information.
<HUAWEI> display dot1x
Max users: 1024
Current users: 0
Global default domain is huawei
Quiet function is Enabled
Item | Description
EAPOL Start Packets | Number of globally received and sent EAPOL Start packets.
Function
The display dot1x-access-profile configuration command displays the
configuration of an 802.1X access profile.
Format
display dot1x-access-profile configuration [ name access-profile-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring an 802.1X access profile, you can run this command to check
whether the configuration is correct.
NOTE
The name of the compatibility profile converted after an upgrade begins with the at sign (@)
and the profile is not counted in the configuration specification.
Example
# Display all the 802.1X access profiles configured on the device.
<HUAWEI> display dot1x-access-profile configuration
-------------------------------------------------------------------------------
ID Dot1x-Access-Profile Name
-------------------------------------------------------------------------------
0 dot1x_access_profile
1 d1
2 d2
3 d3
4 d4
-------------------------------------------------------------------------------
Total: 5 printed: 5.
Format
display dot1x quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about 802.1X authentication users
who are quieted.
Example
# Display information about all 802.1X authentication users who are quieted.
<HUAWEI> display dot1x quiet-user all
-------------------------------------------------------------------------------
MacAddress Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
Table 13-50 Description of the display dot1x quiet-user all command output
Item Description
Function
The display free-rule command displays whether an authentication-free rule
defined by ACL is delivered.
Format
display free-rule
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display free-rule command to view the delivery status of an
authentication-free rule defined by ACL.
Example
# Display whether an authentication-free rule defined by ACL is delivered.
<HUAWEI> display free-rule
------------------------------------------------------------------------------
Slot-ID Acl-ID Status
------------------------------------------------------------------------------
0 6000 SUCCESS
------------------------------------------------------------------------------
Total 1 free-rule(s)
Format
display free-rule-template configuration [ name free-rule-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring an authentication-free rule profile, you can run this command to
check whether the configuration is correct.
Example
# Display all the authentication-free rule profiles configured on the device.
<HUAWEI> display free-rule-template configuration
-------------------------------------------------------------------------------
ID Free-rule-template Name
-------------------------------------------------------------------------------
0 default_free_rule
-------------------------------------------------------------------------------
Total: 1 printed: 1.
Format
display mac-address authen [ interface-type interface-number | vlan vlan-id ] *
[ verbose ]
Parameters
Parameter | Description | Value
vlan vlan-id | Displays MAC address entries in a specified VLAN. If no VLAN is specified, MAC address entries in all VLANs of the device are displayed. | The value is an integer that ranges from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
If there are a lot of authen MAC address entries, you can specify a VLAN or use a
pipe operator (|) to filter the output information. Otherwise, the following
problems may occur due to excessive output information:
● The displayed information is refreshed repeatedly on the terminal screen and
the administrator cannot obtain the required information.
● The device traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all authen MAC address entries in the system.
<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/- GE0/0/1 authen
0000-0000-0400 3000/-/- GE0/0/1 authen
0000-0000-0200 3000/-/- GE0/0/1 authen
-------------------------------------------------------------------------------
Total items displayed = 3
Item | Description
Total items displayed | Total number of MAC address entries that match the filter condition.
Format
display mac-address pre-authen [ interface-type interface-number | vlan vlan-
id ] * [ verbose ]
Parameters
Parameter | Description | Value
vlan vlan-id | Displays MAC address entries in a specified VLAN. If no VLAN is specified, MAC address entries in all VLANs of the device are displayed. | The value is an integer that ranges from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to check the existing MAC address entries of the pre-
connection type to obtain access information about pre-connection users and
locate faults.
Precautions
If there are a lot of pre-authen MAC address entries, you can specify a VLAN or
use a pipe operator (|) to filter the output information. Otherwise, the following
problems may occur due to excessive output information:
Example
# Display all pre-authen MAC address entries in the system.
<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/- GE0/0/1 pre-authen
0000-0000-0400 3000/-/- GE0/0/1 pre-authen
0000-0000-0200 3000/-/- GE0/0/1 pre-authen
-------------------------------------------------------------------------------
Total items displayed = 3
Item | Description
Total items displayed | Total number of MAC address entries that match the filter condition.
Format
display mac-access-profile configuration [ name access-profile-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a MAC access profile, you can run this command to check
whether the configuration is correct.
NOTE
The name of the compatibility profile converted after an upgrade begins with the at sign (@)
and the profile is not counted in the configuration specification.
Example
# Display all the MAC access profiles configured on the device.
<HUAWEI> display mac-access-profile configuration
-------------------------------------------------------------------------------
ID Mac-Access-Profile Name
-------------------------------------------------------------------------------
0 mac_access_profile
1 m1
2 m2
3 m3
4 m4
-------------------------------------------------------------------------------
Total: 5 printed: 5.
# Display the configuration of the MAC access profile m1 (a password is configured for MAC address authentication users).
<HUAWEI> display mac-access-profile configuration name m1
Profile Name : m1
Username format : fixed username: a1
Password type : cipher
Re-authen : Disable
Trigger condition : arp dhcp nd dhcpv6
Offline dhcp-release : Disable
Re-authen dhcp-renew : Disable
Reauthen Period : 1800s
Bound authentication profile : -
# Display the configuration of the MAC access profile m2 (no password is configured for MAC address authentication users).
<HUAWEI> display mac-access-profile configuration name m2
Profile Name : m2
Username format : fixed username: a1
Password : not configured
Re-authen : Disable
Trigger condition : arp dhcp nd dhcpv6
Offline dhcp-release : Disable
Re-authen dhcp-renew : Disable
Reauthen Period : 1800s
Bound authentication profile : -
Format
display mac-authen [ interface { interface-type interface-number1 [ to interface-
number2 ] } &<1-10> | configuration ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run the display mac-authen command to view configuration results of all
configuration commands in MAC address authentication. The command output
helps you to check whether the MAC address authentication configuration is
correct and isolate faults accordingly.
Follow-up Procedure
You can locate the fault according to the packet statistics that is displayed using
the display mac-authen command. When the fault is rectified, run the reset mac-
authen statistics command to clear the packet statistics. After a period of time,
run the display mac-authen command again to check the packet statistics. If no
error packet is found, the fault is rectified.
Example
# Display the configuration of MAC address authentication.
Format
display mac-authen quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about MAC address authentication
users who are quieted.
Example
# Display information about all MAC address authentication users who are
quieted.
<HUAWEI> display mac-authen quiet-user all
-------------------------------------------------------------------------------
MacAddress Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
Format
display portal [ interface interface-type interface-number | configuration ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal command to view the Portal authentication
configuration and check whether the configuration is correct.
Example
# Display the Portal authentication configuration.
Format
display portal local-server connect [ user-ip ip-address ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal local-server connect command to check the
authentication mode and status of users to be authenticated on a built-in Portal
server.
Example
# Display the connection status of the user with the IP address 10.1.1.10 on a
built-in Portal server.
<HUAWEI> display portal local-server connect user-ip 10.1.1.10
-----------------------------------------------------------------------------------------
CID IP Address AuthMode State Session-timeout(hours)
-----------------------------------------------------------------------------------------
1 10.1.1.10 CHAP ONLINE 8
------------------------------------------------------------------------------------------
Function
The display portal local-server command displays the configurations of a built-in
Portal server.
Format
display portal local-server
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring the built-in Portal authentication, run this command to view the
configurations of a built-in Portal server.
Example
# Display the configurations of a built-in Portal server.
<HUAWEI> display portal local-server
Portal local-server config:
server status : disable
Heartbeat-check status : auto
Heartbeat-timeout value : 60(s)
server ip : 10.1.1.1
authentication method : chap
protocol :-
https ssl-policy :-
server port :0
session-timeout : 8(h)
syslog-limit : enable
syslog-limit period : 300(s)
server pagename :-
server page-text :-
server policy-text :-
server background-image : default-image0
server background-color :-
server logo :-
server ad-image :-
Format
display portal local-server page-information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal local-server page-information command to
check the page files loaded to the memory of a built-in Portal server.
Example
# Display the page files loaded to the memory of a built-in Portal server.
<HUAWEI> display portal local-server page-information
--------------------------------------------------------------------------------
Number of backup pages:35
Size of backup pages:94438 byte
--------------------------------------------------------------------------------
Name:/logout_success.html
Size:4042 byte
Last-Modified-Time:2011-12-16 20:24:46
--------------------------------------------------------------------------------
Related Topics
13.4.152 portal local-server load
Format
display portal-access-profile configuration [ name access-profile-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a Portal access profile, you can run this command to check
whether the configuration is correct.
NOTE
The name of the compatibility profile converted after an upgrade begins with the at sign (@)
and the profile is not counted in the configuration specification.
Example
# Display all the Portal access profiles configured on the device.
<HUAWEI> display portal-access-profile configuration
-------------------------------------------------------------------------------
ID Portal-access-profile Name
-------------------------------------------------------------------------------
0 portal_access_profile
1 p1
2 p2
-------------------------------------------------------------------------------
Total: 3 printed: 3.
Function
The display portal quiet-user command displays information about Portal
authentication users in quiet state.
Format
display portal quiet-user { all | user-ip ip-address | server-ip ip-address }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the quiet timer is enabled, you can run the display portal quiet-user
command to view information about Portal authentication users in quiet state.
Example
# Display information about all Portal authentication users in quiet state.
<HUAWEI> display portal quiet-user all
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.1 10
192.168.1.2 20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.
# Display information about all the users in quiet state authenticated by the
Portal authentication server with IP address 192.168.2.1.
<HUAWEI> display portal quiet-user server-ip 192.168.2.1
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.3 10
192.168.1.4 20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.
Format
display portal url-encode configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring URL encoding and decoding, you can run the display portal url-
encode configuration command to check the configuration.
Example
# Display the configuration of URL encoding and decoding.
<HUAWEI> display portal url-encode configuration
Portal URL Encode : Disable
Related Topics
13.4.167 portal url-encode enable
Format
display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-
name ] ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a Portal authentication user goes offline, the device sends an offline request
packet to the Portal server. If the device does not receive an ACK packet from the
Portal server, it records a temporary logout entry of the user. You can run the
display portal user-logout command to check temporary logout entries of Portal
authentication users.
Example
# Display the temporary logout entries of all Portal authentication users.
<HUAWEI> display portal user-logout
--------------------------------------------------------------
UserIP Vrf Resend Times TableID
--------------------------------------------------------------
192.168.111.100 1 3 0
--------------------------------------------------------------
Total: 1, printed: 1
Function
The display server-detect state command displays the status of a Portal server.
Format
display server-detect state [ web-auth-server server-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When an external Portal server is used for Portal authentication, you can run the
display server-detect state command to check information about the Portal
server status.
Example
# Display information about the Portal server status configured in the Portal
server profile abc.
<HUAWEI> display server-detect state web-auth-server abc
Web-auth-server : abc
Total-servers : 4
Live-servers : 1
Critical-num : 0
Status : Normal
Ip-address Status
192.168.2.1 UP
192.168.2.2 DOWN
192.168.2.3 DOWN
192.168.2.4 DOWN
Related Topics
13.4.181 server-ip (Portal server profile view)
13.4.180 server-detect
Format
display static-user [ domain-name domain-name | interface interface-type
interface-number | ip-address start-ip-address [ end-ip-address ] | vpn-instance
vpn-instance-name ] *
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a static user is configured, you can run the display static-user command to
view the static user information.
Example
# Display information about all static users configured.
<HUAWEI> display static-user
IP-address Interface MAC-address VPN
-------------------------------------------------------------------------------
10.1.1.6 GE0/0/1 0001-0001-0001 -
10.1.1.7 GE0/0/1 0001-0001-0001 -
10.1.1.8 GE0/0/1 0001-0001-0001 -
10.1.1.10 - 0002-0002-0002 -
10.1.1.11 - 0002-0002-0002 -
10.1.1.12 - 0002-0002-0002 -
-------------------------------------------------------------------------------
Total item(s) number= 6, displayed number= 6
Item Description
Total item(s) number= m, displayed number= n   The total number of entries is m and the number of displayed entries is n.
Related Topics
13.4.185 static-user
13.4.187 static-user username format-include
13.4.186 static-user password
Function
The display ucl-group all command displays information about all UCL groups
that are created.
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
display ucl-group all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After creating UCL groups using the 13.4.195 ucl-group command, you can run
the display ucl-group all command to check information about the UCL groups.
Example
# Display information about all UCL groups.
<HUAWEI> display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
10 huawei
--------------------------------------------------------------------------------
Total : 1
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
display ucl-group ip ip-address { mask-length | ip-mask }
display ucl-group ip { group-index | name group-name | static | local-access-
user | all } [ verbose ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays the IP addresses in UCL groups, both those added manually
(using the 13.4.194 ucl-group ip command) and those generated dynamically when
users go online and are granted a UCL group. When a user goes online successfully,
the device grants a UCL group to the user and adds the user's IP address (with a
32-bit mask) to that group. When the user goes offline or the user's IP address
changes, the device deletes the corresponding IP address from the UCL group.
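The lifecycle just described (static prefixes added by the administrator, /32 host entries added at login and removed at logout or address change) is what decides which UCL group an address resolves to, and a stale /32 left behind after an address change would keep the old address authorized. The following is an added example, not Huawei code, that models that table and the lookup display ucl-group ip ip-address performs. Group names, IDs, users and addresses are constructed sample values; the S and L type letters follow the legend in the command output, and the one-group-per-user rule is an assumption of the example.

```python
# Added example, not Huawei code: a model of the UCL group IP table that
# display ucl-group ip reports. Group names, IDs, users and addresses are
# constructed sample values; the S/L type letters follow the legend in the
# command output; one group per online user is an assumption of this model.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class UclGroup:
    group_id: int
    name: str
    static: set = field(default_factory=set)      # administrator-added prefixes
    dynamic: dict = field(default_factory=dict)   # online user -> host (/32) entry


class UclTable:
    def __init__(self):
        self.groups = {}

    def create(self, group_id, name):
        self.groups[name] = UclGroup(group_id, name)

    def add_static(self, name, prefix):
        # Equivalent of ucl-group ip: any prefix length is allowed.
        self.groups[name].static.add(ipaddress.ip_network(prefix, strict=False))

    def user_online(self, name, user, ip):
        # On successful login the device grants the group and adds the user's
        # address with a 32-bit mask. A user is a member of one group here.
        self.user_offline(user)
        self.groups[name].dynamic[user] = ipaddress.ip_network(f"{ip}/32")

    def user_offline(self, user):
        for g in self.groups.values():
            g.dynamic.pop(user, None)

    def user_ip_changed(self, user, new_ip):
        # The old /32 must be replaced, otherwise the previous address keeps
        # the user's group membership (and whatever policy hangs off it).
        for g in self.groups.values():
            if user in g.dynamic:
                g.dynamic[user] = ipaddress.ip_network(f"{new_ip}/32")
                return

    def rows(self):
        # One (ip/mask, id, name, type) tuple per entry, in the layout of
        # display ucl-group ip all.
        out = []
        for g in self.groups.values():
            out += [(str(n), g.group_id, g.name, "S") for n in sorted(g.static)]
            out += [(str(n), g.group_id, g.name, "L") for n in sorted(g.dynamic.values())]
        return out

    def groups_for(self, ip):
        # Which groups an address falls into, and through which entry: the
        # question display ucl-group ip <ip> <mask> answers for a host address.
        addr = ipaddress.ip_address(ip)
        return sorted({(g.name, str(n)) for g in self.groups.values()
                       for n in list(g.static) + list(g.dynamic.values()) if addr in n})


def demo():
    # Constructed scenario mirroring the sample output above.
    t = UclTable()
    t.create(1, "g1")
    t.create(2, "g2")
    t.add_static("g1", "10.9.9.4/32")
    t.add_static("g2", "10.10.0.0/16")
    t.user_online("g1", "alice", "10.9.9.6")
    t.user_ip_changed("alice", "10.10.0.7")   # now covered by g1 (/32) and g2 (/16)
    return t


if __name__ == "__main__":
    table = demo()
    for row in table.rows():
        print("%-18s %-4d %-16s %s" % row)
    print(table.groups_for("10.10.0.7"))
```

The point of groups_for is that a host can match a static prefix of one group and its own dynamic /32 in another, so policy that keys on group membership must be applied with that overlap in mind.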
Example
# Display IP address information of all UCL groups.
<HUAWEI> display ucl-group ip all
S : static L : local-access-user
IP/Mask ID UCL group name Type
--------------------------------------------------------------------------------
10.9.9.4/32 1 g1 S
10.10.0.0/16 2 g2 S
10.9.9.6/32 1 g1 L
--------------------------------------------------------------------------------
Total : 3 Static : 2 Local-access-user : 1
IP/Mask : 10.10.0.0/16
UCL group ID :2
UCL group name : g2
Type : static
Status on slot 0 : Success
--------------------------------------------------------------------------------
Total : 2 Static : 2 Local-access-user : 0
Function
The display url-template command displays information about URL templates.
Format
display url-template { all | name template-name }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a URL template is configured, run the display url-template command to
view information about the URL template.
Example
# Display information about all configured URL templates.
<HUAWEI> display url-template all
-------------------------------------------------------------------------------
Name URL Start Assignment Isolate
Number Mark Mark Mark
-------------------------------------------------------------------------------
huawei 0 ? = &
huawei2 0 ? = &
huawei3 0 ? = &
-------------------------------------------------------------------------------
Total 3
AC IP :
AC MAC :
AP IP :
AP MAC :
SSID :
User MAC :
Redirect URL :
User IP address :
Sysname :
Delimiter :
Format :
Login URL Key : logiurl
Login URL : http:\\huawei.com
Format
display snmp-agent trap feature-name mid_aaa all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the AAA module, you can run this command
to check the status of all traps on the AAA module. To enable the trap function for
the AAA module, run the snmp-agent trap enable feature-name mid_aaa
command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the AAA module.
<HUAWEI> display snmp-agent trap feature-name mid_aaa all
------------------------------------------------------------------------------
Feature name: MID_AAA
Trap number : 2
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwMacMovedQuietMaxUserAlarm on on
hwMacMovedQuietUserClearAlarm on on
Related Topics
13.4.188 snmp-agent trap enable feature-name mid_aaa
Format
display snmp-agent trap feature-name mid_eapol all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the DOT1X module, you can run this
command to check the status of all traps on the DOT1X module. To enable the
trap function for the DOT1X module, run the snmp-agent trap enable feature-
name mid_eapol command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the DOT1X module.
<HUAWEI> display snmp-agent trap feature-name mid_eapol all
------------------------------------------------------------------------------
Feature name: MID_EAPOL
Trap number : 2
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwSrvcfgEapMaxUserAlarm on on
hwMacAuthenMaxUserAlarm on on
Related Topics
13.4.189 snmp-agent trap enable feature-name mid_eapol
Format
display snmp-agent trap feature-name mid_web all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the web authentication module, you can run
this command to check the status of all traps on the web authentication module.
To enable the trap function for the web authentication module, run the snmp-
agent trap enable feature-name mid_web command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the web authentication module.
<HUAWEI> display snmp-agent trap feature-name mid_web all
------------------------------------------------------------------------------
Feature name: MID_WEB
Trap number : 4
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwPortalServerUp on on
hwPortalServerDown on on
hwPortalMaxUserAlarm on on
hwPortalUserClearAlarm on on
Related Topics
13.4.190 snmp-agent trap enable feature-name mid_web
Format
display web-auth-server configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a Portal server template is configured, the display web-auth-server
configuration command displays the Portal server configuration.
Example
# Display the Portal server configuration.
<HUAWEI> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
-------------------------------------------------------------------------------
Enabled protocol : https
Listening port : 8443
SSL policy : default_policy
-------------------------------------------------------------------------------
Protocol : http
Http Get-method : disable
Password Encrypt : none
Cmd ParseKey : cmd
Username ParseKey : username
Password ParseKey : password
MAC Address ParseKey : macaddress
IP Address ParseKey : ipaddress
Initial URL ParseKey : initurl
Login Cmd : login
Logout Cmd : logout
Login Success
Reply Type : redirect initial URL
Redirect URL :
Message : LoginSuccess!
Login Fail
Reply Type : redirect login URL
Redirect URL :
Message : LoginFail!
Logout Success
Reply Type : message
Redirect URL :
Message : LogoutSuccess!
Logout Fail
Reply Type : message
Redirect URL :
Message : LogoutFail!
-------------------------------------------------------------------------------
1 Web authentication server(s) in total
Item Description
Include reply message   Whether the packets sent from the device to the Portal server contain authentication responses:
                        ● enabled
                        ● disabled
                        To enable the device to transparently transmit authentication responses of users sent by the authentication server to the Portal server, run the 13.4.210 web-auth-server reply-message command.
Format
domain domain-name mac-authen force mac-address mac-address mask mask
undo domain domain-name mac-authen force mac-address mac-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can configure a forcible domain for MAC address authentication users within
a specified MAC address range in the system view.
Prerequisites
A domain has been created using the 13.1.47 domain (AAA view) command.
Precautions
The priorities of the forcible domain, the domain carried in the user name, and the
default domain in different views are as follows, in descending order:
● forcible domain with a specified authentication mode in an authentication profile
● forcible domain in an authentication profile
● authentication domain carried in the user name
● default domain with a specified authentication mode in an authentication profile
● default domain in an authentication profile
● global default domain
Note that a forcible domain specified for MAC address authentication users within a
MAC address range has the highest priority and takes precedence over that configured
in an authentication profile.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# In the system view, configure the forcible domain huawei for MAC address
authentication users within the MAC address range specified using MAC address
E024-7F95-7231 and mask FFFF-FFFF-FF00.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei mac-authen force mac-address e024-7f95-7231 mask ffff-ffff-ff00
Format
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
Parameters
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, users exchange authentication information with the
device using EAP packets. The device uses one of two modes to exchange that
information with the RADIUS server.
● EAP termination (specified by pap or chap): The device itself parses the EAP
packets, encapsulates the user authentication information into a RADIUS packet,
and sends the packet to the RADIUS server for authentication. EAP termination
uses either PAP or CHAP.
– PAP: The device arranges the MAC address, shared key, and random value in
sequence, performs hash processing on them using the MD5 algorithm, and
encapsulates the hash result into the User-Password attribute.
– CHAP: The device arranges the CHAP ID, MAC address, and random value in
sequence, performs hash processing on them using the MD5 algorithm, and
encapsulates the hash result into the CHAP-Password and CHAP-Challenge
attributes.
● EAP relay (specified by eap): The device does not parse the received EAP
packets; it encapsulates them unchanged into RADIUS packets and sends them to
the RADIUS server. This mechanism is called EAP over RADIUS (EAPoR).
The processing capability of the RADIUS server determines which mode to use. If
the RADIUS server can itself parse large numbers of EAP packets before
authentication, EAP relay is recommended. If it cannot, EAP termination is
recommended, so that the device parses the EAP packets on the server's behalf.
Whichever mode is configured, both the client and the server must support it;
otherwise users cannot pass authentication.
NOTE
● The EAP relay can be configured for 802.1X users only when RADIUS authentication is
used.
● If AAA local authentication is used, the authentication mode for 802.1X users can only
be set to EAP termination.
● Because mobile phones do not support EAP termination mode (PAP and CHAP), the
802.1X authentication + local authentication mode cannot be configured for mobile
phones. Terminals such as laptop computers support EAP termination mode only after
having third-party clients installed.
● If the 802.1X client uses EAP-MD5, the authentication mode on the device can be set
to EAP or CHAP; if the 802.1X client uses PEAP, the authentication mode on the device
can be set only to EAP.
● In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the
security policy profile, 802.1X authentication does not support pre-authentication
domain-based authorization.
● If an interface has online 802.1X users and the authentication mode is changed between
EAP termination and EAP relay in the 802.1X access profile bound to the interface, the
online 802.1X users will be logged out. If the authentication mode is changed between
CHAP and PAP in EAP termination mode, the online 802.1X users will not be logged out.
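The text above names the RADIUS attributes each EAP-termination variant fills but not how they are computed on the wire. The following is an added example, not Huawei code, that implements the standard encodings behind those attributes: User-Password hiding from RFC 2865 section 5.2 (the PAP case) and the CHAP-Password response from RFC 2865 section 5.3 and RFC 1994 (the CHAP case). The shared secret, password, CHAP ID, challenge and Request Authenticator are constructed sample values; the hashed-input order the page gives for the two modes is the device's description, whereas this code follows the RFC wire format.

```python
# Added example, not Huawei code: the standard RADIUS encodings behind the two
# EAP-termination attributes named above, User-Password (RFC 2865 section 5.2)
# and CHAP-Password/CHAP-Challenge (RFC 2865 section 5.3, RFC 1994). The
# shared secret, password, CHAP ID and authenticator bytes are constructed
# sample values.
import hashlib
import hmac
import os


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """PAP termination: hide the clear password for the User-Password attribute.

    Pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server, or anyone else holding the shared secret, recovers."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_password_attribute(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP termination: CHAP-Password = id || MD5(id || password || challenge).

    The challenge itself travels in CHAP-Challenge (or as the Request Authenticator).
    """
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP ID is one byte")
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(attribute: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: needs the clear password, so CHAP cannot verify against a salted hash."""
    if len(attribute) != 17:
        return False
    expected = chap_password_attribute(attribute[0], stored_password, challenge)
    return hmac.compare_digest(attribute, expected)


if __name__ == "__main__":
    secret, ra = b"radius-shared-secret", os.urandom(16)
    hidden = hide_user_password(b"Passw0rd!", secret, ra)
    print("User-Password:", hidden.hex())
    print("recovered    :", reveal_user_password(hidden, secret, ra))
    chal = os.urandom(16)
    attr = chap_password_attribute(7, b"Passw0rd!", chal)
    print("CHAP-Password:", attr.hex(), "verified:", chap_verify(attr, chal, b"Passw0rd!"))
```

Two practical consequences follow from the code. With PAP termination the device handles the clear password and User-Password hiding is reversible by anyone who holds the RADIUS shared secret, so that secret and the path to the server need the same protection as the password. With CHAP termination the server must keep the clear password to recompute the response. With EAP relay the device forwards the EAP packets unparsed, so it never handles the credential at all.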
Example
# In the 802.1X access profile d1, configure the device to use PAP authentication
for 802.1X users.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x authentication-method pap
Related Topics
13.4.64 display dot1x-access-profile configuration
Function
The dot1x eap-notify-packet command configures the device to send EAP
packets with a code number to 802.1X users.
By default, the device does not send EAP packets with a code number to users.
Format
dot1x eap-notify-packet eap-code code-number data-type type-number
Parameters
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a non-Huawei device used as the RADIUS server sends RADIUS packets with
attribute 61, EAP packet code number 0xa (hexadecimal notation, 10 in decimal
notation), and data type being 0x19 (hexadecimal notation, 25 in decimal
notation) to the device, run the dot1x eap-notify-packet command on the device
so that the device can send EAP packets with code number 0xa and data type
0x19 to users. If the dot1x eap-notify-packet command is not executed, the
device does not process EAP packets of this type and users are disconnected.
Precautions
The device can only send EAP packets with code number 10 and data type 25.
Example
# In the 802.1X access profile d1, configure the device to send EAP packets with
code number 10 and data type 25 to users.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x eap-notify-packet eap-code 10 data-type 25
The undo dot1x handshake command disables the device from sending
handshake packets to online 802.1X users.
By default, the device handshake function is disabled for online 802.1X users.
Format
dot1x handshake
undo dot1x handshake
Parameters
None
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To check whether an 802.1X user is online in real time, run the 13.4.13
authentication handshake command to enable the device to send handshake
packets to the 802.1X user. If some clients support handshake with online 802.1X
users, run the dot1x handshake command to enable handshake with online
802.1X users. Then the device sends EAP handshake request packets to the user. If
the user sends a response packet within the handshake interval (configured using
the 13.4.103 dot1x timer command), the device considers that the user is online.
If the user does not send any response packet within the interval, the device
considers that the user is offline.
Precautions
Currently, most clients do not support this function, for example, the Windows
built-in client, AnyConnect client, and iOS built-in client. If a client does not
support the handshake function, the device will not receive handshake response
packets within the handshake interval and considers that the user is offline.
Therefore, you need to disable the device from sending handshake packets to an
online 802.1X user when the user's client does not support the handshake
function.
After the dot1x handshake command is run, the 13.4.13 authentication
handshake command does not take effect.
This function takes effect only for the wired users.
Example
# In the 802.1X access profile d1, enable the device to send handshake packets to
online 802.1X users.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x handshake
Format
dot1x handshake packet-type { request-identity | srp-sha1-part2 }
undo dot1x handshake packet-type
Parameters
Parameter Description Value
request-identity   Indicates that the type of 802.1X authentication handshake packets is request-identity.   -
srp-sha1-part2     Indicates that the type of 802.1X authentication handshake packets is srp-sha1-part2.   -
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, different vendors' devices support different
handshake packet types. By default, the device uses 802.1X authentication
handshake packets of the request-identity type. If a device connected to the
switch uses the 802.1X authentication handshake packets of the srp-sha1-part2
type, run the dot1x handshake packet-type command to set the type of 802.1X
authentication handshake packets to srp-sha1-part2.
NOTE
The dot1x handshake packet-type command takes effect only for users that log in after
the command is run.
This function takes effect only for the wired users.
Example
# In the 802.1X access profile d1, set the type of 802.1X authentication handshake
packets to srp-sha1-part2.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x handshake packet-type srp-sha1-part2
Function
The dot1x mc-trigger command enables multicast-triggered 802.1X
authentication.
Format
dot1x mc-trigger
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If a client (for example, the built-in 802.1X client of the Windows operating
system) cannot send an EAPOL-Start packet to perform 802.1X authentication, you
can enable multicast-triggered 802.1X authentication. After that, the device
multicasts an EAP-Request/Identity packet to the client to trigger authentication.
Example
# Enable multicast-triggered 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger
Function
The dot1x mc-trigger port-up-send enable command enables the function of
triggering 802.1X authentication through multicast packets immediately after an
interface goes Up.
The undo dot1x mc-trigger port-up-send enable command disables the function
of triggering 802.1X authentication through multicast packets immediately after
an interface goes Up.
Format
dot1x mc-trigger port-up-send enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the device periodically multicasts EAP-Request/Identity packets to
clients so that the clients are triggered to send EAPOL-Start packets for 802.1X
authentication. If the device interface connecting to a client changes from Down
to Up, the client needs to send EAPOL-Start packets again for 802.1X
authentication, which takes a long time. You can run the dot1x mc-trigger port-
up-send enable command on the device to enable the device interface to
multicast EAP-Request/Identity packets to the client to trigger 802.1X
authentication immediately after the interface goes Up. This configuration
shortens the re-authentication time.
Example
# Enable the function of triggering 802.1X authentication through multicast
packets immediately after an interface goes Up.
<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger port-up-send enable
Format
dot1x port-control { auto | authorized-force | unauthorized-force }
undo dot1x port-control
Parameters
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The auto mode is recommended. Only authenticated users can access network
resources. To trust all users on an interface without authentication, configure the
authorized-force mode. To disable access rights of all users on an interface to
ensure security, configure the unauthorized-force mode.
Precautions
If 802.1X users on an interface have gone online, changing the authorization state
in the 802.1X access profile bound to the interface will make the online 802.1X
users go offline.
It is recommended that you set the authorization state of an interface in the early
stage of network deployment. When the network is running properly, run the cut
access-user command to disconnect all users from the interface before changing
the authorization state.
Example
# Configure the authorization state of an interface as unauthorized-force in
802.1X access profile d1.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x port-control unauthorized-force
Related Topics
13.4.64 display dot1x-access-profile configuration
Function
The dot1x quiet-period command enables the quiet function for 802.1X
authentication users.
The undo dot1x quiet-period command disables the quiet function for 802.1X
authentication users.
Format
dot1x quiet-period
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the quiet timer function is enabled, if the number of authentication failures
of an 802.1X user exceeds a specified value (set using the 13.4.99 dot1x quiet-
times command) within 60 seconds, the user enters a quiet period. During the
quiet period, the device discards the 802.1X authentication request packets from
the user. This prevents the impact on the system due to frequent user
authentication.
The value of the quiet timer is set using the 13.4.105 dot1x timer quiet-period
command. When the quiet timer expires, the device re-authenticates the user.
Example
# Enable the quiet timer.
<HUAWEI> system-view
[HUAWEI] dot1x quiet-period
Format
dot1x quiet-times fail-times
undo dot1x quiet-times
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the quiet timer function of the device is enabled using the 13.4.98 dot1x
quiet-period command, if the number of authentication failures of an 802.1X user
exceeds the value that is set using the dot1x quiet-times command within 60
seconds, the user enters the quiet state. This prevents the impact on the system
due to frequent user authentication.
Example
# Set the maximum number of authentication failures within 60 seconds before
an 802.1X user enters the quiet state to 4.
<HUAWEI> system-view
[HUAWEI] dot1x quiet-times 4
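The quiet mechanism described for dot1x quiet-period and dot1x quiet-times, and the Quiet Remain Time(Sec) column that display portal quiet-user shows earlier in this section, amount to a small per-user state machine. The following is an added example, not Huawei code, that models it: failures are counted per user within the 60-second window the text specifies, the user enters the quiet state when the count exceeds quiet-times, requests are discarded until the quiet period ends, and the remaining quiet time is reported. The thresholds, MAC addresses and timestamps are constructed sample values; the sliding window and the strict "exceeds" comparison are this example's reading of the text.

```python
# Added example, not Huawei code: a model of the quiet mechanism described for
# dot1x quiet-period / dot1x quiet-times, which also yields the "Quiet Remain
# Time(Sec)" column of display portal quiet-user. Thresholds, keys and
# timestamps are constructed sample values; the 60-second window comes from
# the text, the sliding-window and strict "exceeds" readings are assumptions.
from collections import defaultdict, deque

FAIL_WINDOW_SECONDS = 60


class QuietTimer:
    def __init__(self, quiet_times: int, quiet_period: int):
        self.quiet_times = quiet_times        # dot1x quiet-times
        self.quiet_period = quiet_period      # dot1x timer quiet-period
        self._fails = defaultdict(deque)      # key -> timestamps of recent failures
        self._quiet_until = {}                # key -> time the quiet state ends

    def _expire(self, key, now):
        window = self._fails[key]
        while window and now - window[0] >= FAIL_WINDOW_SECONDS:
            window.popleft()
        if key in self._quiet_until and now >= self._quiet_until[key]:
            # Quiet timer expired: the device processes the user's requests again.
            del self._quiet_until[key]
            window.clear()

    def is_quiet(self, key, now) -> bool:
        self._expire(key, now)
        return key in self._quiet_until

    def accept_request(self, key, now) -> bool:
        """True if an authentication request is processed, False if it is discarded."""
        return not self.is_quiet(key, now)

    def record_failure(self, key, now):
        if self.is_quiet(key, now):
            return                            # discarded; does not extend the quiet state
        self._fails[key].append(now)
        if len(self._fails[key]) > self.quiet_times:
            self._quiet_until[key] = now + self.quiet_period
            self._fails[key].clear()

    def remaining(self, key, now) -> int:
        return self._quiet_until[key] - now if self.is_quiet(key, now) else 0

    def quiet_table(self, now):
        """Rows in the shape of display portal quiet-user all: (key, remaining seconds)."""
        return [(k, self.remaining(k, now)) for k in list(self._quiet_until)
                if self.is_quiet(k, now)]


if __name__ == "__main__":
    q = QuietTimer(quiet_times=4, quiet_period=300)
    for t in range(5):                        # five failures within 60 s
        q.record_failure("0001-0001-0001", t)
    print(q.quiet_table(100))                 # [('0001-0001-0001', 204)]
    print(q.accept_request("0001-0001-0001", 304))   # True once the timer expires
```

Keying on the supplicant's MAC address (as the 802.1X text implies) means a single host that fails authentication repeatedly is silenced without affecting other users on the same interface; keying on the interface would let one bad client deny access to everyone behind it.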
Function
The dot1x reauthenticate mac-address command enables re-authentication for
an online 802.1X user with the specified MAC address.
Format
dot1x reauthenticate mac-address mac-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
For details, see dot1x reauthenticate.
Example
# Enable re-authentication for an 802.1X user with the MAC address of 00e0-
fc01-0005.
<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc01-0005
Function
The dot1x reauthenticate command configures re-authentication for online
802.1X authentication users.
Format
dot1x reauthenticate
Parameters
None
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a user's authentication parameters are modified on the authentication server
while the user is online, the administrator must re-authenticate the user so that
the user's validity is checked against the new parameters.
After the user goes online, the device saves authentication parameters of the user.
After re-authentication is configured for online 802.1X authentication users using
the dot1x reauthenticate command in the 802.1X access profile, the device
automatically sends the user authentication parameters in the 802.1X access
profile to the authentication server at an interval (specified using the 13.4.103
dot1x timer reauthenticate-period reauthenticate-period-value command) for
re-authentication. If the user authentication information on the authentication
server remains unchanged, the users are kept online. If the information has been
changed, the users are disconnected and need to be re-authenticated based on
the changed authentication parameters.
Precautions
After re-authentication is configured for online 802.1X authentication users, a
large number of 802.1X authentication logs are generated.
If the device is connected to a server for re-authentication and the server replies
with a re-authentication deny message that makes an online user go offline, it is
recommended that you locate the cause of the re-authentication failure on the
server or disable the re-authentication function on the device.
Example
# In the 802.1X access profile d1, configure re-authentication for online 802.1X
authentication users.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x reauthenticate
Related Topics
13.4.64 display dot1x-access-profile configuration
Format
dot1x retry max-retry-value
Parameters
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the device does not receive any response from a user within a specified time
after sending an authentication request or handshake packet to the user, the
device sends the authentication request or handshake packet again. If the
authentication request or handshake packet has been sent for the maximum
retransmission times and no response is received, the user authentication or
handshake fails. In this process, the total number of authentication requests or
handshake packets sent by the device is max-retry-value plus 1.
Precautions
Repeated authentication requests occupy a lot of system resources. When using
the dot1x retry command, you can set the maximum number of times according
to user requirements and device resources. The default value is recommended.
The following table lists the intervals at which the device retransmits different
types of packets and related commands.
Example
# In the 802.1X access profile d1, configure the number of times an authentication
request or handshake packet can be retransmitted to 802.1X users to 4.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4
Related Topics
13.4.64 display dot1x-access-profile configuration
Format
dot1x timer { client-timeout client-timeout-value | reauthenticate-period
reauthenticate-period-value | handshake-period handshake-period-value | eth-
trunk-access handshake-period handshake-period-value }
undo dot1x timer { client-timeout | reauthenticate-period | handshake-period
| eth-trunk-access handshake-period }
Parameters
Parameter Description Value
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, multiple timers are started to implement proper
and orderly interactions between access users, access devices, and the
authentication server. You can change the values of timers by running the dot1x
timer command to adjust the interaction process. (The values of some timers
cannot be changed.) This command is necessary in special network environments.
It is recommended that you retain the default settings of the timers.
This command only sets the values of the timers. To enable the timers, perform
corresponding configurations or use default settings.
● The client authentication timeout timer and the interval for sending
authentication requests are enabled by default. You can run the 13.4.102
dot1x retry command to configure the number of retransmissions of
authentication request packets when the client authentication times out.
● The re-authentication timer for online 802.1X users is disabled by default. To
enable this timer, run the 13.4.101 dot1x reauthenticate command.
● The online 802.1X user handshake function is disabled by default. You can run
the 13.4.93 dot1x handshake command to enable the online 802.1X user
handshake function. The handshake function takes effect only for the wired
users.
NOTE
It is recommended that the re-authentication interval be set to the default value. If multiple
ACLs need to be delivered during user authorization, you are advised to disable the re-
authentication function or set a longer re-authentication interval to improve the device's
processing performance.
In remote authentication and authorization, if the re-authentication interval is set to a shorter
time, the CPU usage may be higher.
To reduce the impact on the device performance when many users exist, the user re-
authentication interval may be longer than the configured re-authentication interval.
Example
# In the 802.1X access profile d1, set the client authentication timeout interval to
90 seconds.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x timer client-timeout 90
Related Topics
13.4.64 display dot1x-access-profile configuration
Function
The dot1x timer mac-bypass-delay command configures the 802.1X
authentication timeout timer after which MAC address authentication is
performed.
Format
dot1x timer mac-bypass-delay delay-time-value
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After MAC address bypass authentication is configured, the device performs
802.1X authentication first and starts the timer configured using the dot1x timer
mac-bypass-delay delay-time-value command. If 802.1X authentication is not
successful before the timer expires, the device performs MAC address
authentication on users. You can run the 13.4.102 dot1x retry max-retry-value
command to set the number of times an authentication request is retransmitted
to an 802.1X user. The retransmission interval is the integer part of the value
calculated using the following formula: delay-time-value/(max-retry-value + 1)
Example
# Configure the device to perform MAC address authentication if 802.1X
authentication is not successful within 60 seconds.
<HUAWEI> system-view
[HUAWEI] dot1x timer mac-bypass-delay 60
Format
dot1x timer quiet-period quiet-period-times
undo dot1x timer quiet-period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If an 802.1X user fails authentication repeatedly within a short period, system
performance is affected and a large number of duplicate authentication failure
logs are generated.
After the quiet function is enabled using the 13.4.98 dot1x quiet-period
command, if the number of times that an 802.1X user fails to be authenticated
within 60s exceeds the upper limit (configured using the 13.4.99 dot1x quiet-
times command), the device discards the user's 802.1X authentication request
packets for a period to avoid frequent authentication failures.
Example
# Set the quiet period to 100 seconds for 802.1X users who fail to be
authenticated.
<HUAWEI> system-view
[HUAWEI] dot1x timer quiet-period 100
Format
dot1x trigger dhcp-binding
undo dot1x trigger dhcp-binding
Parameters
None
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
Scenario
There are unauthorized users who modify their MAC addresses to those of
authorized users. After authorized users are connected through 802.1X
authentication, the unauthorized users can obtain the same identities as the
authorized users and connect to the network without authentication. This results
in security risks of authentication and accounting. After accessing the network,
unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP
packets. In this case, the device records incorrect ARP entries, greatly affecting
normal communication between authorized users. To prevent the previous attacks,
configure IPSG and DAI. These two functions are implemented based on binding
tables. For static IP users, you can run the user-bind static command to configure
the static binding table. However, if there are many static IP users, it takes more
time to configure static binding entries one by one.
To reduce the workload, you can configure the device to automatically generate
the DHCP snooping binding table for static IP users. After the static IP users who
pass 802.1X authentication or are at the pre-authentication phase send EAP
packets to trigger generation of the user information table, the device
automatically generates the DHCP snooping binding table based on the MAC
address, IP address, and interface recorded in the table.
You can run the display dhcp snooping user-bind command to check the DHCP
snooping binding table that is generated by the device for static IP users who pass
802.1X authentication or are at the pre-authentication phase. The DHCP snooping
binding table generated using this function will be deleted after the users are
disconnected.
Follow-up Procedure
Configure IPSG and DAI after the DHCP snooping binding table is generated, to
prevent attacks from unauthorized users.
● In the interface view, run the ip source check user-bind enable command to
enable IPSG.
● In the interface view, run the arp anti-attack check user-bind enable
command to enable DAI.
Precautions
● To make this function take effect, you must run the dhcp snooping enable
command on the interface to which the 802.1X access profile is bound to
enable the DHCP snooping function on the interface and globally.
● The EAP protocol does not specify a standard attribute to carry IP address
information. Therefore, if the EAP request packet sent by a static IP user does
not contain an IP address, the IP address information in the DHCP snooping
binding table is obtained from the user's first ARP request packet with the
same MAC address as the user information table after the user passes
authentication. On a network, unauthorized users may forge authorized users'
MAC addresses to initiate ARP spoofing attacks on devices, and the DHCP
snooping binding table generated accordingly may be unreliable. Therefore,
the dot1x trigger dhcp-binding command is not recommended and you are
advised to run the user-bind static command to configure the static binding
table.
● For users who are assigned IP addresses using DHCP, you do not need to run
the dot1x trigger dhcp-binding command on the device. The DHCP snooping
binding table is generated through the DHCP snooping function.
● The IP address in the DHCP snooping binding table is extracted from the ARP
request packet (the first ARP request packet sent by the user after the user is
authenticated or in the pre-connection state that has the same MAC address
in the user information table). If the static IP address of a user is changed, the
user needs to be authenticated again.
Example
# In the 802.1X access profile d1, enable the device to automatically generate the
DHCP snooping binding table after static IP users pass 802.1X authentication or
when the users are at the pre-authentication phase.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x trigger dhcp-binding
Format
dot1x timer tx-period tx-period-value
undo dot1x timer tx-period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device starts the tx-period timer in either of the following situations:
● When the client initiates authentication and MAC address bypass
authentication is not configured, the device sends a unicast Request/Identity
packet to the client and starts the tx-period timer. If the client does not
respond within the period set by the timer, the device retransmits the
authentication request.
● To authenticate the 802.1X clients that cannot initiate authentication, the
device periodically sends multicast Request/Identity packets through the
802.1X-enabled interface to the clients at the interval set by the tx-period
timer.
After MAC address bypass authentication is enabled on a device, the interval at
which the device sends unicast Request/Identity packets to clients is determined
Normally, it is recommended that you retain the default setting of the timer.
Example
# Set the interval at which the device sends authentication requests to 90 seconds.
<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 90
Format
dot1x unicast-trigger
Parameters
None
Views
802.1X access profile view
Default Level
2: Configuration level
Usage Guidelines
After the dot1x unicast-trigger command is used on the device, the device sends
a unicast packet to respond to the received ARP or DHCP Request packet from a
client. If the client does not respond within the timeout interval (set by the
13.4.103 dot1x timer client-timeout client-timeout-value command), the device
retransmits the unicast packet (the maximum of retransmission times is set by the
13.4.102 dot1x retry max-retry-value command). This function allows users to
use the 802.1X client provided by the operating system for authentication, helping
quickly deploy an 802.1X network.
After receiving a packet that triggers 802.1X authentication from a client, the
device sends a unicast packet to the client. For clients that cannot send packets to
trigger 802.1X authentication, configure multicast packets to trigger 802.1X
authentication.
Example
# In the 802.1X access profile d1, enable 802.1X authentication triggered by
unicast packets.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x unicast-trigger
Format
dot1x url url-string
undo dot1x url
Parameters
Parameter Description Value
url-string: Specifies the redirect-to URL. Value: a string of 1 to 200
case-sensitive characters that do not contain spaces or question marks (?).
When double quotation marks are used around the string, spaces are allowed in
the string.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In the early stage of network deployment, deploying 802.1X clients is difficult
and labor-intensive. You can run the dot1x url command to set the redirect-to
URL to the 802.1X client download web page address. When a user attempts to
access a non-free IP subnet, the device redirects the user to the redirect-to URL,
where the user can download and install the 802.1X client software.
Follow-up Procedure
Run the 13.4.113 free-rule command to configure a free IP subnet where the
redirect URL used in 802.1X authentication belongs.
Precautions
The device does not support the triggering of a redirect URL through HTTPS
packets.
Example
# Set the redirect-to URL in 802.1X authentication to http://www.***.com.cn.
<HUAWEI> system-view
[HUAWEI] dot1x url http://www.***.com.cn
Function
The dot1x-access-profile command binds an authentication profile to an 802.1X
access profile.
Format
dot1x-access-profile access-profile-name
undo dot1x-access-profile
Parameters
Parameter Description Value
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The authentication type used by an authentication profile is determined by the
access profile bound to the authentication profile. After being bound to an 802.1X
access profile, the authentication profile is enabled with 802.1X authentication.
After the authentication profile is applied to the interface or VAP profile, 802.1X
authentication can be performed on online users.
Prerequisites
An 802.1X access profile has been created using the 13.4.111 dot1x-access-
profile (system view) command.
Follow-up Procedure
Run the 13.4.42 authentication-profile (Interface view or VAP profile view)
command to apply the authentication profile to the interface or VAP profile.
Precautions
An authentication profile can be bound to only one 802.1X access profile.
Example
# Bind the authentication profile dot1x_authen_profile1 to the 802.1X access
profile dot1x_access_profile1.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name dot1x_access_profile1
[HUAWEI-dot1x-access-profile-dot1x_access_profile1] quit
[HUAWEI] authentication-profile name dot1x_authen_profile1
[HUAWEI-authen-profile-dot1x_authen_profile1] dot1x-access-profile dot1x_access_profile1
Related Topics
13.4.61 display authentication-profile configuration
Format
dot1x-access-profile name access-profile-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device uses 802.1X access profiles to uniformly manage all 802.1X users'
access configurations. To perform 802.1X authentication for the users on an
interface or in a VAP profile, bind the authentication profile applied to the
interface or VAP profile to an 802.1X access profile.
Follow-up Procedure
Precautions
Example
# Create the 802.1X access profile named dot1x_access_profile1.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name dot1x_access_profile1
Related Topics
13.4.64 display dot1x-access-profile configuration
Format
enable
undo enable
Parameters
None
Views
Terminal type identification profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The terminal type identification profile takes effect immediately when terminal
type identification is enabled. The AC analyzes the terminal's MAC address, DHCP
Option, and UA information. If the information matches the rules configured in
the profile, the AC identifies the terminal type.
Prerequisite
A terminal type identifier has been configured using the 13.4.47 device-type
command.
Example
# Enable terminal type identification.
<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
Related Topics
13.4.47 device-type
13.4.62 display device-profile
13.4.113 free-rule
Function
The free-rule command configures authentication-free rules for NAC
authentication users.
Format
Common authentication-free rule:
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the authentication-free rule defined
by ACL.
Parameters
Parameter Description Value
rule-id: Specifies the number of an authentication-free rule for NAC
authentication users. Value: an integer that ranges from 0 to 511.
mask mask-length: Specifies the mask length of the source or destination IP
address, depending on the keyword. Value: an integer that ranges from 1 to 32.
mask ip-mask: Specifies the mask of the source or destination IP address,
depending on the keyword. Value: in dotted decimal notation.
udp destination-port port: Specifies the UDP destination port number. Value: an
integer that ranges from 1 to 65535.
acl-name acl-name: Specifies the name of an IPv4 ACL. Value: must be an existing
IPv4 ACL name. The number of the named ACL ranges from 6000 to 6031.
Views
Authentication-free rule profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To meet basic network access requirements of users who have not passed
authentication, the users need to obtain some network access rights without
authentication, for example, download 802.1X client software and update the
antivirus database. After running the 13.4.115 free-rule-template (system view)
command to create an authentication-free rule profile, run the free-rule
command to configure authentication-free rules in the profile. The users then can
obtain some network access rights without authentication.
An authentication-free rule can be a common authentication-free rule or defined
by an ACL. A common authentication-free rule is determined by parameters such
as IP address, MAC address, interface, and VLAN. An authentication-free rule
defined by an ACL is determined by the ACL rule (configured using the rule
command). The destination IP address that users can access without
authentication can be specified in an authentication-free rule defined by either of
the two methods. In addition, the destination domain name that users can access
without authentication can be specified in an authentication-free rule defined by
an ACL.
Compared with an authentication-free rule defined by IP address, one defined by
domain name is sometimes simpler and more convenient. For example, some
authentication users who do not have an authentication account must first log in
to the official website of a carrier and apply for a member account, or log in using
the account of a third party such as Twitter or Facebook. This requires that the
users can access specified websites before successful authentication. The domain
name of a website is easier to remember than its IP address; therefore, an
authentication-free rule defined by ACL can be configured to let the users
access the domain names of websites without authentication.
Prerequisites
To use the authentication-free rule defined by ACL: an ACL rule has been
configured using the rule command. This ACL rule can be based on an IP address
or a domain name. If the rule is defined by IP address, the source and destination
parameters can be configured; if the rule is defined by domain name, only the
destination parameter can be configured.
NOTE
If the user ACL is created using a name (specified by acl-name), a name-based ACL has been
created and the ACL number (6000-6031) has been specified using the acl name acl-name acl-
number command.
Follow-up Procedure
The domain name specified in an ACL only supports dynamic DNS resolution.
Therefore, when you define the authentication-free rule by domain name,
configure dynamic DNS resolution on the device and enable users to access the
DNS server without authentication. The steps are as follows:
1. Run the dns resolve command in the system view to enable dynamic DNS
resolution.
2. Run the dns server ip-address command in the system view to specify an IP
address for the DNS server.
3. Run the free-rule rule-id destination ip ip-address mask { mask-length | ip-
mask } command in the authentication-free rule profile to enable users to
access the DNS server without authentication.
Precautions
Wireless 802.1X authentication does not support this function.
When 802.1X authentication or MAC authentication is configured on a physical
interface, the free-rule command configuration does not take effect after the undo
authentication pre-authen-access enable command is run to disable the
pre-connection function.
Pay attention to the following when you use common authentication-free rules:
● When multiple authentication-free rules are configured simultaneously, the
system matches the rules one by one.
● In a wireless scenario or an SVF system, only the authentication-free rules
with IDs in the range of 0 to 127 on the AP or AS can take effect. On the AC
or parent, all configured authentication-free rules take effect.
● In a wireless scenario, the VLAN ID and interface number cannot be specified
in authentication-free rules configured on an AP. You are advised to set the
authentication-free rule ID to 128 or a larger value when specifying the VLAN
ID and interface number. If the ID of an authentication-free rule is less than
128, Portal redirection cannot be performed.
● In an SVF system, interface information in an authentication-free rule is
invalid.
● If you specify both the VLAN ID and interface number in an authentication-
free rule, the interface must belong to the VLAN. Otherwise, the rule is
invalid.
● If the destination port number is configured in an authentication-free rule,
fragments cannot match the rule and packets cannot be forwarded.
The priority of the ACL rule delivered by the RADIUS server is higher than that of
the authentication-free rule configured on the device.
Example
# In the authentication-free rule profile default_free_rule, allow all NAC
authentication users to access the network with the IP address 10.1.1.1/24 without
authentication.
<HUAWEI> system-view
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule 1 destination ip 10.1.1.1 mask 24 source ip any
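The matching behaviour of common authentication-free rules described above, as an added Python illustration (not Huawei code): it parses free-rule command lines and applies them one by one to constructed packets, including the precaution that fragments cannot match a rule that specifies a destination port. Ascending rule-ID evaluation order, the packet model and the placeholder DNS server address 10.2.2.53 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Model of the common authentication-free rules documented above. Added
# illustration, not Huawei code: it parses free-rule command lines and
# applies them to constructed packets as the usage guidelines describe.
# Ascending rule-ID order and the packet/fragment model are assumptions.


@dataclass
class FreeRule:
    rule_id: int                                  # 0 to 511
    dst: Optional[ipaddress.IPv4Network] = None   # None means "any"
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    udp_dport: Optional[int] = None               # 1 to 65535 when set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", ...
    dport: Optional[int] = None
    fragment: bool = False      # non-first IP fragment: carries no UDP header


def _parse_address(toks: List[str], i: int) -> Tuple[Optional[ipaddress.IPv4Network], int]:
    """Parse 'ip { any | addr mask { mask-length | ip-mask } }' at toks[i]."""
    if toks[i] != "ip":
        raise ValueError("expected 'ip' keyword")
    addr = toks[i + 1]
    if addr == "any":
        return None, i + 2
    if len(toks) < i + 4 or toks[i + 2] != "mask":
        raise ValueError("mask is required for a specific address")
    mask = toks[i + 3]
    if mask.isdigit() and not 1 <= int(mask) <= 32:
        raise ValueError("mask-length must be 1 to 32")
    # ipaddress accepts both a prefix length and a dotted-decimal mask
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 4


def parse_free_rule(line: str) -> FreeRule:
    """Parse one 'free-rule rule-id ...' command line into a FreeRule."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "free-rule":
        raise ValueError("not a free-rule command")
    rule_id = int(toks[1])
    if not 0 <= rule_id <= 511:
        raise ValueError("rule-id must be 0 to 511")
    rule = FreeRule(rule_id)
    i = 2
    while i < len(toks):
        kw = toks[i]
        if kw == "destination":
            rule.dst, i = _parse_address(toks, i + 1)
        elif kw == "source":
            rule.src, i = _parse_address(toks, i + 1)
        elif kw == "udp" and i + 2 < len(toks) and toks[i + 1] == "destination-port":
            port = int(toks[i + 2])
            if not 1 <= port <= 65535:
                raise ValueError("port must be 1 to 65535")
            rule.udp_dport = port
            i += 3
        else:
            raise ValueError(f"unsupported keyword: {kw}")
    return rule


def rule_matches(rule: FreeRule, pkt: Packet) -> bool:
    if rule.dst is not None and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.src is not None and ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.udp_dport is not None:
        # Precaution from the page: when a destination port is configured,
        # fragments cannot match the rule because they carry no port number.
        if pkt.fragment or pkt.proto != "udp" or pkt.dport != rule.udp_dport:
            return False
    return True


def first_matching_rule(rules: List[FreeRule], pkt: Packet) -> Optional[int]:
    """Return the ID of the first rule that permits the packet, or None."""
    for rule in sorted(rules, key=lambda r: r.rule_id):   # assumed order
        if rule_matches(rule, pkt):
            return rule.rule_id
    return None


# Constructed profile: the page's example rule plus a DNS server rule of the
# kind the follow-up procedure calls for (10.2.2.53 is a placeholder address).
PROFILE = [
    parse_free_rule("free-rule 1 destination ip 10.1.1.1 mask 24 source ip any"),
    parse_free_rule("free-rule 2 destination ip 10.2.2.53 mask 32 udp destination-port 53"),
]
```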
Format
free-rule-template free-rule-template-name
undo free-rule-template
Parameters
Parameter Description Value
free-rule-template-name: Specifies the name of an authentication-free rule
profile. Value: must be the name of an existing authentication-free rule profile.
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Before being authenticated, users need to obtain some network access rights to
meet basic network access requirements such as downloading the 802.1X client
and updating antivirus database. The device uses an authentication-free rule
profile to uniformly manage authorization information for authentication-free
users. You can define some network access rules in the profile to determine
network access rights that can be obtained by authentication-free users. You need
to bind a configured authentication-free rule profile to an authentication profile.
Users using the authentication profile then can obtain authentication-free
authorization information.
Prerequisites
An authentication-free rule profile has been created using the 13.4.115 free-rule-
template (system view) command.
When a large number of APs are online, do not run the free-rule-template or
undo free-rule-template command repeatedly because the device takes time to
execute the command. Otherwise, users cannot go online or offline properly in a
short period of time.
Example
# Bind the authentication-free rule profile default_free_rule to the authentication
profile p1.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] free-rule-template default_free_rule
Related Topics
13.4.61 display authentication-profile configuration
13.4.67 display free-rule-template configuration
Format
free-rule-template name free-rule-template-name
Parameters
Parameter Description Value
name free-rule-template-name: Specifies the name of an authentication-free rule
profile. Value: currently, the device supports only one authentication-free rule
profile, that is, the built-in profile default_free_rule.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To meet basic network access requirements of users who have not passed
authentication, the users need to obtain some network access rights without
authentication, for example, download 802.1X client software and update the
antivirus database. After creating an authentication-free rule profile using the
free-rule-template command, you can configure authentication-free rules in the
profile to allow the users to access the specified network resources without
authentication.
Follow-up Procedure
Run the 13.4.113 free-rule command in the authentication-free rule profile view
to configure authentication-free rules for users.
Precautions
Currently, the device supports only one authentication-free rule profile, that is, the
built-in profile default_free_rule.
For wired users, an authentication-free rule profile takes effect for all wired users
after it is created in the system view. The authentication-free rule profile does not
need to be bound to an authentication profile using the 13.4.114 free-rule-
template (authentication profile view) command in the authentication profile
view.
Example
# Display the view of the authentication-free rule profile default_free_rule.
<HUAWEI> system-view
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule]
Related Topics
13.4.67 display free-rule-template configuration
Format
http parse user-agent enable
undo http parse user-agent enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
User Agent (UA) is a field in the HTTP packet header. The UA field carries
information including the operating system used by the device and device version,
the CPU type, the browser and browser version, the language used by the browser,
and the browser plug-in.
If the UA function is enabled, the AC extracts the UA field from the HTTP Get
packet sent by a terminal that has passed 802.1X or Portal authentication,
analyzes the UA information, combines it with the MAC address and DHCP Option
information, and finally identifies the terminal type.
Precautions
Currently, the device supports the UA of a maximum of 247 characters.
Example
# Enable the UA function.
<HUAWEI> system-view
[HUAWEI] http parse user-agent enable
Function
The http get-method enable command configures the device to allow users to
submit user name and password information to the device in GET mode during
Portal authentication.
The undo http get-method enable command restores the default setting.
By default, the device does not allow users to submit user name and password
information to the device in GET mode during Portal authentication.
Format
http get-method enable
Parameters
None
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the device does not allow users to submit user name and password
information to the device in GET mode during Portal authentication. You can run
the http get-method enable command to configure the device to allow users to
submit user name and password information to the device in GET mode during
Portal authentication.
Precautions
The GET mode has the risk of password disclosure. Therefore, the POST mode is
recommended.
This command only applies to scenarios in which HTTP or HTTPS is used for Portal
connection establishment.
Example
# Configure the device to allow users to submit user name and password
information to the device in GET mode during Portal authentication.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http get-method enable
Function
The http-method post command configures parameters for parsing and replying
to POST or GET request packets of the HTTP or HTTPS protocol.
By default, the system has configured parameters for parsing and replying to
POST or GET request packets of the HTTP or HTTPS protocol. For details, see the
"Parameters" table.
Format
http-method post { cmd-key cmd-key [ login login-key | logout logout-key ] * |
init-url-key init-url-key | login-fail response { err-msg { authenserve-reply-
message | msg msg } | redirect-login-url | redirect-url redirect-url [ append-
reply-message msgkey ] } | login-success response { msg msg | redirect-init-url
| redirect-url redirect-url } | logout-fail response { msg msg | redirect-url
redirect-url } | logout-success response { msg msg | redirect-url redirect-url } |
password-key password-key | user-mac-key user-mac-key | userip-key userip-key
| username-key username-key } *
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
When the device uses the HTTP or HTTPS protocol to communicate with the
Portal server, a user sends POST or GET request packets (carrying parameters such
as the user name and MAC address) to the device as required by the Portal server.
After receiving the POST or GET request packets, the device parses parameters in
the packets. If identification keywords of the parameters differ from those
configured on the device, the user authentication fails. Therefore, you need to run
the http-method post command to configure the identification keywords based
on the Portal server configuration.
After successful user login or logout, or a user login or logout failure, the device
sends the login or logout result to the user based on the http-method post
Example
# Set the command identification keyword to cmd1 for parsing POST or GET
request packets of the HTTP or HTTPS protocol.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http-method post cmd-key cmd1
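The keyword-based parsing configured with http-method post and the GET/POST distinction behind http get-method enable, as an added Python illustration (not Huawei code): it extracts the login parameters from a constructed portal request using the configured identification keywords, fails the request when the keywords do not match, and flags GET submissions, whose credentials travel in the request line. Only cmd-key cmd1 comes from the page; the other keyword names, the placeholder credentials and the sample requests are constructed.

```python
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Added illustration (not Huawei code) of the http-method post identification
# keywords and the http get-method enable switch. Only cmd-key cmd1 comes
# from the page; the remaining keyword values are constructed placeholders.
KEYS = {
    "cmd-key": "cmd1",           # from the page's example
    "login": "login",            # constructed
    "logout": "logout",          # constructed
    "username-key": "username",  # constructed
    "password-key": "password",  # constructed
    "userip-key": "userip",      # constructed
    "user-mac-key": "usermac",   # constructed
}


def parse_portal_request(raw: bytes, keys: Dict[str, str],
                         get_method_enabled: bool = False) -> Dict[str, object]:
    """Parse a portal login/logout request the way the device is described to.

    Returns a dict with 'status' ('ok', 'rejected' or 'failed') and, on
    success, the action and the parameters found under the configured keys.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _ = request_line.split(" ", 2)
    if method == "POST":
        params = parse_qs(body.decode("utf-8", "replace"))
    elif method == "GET":
        if not get_method_enabled:
            # Default behaviour: GET submissions are not accepted.
            return {"status": "rejected",
                    "reason": "GET not allowed; http get-method enable is off"}
        params = parse_qs(urlsplit(target).query)
    else:
        return {"status": "rejected", "reason": f"unsupported method {method}"}

    # If the identification keywords differ from the device configuration,
    # the parameters are not found and the authentication fails.
    cmd = params.get(keys["cmd-key"], [None])[0]
    if cmd == keys["login"]:
        action = "login"
    elif cmd == keys["logout"]:
        action = "logout"
    else:
        return {"status": "failed", "reason": "cmd keyword mismatch"}

    username = params.get(keys["username-key"], [None])[0]
    password = params.get(keys["password-key"], [None])[0]
    if action == "login" and (username is None or password is None):
        return {"status": "failed", "reason": "username or password missing"}
    return {
        "status": "ok",
        "action": action,
        "username": username,
        "userip": params.get(keys["userip-key"], [None])[0],
        "usermac": params.get(keys["user-mac-key"], [None])[0],
        # The disclosure risk the precautions mention: with GET the credential
        # sits in the request line, which proxies and web servers record in logs.
        "credential_in_request_line": method == "GET",
    }


# Constructed sample requests; the password value is a placeholder.
POST_LOGIN = (
    b"POST /portal HTTP/1.1\r\nHost: 10.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"cmd1=login&username=alice&password=placeholder"
    b"&userip=192.0.2.10&usermac=00-00-5e-00-53-01"
)
GET_LOGIN = (
    b"GET /portal?cmd1=login&username=alice&password=placeholder HTTP/1.1\r\n"
    b"Host: 10.0.0.1\r\n\r\n"
)
# Client uses keyword "cmd" while the device is configured with cmd-key cmd1.
POST_WRONG_KEY = (
    b"POST /portal HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"
    b"cmd=login&username=alice&password=placeholder"
)

if __name__ == "__main__":
    print(parse_portal_request(POST_LOGIN, KEYS))
    print(parse_portal_request(GET_LOGIN, KEYS))
    print(parse_portal_request(GET_LOGIN, KEYS, get_method_enabled=True))
    print(parse_portal_request(POST_WRONG_KEY, KEYS))
```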
13.4.119 force-push
Function
The force-push command enables the forcible URL template or URL push
function.
The undo force-push command disables the forcible URL template or URL push
function.
Format
force-push { url-template template-name | url url-address }
undo force-push
Parameters
Parameter Description Value
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a user is successfully authenticated, the device forcibly redirects the user
to a web page when it receives the first HTTP or HTTPS packet from the user
accessing web pages. In addition to pushing advertisement pages, the device can
obtain user terminal information from the HTTP or HTTPS packets sent by the
users and apply the information to other services. There are two ways to push
web pages:
1. URL: pushes the URL corresponding to the web page.
2. URL template: pushes the URL template. A URL template must be created.
The URL template contains the URL of the pushed web page and URL
parameters.
Prerequisites
The URL configured using the 13.4.196 url (URL template view) command in the
URL template view cannot be a redirection URL; otherwise, the command does not
take effect.
Precautions
For the S5720HI, the forcible push function takes effect only for the first HTTP or
HTTPS packet received from the user. If an application program that actively sends
HTTP or HTTPS packets is installed on the user terminal, the terminal has sent the
HTTP or HTTPS packet before the user accesses a web page. Therefore, the user is
unaware of the web page push process.
The forcible push function takes effect only when a redirection ACL is configured
for switches excluding the S5720HI. If a redirection ACL exists in the user table, a
web page is forcibly pushed when HTTP packets from users match the redirection
ACL rule. Usually, you can configure the RADIUS server to authorize the Huawei
extended RADIUS attribute HW-Redirect-ACL to users for redirection ACL
implementation, or run the 13.1.72 redirect-acl command to configure a
redirection ACL.
For HTTP and HTTPS packets, the forcible push function takes effect only when a
redirection ACL is used. If the user table always contains redirection ACLs, a web
page is forcibly pushed when HTTPS packets from users match redirection ACL
rules.
If the switch functions as an AC and the direct forwarding mode is used in a
wireless scenario, the forcible web page push function is not supported.
A pushed URL configured in a domain needs to be used together with a redirect
ACL or push flag attribute. The redirect ACL has a higher priority than the push
flag attribute. By default, a pushed URL configured in a domain carries the push
flag attribute. Users are redirected to the pushed URL when they are
successfully authenticated.
When an IPv4 redirect ACL is configured for an IPv6 user or an IPv6 redirect ACL is
configured for an IPv4 user, the Push URL content field in the 13.4.55 display
access-user command output displays the pushed URL, but the browser of the
user cannot redirect to the pushed URL.
Switches except the S5720HI do not support concurrent use of the pushed URL
and redirection ACL6 functions. If both functions are configured, the Push URL
content field in the 13.4.55 display access-user command output displays the
pushed URL; however, the terminal browser cannot be redirected to the pushed
URL.
Example
# Push the URL template abc in the domain huawei.
<HUAWEI> system-view
[HUAWEI] url-template name abc
[HUAWEI-url-template-abc] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] force-push url-template abc
Function
The if-match vlan-id command configures the VLAN ID-based user identification
policy.
The undo if-match vlan-id command deletes the VLAN ID-based user
identification policy.
Format
if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10>
Parameters
Views
User context profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
On some enterprise networks, VLANs are used to divide the entire network into
different areas with various security levels. The administrator requires that a user
should obtain different network access rights when the user connects to the
network from different areas. In this case, the user context identification function
can be enabled on access devices, and a group of VLANs that belong to the same
area are added to the same user context profile. The administrator then assigns
the mapping network access rights to different user context profiles based on the
security level of each area. When a user connects to the network from different
areas, the user is added to different user context profiles matching their access
VLANs and therefore obtains different network access rights.
Prerequisites
A user context profile has been created using the access-context profile name
profile-name command in the system view.
Precautions
This function takes effect only for users who go online after this function is
successfully configured.
Example
# In the user context profile p1, configure the user identification policy of
matching users in VLAN 10 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] if-match vlan-id 10 to 20
13.4.121 if-match
Function
The if-match command configures the matching mode of terminal type
identification rules.
The undo if-match command deletes the matching mode of terminal type
identification rules.
By default, no matching mode of terminal type identification rules is configured.
Format
if-match rule rule-id [ { and | or } rule rule-id ] &<1-7>
undo if-match
Parameters
Views
Terminal type identification profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisite
The specified terminal type identification rules have been configured using the
rule command.
Precautions
If and is specified and the terminal information does not match the first rule, the
AC returns a matching failure and stops evaluating the following rules.
and has a higher priority than or. For example, after you run the if-match rule 1 or
rule 2 and rule 3 or rule 4 and rule 5 or rule 6 and rule 7 or rule 0 command, the
expression is evaluated as five alternatives: rule 1, rule 2 and rule 3, rule 4 and
rule 5, rule 6 and rule 7, and rule 0. Matching succeeds if the terminal information
matches any one of these alternatives.
Example
# Specify that terminal information must match terminal type identification rule
1.
<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] if-match rule 1
Related Topics
13.4.179 rule (terminal type identification profile view)
13.4.62 display device-profile
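The precedence rule for and and or can be checked mechanically. The following Python evaluator is an added example, not code from the Huawei documentation or the switch software: it parses an if-match expression into its and-groups, treating and as binding tighter than or exactly as described above, and reports whether a set of rule IDs the terminal matched satisfies the expression. The rule IDs and matched sets used with it are constructed for illustration.

```python
"""Evaluator for `if-match rule ...` expressions (added example, not Huawei code).

Models the precedence stated for the command: `and` binds tighter than `or`,
so "rule 1 or rule 2 and rule 3" means "rule 1 or (rule 2 and rule 3)".
Rule IDs and the sets of matched rules passed in are constructed inputs.
"""
import re
from typing import Iterable, List, Set

# Either "rule <id>" (group 1) or an operator (group 2); anything else is ignored.
_TOKEN = re.compile(r"rule\s+(\d+)|\b(and|or)\b", re.IGNORECASE)


def parse_if_match(expr: str) -> List[Set[int]]:
    """Parse the expression into a list of and-groups (disjunctive normal form).

    Because `and` has the higher priority, the terminal matches when every rule
    in at least one group matches. A malformed expression raises ValueError.
    """
    tokens = _TOKEN.findall(expr)
    if not tokens or not tokens[0][0]:
        raise ValueError("expression must start with 'rule <id>'")
    groups: List[Set[int]] = [set()]
    expect_rule = True
    for rule_id, op in tokens:
        if expect_rule:
            if not rule_id:
                raise ValueError(f"expected 'rule <id>', got {op!r}")
            groups[-1].add(int(rule_id))
        else:
            if rule_id:
                raise ValueError(f"missing operator before rule {rule_id}")
            if op.lower() == "or":
                groups.append(set())      # start a new alternative
            # "and" keeps adding rules to the current group
        expect_rule = not expect_rule
    if expect_rule:
        raise ValueError("expression ends with an operator")
    return groups


def terminal_matches(expr: str, matched_rules: Iterable[int]) -> bool:
    """True when the rules the terminal matched satisfy the if-match expression.

    A group is satisfied only if all of its rules matched; the first satisfied
    alternative decides, so no later alternative needs to be examined.
    """
    matched = set(matched_rules)
    return any(group <= matched for group in parse_if_match(expr))
```

Feeding the command's own eight-rule example through parse_if_match yields the five alternatives listed in the text, which is a quick way to confirm how a long if-match line will be interpreted before committing it to a device profile.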
Format
ip-static-user enable
undo ip-static-user enable
Parameters
None
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the device identifies static users by MAC address. However, a terminal
may have one MAC address and multiple IP addresses; for example, a firewall may
have several valid IP addresses that all map to a single MAC address. Such a
terminal goes online only after all of its IP addresses pass authentication. If the
device identifies terminals by MAC address, the entry for each IP address that is
authenticated later overwrites the entry for the IP address authenticated earlier, so
the terminal never goes online. You can run the ip-static-user enable command to
identify static users by IP address so that terminals with one MAC address and
multiple IP addresses can go online.
Prerequisites
A static user has been configured before this function is enabled:
1. The static user has been configured using the static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ ip-user ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id ] * command.
2. The authentication user name has been configured for the static user using the static-user username format-include { ip-address | mac-address | system-name } command.
3. The authentication password has been configured for the static user using the static-user password cipher password command.
Precautions
● For a terminal with one MAC address and multiple IP addresses, you must
configure the terminal as a static user and enable the function of identifying
static users through IP addresses so that the terminal can pass authentication
and go online. If ip-user is not specified when you configure static users, all
static users are processed by assuming they have one MAC address and
multiple IP addresses. To precisely identify and process static users with one
MAC address and multiple IP addresses, specify ip-user when configuring
these static users.
● The device does not support traffic statistics collection for a terminal with one
MAC address and multiple IP addresses.
● Configure wired users before enabling this function.
● This function takes effect only for users who go online after it is configured.
After the configuration on an interface is modified, online users on the
interface go offline.
● The device supports this function only when the user access mode is multi-
authen. For details on how to configure the user access mode, see 13.4.35
authentication mode.
● Static users who are identified through IP addresses directly go offline after
they fail to pass authentication. In this case, the display access-user (all
views) command cannot display any information about these users, including
their states: pre-authentication or authentication failure.
● Static users identified through IP addresses do not support MAC address
flapping.
● Static users identified through IP addresses do not support right control
during Layer 2 forwarding.
● Static users identified through IP addresses support only IP address-based
upstream authorization services (such as authorization UCL, isolation
between Layer 3 groups, CAR, and priority for upstream traffic), and do not
support downstream authorization services (such as CAR, re-marking action,
dynamic authorization VLAN, and HQoS for downstream traffic).
● In the policy association scenario, if the control point mode is set to open
using the authentication control-point open command, the device does not
support the function of identifying static users through IP addresses.
● For a terminal with one MAC address and multiple IP addresses, only ARP
packets can be used to trigger authentication. Therefore, ensure that the
device can perform authentication triggered by ARP packets; for example, the
types of packets that can trigger authentication must include ARP.
● If user A with multiple IP addresses and one MAC address is online and then
web user B with the same MAC address is successfully authenticated, the
entry of user A is overwritten by that of user B. In this case, user A still has
network access rights.
Example
# Enable the function of identifying static users through IP addresses in the
authentication profile p1.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] ip-static-user enable
Related Topics
13.4.185 static-user
13.4.187 static-user username format-include
13.4.186 static-user password
13.4.82 display static-user
13.4.61 display authentication-profile configuration
Format
link-down offline delay { delay-value | unlimited }
undo link-down offline delay
Parameters
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a link fails, the interface goes Down and its users are logged out
immediately. To avoid this, you can configure the user logout delay function: when
the interface link fails, users remain online for the configured delay. If the link is
restored within the delay, the users do not need to be re-authenticated. If the link
is restored only after the delay has expired, the users have already been logged
out and must be re-authenticated.
Precautions
● This function takes effect only for wired users who go online on Layer 2
physical interfaces that have been configured with NAC authentication.
● To make the function take effect, the configured delay should be longer than
the time the interface is expected to stay Down after a link fault.
Example
# In the authentication profile p1, set the user logout delay to 5 seconds when the
link is faulty.
<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] link-down offline delay 5
Format
mac-access-profile access-profile-name
undo mac-access-profile
Parameters
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The authentication type used by an authentication profile is determined by the
access profile bound to the authentication profile. After being bound to a MAC
access profile, the authentication profile is enabled with MAC address
authentication. After the authentication profile is applied to the interface or VAP
profile, MAC address authentication can be performed on online users.
Prerequisites
A MAC access profile has been created using the 13.4.125 mac-access-profile
(system view) command.
Follow-up Procedure
Run the 13.4.42 authentication-profile (Interface view or VAP profile view)
command to apply the authentication profile to the interface or VAP profile.
Precautions
Example
# Bind the authentication profile mac_authen_profile1 to the MAC access profile
mac_access_profile.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name mac_access_profile
[HUAWEI-mac-access-profile-mac_access_profile] quit
[HUAWEI] authentication-profile name mac_authen_profile1
[HUAWEI-authen-profile-mac_authen_profile1] mac-access-profile mac_access_profile
Related Topics
13.4.61 display authentication-profile configuration
Function
The mac-access-profile command creates a MAC access profile and displays the
MAC access profile view.
Format
mac-access-profile name access-profile-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device uses MAC access profiles to manage the access configurations of all
MAC address authentication users uniformly. To perform MAC address
authentication for users on an interface or in a VAP profile, bind a MAC access
profile to the authentication profile applied to that interface or VAP profile.
Follow-up Procedure
Run the 13.4.124 mac-access-profile (authentication profile view) command in
the authentication profile view to bind the authentication profile to a MAC access
profile.
Precautions
● The compatibility profile converted after an upgrade is not counted in the
configuration specification. The built-in MAC access profile
mac_access_profile can be modified and applied, but cannot be deleted.
● Before deleting a MAC access profile, ensure that this profile is not bound to
any authentication profile.
Example
# Create the MAC access profile named mac_access_profile.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name mac_access_profile
Related Topics
13.4.70 display mac-access-profile configuration
Format
mac-authen offline dhcp-release
undo mac-authen offline dhcp-release
Parameters
None
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a MAC address authentication user goes offline by sending a DHCP Release
packet, the corresponding user entry on the device is not deleted immediately.
The stale entry occupies device resources and may prevent other users from
going online. Run this command so that the device clears such user entries in real
time when MAC address authentication users go offline.
Precautions
MAC address authentication users who go online through VLANIF interfaces do
not support this function.
If the device functions as a DHCP relay agent, configure the DHCP snooping
function on the device; otherwise, this command does not take effect.
This function takes effect only in L2 BNG scenarios.
Example
# In the MAC access profile m1, enable the device to clear user entries when
receiving DHCP Release packets from MAC address authentication users.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] mac-authen offline dhcp-release
NOTE
Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI,
S6720S-LI, S6720S-SI, S6720SI, S6720EI, and S6720S-EI support this command.
Format
mac-authen permit mac-address mac-address mask { mask | mask-length }
Parameters
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a new MAC address entry is generated on the device after MAC address
authentication is enabled on a VLANIF interface, MAC address authentication will
be performed for the corresponding user. To actually control the users who can be
authenticated using MAC addresses on the VLANIF interface, use this command to
specify a MAC address range for MAC address authentication.
Precautions
Only MAC address authentication users who go online through VLANIF interfaces
support this function.
A maximum of eight MAC address ranges are allowed for MAC address
authentication on a VLANIF interface.
Example
# In the MAC access profile m1, set the MAC address to 0002-0002-0002 and the
MAC address mask length to 24 for MAC address authentication.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] mac-authen permit mac-address 0002-0002-0002 mask 24
Format
mac-authen quiet-times fail-times
undo mac-authen quiet-times
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The quiet function for MAC address authentication is enabled on the device by
default. When the number of authentication failures of a MAC address
authentication user exceeds the maximum (10 by default) within 60 seconds, the
device quiets the user and does not process authentication requests from the user,
reducing the load that attackers can impose on the system.
Precautions
If the maximum number of authentication failures is raised while a user is in quiet
state, that user can initiate re-authentication only after the quiet period expires.
If the user then enters an incorrect user name or password again, authentication
fails, but the device does not quiet the user and allows the user to initiate
re-authentication immediately.
The quiet function for MAC address authentication users takes effect only after
the pre-connection function is disabled using the undo authentication pre-
authen-access enable command and the device is disabled from assigning
network access rights to users in each phase before authentication succeeds using
the undo authentication event action authorize command. In multi-mode
authentication of MAC address authentication users, the quiet function for MAC
address authentication users does not take effect.
Example
# Set the maximum number of authentication failures within 60 seconds to 4.
<HUAWEI> system-view
[HUAWEI] mac-authen quiet-times 4
Format
mac-authen reauthenticate mac-address mac-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
For details, see 13.4.130 mac-authen reauthenticate.
The mac-authen reauthenticate mac-address and 13.4.130 mac-authen
reauthenticate commands re-authenticate online MAC address authentication
users and their difference is as follows:
● The mac-authen reauthenticate mac-address command configures the
device to immediately re-authenticate a user with a specified MAC address,
once.
● The 13.4.130 mac-authen reauthenticate command configures the device to
re-authenticate all online MAC address authentication users at intervals.
Example
# Enable re-authentication for an online MAC address authentication user with
the MAC address 0001-0002-0003.
<HUAWEI> system-view
[HUAWEI] mac-authen reauthenticate mac-address 0001-0002-0003
Format
mac-authen reauthenticate
undo mac-authen reauthenticate
Parameters
None
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the user goes online, the device saves authentication parameters of the user.
After re-authentication is configured for online MAC address authentication users,
the device automatically sends the user authentication parameters in the MAC
access profile to the authentication server at an interval (specified using the
13.4.133 mac-authen timer reauthenticate-period command) for re-
authentication. If the user authentication information on the authentication server
remains unchanged, the users are kept online. If the information has been
changed, the users are disconnected and need to be re-authenticated based on
the changed authentication parameters.
Precautions
If the device is connected to a server for re-authentication and the server replies
with a re-authentication deny message that makes an online user go offline, it is
recommended that you locate the cause of the re-authentication failure on the
server or disable the re-authentication function on the device.
Example
# In the MAC access profile mac_access_profile, configure re-authentication for
online MAC address authentication users.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name mac_access_profile
[HUAWEI-mac-access-profile-mac_access_profile] mac-authen reauthenticate
Related Topics
13.4.70 display mac-access-profile configuration
Function
The mac-authen reauthenticate dhcp-renew command enables the device to re-
authenticate the users when receiving DHCP lease renewal packets from MAC
address authentication users.
By default, the device does not re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.
Format
mac-authen reauthenticate dhcp-renew
undo mac-authen reauthenticate dhcp-renew
Parameters
None
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After users go online, the administrator may modify the users' authentication
parameters or network access rights on the authentication server. To ensure user
validity or update the users' network access rights in real time, you can run this
command to enable the device to re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.
Precautions
MAC address authentication users who go online through a VLANIF interface do
not support re-authentication.
This function applies only to Layer 2 BNG scenarios.
Example
# In the MAC access profile m1, enable the device to re-authenticate the users
when receiving DHCP lease renewal packets from MAC address authentication
users.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] mac-authen reauthenticate dhcp-renew
Format
mac-authen timer quiet-period quiet-period-value
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If a MAC address authentication user fails authentication repeatedly within a
short period, system performance is affected and a large number of duplicate
authentication failure logs are generated.
After the quiet function is enabled, if the number of times that a MAC address
authentication user fails to be authenticated within 60s exceeds the upper limit
(configured using the 13.4.128 mac-authen quiet-times command), the device
discards the user's MAC address authentication request packets for a period to
avoid frequent authentication failures.
NOTE
The quiet function for MAC address authentication users takes effect only after the pre-
connection function is disabled using the undo authentication pre-authen-access enable
command and the device is disabled from assigning network access rights to users in each
phase before authentication succeeds using the undo authentication event action authorize
command. In multi-mode authentication of MAC address authentication users, the quiet
function for MAC address authentication users does not take effect.
Example
# Set the quiet period to 100 seconds for MAC address authentication users who
fail to be authenticated.
<HUAWEI> system-view
[HUAWEI] mac-authen timer quiet-period 100
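The interaction between mac-authen quiet-times and mac-authen timer quiet-period is easier to reason about as a small state machine. The following Python model is an added example, not code from the Huawei documentation or the switch software: failures are counted in a sliding 60-second window (the window the text gives), the MAC address is quieted once the count exceeds the configured maximum, and its requests are dropped until the quiet period elapses. It assumes "exceeds" means strictly more than the configured value; the MAC addresses and timestamps passed in are constructed.

```python
"""Sliding-window quiet logic for MAC address authentication failures.

Added example, not code from the Huawei documentation or the switch software.
It models the behaviour described for `mac-authen quiet-times` (more than the
configured number of failures within 60 seconds puts the MAC address into quiet
state) and `mac-authen timer quiet-period` (authentication requests from that
MAC address are dropped until the quiet period elapses). "Exceeds" is taken
to mean strictly more than the configured value (assumption). MAC addresses
and timestamps passed in are constructed inputs.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict

FAIL_WINDOW_SECONDS = 60.0   # the window stated in the command description


@dataclass
class _MacState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps in window
    quiet_until: float = 0.0                               # 0 = not quiet


class MacAuthQuiet:
    """Per-MAC failure counter and quiet timer, defaults as the text gives them."""

    def __init__(self, quiet_times: int = 10, quiet_period: float = 60.0):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self._state: Dict[str, _MacState] = {}

    def accepts_request(self, mac: str, now: float) -> bool:
        """Would the device process an authentication request from `mac` now?"""
        st = self._state.get(mac)
        return st is None or now >= st.quiet_until

    def record_failure(self, mac: str, now: float) -> bool:
        """Register a failed authentication at time `now`; return True if quiet."""
        st = self._state.setdefault(mac, _MacState())
        if now < st.quiet_until:
            return True                     # request is dropped, nothing counted
        st.failures.append(now)
        while st.failures and now - st.failures[0] > FAIL_WINDOW_SECONDS:
            st.failures.popleft()           # forget failures older than the window
        if len(st.failures) > self.quiet_times:
            st.quiet_until = now + self.quiet_period
            st.failures.clear()             # counting restarts after the quiet period
            return True
        return False

    def record_success(self, mac: str) -> None:
        """A successful authentication clears the failure history."""
        self._state.pop(mac, None)

    def quiet_remaining(self, mac: str, now: float) -> float:
        """Seconds left in quiet state (0 when not quiet)."""
        st = self._state.get(mac)
        return max(0.0, st.quiet_until - now) if st else 0.0
```

Note that the window and the quiet period are independent knobs: a client that fails once every 61 seconds never trips quiet-times, which is why the feature limits brute-force load rather than preventing slow guessing, and why the precaution about pre-connection and pre-authentication authorization matters, since in those modes the device never reaches this counting path.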
Format
mac-authen timer reauthenticate-period reauthenticate-period-value
undo mac-authen timer reauthenticate-period
Parameters
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After configuring the re-authentication function for online MAC address
authentication users using the 13.4.130 mac-authen reauthenticate command,
run the mac-authen timer reauthenticate-period command to configure the re-
authentication interval. The device then re-authenticates online users at the
specified interval, ensuring that only authorized users can keep online.
Precautions
Generally, the default re-authentication interval is recommended. If many ACL
rules need to be delivered during user authorization, to improve the device
processing performance, you are advised to disable re-authentication or increase
Example
# In the MAC access profile mac_access_profile, configure the re-authentication
interval for online MAC address authentication users to 2000 seconds.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name mac_access_profile
[HUAWEI-mac-access-profile-mac_access_profile] mac-authen timer reauthenticate-period 2000
Related Topics
13.4.130 mac-authen reauthenticate
13.4.70 display mac-access-profile configuration
Format
mac-authen username { fixed username [ password cipher password ] |
macaddress [ format { with-hyphen [ normal ] | without-hyphen }
[ uppercase ] [ password cipher password ] ] | dhcp-option option-code
{ circuit-id | remote-id } * [ separate separate ] [ format-hex ] password cipher
password }
undo mac-authen username [ fixed username [ password cipher password ] |
macaddress [ format { with-hyphen [ normal ] | without-hyphen }
[ uppercase ] [ password cipher password ] ] | dhcp-option option-code
[ circuit-id | remote-id ] * [ password cipher password ] ]
Parameters
fixed username: Specifies a fixed user name for MAC address authentication. The value is a string of 1 to 64 case-sensitive characters without spaces; when the string is enclosed in double quotation marks, spaces are allowed in it.
Views
MAC access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The following user name formats are available for MAC address authentication:
● Fixed user name: A user uses the fixed user name and password configured by
the administrator for authentication.
● MAC address: A user uses the MAC address as the user name for
authentication. In addition, the MAC address or user-defined character string
can be used as the password.
● DHCP option: The device uses the DHCP option information it obtains and the
password set by the administrator for authentication. In this mode, ensure that
the device supports MAC address authentication triggered by DHCP packets.
By default, the device sends the user MAC address as the user name and password
to the authentication server for authentication. However, the users cannot be
easily identified and managed in this case. To flexibly identify and manage users,
run the mac-authen username command to configure fixed user names and
passwords for MAC address authentication users.
Precautions
● When configuring the user name format for MAC address authentication,
ensure that the authentication server supports the user name format.
● If MAC address authentication is enabled on a VLANIF interface, on an Eth-
Trunk, in a port group, or in a VAP profile, and MAC address authentication
users use fixed user names, passwords must be configured. If MAC address
authentication is enabled in a port group and MAC addresses are used as user
names, passwords cannot be configured. If MAC address authentication is
enabled on a VLANIF interface or in a VAP profile, user names for MAC
address authentication cannot be set to specified DHCP option information.
● When the user names for MAC address authentication are in the DHCP option
format, the DHCP Option82 cannot be configured in the extend format or a
customized format (non character string) by using the 14.8.6 dhcp option82
format command.
Example
# In the MAC access profile mac_access_profile, configure the device to use the
MAC address containing hyphens (-) as the user name.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name mac_access_profile
[HUAWEI-mac-access-profile-mac_access_profile] mac-authen username macaddress format with-hyphen
Related Topics
13.4.70 display mac-access-profile configuration
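What the RADIUS server will actually see as the user name depends on the format keywords above, and a mismatch is the usual reason MAC authentication fails against a correctly provisioned server. The following Python functions are an added example, not code from the Huawei documentation or the switch software: they render the user name and password for the macaddress and dhcp-option formats of mac-authen username. The concrete rendering of with-hyphen (xxxx-xxxx-xxxx), with-hyphen normal (xx-xx-xx-xx-xx-xx) and format-hex, and the default separator, are assumptions of this example; the MAC address and Option 82 values are constructed.

```python
"""User name rendering for `mac-authen username` (added example, not Huawei code).

Implements the format options named in the command: `macaddress` with
`with-hyphen [normal] | without-hyphen` and `uppercase`, and `dhcp-option`
with `circuit-id` / `remote-id`, `separate` and `format-hex`. Assumptions:
with-hyphen renders xxxx-xxxx-xxxx, with-hyphen normal renders
xx-xx-xx-xx-xx-xx, format-hex renders each sub-option as lowercase hex,
and ":" is the separator when none is given. Sample values are constructed.
"""
import re
from typing import Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def _normalize_mac(mac: str) -> str:
    """Accept 0002-0002-0002, 00:02:00:02:00:02 or 000200020002; return 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_username(mac: str, with_hyphen: bool = True, normal: bool = False,
                 uppercase: bool = False,
                 password: Optional[str] = None) -> Tuple[str, str]:
    """Return (username, password) for the `macaddress` format.

    With no explicit password the formatted MAC address is reused as the
    password, which is the default behaviour the text describes.
    """
    d = _normalize_mac(mac)
    if with_hyphen and normal:
        name = "-".join(d[i:i + 2] for i in range(0, 12, 2))   # 00-02-00-02-00-02 (assumed)
    elif with_hyphen:
        name = "-".join(d[i:i + 4] for i in range(0, 12, 4))   # 0002-0002-0002
    else:
        name = d                                               # 000200020002
    if uppercase:
        name = name.upper()
    return name, (password if password is not None else name)


def dhcp_option_username(circuit_id: Optional[bytes], remote_id: Optional[bytes],
                         password: str, separator: str = ":",
                         format_hex: bool = False) -> Tuple[str, str]:
    """Return (username, password) for the `dhcp-option` format.

    The user name is the selected Option 82 sub-options joined by `separator`;
    with format_hex each sub-option is rendered as hex instead of ASCII text.
    The password is mandatory in this mode (the format shows it unbracketed).
    """
    parts = [p for p in (circuit_id, remote_id) if p is not None]
    if not parts:
        raise ValueError("at least one of circuit-id / remote-id is required")
    render = (lambda b: b.hex()) if format_hex else (lambda b: b.decode("ascii"))
    return separator.join(render(p) for p in parts), password
```

When the MAC address doubles as the password, the credential is derivable from any frame the client sends, so the server-side account should be restricted to the network rights that MAC-authenticated devices actually need; the fixed-user-name form with a real password, or Option 82 tied to a port, gives the server something the client cannot trivially forge.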
Function
The match access-context-profile action command configures the network
access rights for specified users in each phase before authentication success based
on user context profiles.
By default, no network access right is configured for specified users in each phase
before authentication success.
Format
match access-context-profile profile-name action { authen-fail service-scheme
service-scheme-name | authen-server-down service-scheme service-scheme-
name | authen-server-up re-authen | client-no-response service-scheme
service-scheme-name | portal-server-down service-scheme service-scheme-name
| portal-server-up re-authen | pre-authen service-scheme service-scheme-
name } *
undo match access-context-profile profile-name action { authen-fail | authen-
server-down | authen-server-up | client-no-response | portal-server-down |
portal-server-up | pre-authen } *
Parameters
service-scheme service-scheme-name: Specifies the name of the service scheme based on which network access rights are assigned to users. The value must be the name of an existing service scheme on the device.
Views
User authentication event authorization policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users need basic network access rights before they are authenticated. For
example, the users need to download 802.1X clients and update the antivirus
database. A user authentication event authorization policy can be used to bind the
network access rights of users in each phase before authentication success to a
user context profile. When a user goes online after a user authentication event
authorization policy is applied to the device, the device adds the user to the
context profile based on the user context identification result, and assigns the
network access rights to the user based on the user authentication result. The
match access-context-profile action command can be used to configure the
network access rights for users in each phase (including an authentication failure,
an authentication server fault, and no response from the users) before
authentication success.
Prerequisites
● A service scheme has been created using the service-scheme command in the
AAA view.
● A user context profile has been created using the access-context profile
name profile-name command in the system view.
Follow-up Procedure
In the global view, run the access-author policy global command to apply the
user authentication event authorization policy.
Precautions
The priority of user authorization based on a user context profile is higher than
that of user authorization in an authentication profile.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# Match the user authentication event authorization policy a1 with the
identification result of the user context profile p1, and use the service scheme s1
to authorize the users who fail to be authenticated.
<HUAWEI> system-view
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] match access-context-profile p1 action authen-fail service-scheme s1
Format
match access-context-profile profile-name action access-domain domain-name
[ dot1x | mac-authen | portal ] * [ force ]
Parameters
Views
User authentication event authorization policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In some enterprise networks, VLANs are used to divide the network into multiple
areas with different security levels, and the administrator assigns different
network access rights to access users in different areas. Because the device
manages users by domain, the authentication domain of an access user can be
configured based on the user context profile. As users in different areas match
different context profiles through their access VLANs, they are assigned different
authentication domains and therefore different network access rights.
Prerequisites
● A domain has been configured using the 13.1.47 domain (AAA view)
command in the AAA view.
● A user context profile has been configured using the access-context profile
name profile-name command in the system view.
Precautions
The priorities of the forcible domain, domain carried in the user name, and default
domain in different views are as follows in descending order: forcible domain with
a specified authentication mode in an authentication profile > forcible domain in
an authentication profile > forcible domain with a specified authentication mode
based on a user context profile > forcible domain based on a user context profile >
domain carried in the user name > default domain with a specified authentication
mode in an authentication profile > default domain in an authentication profile >
default domain with a specified authentication mode based on a user context
profile > default domain based on a user context profile > global default domain.
Example
# In the user authentication event authorization policy view, configure the user's
forcible domain huawei based on the user context profile p1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] quit
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] match access-context-profile p1 action access-domain huawei force
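The two halves of this mechanism, matching the access VLAN to a context profile with if-match vlan-id and then choosing a domain by the ten-level precedence listed above, can be modelled end to end. The following Python code is an added example, not code from the Huawei documentation or the switch software: VLAN ranges are (start, end) pairs on a context profile, each match access-context-profile ... action access-domain line is an action carrying the domain, the optional authentication modes and the force flag, and resolve_domain walks the precedence list in the order the text gives it. The profile names, VLAN ranges, domains and user names used with it are constructed.

```python
"""Context profile selection by access VLAN and authentication-domain precedence.

Added example, not code from the Huawei documentation or the switch software.
`if-match vlan-id` ranges are modelled as (start, end) pairs on a context
profile, `match access-context-profile ... action access-domain` as an action
carrying the domain, the optional authentication modes and the force flag,
and the domain is chosen by the ten-level precedence the text lists. Profile
names, VLAN ranges, domains and user names used with it are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class ContextProfile:
    name: str
    vlan_ranges: List[Tuple[int, int]] = field(default_factory=list)  # if-match vlan-id a [to b]

    def matches(self, vlan: int) -> bool:
        return any(lo <= vlan <= hi for lo, hi in self.vlan_ranges)


def select_context_profile(vlan: int, profiles: List[ContextProfile]) -> Optional[str]:
    """First profile (in configuration order) whose VLAN ranges cover the access VLAN."""
    return next((p.name for p in profiles if p.matches(vlan)), None)


@dataclass
class AccessDomainAction:
    """match access-context-profile <p> action access-domain <domain> [modes]* [force]"""
    domain: str
    modes: FrozenSet[str] = frozenset()   # empty: applies to every authentication mode
    force: bool = False


@dataclass
class AuthProfileDomains:
    """Forcible and default domains configured in the authentication profile."""
    force: Optional[str] = None
    force_by_mode: Dict[str, str] = field(default_factory=dict)
    default: Optional[str] = None
    default_by_mode: Dict[str, str] = field(default_factory=dict)


def domain_in_username(username: str) -> Optional[str]:
    """user@domain carries a domain; a bare user name carries none."""
    _, sep, dom = username.partition("@")
    return dom if sep and dom else None


def resolve_domain(username: str, mode: str, auth_profile: AuthProfileDomains,
                   context_actions: List[AccessDomainAction],
                   global_default: str = "default") -> Tuple[str, str]:
    """Return (domain, source) for the highest-priority source that is configured."""

    def from_context(force: bool, with_mode: bool) -> Optional[str]:
        for a in context_actions:
            mode_ok = (mode in a.modes) if with_mode else not a.modes
            if a.force == force and mode_ok:
                return a.domain
        return None

    candidates = [  # descending priority, in the order the text lists them
        ("forcible domain with mode, authentication profile", auth_profile.force_by_mode.get(mode)),
        ("forcible domain, authentication profile", auth_profile.force),
        ("forcible domain with mode, context profile", from_context(True, True)),
        ("forcible domain, context profile", from_context(True, False)),
        ("domain carried in user name", domain_in_username(username)),
        ("default domain with mode, authentication profile", auth_profile.default_by_mode.get(mode)),
        ("default domain, authentication profile", auth_profile.default),
        ("default domain with mode, context profile", from_context(False, True)),
        ("default domain, context profile", from_context(False, False)),
        ("global default domain", global_default),
    ]
    for source, dom in candidates:
        if dom:
            return dom, source
    raise AssertionError("unreachable: the global default domain is always set")


def domain_for_user(vlan: int, username: str, mode: str, profiles: List[ContextProfile],
                    policy: Dict[str, List[AccessDomainAction]],
                    auth_profile: AuthProfileDomains,
                    global_default: str = "default") -> Tuple[str, str]:
    """Pick the context profile from the access VLAN, then resolve the domain."""
    profile = select_context_profile(vlan, profiles)
    actions = policy.get(profile, []) if profile else []
    return resolve_domain(username, mode, auth_profile, actions, global_default)
```

The security-relevant detail the model makes visible is the position of "domain carried in user name": without force, a client can steer itself into another domain simply by appending @domain to its user name, so area-based policy that must not be user-selectable should use the force keyword (or a forcible domain in the authentication profile).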
13.4.137 parameter
Function
The parameter command sets the special characters used in a URL.
Format
parameter { start-mark parameter-value | assignment-mark parameter-value |
isolate-mark parameter-value } *
undo parameter { start-mark parameter-value | assignment-mark parameter-
value | isolate-mark parameter-value } *
Parameters
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
The parameter command allows you to customize the characters in URL.
For example, if the URL configured using the 13.4.196 url (URL template view)
command in the URL template bound to a Portal server profile is http://10.1.1.1,
you can run the 13.4.199 url-parameter command to add the user MAC address,
user IP address, and device system name to the URL by specifying the user_mac,
user_ip, and device parameters.
When a user with IP address 10.1.1.11 and MAC address 0002-0002-0002 connects
to an access device named huawei, the access device redirects the user to
http://10.1.1.1?user_mac=0002-0002-0002&user_ip=10.1.1.11&device=huawei
for Portal authentication. In the redirection URL, ? is the default start character,
= is the default assignment character, and & is the default delimiter between
parameters.
NOTE
If parameter-value is set to a question mark (?) in the URL, the command cannot be executed.
Example
# Change the start character in a URL from ? to #.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] parameter start-mark #
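As an added example (not Huawei's code), the following Python models how the device joins the url-parameter values onto the template URL with the configured start, assignment and isolate marks, the refusal of ? as a mark described in the NOTE above, and what a Portal server that parses the URL must know; the function names and the parsing step are assumptions for illustration.

```python
# Added example, not Huawei's code: models the redirection URL built from a URL
# template whose marks are set with the `parameter` command.

# Defaults named on the page: "?" starts the query, "=" assigns, "&" separates.
DEFAULT_MARKS = {"start-mark": "?", "assignment-mark": "=", "isolate-mark": "&"}


def set_parameter_marks(marks, **changes):
    """Apply `parameter { start-mark | assignment-mark | isolate-mark } value`.

    Keyword names use underscores (start_mark="#"). A new dict is returned and
    the original is left untouched. Per the page's NOTE, a parameter-value of
    "?" is refused, so the change is not applied in that case.
    """
    updated = dict(marks)
    for key, value in changes.items():
        name = key.replace("_", "-")
        if name not in updated:
            raise KeyError(f"unknown mark: {name}")
        if value == "?":
            raise ValueError("parameter-value cannot be a question mark (?)")
        updated[name] = value
    return updated


def build_redirect_url(base_url, params, marks=DEFAULT_MARKS):
    """Append url-parameter name/value pairs (user_mac, user_ip, device, ...).

    Values are inserted verbatim, exactly as in the page's example URL.
    """
    if not params:
        return base_url
    pairs = [f"{name}{marks['assignment-mark']}{value}" for name, value in params.items()]
    return f"{base_url}{marks['start-mark']}{marks['isolate-mark'].join(pairs)}"


def parse_redirect_url(url, marks=DEFAULT_MARKS):
    """Split a redirection URL back into (base_url, params) using the same marks.

    Assumed Portal-server side of the exchange: a server still expecting the
    default marks recovers no parameters once start-mark has been changed.
    """
    base, sep, query = url.partition(marks["start-mark"])
    if not sep:
        return base, {}
    params = {}
    for pair in query.split(marks["isolate-mark"]):
        name, _, value = pair.partition(marks["assignment-mark"])
        params[name] = value
    return base, params


if __name__ == "__main__":
    # Constructed sample matching the page's walk-through.
    user = {"user_mac": "0002-0002-0002", "user_ip": "10.1.1.11", "device": "huawei"}
    print(build_redirect_url("http://10.1.1.1", user))
    custom = set_parameter_marks(DEFAULT_MARKS, start_mark="#")
    print(build_redirect_url("http://10.1.1.1", user, custom))
```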
Format
port port-number [ all ]
undo port [ all ]
Parameters
Parameter: port-number
Description: Specifies the port number that the Portal server uses to receive and
encapsulate UDP packets from the device.
Value: The value is an integer that ranges from 1 to 65535. By default, the value
is 50100.

Parameter: all
Description: Indicates that the device always uses the destination port number
specified by port-number to encapsulate UDP packets.
NOTE
After this keyword is specified, when receiving UDP packets from a Portal server,
the device does not obtain the source port number in the UDP packets as the
destination port number of UDP packets to be sent to the Portal server. If the
value of port-number is different from the source port number of the Portal
server, the Portal server cannot receive the UDP packets sent by the device.
Therefore, this keyword is not recommended.
Value: -
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After creating a Portal server profile on the device using the 13.4.211 web-auth-server
(system view) command, configure parameters for the profile.
Run the port command to set the port number that a Portal server uses to receive
notification packets from the device. After receiving a Portal authentication
request packet from a user, the device sends the packet to the Portal server using
the specified destination port number.
Precautions
Ensure that the port number configured on the device is the same as that used by
the Portal server.
Example
# Set the port number that a Portal server uses to receive packets from the device
to 10000 in the Portal server profile huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] port 10000
Related Topics
13.4.89 display web-auth-server configuration
13.4.211 web-auth-server (system view)
Function
The portal auth-network command configures the source subnet for Portal
authentication.
By default, the source subnet for Portal authentication is 0.0.0.0/0, indicating that
users in all subnets must pass Portal authentication.
Format
portal auth-network network-address { mask-length | mask-address }
Parameters
Parameter Description Value
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the source subnet for Portal authentication is configured, only user packets
from the subnet can trigger Portal authentication. If an unauthenticated user is
not on a Portal authentication subnet and packets from the user do not match
any Portal authentication-free rule, the device discards the user's packets.
Precautions
The command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal
authentication, users on all subnets must be authenticated.
Example
# In the Portal access profile p1, set the source authentication subnet to
10.1.1.0/24.
<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] portal auth-network 10.1.1.0 24
Related Topics
13.4.77 display portal-access-profile configuration
Format
portal captive-adaptive enable
undo portal captive-adaptive enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
As WLANs are now widely available, users expect quick and convenient
authentication through applications on mobile terminals, without entering user
names and passwords. In this authentication mode, mobile terminals need to
automatically display the application-based Portal authentication page, and the
applications need to communicate with the background server. Therefore, the
mobile terminals must remain connected to the WLANs during authentication.
iOS terminals such as iPhones, iPads, and iMac computers provide the CNA
function. This function automatically detects the network connection status after
iOS terminals connect to WLANs. If the network is disconnected, the iOS terminals
display a page prompting users to enter user names and passwords. If users do
not enter the user names and passwords, the iOS terminals automatically
disconnect from the WLANs. As a result, users cannot use applications on iOS
terminals for authentication.
To solve the problem, enable the CNA adaptive function so that iOS terminals are
redirected to the application-based Portal authentication page when they connect
to WLANs. Users can click the link on the page to start specified applications to
perform Portal authentication. If users do not start applications to perform
authentication, they can still access authentication-free resources on the WLANs.
Precautions
When applications on iOS mobile terminals are used to perform Portal
authentication, you can run only the portal captive-bypass enable command to
enable the CNA bypass function. After this function is enabled, users who have
logged in to the applications can be automatically authenticated and connect to
networks, without entering their user names and passwords.
If you run both the portal captive-adaptive enable and portal captive-bypass
enable commands, the command executed later takes effect.
Due to restrictions of iOS 9.3.1, mobile terminals using iOS 9.3.1 cannot connect to
WLANs after the CNA adaptive function is enabled. To solve this problem, run the
portal captive-bypass enable command to enable the CNA bypass function.
Terminal users then can be redirected to the application-based Portal
authentication page after they open the browser and access a web page.
Authentication-free resources accessed by users cannot contain the URL
captive.apple.com; otherwise, terminals cannot automatically display the Portal
authentication page.
If the Portal authentication page is of the HTTPS type, terminals can automatically
display the Portal authentication page only when an HTTPS URL is used and the
domain name certificate is valid.
Example
# Enable the CNA adaptive function for iOS terminals.
<HUAWEI> system-view
[HUAWEI] portal captive-adaptive enable
Format
portal captive-bypass enable
undo portal captive-bypass enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The iOS operating system provides the Captive Network Assistant (CNA) function.
With the CNA function, iOS terminals (including iPhone, iPad, and iMac)
automatically detect wireless network connectivity after associating with a
wireless network. If the network connection cannot be set up, the iOS terminals
ask users to enter user names and passwords. If users do not enter the user names
and passwords, the iOS terminals automatically disconnect from the wireless
network.
Precautions
After the CNA bypass function is enabled for iOS terminals, the Portal
authentication page will not be automatically displayed for iOS terminals.
Example
# Enable the CNA bypass function for iOS terminals.
<HUAWEI> system-view
[HUAWEI] portal captive-bypass enable
Format
portal https-redirect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Many well-known websites such as Google and Baidu use Hypertext Transfer
Protocol Secure (HTTPS). When users visit these websites, they must be
redirected to the Portal authentication page so that Portal authentication can be
performed and the users can then access the network normally. After HTTPS
redirection of Portal authentication is enabled, the device can redirect
unauthenticated Portal users who visit HTTPS websites to the Portal
authentication page.
Precautions
Example
# Enable HTTPS redirection of Portal authentication.
<HUAWEI> system-view
[HUAWEI] portal https-redirect enable
NOTE
This command applies only to test environments, but not commercial environments.
Format
portal https-redirect wired enable
undo portal https-redirect wired enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To use the function supported by this command, upgrade the switch to
V200R013C00SPC500 or a later version.
Example
# Enable HTTPS redirection for wired Portal authentication users.
<HUAWEI> system-view
[HUAWEI] portal https-redirect wired enable
By default, no advertisement image file is loaded to the built-in Portal server login
page.
Format
portal local-server ad-image load ad-image-file
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
There is a blank area on the login page of the default page package used by the
built-in Portal server. Users can customize this area by loading an advertisement
image file. When the login page needs to be customized based on special
requirements, the administrator can upload the user-defined advertisement image
file to the device and run the portal local-server ad-image load command. After
the advertisement image file is loaded, the user-defined advertisement images are
displayed on the built-in Portal server login page for authentication.
Prerequisites
The user-defined advertisement image file has been uploaded to the device.
Example
# Load the advertisement image file ad.png to the built-in Portal server login
page.
<HUAWEI> system-view
[HUAWEI] portal local-server ad-image load flash:/ad.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Related Topics
13.4.75 display portal local-server
Format
portal local-server anonymous [ redirect-url url ]
undo portal local-server anonymous [ redirect-url ]
Parameters
Parameter Description Value
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In places such as airports, hotels, cafes, and public recreation places, the
anonymous login function allows users to access the network without entering the
user name and password, facilitating network service provisioning.
After the anonymous login function is enabled, users are redirected to the login
page the first time they access a web page. To connect to the network, users only
need to accept terms in the license agreement and click Login.
If the redirect-url url parameter is specified, the web page corresponding to the
specified URL will be automatically displayed when anonymous login users access
web pages for the first time. This function can be used for advertisement push and
users are unaware of the anonymous login process, improving user experience.
Precautions
Example
# In the Portal access template p1, configure the anonymous login function for
users authenticated through the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] portal local-server anonymous
Related Topics
13.4.77 display portal-access-profile configuration
Format
portal local-server authentication-method { chap | pap }
undo portal local-server authentication-method
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Password Authentication Protocol (PAP) is a two-way handshake authentication
protocol. It transmits passwords in plain text format in RADIUS packets.
Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake
authentication protocol. It transmits only user names using RADIUS packets, but
does not transmit passwords. CHAP is more secure and reliable than PAP. If high
security is required, CHAP is recommended.
Prerequisites
The built-in Portal server function has been enabled globally using the portal
local-server command.
Example
# Configure the built-in Portal server to use PAP to authenticate Portal users.
<HUAWEI> system-view
[HUAWEI] portal local-server authentication-method pap
Function
The portal local-server background-color command configures the background
color of the built-in Portal server login page.
Format
portal local-server background-color background-color-value
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Users can customize the login page of the default page package used by the built-in
Portal server. The administrator can configure the background color of the login
page.
Example
# Configure the user-defined background color of the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server background-color #AABBCC
Format
portal local-server background-image load { background-image-file | default-image1 }
undo portal local-server background-image load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users can customize the login page of the default page package used by the built-in
Portal server. Users can customize background images or select the default
ones. When the background image of the login page needs to be customized
based on special requirements, the administrator can upload the user-defined
background image file to the device and run the portal local-server background-image
load command. After the image is loaded, the user-defined background
image file is displayed on the built-in Portal server login page for authentication.
Prerequisites
The user-defined background image has been uploaded to the device.
Example
# Load the background image file bg.png to the built-in Portal server login page.
<HUAWEI> system-view
[HUAWEI] portal local-server background-image load flash:/bg.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
portal local-server enable
undo portal local-server enable
Parameters
None
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In Portal authentication, the device needs to provide the IP address of the Portal
server. The device supports external and built-in Portal servers. When the built-in
Portal server is required to authenticate users, enable the built-in Portal server
function globally and then run the portal local-server enable command in the
Portal access profile. Then the built-in Portal server can be used to authenticate
the users who use the Portal access profile.
Prerequisites
The built-in Portal server function has been enabled globally using the 13.4.154
portal local-server command.
Example
# In the Portal access profile p1, enable the built-in Portal server function.
<HUAWEI> system-view
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 10.1.1.1 24
[HUAWEI-LoopBack1] quit
[HUAWEI] portal local-server ip 10.1.1.1
[HUAWEI] ssl policy s1
[HUAWEI-ssl-policy-s1] quit
[HUAWEI] portal local-server https ssl-policy s1
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] portal local-server enable
Related Topics
13.4.77 display portal-access-profile configuration
Format
portal local-server ip ip-address
undo portal local-server ip
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the device is used as a built-in Portal server, you can run the portal local-server
ip command to configure an IP address for the built-in Portal server. Users
are then redirected to the Portal server if they enter URLs that are not located in
the free IP subnet.
NOTE
● The IP address assigned to the built-in Portal server must have a reachable route to the
user.
● It is recommended that a loopback interface address be assigned to the built-in Portal
server because the loopback interface is stable. Additionally, packets destined for
loopback interfaces are not sent to other interfaces on the network; therefore, system
performance is not deteriorated even if many users request to go online.
● After users go online through the built-in Portal server, if the interface address or
interface (non-physical interface) matching the built-in Portal server's IP address is
deleted, online users cannot go offline and offline users cannot go online. Therefore,
exercise caution when you delete the interface address or interface.
Example
# Assign the IP address 10.1.1.1 to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 10.1.1.1 24
[HUAWEI-LoopBack1] quit
[HUAWEI] portal local-server ip 10.1.1.1
Function
The portal local-server keep-alive command configures the heartbeat detection
interval and mode of the built-in Portal server.
By default, the heartbeat detection function of the built-in Portal server is not
configured.
Format
portal local-server keep-alive interval interval-value [ auto ]
Parameters
Parameter: interval interval-value
Description: Specifies the heartbeat detection interval of the built-in Portal server.
Value: The value is an integer that ranges from 30 to 7200, in seconds.

Parameter: auto
Description: Specifies the automatic detection mode. If this parameter is not
configured, the forcible detection mode is specified.
Value: -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a user closes the browser or an exception occurs, the device can detect the
user's online state to determine whether to log the user out. The
administrator can configure the heartbeat detection function of the built-in Portal
server. If the device does not receive a heartbeat packet from the client within the
specified period, the device forces the user offline. The heartbeat detection mode
of the built-in Portal server can be either of the following modes:
● Forcible detection mode: This mode applies to all users. If the device does not
receive a heartbeat packet from a user within the specified period, the device
forces the user offline.
● Automatic detection mode: The device checks whether the client browser
supports the heartbeat program. If yes, the forcible detection mode is used for
the user; if no, the device does not detect the user. You are advised to
configure this mode to prevent users from being forced offline only because the
browser does not support the heartbeat program.
NOTE
Currently, the heartbeat program is supported by Internet Explorer 8, Firefox 3.5.2, Chrome
28.0.1500.72, and Opera 12.00 on Windows 7. A Java program must be installed and
configured on the operating system.
Browsers using Java 1.7 and later versions do not support the heartbeat program.
Precautions
When the forcible detection mode is configured, the device may force users
offline if it fails to receive heartbeat packets for a long time during network
congestion. In this scenario, increase the heartbeat detection interval.
If you run this command multiple times in the same view, only the latest
configuration takes effect.
Example
# Configure the automatic detection function of the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server keep-alive interval 60 auto
Format
portal local-server load string
undo portal local-server load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Customized page file packages can be loaded to the built-in Portal server.
Prerequisites
The page file (.zip) has been uploaded from the PC to the device storage media.
Precautions
The default page file package can be modified but cannot be deleted. If it is
deleted, the built-in Portal server fails to load the pages after startup.
This function is used by technical support personnel to develop limited page
customization based on customer requirements and does not apply to
customization by customers themselves.
Example
# Load the page file portalpage_01.zip on the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server load portalpage_01.zip
Warning: Portal local server has been enabled, and this operation will affect online user, continue?[Y/N]:y
Related Topics
13.4.76 display portal local-server page-information
13.4.75 display portal local-server
Format
portal local-server logo load logo-file
undo portal local-server logo load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
There is a blank area on the login page of the default page package used by the
built-in Portal server. Users can customize this area by loading a logo file. When
the login page needs to be customized based on special requirements, the
administrator can upload the user-defined logo file to the device and run the
portal local-server logo load command. After the logo file is loaded, the user-defined
logo is displayed on the built-in Portal server login page for
authentication.
Prerequisites
The user-defined logo file has been uploaded to the device.
Example
# Load the logo file logo.png to the built-in Portal server login page.
<HUAWEI> system-view
[HUAWEI] portal local-server logo load flash:/logo.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Related Topics
13.4.75 display portal local-server
Format
portal local-server https ssl-policy policy-name [ port port-num ]
undo portal local-server https
Parameters
Parameter: port port-num
Description: Specifies the TCP port number used. If you do not specify a port
number, the default port number is used.
Value: The value can be 443 or any integer in the range of 1025 to 55535. By
default, the port number is 443.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Compared with an external Portal server, a built-in Portal server is easy to use,
cost-effective, and easy to maintain. After a built-in Portal server is configured,
Portal authentication can be implemented for users without an external Portal
server. When using the portal local-server command to enable the built-in Portal
server function, configure the built-in Portal server to exchange authentication
messages with users using the HTTPS protocol. HTTPS is a secure extension of
HTTP and uses the SSL protocol to guarantee secure communication. To enable
the built-in Portal server to exchange authentication messages using HTTPS, you
need to configure an SSL policy and load a digital certificate to the server.
Prerequisites
● The IP address of the built-in Portal server has been configured using the
13.4.150 portal local-server ip command.
● An SSL policy has been configured using the ssl policy policy-name command
in the system view, and a certificate has been loaded using the certificate
load command in the SSL policy view.
● You have obtained a digital certificate for the SSL policy from an authorized
certificate authority.
Precautions
When there are Portal authentication users online, you cannot disable the built-in
Portal server function or change the SSL policy for the built-in Portal server.
Example
# Enable the built-in Portal server function and configure the server to use the SSL
policy s1.
<HUAWEI> system-view
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 10.1.1.1 24
[HUAWEI-LoopBack1] quit
[HUAWEI] portal local-server ip 10.1.1.1
[HUAWEI] ssl policy s1
[HUAWEI-ssl-policy-s1] quit
[HUAWEI] portal local-server https ssl-policy s1
Function
The portal local-server page-text load command loads the use instruction page
file of the built-in Portal server.
The undo portal local-server page-text load command deletes the loaded use
instruction page file of the built-in Portal server.
By default, no use instruction page file of the built-in Portal server is loaded.
Format
portal local-server page-text load string
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If you need to customize the use instruction page, you can upload the customized
use instruction page file to the device, and run this command to load the file.
After the file is loaded, the hyperlink Instruction for Use is generated on the login
page of the built-in Portal server, and users can click the hyperlink to access the
use instruction page.
Prerequisite
Precautions
When the to-be-loaded page is customized, the page length and width are fixed.
After adjusting the page, the administrator must upload and load the modified
page again.
Currently, only Chinese or English page files can be loaded on the device.
Example
# Load the use instruction page file page.html to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server page-text load flash:/page.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Related Topics
13.4.75 display portal local-server
Function
The portal local-server policy-text load command loads a disclaimer page file to
the built-in Portal server.
The undo portal local-server policy-text load command deletes the loaded
disclaimer page file.
Format
portal local-server policy-text load string
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To customize a disclaimer page, upload the disclaimer page file to the device and
run this command to load the file. After the file is loaded, the hyperlink
Disclaimer will be displayed on the login page. You can click the link to visit the
disclaimer page.
Prerequisite
The disclaimer page file to be loaded has been uploaded to the device.
Precautions
Currently, only Chinese and English disclaimer page files can be loaded on the
device.
Example
# Load the disclaimer page file policy.html to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server policy-text load policy.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Related Topics
13.4.75 display portal local-server
Format
portal local-server timer session-timeout interval
undo portal local-server timer session-timeout
Parameters
Parameter: interval
Description: Specifies the session timeout interval for built-in Portal
authentication users.
Value: The value is an integer that ranges from 1 to 720, in hours.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When built-in Portal authentication is used for users and the device functions as a
built-in Portal server, you can configure the session timeout interval for the users.
The users are disconnected after the specified session timeout interval. To connect
to the network again, the users need to be re-authenticated.
Precautions
The session timeout interval for built-in Portal authentication users is calculated
based on the device time. For example, if the session timeout interval is 6 hours
and the device time is 2014-09-01 02:00:00 when a user was connected, the user
should be disconnected at 2014-09-01 08:00:00. Therefore, ensure that the device
time and time zone are correct after the session timeout interval is configured for
users. If the device time is incorrect, users may fail to be connected or
disconnected properly. You can run the display clock command to check the
device time and the time zone.
Example
# Set the session timeout interval to 10 hours for built-in Portal authentication
users.
<HUAWEI> system-view
[HUAWEI] portal local-server timer session-timeout 10
Related Topics
13.4.75 display portal local-server
Function
The portal local-server syslog-limit enable command enables the log
suppression function for users authenticated through the built-in Portal server.
The undo portal local-server syslog-limit enable command disables the log
suppression function for users authenticated through the built-in Portal server.
By default, the log suppression function is enabled for users authenticated through
the built-in Portal server.
Format
portal local-server syslog-limit enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device generates logs when users authenticated through the built-in Portal
server fail to go online or offline. If a user fails to go online or offline, the user
attempts to go online or offline repeatedly, and the device generates a large
number of logs within a short time. This results in a high failure rate in the
statistics and degrades the system performance. You can run the portal local-server
syslog-limit enable command to enable the log suppression function for
users authenticated through the built-in Portal server. The device then only
generates one log if a user fails to go online or offline within a suppression period
(configured using the 13.4.159 portal local-server syslog-limit period
command).
Example
# Enable the log suppression function for users authenticated through the built-in
Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server syslog-limit enable
Format
portal local-server syslog-limit period value
undo portal local-server syslog-limit period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device generates logs when users authenticated through the built-in Portal
server fail to go online or offline. If a user fails to go online or offline, the user
attempts to go online or offline repeatedly, and the device generates a large
number of logs within a short time. This results in a high failure rate in the
statistics and degrades the system performance. You can enable the log
suppression function (configured using the 13.4.158 portal local-server syslog-limit
enable command) for users authenticated through the built-in Portal server.
The device then only generates one log if a user fails to go online or offline within
a suppression period.
Example
# Set the log suppression period to 1000 seconds for users authenticated through
the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server syslog-limit period 1000
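As an added example (not Huawei's code), the following Python models the log suppression that the syslog-limit enable and syslog-limit period commands above describe: within one suppression period, a user who keeps failing to go online or offline produces a single log. The class, its field names, the per-user-and-kind suppression key, the count of swallowed events carried in the next log, and the sample events are assumptions constructed for illustration.

```python
# Added example, not Huawei's code: a model of built-in Portal server log
# suppression. Timestamps are ints in seconds standing in for the device clock.
from collections import Counter


class PortalFailureLogger:
    """Emit at most one online/offline failure log per user per suppression period."""

    def __init__(self, enabled=True, period=1000):
        self.enabled = enabled          # page default: suppression is enabled
        self.period = period            # suppression period in seconds (page example: 1000)
        self.logs = []                  # (timestamp, user_mac, kind, failures suppressed since last log)
        self._last_logged = {}          # (user_mac, kind) -> timestamp of the last emitted log
        self._suppressed = Counter()    # (user_mac, kind) -> failures swallowed since that log

    def record_failure(self, timestamp, user_mac, kind):
        """Record one failed attempt; return True if a log was emitted, False if suppressed."""
        if kind not in ("online", "offline"):
            raise ValueError("kind must be 'online' or 'offline'")
        key = (user_mac, kind)
        last = self._last_logged.get(key)
        if self.enabled and last is not None and timestamp - last < self.period:
            # Same user, same failure kind, still inside the period: swallow it.
            self._suppressed[key] += 1
            return False
        # First failure, or the period has elapsed: emit a log and restart the period.
        self.logs.append((timestamp, user_mac, kind, self._suppressed[key]))
        self._last_logged[key] = timestamp
        self._suppressed[key] = 0
        return True

    def logs_per_user(self):
        """Failure logs per user: what log-based failure statistics would count."""
        return Counter(user_mac for _, user_mac, _, _ in self.logs)


# Constructed sample: one client retrying login every 20 s for two minutes and
# again much later, plus a second client that fails to go offline once.
SAMPLE_EVENTS = (
    [(t, "0002-0002-0002", "online") for t in range(0, 120, 20)]
    + [(1500, "0002-0002-0002", "online"), (60, "0003-0003-0003", "offline")]
)


def run_sample(enabled=True, period=1000):
    """Replay SAMPLE_EVENTS in time order and return the logger for inspection."""
    logger = PortalFailureLogger(enabled=enabled, period=period)
    for timestamp, user_mac, kind in sorted(SAMPLE_EVENTS):
        logger.record_failure(timestamp, user_mac, kind)
    return logger


if __name__ == "__main__":
    for enabled in (True, False):
        logger = run_sample(enabled=enabled)
        print(f"suppression {'on' if enabled else 'off'}: {len(logger.logs)} logs, per user {dict(logger.logs_per_user())}")
```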
Format
portal logout different-server enable
undo portal logout different-server enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
The user logout requests that a device can process must be sent by Portal servers
bound to an access interface. These servers include all the Portal servers
configured in the master and backup Portal server templates bound to the
interface.
Example
# Enable a device to process user logout requests from a Portal server other than
the one from which users log in.
<HUAWEI> system-view
[HUAWEI] portal logout different-server enable
Related Topics
13.4.73 display portal
Function
The portal logout resend timeout command configures the re-transmission times
and interval for the Portal authentication user logout packet.
The undo portal logout resend timeout command restores the default setting.
Format
portal logout resend times timeout period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After disconnecting a Portal authentication user, the device sends a user logout
packet (NTF-LOGOUT) to instruct the Portal server to delete the user information.
If the network between the device and Portal server is not stable or packets are
lost, the Portal server may fail to receive the user logout packet from the device
after the Portal authentication user is disconnected. In this case, the user is
displayed as disconnected on the device but still as online on the Portal server. To
enable the Portal server to receive the user logout packet and ensure that the
online user information on the Portal server is correct, the administrator can
enable the user logout packet re-transmission function on the device and
configure the re-transmission times and interval.
Example
# Configure the re-transmission times to 5 and interval to 10 seconds for the
Portal authentication user logout packet.
<HUAWEI> system-view
[HUAWEI] portal logout resend 5 timeout 10
Related Topics
13.4.73 display portal
13.4.80 display portal user-logout
Format
portal max-user user-number
undo portal max-user
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
You can run the portal max-user command to set the maximum number of
concurrent Portal authentication users.
Example
# Set the maximum number of concurrent Portal authentication users to 25.
<HUAWEI> system-view
[HUAWEI] portal max-user 25
The undo portal quiet-period command disables the quiet timer of Portal
authentication.
By default, the quiet timer for Portal authentication is enabled.
Format
portal quiet-period
undo portal quiet-period
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the portal quiet-period command is used to enable the quiet timer for
Portal authentication, if the number of Portal authentication failures exceeds the
value specified by the 13.4.164 portal quiet-times command, the device keeps
the Portal authentication user in quiet state for a period of time. During the quiet
period, the device discards Portal authentication requests from the user. This
prevents the impact of frequent authentications on the system.
The quiet period for Portal authentication can be set using the 13.4.165 portal
timer quiet-period command. After the quiet period is reached, the device re-
authenticates the user.
Example
# Enable the quiet timer for Portal authentication.
<HUAWEI> system-view
[HUAWEI] portal quiet-period
Format
portal quiet-times fail-times
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the 13.4.163 portal quiet-period command is used to enable the quiet
timer, if the number of Portal authentication failures exceeds the value specified
by the portal quiet-times command, the device keeps the Portal authentication
user in quiet state for a period of time. This prevents the impact of frequent
authentications on the system.
Example
# Set the maximum number of Portal authentication failures within 60 seconds to
4.
<HUAWEI> system-view
[HUAWEI] portal quiet-times 4
Function
The portal timer quiet-period command configures the quiet period for Portal
authentication users who fail to be authenticated.
The undo portal timer quiet-period command restores the default quiet period.
By default, the quiet period is 60 seconds for Portal authentication users who fail
to be authenticated.
Format
portal timer quiet-period quiet-period-value
undo portal timer quiet-period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If a Portal authentication user fails to be authenticated consecutively within a
short period, the system is affected and a large number of duplicated
authentication failure logs are generated.
After the quiet function is enabled using the 13.4.163 portal quiet-period
command, if the number of times that a Portal authentication user fails to be
authenticated within 60s exceeds the upper limit (configured using the 13.4.164
portal quiet-times command), the device discards the user's Portal authentication
request packets for a period to avoid frequent authentication failures.
Example
# Set the quiet period to 100 seconds for Portal authentication users who fail to
be authenticated.
<HUAWEI> system-view
[HUAWEI] portal timer quiet-period 100
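The quiet mechanism described across the portal quiet-period, portal quiet-times and portal timer quiet-period sections, modelled as an added example. This is illustration code, not Huawei's implementation: it reproduces only what the reference states (failures counted in a 60-second window, quiet state entered when the count exceeds fail-times, requests discarded until the quiet period elapses); the class, method and verdict names are assumptions.

```python
"""Model of the Portal authentication quiet timer.

Added illustration, not device code. It reproduces only the behaviour the
command reference states; names and the constructed event list are assumptions.
"""
from collections import defaultdict, deque


class PortalQuietTimer:
    # Assumed labels for the verdict the device reaches on each request.
    ACCEPTED = "authenticate"   # request passed on to Portal authentication
    DISCARDED = "discarded"     # request dropped while the user is in quiet state

    def __init__(self, quiet_enabled=True, quiet_times=4, quiet_period=60, window=60):
        self.quiet_enabled = quiet_enabled   # portal quiet-period / undo portal quiet-period
        self.quiet_times = quiet_times       # portal quiet-times fail-times
        self.quiet_period = quiet_period     # portal timer quiet-period (default 60 s)
        self.window = window                 # failures are counted within 60 s
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._quiet_until = {}               # user -> time at which quiet state ends

    def in_quiet_state(self, user, now):
        return self._quiet_until.get(user, 0) > now

    def request(self, user, now):
        """Decide what the device does with an authentication request at time `now`."""
        if self.quiet_enabled and self.in_quiet_state(user, now):
            return self.DISCARDED
        return self.ACCEPTED

    def auth_failed(self, user, now):
        """Record a failed authentication; True if the user just entered quiet state."""
        if not self.quiet_enabled:
            return False
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the 60 s window
        if len(recent) > self.quiet_times:   # "exceeds" the configured fail-times
            self._quiet_until[user] = now + self.quiet_period
            recent.clear()                   # counting restarts after the quiet period
            return True
        return False


def simulate(events, **config):
    """Replay (time, user, kind) events, kind being 'req' or 'fail'.

    Returns one (time, outcome) pair per event: 'authenticate'/'discarded' for
    requests, 'fail'/'quiet' for failures (quiet = user entered quiet state).
    """
    timer = PortalQuietTimer(**config)
    out = []
    for now, user, kind in events:
        if kind == "req":
            out.append((now, timer.request(user, now)))
        else:
            out.append((now, "quiet" if timer.auth_failed(user, now) else "fail"))
    return out


# Constructed sample: one client fails five times in 8 s. With quiet-times 4 and a
# 100 s quiet period (the values in the CLI examples above) the fifth failure at
# t=8 starts a quiet period that lasts until t=108.
SAMPLE_EVENTS = [(t, "client-a", "fail") for t in (0, 2, 4, 6, 8)] + [
    (9, "client-a", "req"),     # inside the quiet period: discarded
    (107, "client-a", "req"),   # still inside: discarded
    (108, "client-a", "req"),   # quiet period over: the device re-authenticates
]


def run_sample():
    return simulate(SAMPLE_EVENTS, quiet_times=4, quiet_period=100)


if __name__ == "__main__":
    for when, outcome in run_sample():
        print(f"t={when:3d}s  {outcome}")
```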
Format
portal timer offline-detect time-length
Parameters
Parameter Description Value
time-length | Specifies the Portal user offline detection interval. | The value is 0 or an integer that ranges from 30 to 7200, in seconds. The default value is 300. The value 0 indicates that offline detection is not performed.
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a Portal user goes offline due to power failure or network interruption, the
device and Portal server may still store the user information, which causes
incorrect accounting. Additionally, only a limited number of users can access the
device. If a user goes offline improperly but the device still stores the user
information, other users cannot access the network.
After the Portal user offline detection interval is set, if the user does not respond
within the interval, the device considers the Portal user offline. The device and
Portal server then delete the user information and release resources to ensure an
efficient resource use.
Precautions
If the number of offline detection packets (ARP packets) exceeds the default CAR
value, the detection fails and the users are logged out (The display cpu-defend
statistics command can be run to check whether ARP request and response
packets are lost.). To resolve the problem, the following methods are
recommended:
● Increase the detection interval based on the number of users. The default
detection interval is recommended when there are fewer than 8000 users; the
detection interval should be no less than 600 seconds when there are more
than 8000 users.
● Deploy the port attack defense function on the access device and limit the
rate of packets sent to the CPU.
If user traffic (such as service packets) passes through the device within the Portal
user offline detection period, the device does not consider the user offline even if
the user does not respond.
Example
# In the Portal access profile p1, set the offline detection interval of Portal
authentication users to 400s.
<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] portal timer offline-detect 400
Function
The portal url-encode enable command enables URL encoding and decoding.
The undo portal url-encode enable command disables URL encoding and
decoding.
NOTE
Format
portal url-encode enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To improve web application security, data from untrustworthy sources must be
encoded before being sent to clients. URL encoding is most commonly used in web
applications. To enable URL encoding and decoding, run the portal url-encode
enable command. Some special characters in redirected URLs are then converted
to secure formats, preventing clients from mistaking them for syntax signs or
instructions and unexpectedly modifying the original syntax. In this way, cross-site
scripting attacks and injection attacks are prevented.
Precautions
After the URL encoding and decoding function is enabled, some servers may not
support the escape characters converted from special characters in redirect URLs.
Therefore, check whether servers support the escape characters before configuring
special characters in redirect URLs.
Example
# Enable URL encoding and decoding.
<HUAWEI> system-view
[HUAWEI] portal url-encode enable
Related Topics
13.4.79 display portal url-encode configuration
Format
portal user-alarm percentage percent-lower-value percent-upper-value
undo portal user-alarm percentage
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After running the 13.4.162 portal max-user command to set the maximum
number of online Portal authentication users allowed on a device, you can run the
portal user-alarm percentage command to set alarm thresholds for the Portal
authentication user count percentage.
When the percentage of online Portal authentication users against the maximum
number of users allowed by the device exceeds the upper alarm threshold, the
device generates an alarm. When the percentage of online Portal authentication
users against the maximum number of users allowed by the device reaches or falls
below the lower alarm threshold later, the device generates a clear alarm.
If the configured upper alarm threshold for the Portal authentication user count
percentage is 100, the device generates an alarm when the number of online users
reaches the maximum number of users allowed by the device.
Example
# Set the lower alarm threshold for the Portal authentication user count
percentage to 30, and the upper alarm threshold for the Portal authentication
user count percentage to 80.
<HUAWEI> system-view
[HUAWEI] portal user-alarm percentage 30 80
Related Topics
13.4.162 portal max-user
Format
portal web-authen-server { http | https ssl-policy policy-name } [ port port-
number ]
undo portal web-authen-server [ port ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the device is connected to a Portal server that supports only the HTTP or
HTTPS protocol, you need to run the portal web-authen-server command on the
device to enable the Portal interconnection function of the HTTP or HTTPS
protocol.
Follow-up Procedure
Run the 13.4.172 protocol (Portal server template view) command to set the
protocol used in Portal authentication to HTTP or HTTPS.
Precautions
Modifying the port parameter causes the pre-connected user to go offline.
Example
# Enable the Portal interconnection function of the HTTPS protocol.
<HUAWEI> system-view
[HUAWEI] ssl policy huawei
[HUAWEI-ssl-policy-huawei] quit
[HUAWEI] portal web-authen-server https ssl-policy huawei port 8443
Related Topics
13.4.89 display web-auth-server configuration
Format
portal-access-profile access-profile-name
undo portal-access-profile
Parameters
Parameter Description Value
Views
Authentication profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
The Portal server has been configured for the Portal access profile:
● If the external Portal server is used, the Portal server profile used by the
Portal access profile has been configured using the 13.4.209 web-auth-server
(Portal access profile view) command.
● If the built-in Portal server is used, the built-in Portal server function of the
Portal access profile has been enabled using the 13.4.149 portal local-server
enable command.
Follow-up Procedure
Precautions
Example
# Bind the authentication profile portal_authen_profile1 to the Portal access
profile portal_access_profile1. The IP address of the Portal server is 192.168.10.1,
and Layer 2 Portal authentication is used.
<HUAWEI> system-view
[HUAWEI] web-auth-server server1
[HUAWEI-web-auth-server-server1] server-ip 192.168.10.1
[HUAWEI-web-auth-server-server1] quit
[HUAWEI] portal-access-profile name portal_access_profile1
[HUAWEI-portal-acces-profile-portal_access_profile1] web-auth-server server1 direct
[HUAWEI-portal-acces-profile-portal_access_profile1] quit
[HUAWEI] authentication-profile name portal_authen_profile1
[HUAWEI-authen-profile-portal_authen_profile1] portal-access-profile portal_access_profile1
Related Topics
13.4.61 display authentication-profile configuration
Function
The portal-access-profile command creates a portal access profile and displays
the portal access profile view.
Format
portal-access-profile name access-profile-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device uses portal access profiles to uniformly manage the access
configurations of all portal users. To perform portal authentication for the users
in an interface or VAP profile, bind the authentication profile applied to the
interface or VAP profile to a portal access profile.
Follow-up Procedure
Precautions
Example
# Create a portal access profile named portal_access_profile1.
<HUAWEI> system-view
[HUAWEI] portal-access-profile name portal_access_profile1
Related Topics
13.4.77 display portal-access-profile configuration
Function
The protocol command configures the protocol used in Portal authentication.
Format
protocol { http [ password-encrypt { none | uam } ] | portal }
undo protocol
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
In Portal authentication, the device can use the following protocols to
communicate with the Portal server. You can set the protocol according to the
protocol supported by the Portal server.
● Portal protocol
● HTTP or HTTPS protocol
Example
# Set the protocol used in Portal authentication to HTTP or HTTPS.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] protocol http password-encrypt uam
Function
The qos-profile command binds a QoS profile to a service scheme.
The undo qos-profile command unbinds the QoS profile from the service scheme.
NOTE
Format
qos-profile profile-name
Parameters
Parameter Description Value
profile-name | Specifies the name of the QoS profile bound to the service scheme. | The value must be the name of an existing QoS profile.
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After creating a service scheme using the 13.1.82 service-scheme (AAA view)
command, you can run the qos-profile command to bind a QoS profile to the
service scheme. The user assigned with the service scheme will have the attributes
in the QoS profile.
Precautions
For S5720EI, S6720EI, and S6720S-EI, if the user upstream rate limit is configured
in the QoS profile bound to a service scheme, do not configure the device to use
the service scheme to grant network access rights to users in the pre-connection
phase. Otherwise, users go offline.
The authorized downlink bandwidth limit delivered by the server has a low
priority, and will not take effect when it is configured together with an
authorization QoS attribute.
Example
# Bind the QoS profile abc to the service scheme huawei.
<HUAWEI> system-view
[HUAWEI] qos-profile name abc
[HUAWEI-qos-abc] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] qos-profile abc
Function
The reset aaa statistics access-type-authenreq command clears the statistics on
MAC, Portal, and 802.1X authentication requests.
Format
reset aaa statistics access-type-authenreq
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When users send authentication requests, the device collects statistics on the
number of MAC, Portal, and 802.1X authentications initiated.
To clear the statistics on MAC, Portal, and 802.1X authentication requests, run
the reset aaa statistics access-type-authenreq command.
Example
# Clear the statistics on MAC, Portal, and 802.1X authentication requests.
<HUAWEI> reset aaa statistics access-type-authenreq
Format
reset dot1x statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
The 802.1X authentication statistics contain the number of times that the
authentication succeeded and failed and the number of sent and received packets.
Example
# Clear 802.1X authentication statistics.
<HUAWEI> reset dot1x statistics
Related Topics
13.4.63 display dot1x
Function
The reset mac-authen statistics command clears MAC address authentication
statistics.
Format
reset mac-authen statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
The reset mac-authen statistics command is used in the following scenarios:
● Re-deploy services. After the statistics are cleared, collect the MAC address
authentication statistics again, and run the 13.4.71 display mac-authen
command to check whether the authentication function is normal.
● Rectify a fault. After the fault is rectified, run the reset mac-authen statistics
command to clear statistics, collect MAC address authentication statistics
again, and run the 13.4.71 display mac-authen command to check the
authentication result. If the authentication is successful, the fault is rectified.
Example
# Clear MAC address authentication statistics.
<HUAWEI> reset mac-authen statistics
Related Topics
13.4.71 display mac-authen
NOTE
Format
reset access-user dot1x-identity statistics
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
To display statistics about Identity packets for wireless 802.1X authentication on a
switch within a specified period of time, run the reset access-user dot1x-identity
statistics command to clear the existing statistics first, and then run the 13.4.54
display access-user dot1x-identity statistics command to display the new
statistics.
Example
# Clear statistics about Identity packets for wireless 802.1X authentication on the
switch.
<HUAWEI> system-view
[HUAWEI] reset access-user dot1x-identity statistics
Function
The reset access-user traffic-statistics command clears statistics on traffic of
users.
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.
Format
reset access-user traffic-statistics { user-id begin-id [ end-id ] | mac-address
mac-address | ip-address ip-address [ vpn-instance vpn-instance ] }
Parameters
Parameter Description Value
user-id begin-id [ end-id ] | Specifies IDs of online users. begin-id indicates the ID of the start user. end-id indicates the ID of the end user; the value of end-id must be equal to or greater than that of begin-id. | The value is an integer that varies depending on the product model.
mac-address mac-address | Specifies the MAC address of an online user. | The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits.
Views
User view
Default Level
3: Management level
Usage Guidelines
After traffic policing is configured in a service scheme, the device collects traffic
statistics for the users assigned with the service scheme. You can run the reset
access-user traffic-statistics command to clear traffic statistics of online users.
Example
# Clear statistics on traffic of the user with the IP address 10.1.1.1.
<HUAWEI> reset access-user traffic-statistics ip-address 10.1.1.1
NOTE
Format
rule rule-id { mac mac-address mask { mask-length | mask } | dhcp-option
option-id { sub-match | all-match } { ascii option-text | hex option-hex-string } |
user-agent { sub-match | all-match } user-agent-text }
undo rule rule-id
Parameters
Parameter Description Value
mask { mask-length | mask } | Indicates the mask or mask length of a terminal MAC address. | The value of mask is in H-H-H format. An H is a hexadecimal number of 4 digits. The value of mask-length is an integer that ranges from 1 to 48.
hex option-hex-string | Specifies the Option information that a terminal must match as a hexadecimal string. | The value is a string of 1 to 254 case-insensitive characters without spaces.
Views
Terminal type identification profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A terminal type identification rule is set based on the terminal's MAC address, UA,
and DHCP Option information.
● Match the first 24 bits of a terminal's MAC address, which is known as the
Organizationally Unique Identifier (OUI), to identify the corresponding
manufacturer.
● Use the UA information carried in HTTP packets from a terminal to identify
the operating system and its version, the CPU type, browser type, and browser
version.
● Use the manufacturer information carried in Option12, Option55, and
Option60 in DHCP packets from a terminal to identify the terminal's host
name and manufacturer type.
A terminal type can be identified by checking whether the terminal information
matches the identification rule configured. Once the identification is performed,
user rights can be delivered or access control can be implemented based on
terminal types.
Precautions
● To match an identification rule, the terminal information must match all the
configuration items in the rule.
● If the specified rule-id already exists and the new rule conflicts with the
original rule, the new rule replaces the original one in the conflicting part,
which is the same as editing an existing rule.
● To modify an existing rule with a given rule-id, delete the old rule and create a
new rule. Otherwise, the configuration result may be incorrect.
Example
# Configure terminal type identification rule 1 in the terminal type identification
profile huawei.
<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] rule 1 mac 0046-4b59-1ee0 mask 12
Related Topics
13.4.62 display device-profile
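The matching semantics of the rule command above (MAC under a mask length or an H-H-H mask, UA and DHCP Option text as sub-match or all-match, and every configured item of a rule having to match), as an added example. This is illustration code, not the switch's implementation; the function names and the constructed terminal records are assumptions.

```python
"""Matcher for terminal type identification rules.

Added illustration, not device code. Rules are plain dicts mirroring the CLI
keywords; terminals are dicts with 'mac', 'user-agent' and 'dhcp' (option id ->
raw bytes) keys. All names here are assumptions for this example.
"""
import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,4}-[0-9a-fA-F]{1,4}-[0-9a-fA-F]{1,4}$")


def mac_to_int(mac):
    """Parse H-H-H notation (each H is 1 to 4 hex digits) into a 48-bit integer."""
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC %r" % mac)
    return int("".join(part.zfill(4) for part in mac.split("-")), 16)


def mac_mask_to_int(mask):
    """A mask is either a bit length (1..48) or an H-H-H mask with 4-digit groups."""
    if isinstance(mask, int):
        if not 1 <= mask <= 48:
            raise ValueError("mask-length must be in 1..48")
        return ((1 << mask) - 1) << (48 - mask)
    if not all(len(p) == 4 for p in mask.split("-")):
        raise ValueError("an H-H-H mask needs 4 hex digits per group")
    return mac_to_int(mask)


def match_mac(rule_mac, mask, terminal_mac):
    """True when rule MAC and terminal MAC agree on every masked bit (e.g. the OUI)."""
    m = mac_mask_to_int(mask)
    return (mac_to_int(rule_mac) & m) == (mac_to_int(terminal_mac) & m)


def match_text(mode, expected, actual):
    """sub-match: expected is contained in actual; all-match: exact equality."""
    if actual is None:
        return False
    if mode == "sub-match":
        return expected in actual
    if mode == "all-match":
        return expected == actual
    raise ValueError("mode must be sub-match or all-match")


def match_dhcp_option(mode, encoding, expected, option_bytes):
    """Compare a DHCP option value given as ascii text or a case-insensitive hex string."""
    if option_bytes is None:
        return False
    if encoding == "ascii":
        return match_text(mode, expected, option_bytes.decode("latin-1"))
    if encoding == "hex":
        return match_text(mode, expected.lower(), option_bytes.hex())
    raise ValueError("encoding must be ascii or hex")


def rule_matches(rule, terminal):
    """Every item configured in the rule must match; a rule with no items matches nothing."""
    checks = []
    if "mac" in rule:
        mac = terminal.get("mac")
        checks.append(mac is not None and match_mac(rule["mac"], rule["mask"], mac))
    if "user-agent" in rule:
        mode, text = rule["user-agent"]
        checks.append(match_text(mode, text, terminal.get("user-agent")))
    if "dhcp-option" in rule:
        opt_id, mode, enc, text = rule["dhcp-option"]
        checks.append(match_dhcp_option(mode, enc, text, terminal.get("dhcp", {}).get(opt_id)))
    return bool(checks) and all(checks)


# Constructed rules: rule 1 is the page's own CLI example (mac ... mask 12); rule 2
# combines an OUI match with a UA sub-match; rule 3 keys on DHCP Option 12 (host name).
RULES = {
    1: {"mac": "0046-4b59-1ee0", "mask": 12},
    2: {"mac": "0046-4b59-1ee0", "mask": 24, "user-agent": ("sub-match", "Android")},
    3: {"dhcp-option": (12, "all-match", "ascii", "printer-01")},
}


def classify(terminal, rules=RULES):
    """Return the ids of all rules the terminal satisfies, lowest id first."""
    return [rid for rid, rule in sorted(rules.items()) if rule_matches(rule, terminal)]
```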
13.4.180 server-detect
Function
The server-detect command enables the Portal server detection function.
The undo server-detect command disables the Portal server detection function.
Format
server-detect [ interval interval-period | max-times times | critical-num critical-
num | action { log | trap } * ] *
Parameters
Parameter Description Value
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
If the communication is interrupted because the network between the device and
Portal server is faulty or the Portal server is faulty, new Portal authentication users
cannot go online. This brings great inconvenience to users.
After the Portal server detection function is enabled in the Portal server profile,
the device detects all Portal servers configured in the Portal server profile. If the
number of times that the device fails to detect a Portal server exceeds the upper
limit, the status of the Portal server is changed from Up to Down. If the number of
Portal servers in Up state is less than or equal to the minimum number (specified
by the critical-num parameter), the device performs the corresponding operation
to allow the administrator to obtain the real-time Portal server status or ensure
that the users have certain network access rights.
NOTE
The detection interval of the Portal server multiplied by the maximum number of detection
failures cannot be less than the keepalive heartbeat interval of the Portal server. It is
recommended that the configured detection interval of the Portal server be greater than
the keepalive heartbeat interval of the Portal server.
Example
# Enable the Portal server detection and keepalive function in the Portal server
profile abc, set the detection interval to 100s, set the maximum number of failures
to 5, and specify the log sent after the number of failures exceeds the limit.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-detect interval 100 max-times 5 action log
Related Topics
13.4.202 user-sync
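The detection state machine described in the server-detect section, as an added example that is not Huawei code. It reproduces only what the reference states (failures past max-times flip a server from Up to Down, and the log/trap action fires when the number of Up servers is at or below critical-num) together with the NOTE's constraint between interval, max-times and the keepalive interval; counting consecutive failures only, recovery on a successful probe, and all names are assumptions.

```python
"""Model of Portal server detection (server-detect) in a Portal server profile.

Added illustration, not device code. The consecutive-failure counting, the
recovery rule and the names are assumptions made for this example.
"""


def validate_server_detect(interval, max_times, keepalive):
    """Apply the NOTE above. Returns a list of 'error:'/'warning:' strings (empty = fine).

    interval * max-times may not be less than the Portal server's keepalive
    heartbeat interval; an interval greater than the keepalive interval is recommended.
    """
    findings = []
    if interval * max_times < keepalive:
        findings.append("error: interval x max-times (%d s) is less than the keepalive "
                        "interval (%d s)" % (interval * max_times, keepalive))
    if interval <= keepalive:
        findings.append("warning: interval (%d s) is not greater than the keepalive "
                        "interval (%d s)" % (interval, keepalive))
    return findings


class PortalServerDetect:
    def __init__(self, servers, max_times=3, critical_num=0, actions=("log",)):
        self.max_times = max_times        # server-detect max-times
        self.critical_num = critical_num  # server-detect critical-num
        self.actions = actions            # server-detect action { log | trap } *
        self.status = {s: "Up" for s in servers}
        self.failures = {s: 0 for s in servers}   # consecutive failed probes (assumption)

    def up_count(self):
        return sum(1 for st in self.status.values() if st == "Up")

    def probe(self, server, reachable):
        """Apply one detection result; returns the events the device would raise."""
        events = []
        if reachable:
            self.failures[server] = 0
            if self.status[server] == "Down":      # assumed recovery rule
                self.status[server] = "Up"
                events.append("%s: Down -> Up" % server)
            return events
        self.failures[server] += 1
        if self.status[server] == "Up" and self.failures[server] > self.max_times:
            self.status[server] = "Down"
            events.append("%s: Up -> Down" % server)
            if self.up_count() <= self.critical_num:
                for action in self.actions:
                    events.append("%s: Portal servers Up = %d <= critical-num %d"
                                  % (action, self.up_count(), self.critical_num))
        return events


def run_sample():
    """Constructed scenario: profile with two servers, max-times 5 as in the CLI example."""
    det = PortalServerDetect(["10.10.10.1", "10.10.10.2"], max_times=5,
                             critical_num=1, actions=("log",))
    log = []
    for _ in range(6):                       # sixth consecutive failure exceeds max-times 5
        log += det.probe("10.10.10.2", False)
    log += det.probe("10.10.10.2", True)     # server answers again
    return log, dict(det.status)


if __name__ == "__main__":
    print(validate_server_detect(100, 5, 60))
    for line in run_sample()[0]:
        print(line)
```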
Function
The server-ip command configures an IP address for a Portal server.
Format
server-ip server-ip-address &<1-10>
Parameters
Parameter Description Value
server-ip-address | Specifies an IP address of a Portal server. | The value is in dotted decimal notation.
all | Deletes all IP addresses of a Portal server. | -
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After creating a Portal server profile on the device using the 13.4.211 web-auth-
server (system view) command, configure parameters for the template.
Run the server-ip command to configure an IP address for the Portal server in the
Portal server profile view. When receiving a Portal authentication request packet
from a user, the device sends a response packet to the Portal server with the
configured IP address. Multiple IP addresses can be configured in a Portal server
profile. This configuration allows Portal authentication users to access the same
Portal authentication page using multiple IP addresses, making the authentication
process more flexible.
Precautions
● After the IP address corresponding to a Portal server is configured in the
Portal server profile, users are allowed to access the IP address.
● If multiple IP addresses are configured for a Portal server in the Portal server
profile, you are advised to run the 13.4.197 url (Portal server profile view)
command to configure a URL for the Portal server. If no URL is configured, the
device uses the first IP address as the URL by default, and the other IP
addresses do not take effect. When the switch functions as the AC, server IP
addresses are automatically delivered to the AP and authentication-free rules
are generated. Currently, only four server IP addresses take effect on the AP.
Example
# Set the Portal server IP address in the Portal server profile huawei to 10.10.10.1.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] server-ip 10.10.10.1
Related Topics
13.4.89 display web-auth-server configuration
Function
The shared-key command configures the shared key that the device uses to
exchange information with a Portal server.
By default, no shared key that the device uses to exchange information with a
Portal server is configured.
Format
shared-key cipher key-string
undo shared-key
Parameters
Parameter Description Value
cipher | Displays a shared key in cipher text. | -
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a shared key is configured using the shared-key command, the Portal packet
exchanged between the device and Portal server carries an authenticator
generated according to the shared key, and the authenticator is used to check
whether the Portal packet at the receiver is correct. This effectively improves the
information exchange security.
Precautions
For security purposes, it is recommended that the password contains at least two
types of lower-case letters, upper-case letters, numerals, and special characters,
and contains at least 6 characters.
Example
# Configure the shared key in the Portal server profile huawei to huawei@123.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] shared-key cipher huawei@123
Related Topics
13.4.89 display web-auth-server configuration
Format
source-ip ip-address
undo source-ip
Parameters
Parameter Description Value
ip-address | Specifies the source IP address for communication with a Portal server. | The value is in dotted decimal notation.
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To ensure normal communication between the device and Portal server, run the
source-ip command to configure a source IP address on the device.
Example
# Set the source IP address for communication between the device and a Portal
server to 192.168.1.100 in the Portal server profile huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] source-ip 192.168.1.100
Function
The source-interface command configures an IP address of a specified interface
as the source IP address used by the device to communicate with the Portal server.
The undo source-interface command restores the default configuration.
By default, no source IP address is configured for the device.
Format
source-interface interface-type interface-number
undo source-interface
Parameters
Parameter Description Value
interface-type interface-number | Configures an IP address of a specified interface as the source IP address used by the device to communicate with the Portal server. interface-type specifies the interface type (NOTE: the interface must be a loopback interface). interface-number specifies the interface number. | -
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To enable the device to communicate with the Portal server normally, ensure that
the source IP address in the packets sent by the device to the Portal server is
consistent with the device IP address configured on the Portal server. By default,
the device uses the IP address of an outbound interface as the source IP address to
communicate with the Portal server. When there are multiple outbound interfaces
and the outbound interface sending packets changes, the source IP address in the
packets sent by the device to the Portal server becomes inconsistent with the
device IP address configured on the Portal server. In this situation, communication
between the device and Portal server is interrupted. To address this problem, run
the source-interface command on the device to specify the IP address of a
loopback interface as the source IP address used by the device to communicate
with the Portal server.
Precautions
Example
# Configure an IP address of a specified interface as the source IP address used by
the device to communicate with the Portal server.
<HUAWEI> system-view
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 10.1.2.25 24
[HUAWEI-LoopBack1] quit
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] source-interface loopback 1
13.4.185 static-user
Function
The static-user command configures a static user.
Format
static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-
name ] [ ip-user ] [ domain-name domain-name | interface interface-type
interface-number [ detect ] | mac-address mac-address | vlan vlan-id ] *
undo static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-
name ]
NOTE
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.
After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.
When ip-user is specified, IP addresses are used to identify static users and control
their permission.
● When some terminals have multiple IP addresses and one MAC address, and
they can access the network only after each IP address is authenticated,
specify the ip-user parameter to identify these users and configure the ip-
static-user enable command in the authentication template bound to the
user access interfaces.
● When all terminals have multiple IP addresses and can access the network
only after each IP address is authenticated, only configure the ip-static-user
enable command in the authentication template bound to the user access
interfaces.
Precautions
When the interface (interface interface-type interface-number) mapping static
users is specified, the VLAN (vlan vlan-id) to which the interface belongs must be
configured.
This function takes effect only for users who go online after this function is
successfully configured.
Static users are not allowed to change their IP addresses; otherwise, the users go
offline.
IP addresses can be used to identify static users and control their permission
only when the ip-user parameter is configured for the static users and they
connect to interfaces bound to an authentication template in which the
ip-static-user enable command is configured.
After this command is configured to specify the VLAN to which a static user
belongs, and the user is authenticated and the VLAN is authorized, if the
authorized VLAN is different from the previously specified VLAN, the user is added
to the new authorized VLAN and is no longer a static user.
When the command is configured on the UC device and directly delivered to the
ASs in the SVF scenario, the command must be in the following format:
static-user start-ip-address [ end-ip-address ] { vlan vlan-id | mac-address mac-address }
or static-user start-ip-address [ end-ip-address ] vlan vlan-id mac-address mac-address.
Example
# Configure the IP address range of 10.1.1.1 to 10.1.1.10, authentication domain
huawei, and VLAN 10 for static users.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] static-user 10.1.1.1 10.1.1.10 domain-name huawei vlan 10
Related Topics
13.4.187 static-user username format-include
13.4.186 static-user password
13.4.82 display static-user
Format
static-user password cipher password
undo static-user password
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a static user triggers authentication through an ARP packet, you can run
the static-user password command to set the password for the static user. The
access device then sends the password to the authentication server.
Precautions
To improve security, change the default password immediately and update the
password periodically. It is recommended that the new password contain at least
two of the following character types: lower-case letters, upper-case letters,
numerals, and special characters, and that it contain at least 6 characters.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# Set huawei@123 as the static user password for authentication.
<HUAWEI> system-view
[HUAWEI] static-user password cipher huawei@123
Related Topics
13.4.185 static-user
13.4.187 static-user username format-include
13.4.82 display static-user
Format
static-user username format-include { ip-address | mac-address | system-name }
undo static-user username format-include
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a static user triggers authentication through an ARP packet, you can run
the static-user username format-include command to set the user name for the
static user. The access device then sends the user name to the authentication
server.
NOTE
If the user name of a static user contains a device name whose length exceeds 16 bytes, the
system uses only the first 16 bytes of the device name.
This function takes effect only for users who go online after this function is successfully
configured.
Example
# Set the user IP address as the static user name for authentication.
<HUAWEI> system-view
[HUAWEI] static-user username format-include ip-address
Related Topics
13.4.185 static-user
13.4.186 static-user password
13.4.82 display static-user
Function
The snmp-agent trap enable feature-name mid_aaa command enables the trap
function for the AAA module.
Format
snmp-agent trap enable feature-name mid_aaa [ trap-name
{ hwmacmovedquietmaxuseralarm | hwmacmovedquietuserclearalarm } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwmacmovedquietmaxuseralarm of the AAA
module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_aaa trap-name
hwmacmovedquietmaxuseralarm
Related Topics
13.4.86 display snmp-agent trap feature-name mid_aaa all
Function
The snmp-agent trap enable feature-name mid_eapol command enables the
trap function for the DOT1X module.
Format
snmp-agent trap enable feature-name mid_eapol [ trap-name
{ hwmacauthenmaxuseralarm | hwsrvcfgeapmaxuseralarm } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwmacauthenmaxuseralarm of the DOT1X module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_eapol trap-name hwmacauthenmaxuseralarm
Related Topics
13.4.87 display snmp-agent trap feature-name mid_eapol all
Function
The snmp-agent trap enable feature-name mid_web command enables the trap
function for the web authentication module.
By default, the trap function is enabled for the web authentication module.
Format
snmp-agent trap enable feature-name mid_web [ trap-name
{ hwportalmaxuseralarm | hwportaluserclearalarm | hwportalserverdown |
hwportalserverup } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwportalmaxuseralarm of the web authentication
module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_web trap-name hwportalmaxuseralarm
Related Topics
13.4.88 display snmp-agent trap feature-name mid_web all
Function
The traffic-filter acl command configures ACL-based packet filtering.
The undo traffic-filter acl command deletes the ACL configured for packet
filtering.
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
traffic-filter inbound acl { acl-number | name acl-name }
undo traffic-filter inbound acl { acl-number | name acl-name }
Parameters
Parameter | Description | Value
inbound | Configures packet filtering in the inbound direction of the interface. | -
acl-number | Specifies the ID of the user ACL configured for packet filtering. | The user ACL must exist.
name acl-name | Specifies the name of the user ACL configured for packet filtering. | The user ACL must exist.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In NAC network deployment, you can run the 13.4.195 ucl-group command to
classify users and configure user ACL rules numbered from 6000 to 9999. You can
then implement intra-group isolation (users in a group cannot communicate with
each other) and inter-group isolation (users in a user group cannot
communicate with users in other user groups), and control network access rights
based on the UCL group.
After configuring ACL rules 6000 to 9999, you must run the traffic-filter acl
command to configure ACL-based packet filtering. The ACL rules then can take
effect for the users in the UCL group.
Precautions
If the user ACL specified in the traffic-filter inbound acl command or the user
ACL delivered by the authentication server is incorrectly configured to block all
user traffic, the switch cannot be connected and network-side protocols such as
OSPF and BGP are interrupted.
Example
# Configure the device to filter the packets in the inbound direction of the
interface based on ACL 6001.
<HUAWEI> system-view
[HUAWEI] traffic-filter inbound acl 6001
Related Topics
13.4.195 ucl-group
14.1.5 acl (system view)
14.1.22 rule (user ACL view)
Function
The traffic-redirect acl command configures ACL-based packet redirection.
The undo traffic-redirect acl command deletes the ACL configured for packet
redirection.
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In NAC network deployment, you can run the 13.4.195 ucl-group command to
classify users and configure user ACL rules numbered from 6000 to 9999. You can
then implement intra-group isolation (users in a group cannot communicate with
each other) and inter-group isolation (users in a user group cannot
communicate with users in other user groups), and control network access rights
based on the UCL group.
After configuring ACL rules 6000 to 9999, you can run the traffic-redirect acl
command to configure ACL-based packet redirection. The ACL rules then can take
effect for the users in the UCL group.
When the traffic-redirect command and the traffic-filter acl command are used
simultaneously, and the two commands are associated with the same ACL rule:
● If the deny action is configured in the ACL rule, traffic is discarded.
● If the permit action is configured in the ACL rule, traffic is redirected.
Precautions
Example
# Configure the device to redirect the packets in the inbound direction of the
interface based on ACL 6001.
<HUAWEI> system-view
[HUAWEI] traffic-redirect inbound acl 6001 ip-nexthop 192.168.1.1
Related Topics
13.4.195 ucl-group
14.1.5 acl (system view)
14.1.22 rule (user ACL view)
NOTE
This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
ucl-group { group-index | name group-name }
undo ucl-group
Parameters
Parameter | Description | Value
group-index | Specifies the index of a UCL group. | The UCL group must exist.
name group-name | Specifies the name of a UCL group. | The UCL group must exist.
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After creating a service scheme using the 13.1.82 service-scheme (AAA view)
command, you can run the ucl-group command to bind a UCL group to the
service scheme. The user assigned with the service scheme will have the functions
of the UCL group.
Prerequisites
A UCL group has been created using the 13.4.195 ucl-group command.
Example
# Bind the UCL group abc to the service scheme huawei.
<HUAWEI> system-view
[HUAWEI] ucl-group 10 name abc
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] ucl-group name abc
Related Topics
13.1.82 service-scheme (AAA view)
13.4.194 ucl-group ip
Function
The ucl-group ip command configures a static UCL group. The static UCL group is
also called the static resource group.
The undo ucl-group ip command deletes the configured static UCL group.
By default, no static UCL group is configured.
NOTE
The static UCL group is only supported by S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name }
undo ucl-group ip { ip-address { mask-length | ip-mask } | group-index | name group-name | all }
Parameters
Parameter | Description | Value
ip-address | Specifies the IP address of a static UCL group. NOTE: You can specify the IP address configured for the local device. | The value is in dotted decimal notation.
name group-name | Specifies the name of a static UCL group. | The value must be an existing UCL group name on the device.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a static UCL group is created for a resource server, the user access policies
can be managed based on the static UCL group to simplify network deployment.
Prerequisites
A UCL group has been created using the 13.4.195 ucl-group command.
Precautions
In the agile network ubiquitous service solution, this command does not need to
be run on the device, and it is configured on the controller and delivered to the
device.
UCL groups do not support IP address overlapping. The device cannot allocate
users or resources with the same IP addresses in different VPNs to different UCL
groups, and can only allocate these users or resources to the same UCL group.
Example
# Configure the static UCL group named email with the IP address 10.1.1.1/24.
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name email
[HUAWEI] ucl-group ip 10.1.1.1 24 name email
13.4.195 ucl-group
Function
The ucl-group command creates a UCL group.
The undo ucl-group command deletes the configured UCL group.
By default, no UCL group is created.
NOTE
UCL group is only supported by the S5720EI, S5720HI, S6720EI, and S6720S-EI.
Format
ucl-group group-index [ name group-name ]
undo ucl-group { all | group-index | name group-name }
Parameters
Parameter | Description | Value
group-index | Specifies the index of a UCL group. | The value is an integer that ranges from 1 to 48 for S5720EI, S6720EI, and S6720S-EI, and from 1 to 64000 for S5720HI.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In NAC network deployment, there are a large number of users and each user
may be configured with many ACL rules. The ACL resources on the device are
limited and therefore are insufficient to meet the demand of each user. If ACL
rules are independently deployed for each user, the workload is heavy.
In actual NAC application, there are a large number of access users but the user
types (users of a type have the same network access rights) are limited. The users
can be classified using UCL groups (which identify user types), and a set of ACL
rules is deployed for users of the same type.
After you create UCL groups on the device and configure a UCL group for a user
on the authentication server, the authentication server delivers the user's UCL
group to the device when authenticating the user. In this way, the device obtains
the mapping between users and UCL groups, and accordingly adds users to
different UCL groups so that the users in each group can share the same ACL
rules.
Follow-up Procedure
A UCL group only identifies a user type and does not control users' network access
rights. To control the network access rights, you must first configure ACL rules
numbered from 6000 to 9999 and then configure ACL-based packet filtering.
1. Run the 14.1.5 acl (system view) command to create an ACL with the
number range of 6000 to 9999.
2. Run the 14.1.22 rule (user ACL view) to create rules for the ACL.
3. Run the 13.4.191 traffic-filter acl command to configure ACL-based packet
filtering.
Precautions
Example
# Create a UCL group named abc with the group ID 10.
<HUAWEI> system-view
[HUAWEI] ucl-group 10 name abc
Related Topics
14.1.5 acl (system view)
14.1.22 rule (user ACL view)
13.4.191 traffic-filter acl
Function
The url command configures the redirection URL or pushed URL.
The undo url command cancels the redirection URL or pushed URL.
Format
url [ push-only | redirect-only ] url-string [ ssid ssid ]
NOTE
Parameters
Parameter | Description | Value
ssid ssid | Specifies the SSID that users associate with. This parameter is only valid for wireless access users. The SSID that users associate with must be the same as that configured on the device; otherwise, the device cannot push URLs to users. | The SSID must already exist.
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a URL template is created using the 13.4.200 url-template name command,
you can run this command to configure the redirection URL or pushed URL. The
difference between redirection URL and pushed URL is as follows.
● Redirection URL: When a user without network access right connects to the
network, the Portal authentication device redirects the user to the redirection
URL for authentication.
● Pushed URL: After an authenticated user accesses the network through web
for the first time, the access device pushes the web page corresponding to the
URL to the user. The web access request from the user is redirected to the
specified URL, and then the user is allowed to access network resources.
When configuring a URL on the device, you cannot enter a question mark (?). If a
URL contains a question mark (?), you can run the parameter start-mark #
command in the URL template view to replace the question mark (?) with the
number sign (#).
Precautions
If the push-only and redirect-only parameters are not specified, the configured
URL is used as both redirection URL and pushed URL. You can configure pushed
URL using the 13.4.119 force-push command, or use the 13.4.201 url-template
(Portal server profile view) command to bind a URL template to the Portal
server profile to configure redirection URL.
Example
# Set the redirection URL to http://10.1.1.1.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url http://10.1.1.1
Function
The url command configures the URL for a Portal server.
Format
url url-string
undo url
Parameters
Parameter | Description | Value
url-string | Specifies the URL of a portal server. | It is a string of 1 to 200 case-sensitive characters that do not contain spaces and question marks (?). When double quotation marks are used around the string, spaces are allowed in the string.
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the Portal server IP address is configured using the 13.4.181 server-ip
(Portal server profile view) command, the Portal server URL is generated by
default on the device. If the existing Portal server URL is inconsistent with the
default one or the domain name needs to be used, you need to run the url
command to specify the Portal server URL.
Precautions
A Portal server only has one URL.
Example
# Set the URL of a Portal server to http://www.***.com in the Portal server profile
huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] url http://www.***.com
Related Topics
13.4.89 display web-auth-server configuration
Format
url-parameter mac-address format delimiter delimiter { normal | compact }
undo url-parameter mac-address format
Parameters
Parameter Description Value
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
Portal servers or websites may require different MAC address formats. You can run
the url-parameter mac-address format command to set MAC address formats in
URL to meet the requirements of Portal servers or website.
Example
# Set the delimiter to - and format to XXXX-XXXX-XXXX.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url-parameter mac-address format delimiter - compact
13.4.199 url-parameter
Function
The url-parameter command sets parameters in a URL.
Format
url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | ssid ssid-value | login-url url-key url | redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value } *
undo url-parameter
NOTE
The ac-ip ac-ip-value, ac-mac ac-mac-value, ap-ip ap-ip-value, ap-mac ap-mac-value, and
ssid ssid-value parameters are only supported by the S5720HI.
Parameters
Parameter | Description | Value
ac-ip ac-ip-value | Specifies the IP address of the AC carried in the URL and sets the parameter name displayed in the URL. This parameter applies only to wireless users. By default, the value of device-ip carried in the URL is the CAPWAP gateway address. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
ac-mac ac-mac-value | Specifies the MAC address of the AC carried in the URL and sets the parameter name displayed in the URL. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
ap-ip ap-ip-value | Specifies the AP IP address carried in the URL and sets the parameter name. This parameter is only valid for wireless access users. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
ap-mac ap-mac-value | Specifies the AP MAC address carried in the URL and sets the parameter name. This parameter is only valid for wireless access users. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
ssid ssid-value | Specifies the SSID that users associate with carried in the URL and sets the parameter name. This parameter is only valid for wireless access users. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
login-url url-key url | Specifies the login URL of the access device. url-key: specifies the identification keyword for the login URL sent to the Portal server during redirection. url: is a specified URL on the access device. | url-key: The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=). url: The value is a string of 1 to 200 case-sensitive characters without spaces.
redirect-url redirect-url-value | Specifies the original URL that a user accesses carried in the URL and sets the parameter name. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
sysname sysname-value | Specifies the device system name carried in the URL and sets the parameter name. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
user-mac user-mac-value | Specifies the user MAC address carried in the URL and sets the parameter name. | The value is a string of 1 to 16 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a URL template is created using the 13.4.200 url-template name command
and URL is configured using the 13.4.196 url (URL template view) command,
you can use the url-parameter command to set the parameters in the URL. When
a user accesses the Portal server according to the URL, the Portal server obtains
user terminal information through the parameters in the URL. The Portal server
then provides the corresponding web authentication page for the user according
to user terminal information.
In addition, when users are pushed to a website rather than the Portal server
according to the URL, the website provides the different web pages for the users
according to user terminal information carried in the URL.
Precautions
URL parameter names configured on the device must be the same as those
supported by the server. The following table lists the names used when the device
is connected to the Agile Controller-Campus.
URL Parameter | URL Parameter Name Supported by the Agile Controller-Campus
ac-ip | ac-ip
ap-mac | apmac
ssid | ssid
redirect-url | url
user-ipaddress | userip
user-mac | usermac
Example
# Set the user MAC address and access device system name in the URL.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url-parameter user-mac usermac sysname huawei
Function
The url-template name command creates a URL template or displays an existing
URL template view.
Format
url-template name template-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a Portal authentication server template is created using the 13.4.211
web-auth-server (system view) command, you can bind a URL template to the Portal
authentication server template. The URL template contains the redirection URL
and redirection URL parameters.
Example
# Create a URL template named huawei and enter the template view.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
Function
The url-template command binds a URL template to a Portal server profile.
The undo url-template command unbinds a URL template from a Portal server
profile.
Format
url-template url-template [ ciphered-parameter-name ciphered-parameter-name iv-parameter-name iv-parameter-name key cipher key-string ]
undo url-template
Parameters
Parameter | Description | Value
key cipher key-string | Specifies the shared key for encrypting the URL template parameter. | The value is a string of 1 to 16 plain-text characters or 48 cipher-text characters.
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the parameters of a URL template are configured, the URL template must be
bound to a Portal authentication server template so that users can be
authenticated on the Portal authentication server corresponding to the redirection
URL.
To ensure security, you can encrypt the parameter information in the URL
template bound to the Portal server profile.
Prerequisites
A URL template has been created using the 13.4.200 url-template name
command.
Precautions
If a URL template is bound to the Portal authentication server template and the
13.4.197 url (Portal server profile view) command is executed to configure the
redirection URL corresponding to the Portal authentication server, only the
parameters in the URL template take effect.
The URL configured using the 13.4.196 url (URL template view) command in the
URL template view cannot be a pushed URL; otherwise, the command does not
take effect.
The device supports encryption of parameter information in the URL template only
when it connects to the Huawei Agile Controller-Campus.
Example
# Bind the URL template abc to the Portal authentication server template.
<HUAWEI> system-view
[HUAWEI] url-template name abc
[HUAWEI-url-template-abc] quit
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] url-template abc
13.4.202 user-sync
Function
The user-sync command enables Portal authentication user information
synchronization.
The undo user-sync command disables Portal authentication user information
synchronization.
By default, Portal authentication user information synchronization is disabled.
Format
user-sync [ interval interval-period | max-times times ] *
undo user-sync
Parameters
Parameter | Description | Value
interval interval-period | Specifies the user information synchronization interval. | The value is an integer that ranges from 30 to 65535, in seconds. The default value is 300.
max-times times | Specifies the maximum number of user information synchronization failures. | The value is an integer that ranges from 2 to 255. The default value is 3.
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If communication is interrupted because the network between the device and
Portal server is disconnected or the Portal server is faulty, online Portal
authentication users cannot go offline. Therefore, user information on the device
and on the Portal server may be inconsistent and accounting may be inaccurate.
The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure
user information consistency.
During information synchronization, the device does not disconnect the user
immediately after detecting that the device has certain user information while the
server does not have such information. Instead, the device disconnects the user
when the maximum number of user information synchronization failures is
reached.
Precautions
If users go online during the keepalive interval of the Portal server, the Portal
server does not have their entries. After the Portal server goes Up and starts
synchronizing user information, the device does not disconnect these users even if
synchronization fails. The device retains these users until the next time they go
online and perform Portal authentication, ensuring good user experience.
When you run the user-sync command, make sure that the Portal server supports
this function. Otherwise, the users will go offline.
Example
# Enable user information synchronization in the Portal server profile abc, set the
interval for user information synchronization to 100s, and set the maximum
number of synchronization failures to 5.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] user-sync interval 100 max-times 5
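The interval and failure threshold, the disconnect-only-at-max-times rule, and the exemption for users who came online while the Portal server was Down can be seen together in this added Python model of the user-sync behaviour described above (not device code). It assumes that a user's failure count is reset as soon as the server reports that user again.

```python
from dataclasses import dataclass, field


@dataclass
class PortalUser:
    ip: str
    online_while_server_down: bool = False   # the server can have no entry for this user
    sync_failures: int = 0                    # consecutive rounds the server lacked the entry


@dataclass
class UserSync:
    """user-sync [ interval interval-period | max-times times ] in a Portal server profile."""
    interval: int = 300        # seconds, 30 to 65535 (page defaults and ranges)
    max_times: int = 3         # 2 to 255
    users: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 30 <= self.interval <= 65535:
            raise ValueError("interval must be 30-65535 seconds")
        if not 2 <= self.max_times <= 255:
            raise ValueError("max-times must be 2-255")

    def user_online(self, ip, portal_server_up=True):
        """A user completes Portal authentication; a fresh login clears the exemption."""
        self.users[ip] = PortalUser(ip, online_while_server_down=not portal_server_up)

    def synchronize(self, server_entries):
        """One synchronization round. `server_entries` is the set of user IPs the Portal
        server reports. Returns the IPs the device disconnects in this round."""
        disconnected = []
        for ip, user in list(self.users.items()):
            if ip in server_entries:
                user.sync_failures = 0            # assumed: a match resets the counter
                continue
            if user.online_while_server_down:
                continue                           # retained until the next login
            user.sync_failures += 1                # not disconnected immediately
            if user.sync_failures >= self.max_times:
                disconnected.append(ip)
                del self.users[ip]
        return disconnected


if __name__ == "__main__":
    # Constructed sample matching the page's example: interval 100 s, max-times 5.
    sync = UserSync(interval=100, max_times=5)
    sync.user_online("10.1.1.2")                          # server knew about this login
    sync.user_online("10.1.1.3", portal_server_up=False)  # logged in while server was Down
    for round_no in range(1, 6):
        print(round_no, sync.synchronize(set()))          # round 5: ['10.1.1.2'] only
```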
Function
The vm-authen password command configures a password for virtual users
during RADIUS authentication.
The undo vm-authen password command restores the default password for
virtual users during RADIUS authentication.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
NOTE
Format
vm-authen password cipher password
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the vm-authen password command to configure a password for
virtual users during RADIUS authentication.
Precautions
Example
# Set the password huawei for virtual users during RADIUS authentication.
<HUAWEI> system-view
[HUAWEI] vm-authen password cipher huawei
Function
The vm-user association-type command configures the association type of a
virtual user.
NOTE
Format
vm-user association-type { online | pre-online | offline } mac-address mac-address interface interface-type interface-number vlan vlan-id [ ip-address ip-address | profile profile-name | vsi vsi-name ] *
Parameters
Parameter | Description | Value
online | Indicates that the association type of the virtual user is online. | -
profile profile-name | Specifies the profile to which the virtual user belongs. | The value is a string of 1 to 64 case-sensitive characters without spaces.
vsi vsi-name | Specifies the name of the virtual site interface. | The value is a string of 1 to 64 case-sensitive characters without spaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In virtual network management, you must configure the function specified by the
vm-user association-type command on the network management system (NMS)
so that virtual users can access the network. The NMS then delivers the function
configuration to the device. After receiving the related function configuration, the
device automatically runs the vm-user association-type command to configure
the association type of the virtual user.
Precautions
This command should be configured by the network administrator on the NMS
and delivered to the device. You are not advised to directly run this command on
the device.
Example
# Set the association type of the virtual user with the MAC address 1-1-1 in VLAN
10 on GE0/0/1 to pre-online.
<HUAWEI> system-view
[HUAWEI] vm-user association-type pre-online mac-address 1-1-1 interface gigabitethernet 0/0/1 vlan 10
Format
user-vlan vlan-id
undo user-vlan
Parameters
Parameter Description Value
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After creating a service scheme using the 13.1.82 service-scheme (AAA view)
command, you can run the user-vlan command to configure a user VLAN in the
service scheme. The user assigned with the service scheme will be added to the
user VLAN and obtain network resources in the VLAN.
Precautions
An authorized VLAN cannot be delivered to online Portal users.
If the user access mode is not multi-share, this command takes effect only after
you configure the link type of the interface connected to users as hybrid and
configure user packets to pass through the interface in untagged mode.
Example
# Configure user VLAN 100 in the service scheme huawei.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] user-vlan 100
Related Topics
13.1.82 service-scheme (AAA view)
Format
voice-vlan
undo voice-vlan
Parameters
None
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After creating a service scheme using the 13.1.82 service-scheme (AAA view)
command, you can run the voice-vlan command to enable the voice VLAN in the
service scheme. The voice user assigned with the service scheme will be added to
the voice VLAN and obtain network resources in the VLAN.
Precautions
Example
# Enable the voice VLAN in the service scheme huawei.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] voice-vlan
Related Topics
13.1.82 service-scheme (AAA view)
NOTE
Format
vpn-instance vpn-instance-name
undo vpn-instance
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A VPN implements interconnection within the same department and between
different departments in an enterprise. To enable the Portal authentication service
in the VPN, run the vpn-instance command to bind a Portal server template to a
VPN instance.
Prerequisites
A VPN instance has been created using the ip vpn-instance command.
Precautions
The VPN instance bound to the Portal server template must be the same as that
bound to the Portal server.
The users in VPN instances bound to different Portal server templates cannot use
the same IP addresses because users with the same IP addresses cannot go online
or offline.
Example
# Bind the Portal server template abc to the VPN instance vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] vpn-instance vpn1
Function
The web-auth-server listening-port command sets the number of the port on
which the device listens for Portal protocol packets.
By default, the device listens for Portal protocol packets on port 2000.
Format
web-auth-server listening-port port-number
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the device exchanges user authentication information with the Portal server
using the Portal protocol, you must configure the listening port on the device to
receive Portal packets.
You can run the web-auth-server listening-port command to set the number of
the port through which the device listens on Portal packets. The port number must
be the same as the destination port number in Portal packets sent by the Portal
server and must be unique.
NOTE
If a specified port is occupied by another service or is a reserved port, the configuration fails.
Ensure that the specified port is available when running this command.
Example
# Set the number of the port through which a device listens on Portal protocol
packets to 3000.
<HUAWEI> system-view
[HUAWEI] web-auth-server listening-port 3000
Related Topics
13.4.89 display web-auth-server configuration
Function
The web-auth-server command configures the Portal server profile used by a
Portal access profile.
By default, a Portal access profile does not use any Portal server profile.
Format
web-auth-server server-name [ bak-server-name ] { direct | layer3 }
undo web-auth-server
Parameters
Views
Portal access profile view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a Portal server profile is configured on the device, this profile must be bound
to a Portal access profile. When users who use the Portal access profile attempt to
access charged network resources, the HTTP requests are forcibly redirected to the
authentication page of the Portal server to implement Portal authentication.
To improve Portal authentication reliability, the backup Portal server profile can
also be bound to the Portal access profile. When the primary Portal server is
disconnected, the users are redirected to the backup Portal server for
authentication. This function can take effect only when the Portal server detection
function is enabled using the 13.4.180 server-detect command and heartbeat
detection is enabled on the Portal server.
The following Portal authentication modes are available:
● direct: When there is no Layer 3 forwarding device between the device and a
user, the device can learn the user's MAC address. You can configure the Layer
2 authentication mode so that the device can identify the user using the IP
address and MAC address.
● layer3: When there is a Layer 3 forwarding device between the device and a
user, the device cannot learn the user's MAC address and can only identify the
user using the IP address. You need to configure the Layer 3 authentication
mode.
Prerequisites
A Portal server profile has been created using 13.4.211 web-auth-server (system
view) and the IP address of the Portal server has been configured using 13.4.181
server-ip (Portal server profile view).
Precautions
Example
# Bind the Portal access profile p1 to the Portal server profiles server1 and
server2 (backup Portal server profile), and configure the Layer 2 authentication
mode.
<HUAWEI> system-view
[HUAWEI] web-auth-server server1
[HUAWEI-web-auth-server-server1] server-ip 10.10.1.1
[HUAWEI-web-auth-server-server1] quit
[HUAWEI] web-auth-server server2
[HUAWEI-web-auth-server-server2] server-ip 10.10.2.1
[HUAWEI-web-auth-server-server2] quit
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] web-auth-server server1 server2 direct
Related Topics
13.4.211 web-auth-server (system view)
13.4.181 server-ip (Portal server profile view)
13.4.89 display web-auth-server configuration
13.4.61 display authentication-profile configuration
Function
The web-auth-server reply-message command enables the device to
transparently transmit users' authentication responses sent by the authentication
server to the Portal server.
Format
web-auth-server reply-message
undo web-auth-server reply-message
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The AAA server requires that the authentication messages sent to the Portal server
contain the authentication reply; therefore, the web-auth-server reply-message
command is required. In certain situations, the authentication messages are not
required to carry the reply. In this case, run the undo web-auth-server reply-message command.
By default, the device directly forwards the authentication result message from the
RADIUS server to the Portal server without processing. This is called transparent
transmission.
Example
# Disable the device from transparently transmitting users' authentication
responses to the Portal server.
<HUAWEI> system-view
[HUAWEI] undo web-auth-server reply-message
Related Topics
13.4.89 display web-auth-server configuration
Format
web-auth-server server-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When an unauthenticated portal user goes online, the device forces the user to
log in to a specified website (also called the portal website). The user can access
resources in the portal website for free. When the user attempts to access charged
network resources, the user must pass authentication on the portal website. The
specific process is as follows:
1. The unauthorized user opens Internet Explorer and enters a URL in the
address box. When receiving the HTTP request sent by the user, the device
redirects it to the portal authentication page of the portal server.
2. The user enters user information on the authentication page or in the
authentication dialog box, and the portal server forwards the user information
to the device.
3. After receiving the user information from the portal server, the device sends
the information to the authentication server for authentication and
accounting.
4. After the user is authenticated, the device allows the user to access the
Internet if no security policy is enforced.
After a portal server profile is created on the device by using the web-auth-server
command, run other commands to create a route from the device to the portal
server.
Follow-up Procedure
Run the following commands to configure related attributes of the portal server
profile:
● Run the 13.4.181 server-ip (Portal server profile view) command to
configure an IP address for the portal server.
● Run the 13.4.197 url (Portal server profile view) command to configure a
URL of the portal server.
● Run the 13.4.138 port (Portal server profile view) command to set the port
number that a portal server uses to receive notification packets from the
device.
● Run the 13.4.182 shared-key (Portal server profile view) command to
configure the shared key that the device uses to exchange information with
the portal server.
Precautions
You are advised to back up the portal server data to prevent authentication failure
caused by the portal server fault.
Example
# Create a portal server profile named huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
Related Topics
13.4.89 display web-auth-server configuration
13.4.197 url (Portal server profile view)
13.4.181 server-ip (Portal server profile view)
13.4.138 port (Portal server profile view)
13.4.182 shared-key (Portal server profile view)
Format
web-auth-server version v2 [ v1 ]
Parameters
Parameter: v2
  Description: Indicates that the device supports the Portal protocol version V2.0. The major version currently used is V2.0.
  Value: -
Parameter: v1
  Description: Indicates that the device supports the Portal protocol version V1.0.
  Value: -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Currently, the Portal protocol has two versions: V1.0 and V2.0. The device and
Portal server must use the Portal protocol of the same version to ensure normal
communication. You can run the web-auth-server version command to set the
Portal protocol version supported by the device.
NOTE
Example
# Configure the device to use only the Portal protocol V2.0.
<HUAWEI> system-view
[HUAWEI] web-auth-server version v2
Related Topics
13.4.89 display web-auth-server configuration
Function
The web-redirection disable command disables the Portal authentication
redirection function.
Format
web-redirection disable
undo web-redirection disable
Parameters
None
Views
Portal server profile view
Default Level
2: Configuration level
Usage Guidelines
The device redirects all unauthenticated users to the Portal authentication page
when the users send access requests to external networks. If, for example, users
are expected to enter the URL of the authentication page manually, run the
web-redirection disable command so that unauthenticated users are not forcibly
redirected to the Portal authentication page.
Example
# Disable the Portal authentication redirection function.
<HUAWEI> system-view
[HUAWEI] web-auth-server nac
[HUAWEI-web-auth-server-nac] web-redirection disable
Related Topics
13.4.89 display web-auth-server configuration
Function
The access-user arp-detect command sets the source IP address and source MAC
address of offline detection packets in a VLAN.
The undo access-user arp-detect command deletes the source IP address and
source MAC address of offline detection packets in a VLAN.
By default, the source IP address and source MAC address are not specified for
offline detection packets in a VLAN.
Format
access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.
If the VLAN to which the user belongs does not have a VLANIF interface or the
VLANIF interface does not have an IP address, the device sends an offline
detection packet using 0.0.0.0 as the source IP address. If a user cannot respond to
an ARP probe packet with the source IP address 0.0.0.0, you can specify a source IP
address for the offline detection packet.
In addition, a Windows client sends an ARP probe packet with the source IP
address 0.0.0.0 after obtaining an IP address. In this case, if the device also sends
an ARP probe packet with the source IP address 0.0.0.0, an IP address conflict
occurs. In this case, you can specify an IP address as the source IP address of ARP
probe packets sent by the device.
You are advised to specify the user gateway IP address and its corresponding MAC
address as the source IP address and source MAC address of ARP probe packets
sent by the device. If the gateway device changes, update the source MAC address
of the ARP probe packets sent by the device in a timely manner. Otherwise, the
gateway ARP entry on terminals may be incorrect, causing network disconnection.
Precautions
This function does not take effect for users who use Layer 3 Portal authentication.
If a user on a physical interface is online, this command takes effect only after the
user goes online again or the device re-authenticates the user.
If a user on an Eth-Trunk interface is online, this command takes effect immediately.
Example
# Set the source IP address and MAC address of offline detection packets for users
in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234
Related Topics
13.5.99 mac-authen timer
Format
access-user arp-detect default ip-address ip-address
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.
Precautions
This function does not take effect for users who use Layer 3 Portal authentication.
Example
# Set the default source IP address of offline detection packets to 0.0.0.0.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0
Format
access-user syslog-restrain enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a user fails authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of the access device and the
access user, and the authentication time.
If a user repeatedly attempts to go online after authentication failures or
frequently goes online and offline in a short period, a lot of system logs are
generated, which waste system resources and degrade system performance.
System log suppression can address this problem. After the device generates a
system log, it will not generate the same log within the suppression period (set by
13.5.5 access-user syslog-restrain period).
NOTE
"The same system log" means a system log containing the same MAC addresses. For
example, after the device generates a system log for a user failing authentication,
the device does not generate a new system log for this user within the suppression
period if the user fails authentication again. System logs for users going offline
are suppressed in the same way.
Example
# Enable system log suppression.
<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain enable
Related Topics
13.5.5 access-user syslog-restrain period
Format
access-user syslog-restrain period period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the system log suppression function is enabled using the 13.5.4 access-user
syslog-restrain enable command, use this command to set the system log
suppression period. After generating a system log, the device will not generate the
same log within the suppression period.
Example
# Set the period for system log suppression to 600s.
<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain period 600
Related Topics
13.5.4 access-user syslog-restrain enable
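The suppression rule described for the two access-user syslog-restrain commands above, modelled in Python so the logging behaviour can be reasoned about before the switch is configured. This is an added example, not Huawei code; the switch MAC, user MACs and event timeline are constructed, and it assumes that authentication-failure and offline logs are suppressed independently of each other and that a repeat arriving exactly `period` seconds after the last log is logged again.

```python
"""Model of system log suppression (access-user syslog-restrain enable/period).

Added example, not Huawei code. Implements the stated rule: a log with the
same MAC addresses as an earlier log is not generated again within the
suppression period. Assumptions: "authen-fail" and "offline" logs are tracked
separately, and a repeat at exactly `period` seconds is logged again.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One event the device would normally log (constructed sample data)."""
    time: int          # seconds on the device clock
    kind: str          # "authen-fail" or "offline"
    device_mac: str    # MAC address of the access device
    user_mac: str      # MAC address of the access user


class SyslogRestrain:
    """Drops repeated logs for the same (kind, device MAC, user MAC) key.

    period=None models the function being disabled: every event is logged.
    """

    def __init__(self, period: Optional[int]) -> None:
        self.period = period
        self._last_logged: Dict[Tuple[str, str, str], int] = {}

    def should_log(self, ev: AccessEvent) -> bool:
        if self.period is None:
            return True
        key = (ev.kind, ev.device_mac.lower(), ev.user_mac.lower())
        last = self._last_logged.get(key)
        if last is not None and ev.time - last < self.period:
            return False          # same log inside the suppression period
        self._last_logged[key] = ev.time
        return True


def filter_logs(events: List[AccessEvent], period: Optional[int]) -> List[AccessEvent]:
    """Return the events that still produce a system log, in arrival order."""
    restrain = SyslogRestrain(period)
    return [ev for ev in events if restrain.should_log(ev)]


# Constructed sample: one client retrying after failures, a second client
# failing once, and the first client going offline and failing again later.
SWITCH = "00e0-fc12-3456"
SAMPLE_EVENTS = [
    AccessEvent(0,   "authen-fail", SWITCH, "aaaa-bbbb-0001"),
    AccessEvent(30,  "authen-fail", SWITCH, "aaaa-bbbb-0001"),  # repeat, suppressed
    AccessEvent(30,  "authen-fail", SWITCH, "aaaa-bbbb-0002"),  # other user, logged
    AccessEvent(60,  "offline",     SWITCH, "aaaa-bbbb-0001"),  # different log, logged
    AccessEvent(120, "authen-fail", SWITCH, "aaaa-bbbb-0001"),  # repeat, suppressed
    AccessEvent(700, "authen-fail", SWITCH, "aaaa-bbbb-0001"),  # period elapsed, logged
]


if __name__ == "__main__":
    # With "access-user syslog-restrain period 600", four of the six events are logged.
    for ev in filter_logs(SAMPLE_EVENTS, 600):
        print(f"t={ev.time:>4}s {ev.kind:<11} device={ev.device_mac} user={ev.user_mac}")
```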
Function
The acl-id command binds an ACL to a user group.
Format
acl-id acl-number
Parameters
Parameter: acl-number
  Description: Specifies the number of an ACL bound to a user group.
  Value: The value is an integer that ranges from 3000 to 3999.
Parameter: all
  Description: Deletes all ACL rules bound to a user group.
  Value: -
Views
User group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a user group is created using the 13.5.156 user-group command, you can
run the acl-id acl-number command to bind an ACL to the user group, so that
users in the user group share an ACL.
NOTE
Before an ACL is bound to the user group, do not run the 13.5.157 user-group enable
command to enable the user group; otherwise, the ACL cannot be bound to the user group.
When the user group function is enabled on models except the S5720EI, S5720HI, S6720EI,
and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be
used to save ACL resources.
Prerequisites
The ACL has been created using the 14.1.5 acl (system view) or 14.1.4 acl name
command and ACL rules have been configured using the rule command.
Precautions
● The ACL bound to a user group cannot be modified or deleted in the system
view.
● If no ACL rule is configured for a user group, the device does not restrict the
network access rights of users in the user group.
● When configuring ACL rules in a user group, create a rule that rejects all
network access requests and ensure that the rule can take effect.
● If all users in a group are required to have the same access rights, do not
specify the source IP address in the ACL bound to the user group. If an ACL
bound to a user group has defined the source IP address, only users with the
same IP address as the source IP address in the ACL can match the ACL in the
user group.
Example
# Bind ACL 3001 to the user group abc.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 deny ip destination 192.168.5.0 0.0.0.255
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-group abc
[HUAWEI-user-group-abc] acl-id 3001
Related Topics
14.1.5 acl (system view)
13.5.156 user-group
13.5.157 user-group enable
13.5.55 display user-group
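To make the source-address precaution above concrete, the following added example (not Huawei code) parses rules in the syntax of the acl-id example and applies wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored) to decide what a group member may reach. ACL 3002, the rule with a source address, and the user IP addresses are constructed; it assumes the first matching rule wins and that traffic matching no rule is permitted, in line with the note that a group without ACL rules is not restricted.

```python
"""Evaluation of an advanced ACL bound to a user group (added example, not Huawei code).

Shows why a rule carrying a source address matches only the group members that
hold that address. Assumptions: first matching rule wins; unmatched traffic is
permitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Prefix = Tuple[int, int]   # (address as int, wildcard mask as int)


def _parse_prefix(addr: str, wildcard: str) -> Prefix:
    # A bare "0" wildcard means an exact host match.
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)), w


def _matches(ip: str, prefix: Optional[Prefix]) -> bool:
    if prefix is None:             # no address in the rule: matches any
        return True
    base, wildcard = prefix
    care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    source: Optional[Prefix] = None
    destination: Optional[Prefix] = None


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'rule 5 deny ip destination 192.168.5.0 0.0.0.255'."""
    tok = line.split()
    if tok[:1] != ["rule"] or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported rule: {line}")
    source = destination = None
    i = 4
    while i < len(tok):
        if tok[i] == "source":
            source = _parse_prefix(tok[i + 1], tok[i + 2])
        elif tok[i] == "destination":
            destination = _parse_prefix(tok[i + 1], tok[i + 2])
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
        i += 3
    return Rule(int(tok[1]), tok[2], source, destination)


def evaluate(rules: List[Rule], user_ip: str, dst_ip: str) -> str:
    """Action applied to a group member's packet; first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(user_ip, rule.source) and _matches(dst_ip, rule.destination):
            return rule.action
    return "permit"                # assumption: unmatched traffic is allowed


# Constructed sample ACLs: the page's rule, and a variant with a source address.
ACL_3001 = [parse_rule("rule 5 deny ip destination 192.168.5.0 0.0.0.255")]
ACL_3002 = [parse_rule("rule 5 deny ip source 10.1.1.5 0 destination 192.168.5.0 0.0.0.255")]

if __name__ == "__main__":
    # In ACL 3002 only the member holding 10.1.1.5 is denied; 10.1.1.7 is not restricted.
    for name, acl in (("3001", ACL_3001), ("3002", ACL_3002)):
        for user in ("10.1.1.5", "10.1.1.7"):
            print(f"ACL {name}: {user} -> 192.168.5.20: {evaluate(acl, user, '192.168.5.20')}")
```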
Function
The authentication critical eapol-success command configures the device to
send an Eapol-Success packet to a user after the user is added to the critical
VLAN.
By default, an Eapol-Fail packet is sent to a user after the user is added to the
critical VLAN.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After a user is added to the critical VLAN because the authentication server does
not respond, the device can be configured to send an Eapol-Success or Eapol-Fail
packet to the user to prevent the user from continuously sending access request
packets. After receiving the Eapol-Success packet or Eapol-Fail packet, the user
stops attempting to go online by sending the access request packet repeatedly,
which prevents the device performance from degrading.
The user receiving the Eapol-Success packet can still obtain the IP address through
a DHCP packet, while the user receiving the Eapol-Fail packet fails to do so. The
administrator can configure the device to send an Eapol-Success or Eapol-Fail
packet as required.
Example
# Configure the device to send an Eapol-Success packet to a user after the user is
added to the critical VLAN on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication critical eapol-success
Function
The authentication critical-vlan command configures a critical VLAN on an
interface.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A critical VLAN is authorized for users when the authentication server does not
respond.
When the access device cannot communicate with the RADIUS server or the
RADIUS server fails, the authentication process on the network is interrupted and
users cannot pass the authentication. After the critical VLAN function of the device
is enabled, the device sets the state flag of the authentication server to Down and
adds the users to the critical VLAN. In this way, the users can access resources in
the critical VLAN without being authenticated.
Precautions
● This command is only valid for 802.1X authentication and MAC address
authentication.
● If the free-ip function is configured, the critical VLAN function becomes
invalid immediately.
● To make the VLAN authorization function take effect, the link type and access
control mode of the authentication interface must meet the following
requirements:
– When the link type is hybrid in untagged mode, the access control mode
can be based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only
be based on the interface.
Example
# In the system view, configure 802.1X authentication for users using the
port-based access method on GE0/0/1 and set the critical VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication critical-vlan 20 interface gigabitethernet 0/0/1
# In the interface view, enable MAC address authentication on GE0/0/1 and set
the critical VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] mac-authen
[HUAWEI-GigabitEthernet0/0/1] authentication critical-vlan 20
Format
authentication device-type voice authorize [ user-group group-name ]
undo authentication device-type voice authorize [ user-group ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to switches, NAC is configured on the switches to manage and
control the data terminals. The voice terminals, however, only need to connect to
the network without being managed and controlled. In this case, you can
configure the voice terminals to go online without authentication on the switches.
Then the voice terminals identified by the switches can go online without
authentication.
Precautions
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S1720, S2700, S5700, and S6720
Voice terminals can obtain the corresponding network access rights after they pass
authentication and go online, when user-group group-name is not specified.
When user-group group-name is specified, voice terminals can obtain the network
access rights specified by the user group after they go online. To use a user group
to define network access rights for voice terminals, run the 13.5.156 user-group
group-name command to create a user group and configure network
authorization information for the users in the group. Note that the user group
takes effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the
previous ones.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# Enable voice terminals to go online without authentication.
<HUAWEI> system-view
[HUAWEI] authentication device-type voice authorize
The undo authentication event command cancels network access rights of users
in different authentication stages.
Format
● Command for 802.1X authentication:
System view, Ethernet interface view, GE interface view, MultiGE interface
view, XGE interface view, 40GE interface view, Eth-Trunk interface view:
authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } { vlan vlan-id | user-group group-name }
Parameters
Parameter: pre-authen
  Description: Specifies the network access rights granted to users before authentication starts.
  In 802.1X authentication, when the device receives an ARP or DHCP request packet from a user terminal but no authentication request packet from an 802.1X client, the device grants the pre-authen right to the user. If only this parameter is specified and no network access rights are configured for other events, the device grants the pre-authen right to users failing authentication.
  In MAC address or Portal authentication, if only this parameter is specified and no network access rights are configured for other events, the device grants the pre-authen right to users failing authentication.
  Value: -
Parameter: vlan vlan-id
  Description: Specifies a VLAN ID. When this parameter is specified, the user can access only the resources in the VLAN.
  Value: The value is an integer that ranges from 1 to 4094.
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To grant different network access rights to users in different stages, you can use
this command.
Prerequisites
Precautions
● If the command is executed in both the interface view and system view, the
configuration in interface view takes effect.
● This function takes effect only for users who go online after this function is
successfully configured.
● If the user-group parameter is specified in the command, only the network
access rights (that is, the ACL and VLAN bound to the user group) configured
for the user group take effect.
● If the network access rights specified in the authentication event command
were defined by a user group, the 13.5.64 dot1x free-ip command configured
in the system view cannot take effect and the 13.5.64 dot1x free-ip
command configured in the interface view does not take effect for the
interface.
● If the user-group parameter is specified in the command and the destination
network access rights in the authentication-free rule configured by 13.5.107
portal free-rule is the same as that defined for the user group, the
authentication-free rule does not take effect.
Example
# On GE0/0/1, allow users to access resources in VLAN 10 when authentication
fails.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication event authen-fail vlan 10
Related Topics
13.5.63 dot1x enable
13.5.88 mac-authen
13.5.167 web-auth-server (system view)
13.5.156 user-group
Format
authentication event { authen-fail | authen-server-down } response-fail
undo authentication event { authen-fail | authen-server-down } response-fail
Parameters
Parameter: authen-fail
  Description: Specifies that the device returns an authentication failure packet to the 802.1X client or portal server when a user fails authentication.
  Value: -
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can use this command to configure the device to return an authentication
failure packet to the 802.1X client or portal server. In 802.1X authentication, the
802.1X client notifies the user of authentication failure. In portal authentication,
the portal server pushes an authentication failure message to the user. The user
then chooses whether to perform reauthentication.
Precautions
● If the command is executed in both the interface view and system view, the
configuration in interface view takes effect.
● This function takes effect only for users who go online after this function is
successfully configured.
● This command applies only to 802.1X authentication and Portal
authentication.
Example
# Configure GE0/0/1 to return an authentication failure packet to the 802.1X
client or portal server when a user fails in authentication.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication event authen-fail response-fail
Related Topics
13.5.10 authentication event
Function
The authentication event session-timeout command sets the timeout period of
network access rights granted to users in different authentication stages.
Format
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view
authentication event { pre-authen | authen-fail | authen-server-down | client-
no-response } session-timeout session-time
undo authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } session-timeout
VLANIF interface view
authentication event { pre-authen | authen-fail | authen-server-down }
session-timeout session-time
undo authentication event { pre-authen | authen-fail | authen-server-down }
session-timeout
Parameters
Parameter: pre-authen
  Description: Specifies the timeout period of the network access rights granted to users before authentication starts.
  Value: -
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After you run the 13.5.10 authentication event command to grant the network
access rights to users in different authentication stages, you can run the
authentication event session-timeout command to specify the timeout period
for the network access rights. Users can access the authorized resources within the
timeout period, and will be forced to go offline after the timeout period expires.
If the aging time is set to 0, the network access rights granted to the user will not
expire. To disconnect the user from the network, run the cut access-user
command on the device or configure the authentication server to deliver an
offline message to the user.
Precautions
The timeout period set in the VLANIF interface view is not applicable to 802.1X
authentication.
If this command is only run in the system view, the configuration takes effect on
all interfaces. If this command is run in both the system view and interface view,
the configuration on interfaces takes precedence over the global configuration.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# On interface GE0/0/1, set the timeout period of the network access rights
granted to users when authentication fails to 100 minutes.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication event authen-fail session-timeout 100
Related Topics
13.5.10 authentication event
Function
The authentication guest-vlan command configures a guest VLAN on an
interface.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users in the guest VLAN can access resources in the guest VLAN without
authentication but must be authenticated when they access external resources.
NOTE
● The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the
users who are not authenticated.
● If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the
authentication are added to the guest VLAN.
Prerequisites
The VLAN to be configured as the guest VLAN must have been created.
802.1X authentication has been enabled globally and on the interface using the
dot1x enable command, or MAC address authentication has been enabled
globally and on the interface using the mac-authen command.
Precautions
● The guest VLAN function can take effect only in 802.1X and MAC address
authentication.
● A super VLAN cannot be configured as a guest VLAN.
● When free IP subnets are configured, the guest VLAN function becomes
invalid immediately.
● If the authentication function of the built-in Portal server is enabled, the
guest VLAN cannot be configured on interfaces.
● The guest VLAN function takes effect only when a user sends untagged
packets to the device.
● Different interfaces can be configured with different guest VLANs. After a
guest VLAN is configured on an interface, the guest VLAN cannot be deleted.
● To make the VLAN authorization function take effect, the link type and access
control mode of the authentication interface must meet the following
requirements:
– When the link type is hybrid in untagged mode, the access control mode
can be based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only
be based on the interface.
Example
# In the system view, configure 802.1X authentication for the users using Port-based access method on GE0/0/1 and set the guest VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication guest-vlan 20 interface gigabitethernet 0/0/1
# In the interface view, enable MAC address authentication on GE0/0/1 and set
the guest VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] mac-authen
[HUAWEI-GigabitEthernet0/0/1] authentication guest-vlan 20
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
13.5.79 dot1x retry
13.5.88 mac-authen
13.5.38 display mac-authen
Format
authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
undo authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a user is authenticated and accesses the network from one interface of the
device, the network cable is pulled out of that interface and plugged into another
interface on the device. In this case, the user cannot immediately initiate
authentication and access the network. The user can initiate authentication on the
new interface only after the user offline detection interval expires or the
authentication interface is manually shut down and enabled again to clear the
online user entry. To improve user experience, MAC address migration is enabled so
that the user can immediately initiate authentication and access the network after
being switched to another access interface.
MAC address migration allows online NAC authentication users to immediately
initiate authentication and access the network after they are switched to other
access interfaces. If the user is authenticated successfully on the new interface, the
online user entry on the original interface is deleted immediately to ensure that
only one interface records the online user entry.
In addition, VLANs need to be specified for users in MAC address migration. The
VLANs before and after the migration can be specified for the users, and they can
be the same or different.
Precautions
● In normal cases, enabling MAC address migration is not recommended. It
should be enabled only when users have migration requirements during
roaming. This prevents unauthorized users from forging the MAC addresses of
online users and sending ARP, 802.1X, or DHCP packets on other
Example
# Enable MAC address migration in all VLANs.
<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan all
By default, a device is disabled from detecting users' online status before user
MAC address migration.
Format
authentication mac-move detect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.
You can also run the 13.5.16 authentication mac-move detect retry-interval
retry-time command to set the detection interval and maximum number of
detections before user MAC address migration.
Example
# Enable a device to detect users' online status before user MAC address
migration.
<HUAWEI> system-view
[HUAWEI] authentication mac-move detect enable
Function
The authentication mac-move detect retry-interval retry-time command sets
the detection interval and maximum number of detections before user MAC
address migration.
By default, a device detects users' online status once. The detection interval is 3
seconds.
Format
authentication mac-move detect { retry-interval interval | retry-time times } *
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a device is enabled to detect users' online status before user MAC address
migration, you can run the authentication mac-move detect { retry-interval
interval | retry-time times } * command to modify the default detection interval
and maximum number of detections.
Example
# Configure a device to detect users' online status twice at an interval of 5
seconds before user MAC address migration.
<HUAWEI> system-view
[HUAWEI] authentication mac-move detect retry-interval 5 retry-time 2
Function
The authentication mac-move quiet-log enable command enables the device to
record logs about MAC address migration quiet.
By default, the device is enabled to record logs about MAC address migration
quiet.
Format
authentication mac-move quiet-log enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device can record logs when adding or deleting MAC address migration quiet
entries. This helps the administrator find out the cause of a MAC address
migration failure and improves the maintainability of the MAC address migration
quiet function.
Example
# Enable the device to record logs about MAC address migration quiet.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-log enable
Function
The authentication mac-move quiet-times quiet-period command configures
the quiet period and the maximum number of MAC address migration times
within 60 seconds before users enter the quiet state.
The default quiet period is 0 seconds and the maximum number of MAC address
migration times within 60 seconds before users enter the quiet state is 3.
Format
authentication mac-move { quiet-times times | quiet-period quiet-value } *
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function.
If the number of MAC address migration times for a user within 60 seconds
exceeds the value (times) after the MAC address migration quiet function is
enabled, the device quiets the user for a certain period (quiet-value). During the
quiet period, the device does not allow users to perform MAC address migration.
Example
# Configure the quiet period to 120 seconds and the maximum number of MAC
address migration times within 60 seconds before users enter the quiet state to 5.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-times 5 quiet-period 120
Format
authentication mac-move quiet-user-alarm enable
undo authentication mac-move quiet-user-alarm enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device can send alarms about MAC address migration quiet to improve
maintainability of the MAC address migration quiet function. The device sends
alarms when the percentage of the actual user amount in the MAC address
migration quiet table against the maximum number of users exceeds the upper
alarm threshold configured. If the percentage decreases to be equal to or smaller
than the lower alarm threshold, the device sends a clear alarm. The upper and
lower alarm thresholds are configured using the 13.5.20 authentication mac-move quiet-user-alarm percentage command.
Example
# Enable the device to send alarms about MAC address migration quiet.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm enable
Format
authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold
undo authentication mac-move quiet-user-alarm percentage
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The 13.5.19 authentication mac-move quiet-user-alarm enable command can
be run to enable the device to send alarms about MAC address migration quiet to
improve maintainability of the MAC address migration quiet function. The device
sends alarms when the percentage of the actual user amount in the MAC address
migration quiet table against the maximum number of users exceeds the upper
alarm threshold configured. If the percentage decreases to be equal to or smaller
than the lower alarm threshold, the device sends a clear alarm. The upper and
lower alarm thresholds are configured using the authentication mac-move
quiet-user-alarm percentage command.
Example
# Configure the upper alarm threshold to 80 and lower alarm threshold to 40.
<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm percentage 40 80
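The quiet function described for the authentication mac-move quiet-times / quiet-period command and the alarm behaviour described for the quiet-user-alarm percentage command amount to a sliding-window counter plus a hysteresis check. The Python simulation below is an added illustration and not device code: the 60-second window, the "exceeds times" rule, the quiet-period expiry and the upper/lower threshold behaviour are taken from the text above; the class and method names, the quiet-table capacity (max_users) and the treatment of a quiet period of 0 as "users are never quieted" are assumptions.

```python
"""Simulation of the MAC address migration quiet function and its quiet-table alarm.

Added illustration, not device code. From the command reference: migrations are
counted within a 60-second window, a user is quieted when the count exceeds
quiet-times, the quiet entry lasts quiet-period seconds, the alarm is raised when
the quiet-table fill percentage exceeds the upper threshold and cleared when it
drops to the lower threshold or below. Assumptions: the quiet-table capacity
(max_users), the class/method names, and treating quiet-period 0 (the default)
as "users are never quieted".
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the reference counts migrations "within 60 seconds"


class MacMoveQuietTable:
    def __init__(self, quiet_times=3, quiet_period=0, max_users=1000,
                 lower_pct=None, upper_pct=None):
        self.quiet_times = quiet_times      # default 3 per the reference
        self.quiet_period = quiet_period    # default 0 seconds per the reference
        self.max_users = max_users          # assumed capacity of the quiet table
        self.lower_pct = lower_pct          # lower-threshold of quiet-user-alarm percentage
        self.upper_pct = upper_pct          # upper-threshold of quiet-user-alarm percentage
        self.moves = defaultdict(deque)     # mac -> timestamps of recent migrations
        self.quiet_until = {}               # mac -> time at which its quiet entry expires
        self.alarm_raised = False
        self.log = []                       # what the quiet-log function would record

    def _expire(self, now):
        # Remove quiet entries whose quiet period has elapsed (logged, as quiet-log does).
        for mac, until in list(self.quiet_until.items()):
            if now >= until:
                del self.quiet_until[mac]
                self.log.append(f"{now}s: quiet entry deleted for {mac}")

    def migrate(self, mac, now):
        """Return True if a MAC migration at time `now` is permitted, False if quieted."""
        self._expire(now)
        if mac in self.quiet_until:
            return False                    # still in the quiet period: migration refused
        if self.quiet_period == 0:
            return True                     # assumption: quiet period 0 disables quieting
        window = self.moves[mac]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop migrations older than the 60 s window
        if len(window) > self.quiet_times:
            self.quiet_until[mac] = now + self.quiet_period
            window.clear()
            self.log.append(f"{now}s: quiet entry added for {mac}")
            return False
        return True

    def alarm_check(self, now):
        """Evaluate the quiet-user alarm at time `now`: 'alarm', 'clear' or None."""
        self._expire(now)
        if self.lower_pct is None or self.upper_pct is None:
            return None                     # thresholds not configured
        pct = 100.0 * len(self.quiet_until) / self.max_users
        if not self.alarm_raised and pct > self.upper_pct:
            self.alarm_raised = True
            return "alarm"
        if self.alarm_raised and pct <= self.lower_pct:
            self.alarm_raised = False
            return "clear"
        return None


def demo():
    """Constructed scenario: quiet-times 5, quiet-period 120 (the page's example values),
    thresholds 40/80, and a five-entry quiet table so the percentages are easy to follow."""
    table = MacMoveQuietTable(quiet_times=5, quiet_period=120, max_users=5,
                              lower_pct=40, upper_pct=80)
    macs = [f"0001-0002-000{i}" for i in range(1, 6)]   # constructed MAC addresses
    r = {}
    allowed = [table.migrate(macs[0], t) for t in range(6)]   # six moves in six seconds
    r["first_five_allowed"] = all(allowed[:5])
    r["sixth_blocked"] = not allowed[5]                       # count 6 > quiet-times 5
    r["blocked_while_quiet"] = not table.migrate(macs[0], 60)
    for i in (1, 2, 3):                                       # quiet three more MACs
        for t in range(6):
            table.migrate(macs[i], 10 * i + t)
    r["no_alarm_at_80_pct"] = table.alarm_check(35)           # 4/5 = 80%, not above upper
    for t in range(6):
        table.migrate(macs[4], 40 + t)
    r["alarm_at_100_pct"] = table.alarm_check(45)             # 5/5 = 100% > 80
    r["still_raised_at_60_pct"] = table.alarm_check(140)      # two entries expired: 60%
    r["cleared_at_40_pct"] = table.alarm_check(150)           # three expired: 40% <= lower
    r["allowed_after_quiet"] = table.migrate(macs[0], 170)    # quiet period has elapsed
    r["log_entries"] = len(table.log)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario reproduces the hysteresis the guidelines describe: the alarm is not raised at exactly the upper threshold (80%), only above it, and it is cleared once the fill level drops to the lower threshold (40%) or below, so a table hovering between the two thresholds generates no alarm churn.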
Function
The authentication max-reauth-req command sets the maximum number of re-authentication attempts for users in a critical VLAN.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
When the status of the authentication server, as maintained by the device, changes
to Up, the device triggers re-authentication for users already added to the critical
VLAN. If the authentication succeeds, the users exit the critical VLAN. However, if
re-authentication keeps failing for reasons such as a fault on the access user's
client, the repeated re-authentication degrades device performance. After the
maximum number of re-authentication attempts is set for users in the critical
VLAN, the device forces a user to exit the critical VLAN once the user has failed
authentication the specified number of times.
Example
# Set the maximum number of re-authentication attempts for users in the critical
VLAN to 5 on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] authentication max-reauth-req 5 interface gigabitethernet 0/0/1
Format
In the system view:
authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
authentication open
undo authentication open
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a new NAC network is set up, the network administrator needs to learn the
number of potential access users and their authentication methods, but does not
yet need to control user access, because the administrator still has to configure
user names, passwords, and authorization information on the authentication
server. After 802.1X or MAC address authentication is configured on the access
device, only authenticated users can access the network, so the administrator
cannot obtain information about users who do not yet have user names and
passwords on the authentication server.
The NAC open function allows users who fail authentication to access the
network.
Precautions
● The NAC open function is only applied to 802.1X and MAC address
authentication.
● The NAC open function is only applied to RADIUS remote authentication.
● The NAC open function is valid only when the MAC address-based mode is
used as the access control mode of the interface. After this function is
enabled, users can be added to VLANs except a guest VLAN after they log in.
● After NAC open is enabled on an interface and fixed user names are used for
MAC address authentication, the users on the interface are allowed to access
the network even if they have used incorrect user names or passwords.
Example
# Enable the NAC open function on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] authentication open interface gigabitethernet 0/0/1
Related Topics
13.5.63 dot1x enable
Format
In the system view:
authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo authentication restrict-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
authentication restrict-vlan vlan-id
undo authentication restrict-vlan [ vlan-id ]
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can configure a restrict VLAN on a device interface so that users can still
access some network resources (for example, to update the virus library) when
they fail authentication. Users who fail authentication are added to the restrict
VLAN and can access the resources in it. Note that a user is treated as having
failed authentication only when the authentication server rejects the user for
some reason, for example because the user entered an incorrect password, not
when the authentication times out or the network is disconnected.
NOTE
● The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the
users who are not authenticated.
● If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the
authentication are added to the guest VLAN.
Prerequisites
The VLAN to be configured as the restrict VLAN must have been created.
Precautions
Example
# In the system view, configure 802.1X authentication for the users using Port-based access method on GE0/0/1 and set the restrict VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 0/0/1
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
13.5.79 dot1x retry
Format
authentication speed-limit auto
undo authentication speed-limit auto
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When many NAC users send authentication or logoff requests to the device, the
CPU may become overloaded, especially when the CPU or memory usage is
already high (for example, above 80%).
After this command is executed, the device limits the number of NAC packets
received per second whenever the CPU or memory usage is high. This reduces the
load on the device CPU.
Example
# Enable the device to dynamically adjust the rate of packets from NAC users.
<HUAWEI> system-view
[HUAWEI] authentication speed-limit auto
Format
authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }
undo authentication timer re-authen { pre-authen | authen-fail }
Parameters
Parameter: pre-authen re-authen-time
Description: Specifies the interval for re-authenticating pre-connection users.
Value: The value is an integer that ranges from 0 or 30 to 7200, in seconds. The value 0 indicates that the re-authentication function is disabled for pre-connection users.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device creates the mapping user entries when network access policies are
assigned to users who are in the pre-connection phase or fail authentication. To
enable users to pass authentication in real time, the device periodically re-authenticates the users who are in the pre-connection phase or fail authentication
according to the user entries. The administrator can adjust the re-authentication
interval based on the actual network requirements.
Precautions
This command only applies to 802.1X authentication and MAC address
authentication.
This function takes effect only for users who go online after this function is
successfully configured.
To reduce the impact on the device performance when many users exist, the user
re-authentication interval may be longer than the configured re-authentication
interval.
Example
# Configure the interval for re-authenticating users who fail to be authenticated to 300 seconds.
<HUAWEI> system-view
[HUAWEI] authentication timer re-authen authen-fail 300
NOTE
Format
band-width share-mode
undo band-width share-mode
Parameters
None
Views
System view, AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
On a home network, all family members go online using the same account. To
improve service experience of family members, you can enable the bandwidth
share mode so that all members can share the bandwidth.
Precautions
● This function does not apply to users who are connected through the inter-card Eth-Trunk interface.
● If this command is run in the system view, it takes effect for all new online
users who connected to the device. If this command is run in the AAA domain
view, it takes effect only for new online users in the domain.
● If the local or remote RADIUS server does not assign CAR settings to the users
who will go online and the online users, the share mode is invalid to the
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users going online with no CAR settings
assigned will not be affected when CAR settings are assigned to the users
who go online later.
Example
# Enable the bandwidth share mode in the system view.
<HUAWEI> system-view
[HUAWEI] band-width share-mode
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command, and the user
group CAR can only be applied in the interface outbound direction (outbound) on the
S5720EI, S6720EI, and S6720S-EI.
Format
car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *
undo car { outbound | inbound }
Parameters
Parameter: outbound
Description: Applies the user group CAR to the outgoing packets on an interface to restrict the outgoing packet rate.
Value: -
Parameter: pbs pbs-value
Description: Specifies the peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface.
Value: The value is an integer that ranges from 10000 to 4294967295, in bytes. The value of pbs-value must be larger than that of cbs-value and is equal to 188 times the value of pir-value by default.
Views
User group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After user groups are created using the user-group command, you can run the car
outbound command to configure traffic control for users in a user group so that
users in different groups are allocated different bandwidths.
Precautions
● The car command takes effect on each user in a user group.
● This function takes effect only for users who go online after this function is
successfully configured.
Example
# Set the CIR to 10000 Kbit/s and the CBS to 50000 bytes for outgoing packets of
users in a user group.
<HUAWEI> system-view
[HUAWEI] user-group huawei
[HUAWEI-user-group-huawei] car outbound cir 10000 cbs 50000
Related Topics
13.5.137 reset access-user traffic-statistics
Format
cut access-user open
cut access-user user-group group-name
Parameters
Parameter Description Value
Views
AAA view
Default Level
3: Management level
Usage Guidelines
After a user goes online, run this command to force the user offline if you need to
modify the user's network access rights or you detect that the user is unauthorized.
Example
# Force open users offline.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user open
Related Topics
13.5.31 display access-user
Function
The display aaa statistics access-type-authenreq command displays the number
of requests for MAC, Portal, or 802.1X authentication.
Format
display aaa statistics access-type-authenreq
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When users send authentication requests, the device collects statistics on the
number of initiated MAC, Portal, and 802.1X authentications.
To view the number of requests for MAC, Portal, or 802.1X authentication, run the
display aaa statistics access-type-authenreq command.
Example
# Display the number of requests for MAC, Portal, or 802.1X authentication.
<HUAWEI> display aaa statistics access-type-authenreq
mac authentication request :2
portal authentication request :0
dot1x authentication request :0
Function
The display authentication mode command displays the current NAC
configuration mode and the mode after restart.
Format
display authentication mode
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display authentication mode command to view the current NAC
configuration mode.
Example
# Display the current NAC configuration mode and the mode after restart.
<HUAWEI> display authentication mode
Current authentication mode is unified-mode
Next authentication mode is unified-mode
Item Description
Format
display access-user open
NOTE
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check information about online NAC users.
Example
# Display open user information.
<HUAWEI> display access-user open
-------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16016 1@radius 10.8.7.5 0011-0904-2f61 Success
------------------------------------------------------------------------------
Total: 1, printed: 1, Open: 1, printed: 1
NOTE
Only letters, digits, and special characters can be displayed for username.
When the value of username contains special characters or characters in other languages
except English, the device displays dots (.) for these characters. If there are more than three
such consecutive characters, three dots (.) are displayed. Here, the special characters are the
ASCII codes smaller than 32 (space) or larger than 126 (~).
When the value of username is longer than 20 characters, the device displays up to three dots
(.) for the characters following 19; that is, only 22 characters are displayed.
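The display rule in the NOTE above matters when output of display access-user is correlated with server-side records: a displayed username is lossy, so exact string comparison against RADIUS usernames can miss. The following Python code is an added example and not device code: it parses the table shown above and renders usernames the way the NOTE describes. The column layout and the dot-substitution and truncation rules come from the text; the function names and the decision to apply the 20-character rule after the substitution are assumptions.

```python
"""Parsing 'display access-user open' and reproducing the username display rule.

Added example, not device code. The column layout, the dot substitution for
characters outside printable ASCII, the collapse of more than three consecutive
such characters to three dots, and the 19-characters-plus-dots truncation come
from the reference text; the function names and applying the truncation after the
substitution are assumptions.
"""

# Sample taken from the command output shown above.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16016 1@radius 10.8.7.5 0011-0904-2f61 Success
------------------------------------------------------------------------------
Total: 1, printed: 1, Open: 1, printed: 1
"""


def parse_access_user_open(text):
    """Return one dict per user row. The username is taken from the middle so that a
    displayed name containing spaces does not shift the fixed right-hand columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue                       # separators, the header and the Total line
        rows.append({
            "user_id": parts[0],
            "username": " ".join(parts[1:-3]),
            "ip": parts[-3],
            "mac": parts[-2],
            "status": parts[-1],
        })
    return rows


def displayed_username(name, limit=20, keep=19, max_dots=3):
    """Render a username the way the reference says the device displays it."""
    pieces, run = [], 0
    for ch in name:
        special = ord(ch) < 32 or ord(ch) > 126   # outside printable ASCII
        if special:
            run += 1
            if run <= max_dots:            # more than three in a row collapse to three dots
                pieces.append(".")
        else:
            run = 0
            pieces.append(ch)
    shown = "".join(pieces)
    if len(shown) > limit:                 # longer than 20: first 19 chars plus up to three dots
        shown = shown[:keep] + "." * min(max_dots, len(shown) - keep)
    return shown


def match_displayed(shown, known_usernames):
    """Which of the usernames known from the authentication server could be behind
    `shown`? Exact comparison is unreliable for such names, so compare rendered forms."""
    return [u for u in known_usernames if displayed_username(u) == shown]


if __name__ == "__main__":
    for row in parse_access_user_open(SAMPLE_OUTPUT):
        print(row)
    print(displayed_username("us\u00e9r"), match_displayed("us.r", ["us\u00e9r", "user"]))
```

Because several distinct usernames can render to the same displayed string, match_displayed returns every candidate rather than a single one; the MAC and IP columns, which are displayed unchanged, are the reliable keys for correlating a row with server logs.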
Item Description
Format
display authentication mac-move configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display authentication mac-move configuration command to
view the MAC address migration configuration. The configuration includes the
number of times MAC address migration users are allowed to migrate their MAC
addresses within 60s before they enter the quiet state, the period for which MAC
address migration users stay in the quiet state, the interval at which the device
detects users' online status before user MAC address migration, and the number
of detections before user MAC address migration.
Example
# Display the MAC address migration configuration.
<HUAWEI> display authentication mac-move configuration
Mac-move vlan config:all
Mac-move quiet times:1
Mac-move quiet period(s):120
Mac-move quiet log:ENABLE
Mac-move quiet user alarm:ENABLE
Mac-move quiet user alarm lower percentage(%):50
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE
Mac-move detect retry-interval(s):3
Mac-move detect retry-time:1
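The output above can be checked mechanically against the guidelines given earlier for the mac-move commands: MAC address migration should normally stay disabled, and when it is enabled, online-status detection is what stops a forged MAC address from displacing an online user, while a quiet period of 0 leaves frequent migrations unthrottled. The following Python code is an added example and not part of the command reference: it parses the name:value lines of display authentication mac-move configuration and reports those combinations. The sample text is the output shown above; the assumption that the Mac-move vlan config field is empty when migration is disabled is mine.

```python
"""Audit of 'display authentication mac-move configuration' output.

Added example, not device code. The checks follow the guidelines in the reference:
migration without online-status detection, and a quiet period of 0. Assumption:
the 'Mac-move vlan config' value is empty when MAC address migration is disabled.
"""

# Sample taken from the command output shown above.
SAMPLE_OUTPUT = """\
Mac-move vlan config:all
Mac-move quiet times:1
Mac-move quiet period(s):120
Mac-move quiet log:ENABLE
Mac-move quiet user alarm:ENABLE
Mac-move quiet user alarm lower percentage(%):50
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE
Mac-move detect retry-interval(s):3
Mac-move detect retry-time:1
"""


def parse_mac_move_config(text):
    """Turn each 'Item:value' line into a dict entry; keys keep the device's spelling."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.rpartition(":")   # the item names themselves contain no ':'
        cfg[key.strip()] = value.strip()
    return cfg


def audit_mac_move(cfg):
    """Return a list of findings derived from the guidelines for the mac-move commands."""
    findings = []
    vlans = cfg.get("Mac-move vlan config", "")
    enabled = bool(vlans)                      # assumption: empty when migration is disabled
    if enabled and cfg.get("Mac-move detect") == "DISABLE":
        findings.append(
            f"MAC address migration is enabled for VLAN(s) '{vlans}' but online-status "
            "detection is DISABLE; with 'authentication mac-move detect enable' the device "
            "refuses the migration while the user is still online on the original interface")
    if enabled and cfg.get("Mac-move quiet period(s)") == "0":
        findings.append("quiet period is 0: users that migrate repeatedly are never quieted, "
                        "so frequent interface switching keeps the CPU busy with authentication")
    if cfg.get("Mac-move quiet log") != "ENABLE":
        findings.append("quiet log is disabled: quiet entry additions and deletions "
                        "will not be recorded for troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in audit_mac_move(parse_mac_move_config(SAMPLE_OUTPUT)):
        print("finding:", finding)
```

On the sample output the audit reports exactly one finding (migration enabled in all VLANs with detection disabled); re-running it after authentication mac-move detect enable has been applied, so that the detect line reads ENABLE, yields none.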
Item: Mac-move quiet user alarm lower percentage(%)
Description: Lower alarm threshold for the percentage of MAC address migration users in quiet state. For details, see the 13.5.20 authentication mac-move quiet-user-alarm percentage command.
Item: Mac-move quiet user alarm upper percentage(%)
Description: Upper alarm threshold for the percentage of MAC address migration users in quiet state. For details, see the 13.5.20 authentication mac-move quiet-user-alarm percentage command.
Function
The display authentication mac-move quiet-user command displays information
about MAC address migration users in quiet state.
Format
display authentication mac-move quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Run this command to view information about MAC address migration users in
quiet state.
Example
# Display information about all MAC address migration users in quiet state.
<HUAWEI> display authentication mac-move quiet-user all
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 143
-------------------------------------------------------------------------------
1 quiet MAC found, 1 printed.
Format
display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run the display dot1x command to view configuration results of all
configuration commands in 802.1X authentication and statistics about 802.1X
packets.
The command output helps you to check whether the current 802.1X
authentication configuration is correct and isolate faults accordingly.
Follow-up Procedure
The display dot1x command displays the statistics on 802.1X packets. You can
locate the fault according to the packet statistics. When the fault is rectified, run
the reset dot1x statistics command to clear the packet statistics. After a period of
time, run the display dot1x command again to check the packet statistics. If no
error packet is found, the fault is rectified.
Example
# Display 802.1X authentication information.
<HUAWEI> display dot1x
Global 802.1x is Enabled
Authentication method is CHAP
Max users: 1024
Current users: 1
DHCP-trigger is Disabled
Handshake is Enabled
Quiet function is Enabled
Mc-trigger port-up-send is Disabled
Parameter set:Dot1x Handshake Period 16s Reauthen Period 60s
Arp Handshake Period 0s Client Timeout 10s
Quiet Period 600s Quiet-times 2
Eth-Trunk Handshake Period 120s Tx Period 30
Mac-By-Pass Delay 30s
dot1x URL: www.***.com.cn
Free-ip configuration(IP/mask):
192.168.1.0 /255.255.255.0
Item: Mac-By-Pass Delay
Description: The value of the delay timer for MAC address bypass authentication. To set the timeout interval of a client, run the dot1x timer command.
Item: Port control type is Auto
Description: The control mode on the interface is auto for 802.1X authentication user access. The access control modes include auto, authorized-force, and unauthorized-force. To set the control mode, run the dot1x port-control command.
Item: EAPOL Start Packets
Description: Number of globally received and sent EAPOL Start packets.
Format
display dot1x quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about 802.1X authentication users
who are quieted.
Example
# Display information about all 802.1X authentication users who are quieted.
<HUAWEI> display dot1x quiet-user all
-------------------------------------------------------------------------------
MacAddress Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
Table 13-83 Description of the display dot1x quiet-user all command output
Item Description
Function
The display mac-address authen command displays the current authen MAC
address entries in the system.
Format
display mac-address authen [ interface-type interface-number | vlan vlan-id ] *
[ verbose ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The authen MAC address entries are generated for pre-connection users or after
users pass authentication. The administrator can run this command to check the
existing authen or guest MAC address entries on the device. The administrator can
check information about user access based on these MAC address entries to locate
user access faults.
Precautions
If there are a lot of authen MAC address entries, you can specify a VLAN or use a
pipe operator (|) to filter the output information. Otherwise, the following
problems may occur due to excessive output information:
● The displayed information is refreshed repeatedly on the terminal screen and
the administrator cannot obtain the required information.
● The device traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all authen MAC address entries in the system.
<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/- GE0/0/1 authen
0000-0000-0400 3000/-/- GE0/0/1 authen
0000-0000-0200 3000/-/- GE0/0/1 authen
-------------------------------------------------------------------------------
Total items displayed = 3
Item: Total items displayed
Description: Total number of MAC address entries that match the filter condition.
Function
The display mac-address pre-authen command displays the current pre-authen
MAC address entries in the system.
Format
display mac-address pre-authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]
Parameters
Parameter: vlan vlan-id
Description: Displays MAC address entries in a specified VLAN. If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.
Value: The value is an integer that ranges from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to check the existing MAC address entries of the
pre-connection type to obtain access information about pre-connection users and
locate faults.
Precautions
If there are a lot of pre-authen MAC address entries, you can specify a VLAN or
use a pipe operator (|) to filter the output information. Otherwise, the following
problems may occur due to excessive output information:
● The displayed information is refreshed repeatedly on the terminal screen and
the administrator cannot obtain the required information.
● The device traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all pre-authen MAC address entries in the system.
<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/- GE0/0/1 pre-authen
0000-0000-0400 3000/-/- GE0/0/1 pre-authen
0000-0000-0200 3000/-/- GE0/0/1 pre-authen
-------------------------------------------------------------------------------
Total items displayed = 3
Item                     Description
Total items displayed    Total number of MAC address entries that match the filter condition.
Format
display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | configuration ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run the display mac-authen command to view configuration results of all
configuration commands in MAC address authentication. The command output
Example
# View all information about MAC address authentication.
<HUAWEI> display mac-authen
MAC address authentication is Enabled.
Username format: use MAC address without-hyphen as username
Quiet period is 60s
Authentication fail times before quiet is 1
Offline detect period is 300s
Reauthenticate period is 1000s
Guest user reauthenticate period is 60s
Maximum users: 100
Current users: 1
Global domain is not configured
Trigger condition: dhcp arp dhcpv6 nd
Item Description
Format
display mac-authen quiet-user { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about MAC address authentication
users who are quieted.
Example
# Display information about all MAC address authentication users who are
quieted.
<HUAWEI> display mac-authen quiet-user all
-------------------------------------------------------------------------------
MacAddress Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003 50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
Item Description
Function
The display port connection-type access all command displays all current
downlink interfaces on the device.
Format
display port connection-type access all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check all current downlink interfaces on the device.
Example
# Display all current downlink interfaces on the device.
<HUAWEI> display port connection-type access all
Slot 0:
GigabitEthernet0/0/1 GigabitEthernet0/0/2 GigabitEthernet0/0/3
GigabitEthernet0/0/4 GigabitEthernet0/0/5 GigabitEthernet0/0/6
GigabitEthernet0/0/7 GigabitEthernet0/0/8 GigabitEthernet0/0/9
GigabitEthernet0/0/10 GigabitEthernet0/0/11 GigabitEthernet0/0/12
GigabitEthernet0/0/13 GigabitEthernet0/0/14 GigabitEthernet0/0/15
GigabitEthernet0/0/16 GigabitEthernet0/0/17 GigabitEthernet0/0/18
GigabitEthernet0/0/19 GigabitEthernet0/0/20 GigabitEthernet0/0/21
GigabitEthernet0/0/22 GigabitEthernet0/0/23 GigabitEthernet0/0/24
Table 13-88 Description of the display port connection-type access all command output
Item Description
Function
The display portal command displays the Portal authentication configuration.
Format
display portal [ interface interface-type interface-number | configuration ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal command to view the Portal authentication
configuration and check whether the configuration is correct.
Example
# Display the Portal authentication configuration.
<HUAWEI> display portal
Portal timer offline-detect length:500
Portal max-user number:100
Quiet function is Disabled
Different-server is Disabled
Parameter set: Quiet Period 60s Quiet-times 3
Logout packets resend: Resend-times 3 Timeout 5s
Portal user(s) on slot 0:1
Item Description
Function
The display portal free-rule command displays authentication-free rules for
Portal authentication users.
Format
display portal free-rule [ rule-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display portal free-rule command shows the configuration of
authentication-free rules. You can locate faults according to the command output.
Example
# Display the configuration of authentication-free rules.
<HUAWEI> display portal free-rule
portal free-rule 0 destination ip 10.1.1.1 mask 255.255.255.255
portal free-rule 10 destination ip 10.1.1.2 mask 255.255.255.255
Total 2 free-rules
Related Topics
13.5.107 portal free-rule
Format
display portal local-server
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring the built-in Portal authentication, run this command to view the
configurations of a built-in Portal server.
Example
# Display the configurations of a built-in Portal server.
<HUAWEI> display portal local-server
Portal local-server config:
server status : disable
Heartbeat-check status : disable
server ip :-
authentication method : chap
protocol :-
https ssl-policy :-
server port :0
session-timeout : 8(h)
syslog-limit : enable
syslog-limit period : 300(s)
server pagename :-
server page-text :-
server policy-text :-
server background-image : default-image0
server background-color : -
server logo :-
server ad-image :-
Item Description
Format
display portal local-server connect [ user-ip ip-address ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal local-server connect command to check the
authentication mode and status of users to be authenticated on a built-in Portal
server.
Example
# Display the connection status of the user with the IP address 9.8.7.6 on a built-in
Portal server.
<HUAWEI> display portal local-server connect user-ip 10.1.1.10
-------------------------------------------------------------------------------
CID IP Address AuthMode State
1 10.1.1.10 CHAP ONLINE
--------------------------------------------------------------------------------
# Display the connection status of all users on the built-in Portal server.
<HUAWEI> display portal local-server connect
-------------------------------------------------------------------------------
CID IP Address AuthMode State
1 10.1.1.10 CHAP ONLINE
2 10.1.1.11 PAP ONLINE
--------------------------------------------------------------------------------
Related Topics
13.5.111 portal local-server authentication-method
13.5.108 portal local-server
13.5.114 portal local-server enable
Format
display portal local-server page-information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display portal local-server page-information command to
check the page files loaded to the memory of a built-in Portal server.
Example
# Display the page files loaded to the memory of a built-in Portal server.
<HUAWEI> display portal local-server page-information
--------------------------------------------------------------------------------
Number of backup pages:35
Size of backup pages:94438 byte
--------------------------------------------------------------------------------
Name:/logout_success.html
Size:4042 byte
Last-Modified-Time:2011-12-16 20:24:46
--------------------------------------------------------------------------------
Item Description
Related Topics
13.5.117 portal local-server load
Function
The display portal quiet-user command displays information about Portal
authentication users in quiet state.
Format
display portal quiet-user { all | server-ip ip-address | user-ip ip-address }
Parameters
Parameter   Description                                                  Value
all         Displays information about all Portal authentication users   -
            in quiet state.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the quiet timer is enabled, you can run the display portal quiet-user
command to view information about Portal authentication users in quiet state.
Example
# Display information about all Portal authentication users in quiet state.
<HUAWEI> display portal quiet-user all
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.1 10
192.168.1.2 20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.
# Display information about all the users in quiet state authenticated by the
Portal authentication server with IP address 192.168.2.1.
<HUAWEI> display portal quiet-user server-ip 192.168.2.1
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.3 10
192.168.1.4 20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.
Item Description
Related Topics
13.5.127 portal quiet-period
13.5.128 portal quiet-times
13.5.130 portal timer quiet-period
Function
The display portal user-logout command displays temporary logout entries of
Portal authentication users.
Format
display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-name ] ]
NOTE
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The device records temporary entries after Portal authentication users are
disconnected. The network administrator can run this command to check
temporary logout entries to locate faults.
If the parameter ip-address ip-address [ vpn-instance vpn-instance-name ] is not
specified, the temporary logout entries of all Portal authentication users are
displayed.
Example
# Display the temporary logout entries of all Portal authentication users.
<HUAWEI> display portal user-logout
--------------------------------------------------------------
UserIP Vrf Resend Times TableID
--------------------------------------------------------------
192.168.111.100 1 3 0
--------------------------------------------------------------
Total: 1, printed: 1
Item Description
Function
The display portal url-encode configuration command displays the
configuration of URL encoding and decoding.
Format
display portal url-encode configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring URL encoding and decoding, you can run the display portal
url-encode configuration command to check the configuration.
Example
# Display the configuration of URL encoding and decoding.
<HUAWEI> display portal url-encode configuration
Portal URL Encode : Disable
Related Topics
13.5.131 portal url-encode enable
Format
display server-detect state [ web-auth-server server-name ]
Parameters
Parameter Description Value
web-auth-server    Displays information about the Portal server status    The Portal server template
server-name        configured in the specified Portal server template.    name must exist.
                   If this parameter is not specified, status of all
                   Portal servers is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When an external Portal server is used for Portal authentication, you can run the
display server-detect state command to check information about the Portal
server status.
Example
# Display information about the Portal server status configured in the Portal
server template abc.
<HUAWEI> display server-detect state web-auth-server abc
Web-auth-server : abc
Total-servers : 4
Live-servers : 1
Critical-num : 0
Status : Normal
Ip-address Status
192.168.2.1 UP
192.168.2.2 DOWN
192.168.2.3 DOWN
192.168.2.4 DOWN
Related Topics
13.5.141 server-ip (Portal server template view)
13.5.140 server-detect
Function
The display snmp-agent trap feature-name mid_aaa all command displays the
status of all traps on the AAA module.
Format
display snmp-agent trap feature-name mid_aaa all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the AAA module, you can run this command
to check the status of all traps on the AAA module. To enable the trap function for
the AAA module, run the snmp-agent trap enable feature-name mid_aaa
command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the AAA module.
<HUAWEI> display snmp-agent trap feature-name mid_aaa all
------------------------------------------------------------------------------
Feature name: MID_AAA
Trap number : 2
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwMacMovedQuietMaxUserAlarm on on
hwMacMovedQuietUserClearAlarm on on
Item Description
Related Topics
13.5.143 snmp-agent trap enable feature-name mid_aaa
Format
display snmp-agent trap feature-name mid_eapol all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the DOT1X module, you can run this
command to check the status of all traps on the DOT1X module. To enable the
trap function for the DOT1X module, run the snmp-agent trap enable
feature-name mid_eapol command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the DOT1X module.
<HUAWEI> display snmp-agent trap feature-name mid_eapol all
------------------------------------------------------------------------------
Feature name: MID_EAPOL
Trap number : 2
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwSrvcfgEapMaxUserAlarm on on
hwMacAuthenMaxUserAlarm on on
Item Description
Related Topics
13.5.144 snmp-agent trap enable feature-name mid_eapol
Function
The display snmp-agent trap feature-name mid_web all command displays the
status of all traps on the web authentication module.
Format
display snmp-agent trap feature-name mid_web all
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After enabling the trap function for the web authentication module, you can run
this command to check the status of all traps on the web authentication module.
To enable the trap function for the web authentication module, run the
snmp-agent trap enable feature-name mid_web command.
Prerequisites
The SNMP function has been enabled on the device. For details, see snmp-agent.
Example
# Display the status of all traps on the web authentication module.
<HUAWEI> display snmp-agent trap feature-name mid_web all
------------------------------------------------------------------------------
Feature name: MID_WEB
Trap number : 4
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwPortalServerUp on on
hwPortalServerDown on on
hwPortalMaxUserAlarm on on
hwPortalUserClearAlarm on on
Item Description
Related Topics
13.5.145 snmp-agent trap enable feature-name mid_web
Function
The display static-user command displays static user information.
Format
display static-user [ domain-name domain-name | interface interface-type interface-number | ip-address start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] *
NOTE
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a static user is configured, you can run the display static-user command to
view the static user information.
Example
# Display information about all static users configured.
<HUAWEI> display static-user
IP-address Interface MAC-address VPN
-------------------------------------------------------------------------------
10.1.1.1 GE0/0/3 - -
10.1.1.2 GE0/0/3 - -
10.1.1.3 GE0/0/3 - -
10.1.1.5 GE0/0/5 0001-0001-0001 -
10.1.1.6 GE0/0/5 0001-0001-0001 -
10.1.1.7 GE0/0/5 0001-0001-0001 -
10.1.1.8 GE0/0/5 0001-0001-0001 -
10.1.1.10 - 0002-0002-0002 -
10.1.1.11 - 0002-0002-0002 -
10.1.1.12 - 0002-0002-0002 -
-------------------------------------------------------------------------------
Total item(s) displayed = 10
Item                                  Description
Total item(s) number= m, displayed    The total number of entries is m and the number of
number= n                             displayed entries is n.
Related Topics
13.5.147 static-user
13.5.149 static-user username format-include
13.5.148 static-user password
Format
display url-template { all | name template-name }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a URL template is configured, run the display url-template command to
view information about the URL template.
Example
# Display information about all configured URL templates.
<HUAWEI> display url-template all
-------------------------------------------------------------------------------
Name URL Start Assignment Isolate
Number Mark Mark Mark
-------------------------------------------------------------------------------
huawei 0 ? = &
huawei2 0 ? = &
huawei3 0 ? = &
-------------------------------------------------------------------------------
Total 3
Delimiter :%
Format : normal
Login URL Key : logiurl
Login URL : http:\\huawei.com
Format
display user-group [ group-name ]
Parameters
Parameter Description Value
group-name   Displays the configuration of a specified user group.     The value is a string of 1 to 64
             The configurations of all user groups are displayed if   case-sensitive characters without
             this parameter is not specified.                          spaces.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display user-group command to obtain the user group
configuration and locate faults according to the command output.
Example
# Display the configuration of all user groups.
<HUAWEI> display user-group
-------------------------------------------------------------------------------
ID Group name Rule-num User-num Status
-------------------------------------------------------------------------------
0 abc 0 0 disabled
-------------------------------------------------------------------------------
Total 1
NOTE
When the length of Group name exceeds 14 characters, the name is displayed in abridged mode.
Related Topics
13.5.6 acl-id (user group view)
13.5.156 user-group
13.5.157 user-group enable
Format
display web-auth-server configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the Portal server template is configured, the display web-auth-server
configuration command displays the Portal server configuration.
Example
# Display the Portal server configuration.
<HUAWEI> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
-------------------------------------------------------------------------------
Enabled protocol : https
Listening port : 8443
SSL policy : default_policy
-------------------------------------------------------------------------------
Web-auth-server Name : huawei
IP-address :
Shared-key :
Source-IP :-
Port / PortFlag : 50100 / NO
URL : https://192.168.2.10:8443/webauth
URL Template :
URL Template ParaName:
URL Template IVName :
URL Template Key :
Redirection : Enable
Sync : Disable
Sync Seconds : 300
Sync Max-times :3
Detect : Disable
Detect Seconds : 60
Detect Max-times :3
Detect Critical-num : 0
Detect Action :
VPN Instance :
Bound Vlanif :
Bound Interface :
Protocol : http
Http Get-method : disable
Password Encrypt : none
-------------------------------------------------------------------------------
1 Web authentication server(s) in total
Item                    Description
Include reply message   Whether the packets sent from the device to the Portal server
                        contain authentication responses.
                        ● enabled
                        ● disabled
                        To enable the device to transparently transmit authentication
                        responses of users sent by the authentication server to the
                        Portal server, run the 13.5.166 web-auth-server reply-message
                        command.
Format
device-sensor dhcp option option-code &<1-6>
undo device-sensor dhcp option option-code &<1-6>
Parameters
Parameter     Description                                                Value
option-code   Specifies the DHCP option field that the device needs      The value is an integer that
              to resolve.                                                ranges from 1 to 254.
              The option fields in a DHCP packet carry the control
              information and parameters, for example, terminal type.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
After the DHCP-based terminal type awareness function is enabled, the device can
resolve the option fields that carry terminal type information in the received DHCP
Request packets. The device then sends the option information to the RADIUS
server through RADIUS accounting packets. Through the option information, the
RADIUS server knows the terminal types and controls the network access rights
and packet processing priorities of the terminals.
Precautions
● The command takes effect only when the authentication or accounting mode
in the AAA scheme is RADIUS.
● To make this command take effect, you must run the 14.8.20 dhcp snooping
enable command on the interfaces or in VLANs.
Example
# Set the option fields to be resolved by the device to option 60.
<HUAWEI> system-view
[HUAWEI] device-sensor dhcp option 60
Related Topics
14.8.20 dhcp snooping enable
Format
device-sensor lldp tlv tlv-type &<1-4>
undo device-sensor lldp tlv
Parameters
Parameter   Description                                  Value
tlv-type    Specifies the LLDP TLV type from which the   The value is an integer that can be 1, 2, 5,
            device learns the terminal type.             6, 7, 8, or 127. The values are as follows:
                                                         ● 1: Chassis ID TLV, indicating the bridge
                                                           MAC address of the device
                                                         ● 2: Port ID TLV, indicating the port that
                                                           sends the LLDPDU
                                                         ● 5: System Name TLV, indicating the device
                                                           name
                                                         ● 6: System Description TLV, indicating the
                                                           system description
                                                         ● 7: System Capabilities TLV, indicating the
                                                           system capabilities
                                                         ● 8: Management Address TLV, indicating the
                                                           management address
                                                         ● 127: Organization Specific TLV, indicating
                                                           user-defined organization information. You
                                                           can run the lldp tlv-enable med-tlv command
                                                           on the physical interface for user access
                                                           to set this parameter.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
Using the LLDP-based terminal type awareness function, the device parses the
required TLV type containing terminal type information from the received LLDP
packets. The device then sends the TLV type information to the RADIUS server
through a RADIUS accounting packet. Through the TLV type information, the
RADIUS server knows the terminal types and controls the network access rights
and packet processing priorities of the terminals.
Precautions
● The command takes effect only when the authentication or accounting mode
in the AAA scheme is RADIUS.
● The command takes effect only when the LLDP function is enabled on the
device and the connected peer device.
Example
# Enable the terminal type awareness function based on LLDP TLV type 5.
<HUAWEI> system-view
[HUAWEI] device-sensor lldp tlv 5
Related Topics
13.5.57 device-sensor dhcp option
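The two structures that device-sensor dhcp option and device-sensor lldp tlv configure the device to inspect, as an added example that is not Huawei code: a parser for the DHCP option area (code, length, value) and for LLDP TLVs (7-bit type, 9-bit length), followed by a filter that keeps only the configured option codes or TLV types, which is what the device would forward in RADIUS accounting. The DHCP option area and LLDPDU below are constructed for the example; the terminal names in them are fictitious.

```python
"""Fields inspected by DHCP- and LLDP-based terminal type awareness.

Added example, not Huawei code: parses a DHCP option area and an LLDPDU and
keeps only the option codes / TLV types configured with device-sensor.
Sample packets are constructed."""
import struct


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for a DHCP option area (RFC 2131 layout).

    Pad (0) has no length byte and end (255) stops parsing. A truncated option
    is dropped instead of being returned partially, and a code that appears
    more than once is concatenated as RFC 3396 requires."""
    result = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                      # pad octet
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(options):          # code without a length byte
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:            # value overruns the packet: untrusted
            break
        result[code] = result.get(code, b"") + value
        i += 2 + length
    return result


def parse_lldp_tlvs(lldpdu: bytes) -> list:
    """Return [(type, value), ...] from an LLDPDU.

    Each TLV header is 16 bits: 7-bit type then 9-bit length. Type 0
    (End of LLDPDU) terminates; a truncated TLV is dropped."""
    tlvs = []
    i = 0
    while i + 2 <= len(lldpdu):
        (header,) = struct.unpack("!H", lldpdu[i:i + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == 0:
            break
        value = lldpdu[i + 2:i + 2 + length]
        if len(value) < length:
            break
        tlvs.append((tlv_type, value))
        i += 2 + length
    return tlvs


def sensed_dhcp_options(options: bytes, option_codes) -> dict:
    """What `device-sensor dhcp option <codes>` would pass on to RADIUS accounting."""
    parsed = parse_dhcp_options(options)
    return {c: parsed[c] for c in option_codes if c in parsed}


def sensed_lldp_tlvs(lldpdu: bytes, tlv_types) -> dict:
    """What `device-sensor lldp tlv <types>` would pass on to RADIUS accounting."""
    return {t: v for t, v in parse_lldp_tlvs(lldpdu) if t in tlv_types}


def dhcp_option(code: int, value: bytes) -> bytes:
    """Encode one DHCP option (used only to build the constructed samples)."""
    return bytes([code, len(value)]) + value


def lldp_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV (used only to build the constructed samples)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed DHCP Request option area: message type 3 (Request), a vendor
# class identifier (option 60) naming a fictitious phone, a parameter request
# list (option 55), one pad octet and the end option.
SAMPLE_DHCP_OPTIONS = (
    dhcp_option(53, b"\x03")
    + dhcp_option(60, b"constructed-ipphone")
    + dhcp_option(55, b"\x01\x03\x06")
    + b"\x00"
    + b"\xff"
)

# Constructed LLDPDU: Chassis ID (subtype 4, MAC address), Port ID (subtype 5,
# interface name), TTL, System Name, End of LLDPDU.
SAMPLE_LLDPDU = (
    lldp_tlv(1, b"\x04" + bytes.fromhex("001122334455"))
    + lldp_tlv(2, b"\x05eth0")
    + lldp_tlv(3, struct.pack("!H", 120))
    + lldp_tlv(5, b"phone-01")
    + lldp_tlv(0, b"")
)

if __name__ == "__main__":
    print(sensed_dhcp_options(SAMPLE_DHCP_OPTIONS, [60]))  # {60: b'constructed-ipphone'}
    print(sensed_lldp_tlvs(SAMPLE_LLDPDU, [5]))            # {5: b'phone-01'}
```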
Function
The dot1x authentication-method command sets the authentication mode for
802.1X users.
Format
dot1x authentication-method { chap | pap | eap }
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, users exchange authentication information with the
device using EAP packets. The device uses two modes to exchange authentication
information with the RADIUS server.
● EAP termination: The device directly parses EAP packets, encapsulates user
authentication information into a RADIUS packet, and sends the RADIUS
packet to the RADIUS server for authentication. In EAP termination
authentication mode, the device and RADIUS server exchange information
using PAP or CHAP.
– PAP: The device arranges the MAC address, shared key, and random value
in sequence, performs hash processing on them using the MD5 algorithm,
and encapsulates the hash result into the User-Password attribute.
– CHAP: The device arranges the CHAP ID, MAC address, and random value
in sequence, performs hash processing on them using the MD5 algorithm,
and encapsulates the hash result into the CHAP-Password and CHAP-
Challenge attributes.
After the device directly parses EAP packets, user information in the EAP
packets is authenticated by a local AAA module, or sent to the RADIUS or
HWTACACS server for authentication.
● EAP relay (specified by eap): The device encapsulates EAP packets into
RADIUS packets and sends the RADIUS packets to the RADIUS server, but
does not parse the received EAP packets that include user authentication
information. This mechanism is called EAP over RADIUS (EAPOR).
The EAP relay mechanism requires that the RADIUS server parse a large number
of EAP packets and carry out the authentication itself; it is therefore used when
the RADIUS server has high processing capability. If the RADIUS server cannot
parse a large number of EAP packets and carry out authentication, EAP
termination is recommended, in which the device parses the EAP packets on
behalf of the RADIUS server.
NOTE
● The authentication mode can be set to EAP relay for 802.1X authentication users only
when the RADIUS authentication is used.
● If the 802.1X client uses the MD5 encryption mode, the user authentication mode on
the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication
mode, the authentication mode on the device can be set to EAP.
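The PAP and CHAP encapsulation used in EAP termination mode, as an added example that is not part of this reference: it implements the standard constructions the RADIUS attributes carry, User-Password hiding from RFC 2865 section 5.2 for PAP and the CHAP response from RFC 1994 carried in CHAP-Password and CHAP-Challenge, together with the server-side reversal and check. The text above summarises the hashed inputs loosely; this example follows the RFC definitions instead, and the shared secret, authenticator and credentials are constructed.

```python
"""PAP and CHAP credential encapsulation toward RADIUS in EAP termination mode.

Added example, not Huawei code. Implements User-Password hiding (RFC 2865 5.2)
and the CHAP response (RFC 1994) in CHAP-Password / CHAP-Challenge, plus the
server-side reversal and check. Secret, authenticator and credentials are
constructed."""
import hashlib
import hmac
import os

USER_PASSWORD = 2     # RADIUS attribute types (RFC 2865)
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    Only the shared secret protects the credential on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same construction; trailing null padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_pap_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP: the hidden credential travels in a single User-Password attribute."""
    return radius_attribute(USER_PASSWORD, hide_user_password(password, secret, authenticator))


def build_chap_attributes(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password = CHAP Ident || 16-octet response; CHAP-Challenge = challenge."""
    resp = chap_response(chap_id, password, challenge)
    return (radius_attribute(CHAP_PASSWORD, bytes([chap_id]) + resp)
            + radius_attribute(CHAP_CHALLENGE, challenge))


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list, rejecting lengths that overrun the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def verify_chap_attributes(blob: bytes, password: bytes) -> bool:
    """Server check: recompute the response from the stored password."""
    attrs = dict(parse_attributes(blob))
    if CHAP_PASSWORD not in attrs or CHAP_CHALLENGE not in attrs:
        return False
    if len(attrs[CHAP_PASSWORD]) != 17:    # Ident + 16-octet MD5 response
        return False
    chap_id, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    expected = chap_response(chap_id, password, attrs[CHAP_CHALLENGE])
    return hmac.compare_digest(resp, expected)


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", os.urandom(16)
    hidden = hide_user_password(b"constructed-password", secret, auth)
    print(reveal_user_password(hidden, secret, auth))
    blob = build_chap_attributes(1, b"constructed-password", os.urandom(16))
    print(verify_chap_attributes(blob, b"constructed-password"))
```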
Example
# Set the authentication mode to EAP for 802.1X users in the device in the system
view.
<HUAWEI> system-view
[HUAWEI] dot1x authentication-method eap
Related Topics
13.5.34 display dot1x
Function
The dot1x dhcp-trigger command enables DHCP-triggered 802.1X authentication.
Format
dot1x dhcp-trigger
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
NOTE
After receiving the request packet from an 802.1X user, the device starts authenticating the
user. If the user is authenticated, the device allocates an IP address to the user through a
DHCP server; if the user fails the authentication, the user cannot obtain a dynamic IP
address from the DHCP server.
Prerequisites
802.1X authentication has been enabled globally and on an interface using the
13.5.63 dot1x enable command.
Precautions
The dot1x dhcp-trigger command can be used only when the client supports
DHCP and 802.1X authentication.
Example
# Enable DHCP-triggered 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] dot1x dhcp-trigger
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
Function
The dot1x domain command configures a forcible domain for 802.1X
authentication users.
The undo dot1x domain command restores the default setting of a forcible
domain for 802.1X authentication users.
Format
dot1x domain domain-name
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, MultiGE interface view, XGE interface
view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
During authentication, if the user name entered by a user does not contain a
domain name, the user will be authenticated in the default domain; if the user
name contains a domain name, the user will be authenticated in the specified
domain.
If the user names entered by many users do not contain domain names, too many
users are authenticated in the default domain, which makes the authentication
scheme inflexible. Likewise, if all users on an interface need to use the same
AAA scheme but only some of the entered user names contain a domain name,
the device cannot meet this requirement. To address this issue, you can
configure a forcible domain. All users on the interface are then authenticated
in the forcible domain regardless of whether the user names they enter contain
domain names.
Prerequisites
A domain has been created using the 13.1.47 domain (AAA view) command.
Example
# Configure the forcible domain huawei for 802.1X authentication users on the
interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x domain huawei
Related Topics
13.1.47 domain (AAA view)
By default, the device is disabled from sending an EAP packet code number to
users.
Format
dot1x eap-notify-packet eap-code code-number data-type type-number
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a non-Huawei device used as the RADIUS server sends RADIUS packets with
attribute 61, EAP packet code number 0xa (hexadecimal notation, 10 in decimal
notation), and data type 0x19 (hexadecimal notation, 25 in decimal notation) to
the device, run the dot1x eap-notify-packet command on the device so that the
device can send EAP packets with code number 0xa and data type 0x19 to users. If
the dot1x eap-notify-packet command is not executed, the device does not
process EAP packets of this type and users are disconnected.
Precautions
The device can only process EAP packets with code number 10 and data type 25.
Example
# Allow the device to send EAP packets with code number 10 and data type 25 to
users.
<HUAWEI> system-view
[HUAWEI] dot1x eap-notify-packet eap-code 10 data-type 25
Related Topics
13.5.63 dot1x enable
Format
In the system view:
dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
undo dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
In the interface view:
dot1x enable
undo dot1x enable
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The IEEE 802.1X standard (802.1X for short) is a port-based network access control
protocol. You can run the dot1x enable command to enable 802.1X
authentication globally and on an interface.
● All users have been disconnected before the undo operation is executed.
● After the static MAC address entry is configured using the mac-address static
mac-address interface-type interface-number vlan vlan-id command, the user
corresponding to the entry cannot pass 802.1X authentication.
● If 802.1X authentication is enabled on an interface, the following commands
cannot be used on the same interface.
Command Function
Example
# Enable 802.1X authentication on GE0/0/1 in the system view.
<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
Related Topics
13.5.34 display dot1x
The undo dot1x free-ip command deletes the configured free IP subnet.
Format
dot1x free-ip ip-address { mask-length | mask-address }
Parameters
Parameter      Description                                   Value
ip-address     Specifies a free IP subnet.                   The value is in dotted decimal notation.
mask-length    Specifies the mask length of an IP address.   The value is an integer that ranges from 1 to 32.
mask-address   Specifies the mask of the IP address.         The value is in dotted decimal notation.
all            Deletes all free IP subnets.                  -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
802.1X users can access networks only after being authenticated. You can
configure a free IP subnet, so that users can access network resources in the free
IP subnet before being authenticated.
Precautions
Example
# Configure 192.168.1.0/24 as a free IP subnet that users can access before they
pass 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] dot1x free-ip 192.168.1.0 24
Related Topics
13.5.84 dot1x url
13.5.34 display dot1x
The undo dot1x handshake command disables the device from sending
handshake packets to online 802.1X users.
By default, the device handshake function is disabled for online 802.1X users.
Format
dot1x handshake
undo dot1x handshake
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To check whether an 802.1X user is online in real time, you can run the dot1x
handshake command to enable the device to send handshake packets to the
802.1X user. The device sends handshake request packets to the user. If the user
sends a response packet within the handshake interval (set using the 13.5.80
dot1x timer command), the device considers that the user is online. If the user
does not send any response packet within the interval, the device considers that
the user is offline.
NOTE
If a client does not support the handshake function, the device will not receive handshake
response packets within the handshake interval and considers that the user is offline.
Therefore, disable the device from sending handshake packets to an online 802.1X user
when the user's client does not support the handshake function.
After the 13.5.80 dot1x timer arp-detect arp-detect-value command is executed to
configure ARP detection, the handshake function between the device and online 802.1X
users does not take effect.
Example
# Enable the device to send handshake packets to online 802.1X users.
<HUAWEI> system-view
[HUAWEI] dot1x handshake
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
The undo dot1x handshake packet-type command restores the default type of
802.1X authentication handshake packets.
Format
dot1x handshake packet-type { request-identity | srp-sha1-part2 }
Parameters
Parameter          Description                                                                               Value
request-identity   Indicates that the type of 802.1X authentication handshake packets is request-identity.   -
srp-sha1-part2     Indicates that the type of 802.1X authentication handshake packets is srp-sha1-part2.     -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, different vendors' devices support different
handshake packet types. By default, the device uses 802.1X authentication
handshake packets of the request-identity type. If a device connected to the
non-Huawei device uses the 802.1X authentication handshake packets of the
srp-sha1-part2 type, run the dot1x handshake packet-type command to set the type of
802.1X authentication handshake packets to srp-sha1-part2.
NOTE
The dot1x handshake packet-type command takes effect only for users that log in after
the command is run.
Example
# Set the type of 802.1X authentication handshake packets to srp-sha1-part2.
<HUAWEI> system-view
[HUAWEI] dot1x handshake packet-type srp-sha1-part2
Related Topics
13.5.65 dot1x handshake
Function
The dot1x mac-bypass command enables MAC address bypass authentication on
an interface.
Format
In the system view:
dot1x mac-bypass
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can enable MAC address bypass authentication for terminals (for example,
printers) on which the 802.1X client software cannot be installed or used.
After MAC address bypass authentication is enabled on the interface using the
dot1x mac-bypass command, the device first performs 802.1X authentication on
users. If the user name request times out, the device starts the MAC address
authentication process for the users. When 802.1X authentication fails, the device
does not start the MAC address authentication process.
NOTE
Prerequisites
802.1X authentication has been enabled globally using the 13.5.63 dot1x enable
command.
Example
# Enable MAC address bypass authentication on GE0/0/1 in the system view.
<HUAWEI> system-view
[HUAWEI] dot1x mac-bypass interface gigabitethernet 0/0/1
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
Function
The dot1x mac-bypass access-port command enables MAC address bypass
authentication on all downlink interfaces of the device.
The undo dot1x mac-bypass access-port command disables MAC address bypass
authentication on all downlink interfaces of the device.
Format
dot1x mac-bypass access-port all
undo dot1x mac-bypass access-port all
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can enable MAC address bypass authentication for terminals (such as
printers) on which the 802.1X client software cannot be installed or used.
After MAC address bypass authentication is enabled, the device performs 802.1X
authentication on a user. Once 802.1X authentication fails, the device sends the
user's MAC address as the user name and password to the authentication server.
NOTE
MAC address bypass authentication involves 802.1X authentication. That is, the
dot1x mac-bypass access-port all command also enables 802.1X authentication on the interfaces; the
undo dot1x mac-bypass access-port all command also disables 802.1X authentication on
the interfaces. If 802.1X authentication has been enabled on the interfaces, the
authentication mode on the interfaces is changed to MAC address bypass authentication
after you run the dot1x mac-bypass access-port all command.
Prerequisites
802.1X authentication has been enabled globally and on the interfaces using the
13.5.63 dot1x enable command.
Example
# In the system view, enable MAC address bypass authentication on all downlink
interfaces of the device.
<HUAWEI> system-view
[HUAWEI] dot1x mac-bypass access-port all
The undo dot1x mac-bypass mac-auth-first command disables the device from
performing MAC address authentication first during MAC address bypass
authentication.
By default, the MAC address authentication is not performed first during MAC
address bypass authentication.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When both the clients that do not support 802.1X authentication (such as
printers) and the clients that support 802.1X authentication (such as PCs) are
connected to the interface enabled with MAC address bypass authentication, you
can run the dot1x mac-bypass mac-auth-first command to enable the device to
perform MAC address authentication first during MAC address bypass
authentication. After that, the device first starts the MAC address authentication
process for users, and triggers 802.1X authentication only if MAC address
authentication fails.
Prerequisites
802.1X authentication has been enabled globally and on an interface using the
13.5.63 dot1x enable command.
Follow-up Procedure
Run the dot1x mac-bypass command to enable MAC address bypass
authentication on the interface.
Example
# Enable the device to first perform MAC address authentication on GE0/0/1
during MAC address bypass authentication in the system view.
<HUAWEI> system-view
[HUAWEI] dot1x mac-bypass mac-auth-first interface gigabitethernet 0/0/1
Related Topics
13.5.63 dot1x enable
13.5.67 dot1x mac-bypass
Format
In the system view:
dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To limit the maximum number of 802.1X authentication users allowed on an
interface, run the dot1x max-user command.
Prerequisites
The 802.1X authentication function has been enabled globally and on an interface
using the 13.5.63 dot1x enable command.
Precautions
If the user access mode on an interface is interface-based (configured using the
dot1x port-method command), the maximum number of 802.1X authentication
users allowed on the interface is 1. Before running the dot1x max-user command
to set the maximum number of 802.1X authentication users allowed on the
interface, run the undo dot1x port-method command to restore the user access
mode on the interface to MAC address-based.
Example
# In the system view, set the maximum number of 802.1X authentication users
allowed on GE0/0/1 to 7.
<HUAWEI> system-view
[HUAWEI] dot1x max-user 7 interface gigabitethernet 0/0/1
# In the interface view, set the maximum number of 802.1X authentication users
allowed on GE0/0/1 to 7.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 7
Related Topics
13.5.63 dot1x enable
13.5.74 dot1x port-method
13.5.34 display dot1x
Format
dot1x mc-trigger
undo dot1x mc-trigger
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a client (for example, the built-in 802.1X client of the Windows operating
system) cannot send an EAPOL-Start packet to perform 802.1X authentication, you
can enable multicast-triggered 802.1X authentication. After that, the device
multicasts an Identity EAP-Request frame to the client to trigger authentication.
Prerequisites
802.1X authentication has been enabled globally and on the interface using the
dot1x enable command.
Example
# Enable multicast-triggered 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger
Related Topics
13.5.63 dot1x enable
Function
The dot1x mc-trigger port-up-send enable command enables the function of
triggering 802.1X authentication through multicast packets immediately after an
interface goes Up.
The undo dot1x mc-trigger port-up-send enable command disables the function
of triggering 802.1X authentication through multicast packets immediately after
an interface goes Up.
Format
dot1x mc-trigger port-up-send enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
When the access control mode on the device interface is based on the MAC
address, the dot1x mc-trigger port-up-send enable command does not take
effect.
Example
# Enable the function of triggering 802.1X authentication through multicast
packets immediately after an interface goes Up.
<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger port-up-send enable
Function
The dot1x port-control command sets the authorization state of an interface.
The undo dot1x port-control command restores the default authorization state
of an interface.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The auto mode is recommended. Only authenticated users can access network
resources. To trust all users on an interface without authentication, configure the
authorized-force mode. To disable access rights of all users on an interface to
ensure security, configure the unauthorized-force mode.
Prerequisites
802.1X authentication has been enabled globally and on an interface using the
13.5.63 dot1x enable command.
Precautions
When there are online 802.1X users on an interface, the dot1x port-control
command must not be run; otherwise, the system displays alarm information.
It is recommended that you set the authorization state of an interface in the early
stage of network deployment. When the network is running properly, run the cut
access-user command to disconnect all users from the interface before changing
the authorization state.
Example
# Set the authorization state of GE0/0/1 to unauthorized-force in the system
view.
<HUAWEI> system-view
[HUAWEI] dot1x port-control unauthorized-force interface gigabitethernet 0/0/1
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
Format
In the system view:
dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo dot1x port-method interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
dot1x port-method { mac | port }
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
● When the mac method is used, all 802.1X users on an interface are
authenticated one by one. If a user goes offline, other users on this interface
are not affected. The mac method is applicable to individual users.
● When the port method is used, all the other 802.1X users on an interface can
use network resources as long as one user is authenticated successfully. When
the authenticated user goes offline, other users cannot use network resources.
The port method is applicable to group users.
Prerequisites
802.1X authentication has been enabled globally and on an interface using the
13.5.63 dot1x enable command.
Precautions
● When there are online 802.1X users on an interface, do not run the dot1x
port-method command to change the access control method on the
interface.
● If the access control method of an interface is set to port, only one 802.1X
user can access the interface. After you run the undo dot1x port-method
command, MAC address-based access control is enabled, but still only one
user can access the interface. You can run the 13.5.70 dot1x max-user
command to increase the maximum number of 802.1X users as required.
Example
# Set the 802.1X access control method on GE0/0/1 in the system view to port.
<HUAWEI> system-view
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
# Set the 802.1X access control method on GE0/0/1 in the interface view to port.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x port-method port
Related Topics
13.5.63 dot1x enable
13.5.70 dot1x max-user
13.5.34 display dot1x
Format
dot1x quiet-period
undo dot1x quiet-period
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the quiet timer function is enabled, if the number of authentication failures
of an 802.1X user exceeds a specified value (set using the 13.5.76
dot1x quiet-times command) within 60 seconds, the user enters a quiet period. During the
quiet period, the device discards the 802.1X authentication request packets from
the user. This prevents the impact on the system due to frequent user
authentication.
The value of the quiet timer is set using the 13.5.80 dot1x timer command. When
the quiet timer expires, the device re-authenticates the user.
Precautions
To make the configuration take effect, run the 13.5.63 dot1x enable command
twice to enable global and interface-based 802.1X user authentication.
Example
# Enable the quiet timer.
<HUAWEI> system-view
[HUAWEI] dot1x quiet-period
Related Topics
13.5.76 dot1x quiet-times
Format
dot1x quiet-times fail-times
undo dot1x quiet-times
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the quiet timer function of the device is enabled using the 13.5.75 dot1x
quiet-period command, if the number of authentication failures of an 802.1X user
exceeds the value that is set using the dot1x quiet-times command within 60
seconds, the user enters the quiet state. This prevents the impact on the system
due to frequent user authentication.
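A runnable model of the quiet-period logic described for dot1x quiet-period and dot1x quiet-times, added here as an example and not part of the Huawei documentation or device code. The fixed 60-second window, the fail-times threshold and the quiet-period timer come from the text; the event format, the second MAC address and the strict "exceeds" comparison are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

FAIL_WINDOW_SECONDS = 60  # the fixed 60-second window stated in the command description


@dataclass
class QuietPeriodTracker:
    """Per-MAC tracking of 802.1X authentication failures and quiet state.

    fail_times   -> value configured with `dot1x quiet-times fail-times`
    quiet_period -> value configured with `dot1x timer quiet-period` (seconds)
    enabled      -> whether `dot1x quiet-period` has been run
    """
    fail_times: int
    quiet_period: int
    enabled: bool = True
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _quiet_until: dict = field(default_factory=dict)

    def is_quiet(self, mac: str, now: float) -> bool:
        until = self._quiet_until.get(mac)
        return until is not None and now < until

    def handle_request(self, mac: str, now: float) -> str:
        """Decide what happens to an authentication request packet from `mac`.

        Returns "discard" while the user is in the quiet period, otherwise
        "forward" (the device processes the request; once the quiet timer has
        expired the user is simply authenticated again).
        """
        if self.is_quiet(mac, now):
            return "discard"
        if mac in self._quiet_until:          # quiet timer expired: start afresh
            del self._quiet_until[mac]
            self._failures[mac].clear()
        return "forward"

    def record_failure(self, mac: str, now: float) -> bool:
        """Record one authentication failure; return True if it starts the quiet state.

        Assumption: "exceeds fail-times within 60 seconds" is implemented as a
        strict comparison over a sliding window (more than fail_times failures
        whose timestamps lie within the last 60 seconds).
        """
        if not self.enabled or self.is_quiet(mac, now):
            return False
        window = self._failures[mac]
        window.append(now)
        while window and now - window[0] > FAIL_WINDOW_SECONDS:
            window.popleft()                  # drop failures older than the window
        if len(window) > self.fail_times:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False


def replay(events, fail_times: int = 4, quiet_period: int = 60):
    """Replay a list of (time, mac, kind) events; kind is "request" or "fail".

    Returns a list of (time, mac, outcome) where outcome is "forward",
    "discard", "fail" or "quiet" (the failure that started the quiet period).
    """
    tracker = QuietPeriodTracker(fail_times=fail_times, quiet_period=quiet_period)
    outcomes = []
    for t, mac, kind in sorted(events):
        if kind == "request":
            outcomes.append((t, mac, tracker.handle_request(mac, t)))
        elif kind == "fail":
            outcomes.append((t, mac, "quiet" if tracker.record_failure(mac, t) else "fail"))
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return outcomes


# Constructed sample (quiet-times 4, quiet-period 60 s): one supplicant fails five
# times in 40 seconds; a second one spreads its failures so that no 60-second
# window ever holds more than four of them.
SAMPLE_EVENTS = [
    (0, "00e0-fc01-0005", "fail"),
    (10, "00e0-fc01-0005", "fail"),
    (20, "00e0-fc01-0005", "fail"),
    (30, "00e0-fc01-0005", "fail"),
    (40, "00e0-fc01-0005", "fail"),      # fifth failure within 60 s -> quiet until t=100
    (50, "00e0-fc01-0005", "request"),   # discarded during the quiet period
    (100, "00e0-fc01-0005", "request"),  # quiet timer expired -> processed again
    (0, "00e0-fc01-0006", "fail"),
    (10, "00e0-fc01-0006", "fail"),
    (20, "00e0-fc01-0006", "fail"),
    (30, "00e0-fc01-0006", "fail"),
    (70, "00e0-fc01-0006", "fail"),      # only four failures in the last 60 s -> no quiet
    (75, "00e0-fc01-0006", "request"),
]

if __name__ == "__main__":
    for t, mac, outcome in replay(SAMPLE_EVENTS):
        print(f"t={t:>3}s {mac} {outcome}")
```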
Example
# Set the maximum number of authentication failures within 60 seconds to 4.
<HUAWEI> system-view
[HUAWEI] dot1x quiet-times 4
Related Topics
13.5.75 dot1x quiet-period
Format
In the system view:
dot1x reauthenticate
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the user goes online, the device saves user authentication information. After
802.1X re-authentication is enabled using the dot1x reauthenticate command,
the device sends the stored authentication information of the online user to the
authentication server for re-authentication at an interval. If the authentication
information of the user does not change on the authentication server, the user is
online normally. If the authentication information has been changed, the user is
forced to go offline. The user then needs to be re-authenticated according to the
changed authentication information.
NOTE
The re-authentication interval is set using the 13.5.81 dot1x timer reauthenticate-period
command.
This function takes effect only for users who go online after this function is successfully
configured.
Precautions
If the device is connected to a server for re-authentication and the server replies
with a re-authentication deny message that makes an online user go offline, it is
recommended that you locate the cause of the re-authentication failure on the
server or disable the re-authentication function on the device.
Example
# Enable periodic 802.1X re-authentication on GE0/0/1 in the system view.
<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate interface gigabitethernet 0/0/1
Related Topics
13.5.80 dot1x timer
13.5.34 display dot1x
Function
The dot1x reauthenticate mac-address command enables re-authentication for
an online 802.1X user with the specified MAC address.
Format
dot1x reauthenticate mac-address mac-address
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
For details, see dot1x reauthenticate.
The dot1x reauthenticate mac-address and dot1x reauthenticate commands both
re-authenticate online 802.1X users; they differ as follows:
● The dot1x reauthenticate mac-address command configures the device to
re-authenticate a specified user once.
● The dot1x reauthenticate command configures the device to re-authenticate
all users on a specified interface at intervals.
Example
# Enable re-authentication for an 802.1X user with the MAC address of 00e0-fc01-0005.
<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc01-0005
Related Topics
13.5.34 display dot1x
13.5.63 dot1x enable
13.5.77 dot1x reauthenticate
13.5.80 dot1x timer
Format
dot1x retry max-retry-value
undo dot1x retry
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If the device does not receive any response from a user within a specified time
after sending an authentication request or handshake packet to the user, the
device sends the authentication request or handshake packet again. If the
authentication request or handshake packet has been sent for the maximum
retransmission times and no response is received, the user authentication or
handshake fails. In this process, the total number of authentication requests or
handshake packets sent by the device is max-retry-value plus 1.
NOTE
● After you run the dot1x retry command, the setting takes effect on all interfaces
enabled with 802.1X authentication.
● Repeated authentication requests occupy a lot of system resources. When using the
dot1x retry command, you can set the maximum number of times according to user
requirements and device resources. The default value is recommended.
● The interval for sending authentication requests is set using the 13.5.80 dot1x timer
command. The interval for sending authentication requests to offline users is controlled
by the tx-period and client-timeout timer, and the interval for sending authentication
requests to online users is controlled by the handshake-period timer.
● The dot1x retry command is used together with the guest VLAN function (for details,
see 13.5.13 authentication guest-vlan). If a user does not respond within the specified
maximum number of times, the user is added to the guest VLAN so that the user can
access resources in the guest VLAN without being authenticated.
Example
# Set the number of times an authentication request or handshake packet can be
retransmitted to 802.1X users to 4.
<HUAWEI> system-view
[HUAWEI] dot1x retry 4
Related Topics
13.5.63 dot1x enable
13.5.34 display dot1x
13.5.80 dot1x timer
13.5.65 dot1x handshake
Function
The dot1x timer command sets values of timers used in 802.1X authentication.
The undo dot1x timer command restores the default settings of timers used in
802.1X authentication.
By default, the values of timers used in 802.1X authentication are not set.
Format
dot1x timer { arp-detect arp-detect-value | client-timeout client-timeout-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | mac-bypass-delay delay-time-value | free-ip-timeout free-ip-time-value }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
During 802.1X authentication, multiple timers implement systematic interactions
between access users, access devices, and the authentication server. You can
change the values of the timers using the dot1x timer command to adjust the
interaction process. (The values of some timers cannot be changed.) This
command is necessary in special network environments. Generally, the default
settings of the timers are recommended.
The ARP probe function can also be implemented by detecting whether there is
user traffic on the access device. If the ARP probe interval is n, the device detects
user traffic at n and 2n. The following uses the 0-n period as an example. The
process during the n-2n period is the same as that during 0-n. (This process
applies only to users who go online from the S5720EI, S5720HI, S6720EI, and
S6720S-EI. Other device models do not support user traffic detection, and they
send ARP probe packets at n and 2n.)
● If user traffic passes through the device within the 0-n period, the device
considers that the user is online at n, and will not send ARP probe packets.
Additionally, the device resets the ARP probe interval.
● If no user traffic passes through the device within the 0-n period, the device
cannot determine whether the user is online at n. In this case, the device
sends an ARP probe packet. If the device receives an ARP reply packet from
the user, it considers the user online and resets the ARP probe interval. If no
ARP reply packet is received, the device considers the user offline.
● If user traffic passes through the device or the device receives an ARP reply
packet from the user within the 2n-3n period, the device considers that the
user is online at 3n and resets the ARP probe interval.
● If no user traffic passes through the device and the device receives no ARP
reply packet from the user within the 2n-3n period, the device cannot
determine whether the user is online at 3n and considers the user offline.
If the device considers that the user is offline at n, 2n, and 3n, the device deletes
all entries related to the user. To prevent the user from going offline unexpectedly
when no operation is performed on the PC, do not set a short ARP probe interval.
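A runnable walk-through of the ARP-detect decision sequence above, added here as an example and not the device's implementation. The per-period observations are constructed input; `model` selects between the models the text says detect user traffic before probing and all other models, which always send a probe; the model-name set is copied from the text.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Models that the text says detect user traffic before sending an ARP probe.
TRAFFIC_DETECTION_MODELS = {"S5720EI", "S5720HI", "S6720EI", "S6720S-EI"}


@dataclass(frozen=True)
class Period:
    """What the device observed during one arp-detect interval of length n (constructed)."""
    traffic_seen: bool   # user traffic passed through the device in this period
    arp_reply: bool      # an ARP reply arrived in answer to the probe sent for this period


def supports_traffic_detection(model: str) -> bool:
    return model in TRAFFIC_DETECTION_MODELS


def judge_period(period: Period, traffic_detection: bool) -> Tuple[str, bool]:
    """Return (action, online) for one checkpoint.

    With traffic detection, seeing user traffic is enough and no probe is sent;
    otherwise the device sends an ARP probe and the user counts as online only
    if a reply arrives.
    """
    if traffic_detection and period.traffic_seen:
        return "no-probe", True
    return "probe", period.arp_reply


def run_arp_detect(periods: List[Period], n: int, model: str = "S5720HI"):
    """Walk the checkpoints at n, 2n, 3n (times are relative to the last reset).

    Returns (events, entries_deleted): events is a list of
    (checkpoint_time, action, verdict); entries_deleted becomes True once the
    user has been judged offline at three consecutive checkpoints, at which
    point the device deletes all entries for the user and the walk stops.
    """
    traffic_detection = supports_traffic_detection(model)
    offline_streak = 0
    events = []
    for period in periods:
        checkpoint = (offline_streak + 1) * n
        action, online = judge_period(period, traffic_detection)
        events.append((checkpoint, action, "online" if online else "offline"))
        if online:
            offline_streak = 0          # user confirmed online: the probe interval is reset
        else:
            offline_streak += 1
            if offline_streak == 3:
                return events, True     # offline at n, 2n and 3n: user entries deleted
    return events, False


# Constructed scenario with n = 30 s: traffic in the first period, then a silent
# host that answers one probe, then three silent periods with no reply at all.
SAMPLE_PERIODS = [
    Period(traffic_seen=True, arp_reply=False),
    Period(traffic_seen=False, arp_reply=True),
    Period(traffic_seen=False, arp_reply=False),
    Period(traffic_seen=False, arp_reply=False),
    Period(traffic_seen=False, arp_reply=False),
    Period(traffic_seen=True, arp_reply=True),   # never reached: entries already deleted
]

if __name__ == "__main__":
    events, deleted = run_arp_detect(SAMPLE_PERIODS, n=30)
    for t, action, verdict in events:
        print(f"checkpoint {t:>3}s  {action:<8} {verdict}")
    print("user entries deleted:", deleted)
```

On a model without traffic detection the same first period is judged offline, because only the missing ARP reply counts; that is the behaviour the text describes for "other device models".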
Example
# Set the timeout interval of the authentication response from the client to 90s.
<HUAWEI> system-view
[HUAWEI] dot1x timer client-timeout 90
Related Topics
13.5.63 dot1x enable
13.5.65 dot1x handshake
13.5.75 dot1x quiet-period
13.5.34 display dot1x
Format
dot1x timer reauthenticate-period reauthenticate-period-value
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After enabling the re-authentication function for online 802.1X authentication
users using the 13.5.77 dot1x reauthenticate command, run the dot1x timer
reauthenticate-period command to set the re-authentication interval. The device
then authenticates online users at the specified interval, ensuring that only
authorized users can keep online.
If the command is executed in the system view, the function takes effect on all
interfaces. If the command is executed in both system view and interface view, the
function takes effect on the interface.
NOTE
It is recommended that the re-authentication interval be set to the default value. If multiple
ACLs need to be delivered during user authorization, you are advised to disable the
re-authentication function or set a longer re-authentication interval to improve the device's
processing performance.
In remote authentication and authorization, if the re-authentication interval is set to a shorter
time, the CPU usage may be higher.
To reduce the impact on the device performance when many users exist, the user
re-authentication interval may be longer than the configured re-authentication interval.
Example
# Set the 802.1X re-authentication interval to 7200 seconds.
<HUAWEI> system-view
[HUAWEI] dot1x timer reauthenticate-period 7200
Related Topics
13.5.77 dot1x reauthenticate
Format
dot1x trigger dhcp-binding
undo dot1x trigger dhcp-binding
Parameters
None
Views
Ethernet interface view, GE interface view, MultiGE interface view, XGE interface
view, 40GE interface view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Scenario
There are unauthorized users who modify their MAC addresses to those of
authorized users. After authorized users are connected through 802.1X
authentication, the unauthorized users can obtain the same identities as the
authorized users and connect to the network without authentication. This results
in security risks of authentication and accounting. After accessing the network,
unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP
packets. In this case, the device records incorrect ARP entries, greatly affecting
normal communication between authorized users. To prevent the previous attacks,
configure IPSG and DAI. These two functions are implemented based on binding
tables. For static IP users, you can run the user-bind static command to configure
the static binding table. However, if there are many static IP users, it takes more
time to configure static binding entries one by one.
To reduce the workload, you can configure the device to automatically generate
the DHCP snooping binding table for static IP users. After the static IP users who
pass 802.1X authentication send EAP packets to trigger generation of the user
information table, the device automatically generates the DHCP snooping binding
table based on the MAC address, IP address, and interface recorded in the table.
You can run the display dhcp snooping user-bind command to check the DHCP
snooping binding table that is generated by the device for static IP users who pass
802.1X authentication. The DHCP snooping binding table generated using this
function will be deleted after the users are disconnected.
Follow-up Procedure
Configure IPSG and DAI after the DHCP snooping binding table is generated to
prevent attacks from unauthorized users.
● In the interface view, run the ip source check user-bind enable command to
enable IPSG.
● In the interface view, run the arp anti-attack check user-bind enable
command to enable DAI.
Precautions
● Before configuring the device to generate the DHCP snooping binding table
for static IP users, you must have enabled 802.1X authentication and DHCP
snooping globally and on interfaces using the dot1x enable and dhcp
snooping enable commands.
● The EAP protocol does not specify a standard attribute to carry IP address
information. Therefore, if the EAP request packet sent by a static IP user does
not contain an IP address, the IP address information in the DHCP snooping
binding table is obtained from the user's first ARP request packet with the
same MAC address as the user information table after the user passes
authentication. On a network, unauthorized users may forge authorized users'
MAC addresses to initiate ARP spoofing attacks against devices, and the DHCP
snooping binding table generated accordingly may be unreliable. Therefore,
the dot1x trigger dhcp-binding command is not recommended and you are
advised to run the user-bind static command to configure the static binding
table.
● For users who are assigned IP addresses using DHCP, you do not need to run
the dot1x trigger dhcp-binding command on the device. The DHCP snooping
binding table is generated through the DHCP snooping function.
Example
# Enable the device to automatically generate the DHCP snooping binding table
after static IP users pass 802.1X authentication.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x trigger dhcp-binding
Format
In the system view:
dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
dot1x unicast-trigger
undo dot1x unicast-trigger
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After the dot1x unicast-trigger command is used on the device, the device sends
a unicast packet to respond to the received ARP or DHCP Request packet from a
client. If the client does not respond within the timeout interval (set by the
13.5.80 dot1x timer command), the device retransmits the unicast packet (the
maximum number of retransmissions is set by the 13.5.79 dot1x retry command).
During 802.1X-based network deployment, 802.1X users can start 802.1X
authentication without installing specified client dial-in software, which facilitates
network deployment.
NOTE
The dot1x unicast-trigger command has the same function as the 13.5.60 dot1x dhcp-trigger command.
Example
# Enable 802.1X authentication triggered by unicast packets on GE0/0/1 in the
system view.
<HUAWEI> system-view
[HUAWEI] dot1x unicast-trigger interface gigabitethernet 0/0/1
Related Topics
13.5.60 dot1x dhcp-trigger
Format
dot1x url url-string
undo dot1x url
Parameters
Parameter Description Value
url-string   Specifies the redirect-to URL.   The value is a string of 1 to 200 case-sensitive characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Follow-up Procedure
Run the dot1x free-ip command to configure a free IP subnet where the redirect-to
URL of the 802.1X user is located. To ensure that pre-connection users can be
aged out normally, you need to run the 13.5.80 dot1x timer free-ip-timeout
command to set the aging time of authentication-free user entries.
Precautions
The redirect-to URL must be within the free IP subnet. Otherwise, the URL is
inaccessible.
Example
# Configure the redirect-to URL in 802.1X authentication to http://www.***.com.cn.
<HUAWEI> system-view
[HUAWEI] dot1x url http://www.***.com.cn
Related Topics
13.5.64 dot1x free-ip
13.5.34 display dot1x
13.5.85 force-push
Function
The force-push command enables the forcible URL template or URL push
function.
The undo force-push command disables the forcible URL template or URL push
function.
Format
force-push { url-template template-name | url url-address }
undo force-push
Parameters
Parameter Description Value
Views
AAA domain view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a user is successfully authenticated, the device forcibly redirects the user to a
web page when receiving the HTTP packet from the user who accesses web pages
for the first time. In addition to pushing advertisement pages, the device can
obtain user terminal information through the HTTP packets sent by the users, and
apply the information to other services. There are two ways to push web pages:
1. URL: pushes the URL corresponding to the web page.
2. URL template: pushes the URL template. A URL template must be created.
The URL template contains the URL of the pushed web page and URL
parameters.
Prerequisites
The URL configured using the 13.5.151 url (URL template view) command in the
URL template view cannot be a redirection URL; otherwise, the command does not
take effect.
Precautions
For the S5720HI, the forcible push function takes effect only for the first HTTP or
HTTPS packet received from the user. If an application program that actively sends
HTTP or HTTPS packets is installed on the user terminal, the terminal has sent the
HTTP or HTTPS packet before the user accesses a web page. Therefore, the user is
unaware of the web page push process.
The forcible push function takes effect only when a redirection ACL is configured
for switches excluding the S5720HI. If a redirection ACL exists in the user table, a
web page is forcibly pushed when HTTP packets from users match the redirection
ACL rule. Usually, you can configure the RADIUS server to authorize the Huawei
extended RADIUS attribute HW-Redirect-ACL to users for redirection ACL
implementation, or run the 13.1.72 redirect-acl command to configure a
redirection ACL.
When an IPv4 redirect ACL is configured for an IPv6 user or an IPv6 redirect ACL is
configured for an IPv4 user, the Push URL content field in the 13.5.31 display
access-user command output displays the pushed URL, but the browser of the
user cannot redirect to the pushed URL.
Switches except the S5720HI do not support concurrent use of the pushed URL
and redirection ACL6 functions. If both functions are configured, the Push URL
content field in the 13.4.55 display access-user command output displays the
pushed URL; however, the terminal browser cannot be redirected to the pushed
URL.
Example
# Push the URL template abc in the domain huawei.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] force-push url-template abc
Related Topics
13.5.151 url (URL template view)
Function
The http get-method enable command configures the device to allow users to
submit user name and password information to the device in GET mode during
Portal authentication.
The undo http get-method enable command restores the default setting.
By default, the device does not allow users to submit user name and password
information to the device in GET mode during Portal authentication.
Format
http get-method enable
Parameters
None
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the device does not allow users to submit user name and password
information to the device in GET mode during Portal authentication. You can run
the http get-method enable command to configure the device to allow users to
submit user name and password information to the device in GET mode during
Portal authentication.
Precautions
The GET mode has the risk of password disclosure. Therefore, the POST mode is
recommended.
This command only applies to scenarios in which HTTP or HTTPS is used for Portal
connection establishment.
Example
# Configure the device to allow users to submit user name and password
information to the device in GET mode during Portal authentication.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http get-method enable
Format
http-method post { cmd-key cmd-key [ login login-key | logout logout-key ] * |
init-url-key init-url-key | login-fail response { err-msg { authenserve-reply-
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
When the device uses the HTTP or HTTPS protocol to communicate with the
Portal server, a user sends POST request packets (carrying parameters such as the
user name and MAC address) to the device as required by the Portal server. After
receiving the POST request packets, the device parses parameters in the packets. If
identification keywords of the parameters differ from those configured on the
device, the user authentication fails. Therefore, you need to run the http-method
post command to configure the identification keywords based on the Portal server
configuration.
After successful user login or logout, or a user login or logout failure, the device
sends the login or logout result to the user based on the http-method post
Example
# Set the command identification keyword to cmd1 for parsing POST request
packets of the HTTP or HTTPS protocol.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http-method post cmd-key cmd1
13.5.88 mac-authen
Function
The mac-authen command enables MAC address authentication globally or on an
interface.
The undo mac-authen command disables MAC address authentication globally or
on an interface.
By default, MAC address authentication is disabled globally and on an interface.
NOTE
Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI,
S6720S-LI, S6720S-SI, S6720SI, S6720EI, and S6720S-EI support configuration of MAC
address authentication on VLANIF interfaces.
Format
In the system view:
mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
undo mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]
In the interface view:
mac-authen
undo mac-authen
Parameters
Parameter Description Value
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
MAC address authentication controls network access rights of a user based on the
user's access interface and MAC address. During MAC address authentication, the
user name and password are the user's MAC address. MAC address authentication
is applicable to the scenario where MAC addresses are unchanged and high
security is not required, and is used to authenticate terminals such as printers
where the authentication client cannot be installed.
If you run the mac-authen command in the system view without any interfaces
specified, MAC address authentication is enabled globally. The configurations of
MAC address authentication take effect only after global MAC address
authentication is enabled. MAC address bypass authentication is not controlled by
this command.
To enable MAC address authentication on an interface, you can perform either of
the following operations:
● Run the mac-authen command in the interface view.
● Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.
Precautions
● Before running the undo mac-authen command, ensure that there is no
online MAC address authentication user; otherwise, you cannot run this
command. Online MAC address authentication users do not include online
users using MAC address bypass authentication.
Command Function
Example
# Enable global MAC address authentication.
<HUAWEI> system-view
[HUAWEI] mac-authen
Related Topics
13.5.63 dot1x enable
13.5.38 display mac-authen
13.5.91 mac-authen domain
13.5.92 mac-authen max-user
13.5.96 mac-authen reauthenticate
13.5.99 mac-authen timer
13.5.101 mac-authen username
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After MAC address authentication is enabled, the device can trigger MAC address
authentication on users by default when receiving DHCP/ARP/DHCPv6/ND
packets. Based on user information on the actual network, the administrator can
adjust the packet types that can trigger MAC address authentication. For example,
if all users on a network dynamically obtain IPv4 addresses, the device can be
configured to trigger MAC address authentication only through DHCP packets.
This prevents the device from continuously sending ARP packets to trigger MAC
address authentication when static IPv4 addresses are configured for unauthorized
users on the network, and reduces device CPU occupation.
Precautions
Example
# Configure the device to trigger MAC address authentication only through DHCP
packets in the system view.
<HUAWEI> system-view
[HUAWEI] mac-authen dhcp-trigger
Related Topics
13.5.88 mac-authen
Function
The mac-authen dhcp-trigger dhcp-option command enables the device to send
DHCP option information to the authentication server when triggering MAC
address authentication through DHCP packets.
By default, the device does not send DHCP option information to the
authentication server when triggering MAC address authentication through DHCP
packets.
Format
In the system view:
Parameters
Parameter Description Value
option-code   Specifies the option that the device sends to the authentication server.   The value is fixed as 82.
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Option82 records information about DHCP user locations and services (voice and
data services). After this command is run, if the device supports the function of
triggering MAC address authentication through DHCP packets, it sends Option82
information to the authentication server when triggering MAC address
authentication through DHCP packets. Based on the user information recorded in
Option82, the authentication server then assigns different network access rights to
users with different services in different locations. This implements accurate
control on the network access right of each user.
Example
# Globally enable the device to send Option82 information to the authentication
server when triggering MAC address authentication through DHCP packets.
<HUAWEI> system-view
[HUAWEI] mac-authen dhcp-trigger dhcp-option 82
Related Topics
13.5.88 mac-authen
Function
The mac-authen domain command configures an authentication domain for
MAC address authentication users.
The default authentication domain for MAC address authentication users is the
global default domain.
NOTE
Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI,
S6720S-LI, S6720S-SI, S6720SI, S6720EI, and S6720S-EI support configuration of MAC
address authentication on VLANIF interfaces.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When user names for MAC address authentication do not contain domain names,
the device authenticates users using the default domain if no authentication
domain is configured on the device or interface. The authentication scheme is not
flexible because all users are authenticated in the default domain. The
mac-authen domain command specifies the authentication domains for MAC address
authentication users. Different interfaces can be located in different
authentication domains. This command can specify the authentication domains
for the specified MAC addresses. Therefore, this command allows users with
different authentication requirements to adopt various authentication schemes.
NOTE
● If the user name contains a domain name (configured using 13.5.101 mac-authen
username), the user is authenticated in this domain.
● The specified user names and domain names must be the same as those configured in
the AAA view.
● The authentication schemes in the domains are configured in the AAA view.
Prerequisites
The domain to be configured as an authentication domain has been created using
the domain (AAA view) command.
MAC address authentication has been enabled globally and on an interface using
the 13.5.88 mac-authen command.
Precautions
If authentication domains are configured in both the system view and interface
view, the domain configured in the interface view takes effect. If no authentication
domain is configured in the interface view, the domain configured in the system
view takes effect.
You must specify a unicast MAC address in the mac-authen domain command. A
user with an all-0 MAC address is not authenticated.
The configured authentication domain is applied to the MAC addresses calculated
with the mask. Therefore, the undo mac-authen domain command will delete
the authentication domain of the calculated MAC addresses. Before running the
undo mac-authen domain command, run the display this command to view the
calculated MAC addresses.
On a network configured with both 802.1X authentication and MAC address
bypass authentication, an 802.1X user failing the 802.1X authentication will be
Example
# Configure the cams domain as the authentication domain for MAC address
authentication users in the system view.
<HUAWEI> system-view
[HUAWEI] mac-authen domain cams
# Configure the cams domain as the authentication domain for MAC address
authentication users in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen domain cams
Related Topics
13.5.88 mac-authen
13.1.47 domain (AAA view)
13.5.38 display mac-authen
13.5.101 mac-authen username
Function
The mac-authen max-user command sets the maximum number of MAC address
authentication users on an interface.
The undo mac-authen max-user command restores the default value of the
maximum number of MAC address authentication users on an interface.
Format
In the system view:
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To limit the number of MAC address authentication users on an interface, run the
mac-authen max-user command. When the number of access users on an
interface reaches the limit, the device will not trigger authentication for the users
newly connected to the interface; therefore, these users cannot access the
network.
Prerequisites
MAC address authentication has been enabled globally and on an interface using
the 13.5.88 mac-authen command.
Example
# Set the maximum number of MAC address authentication users on GE0/0/1 to 8
in the system view.
<HUAWEI> system-view
[HUAWEI] mac-authen max-user 8 interface gigabitethernet 0/0/1
# Set the maximum number of MAC address authentication users on GE0/0/1 to 8
in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen max-user 8
Related Topics
13.5.88 mac-authen
13.5.38 display mac-authen
Format
In the system view:
mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
mac-authen offline dhcp-release
undo mac-authen offline dhcp-release
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After MAC address authentication users who send DHCP Release packets go
offline, the corresponding user entries on the device cannot be deleted
immediately. This occupies device resources and possibly prevents other users from
going online. You can run this command to enable the device to clear the user
entries in real time when MAC address authentication users go offline.
Precautions
If the device functions as a DHCP relay agent, configure the DHCP snooping
function on the device; otherwise, this command does not take effect.
Example
# In the system view, enable the device to clear user entries when receiving DHCP
Release packets from MAC address authentication users on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] mac-authen offline dhcp-release interface gigabitethernet 0/0/1
# In the interface view, enable the device to clear user entries when receiving
DHCP Release packets from MAC address authentication users on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen offline dhcp-release
Related Topics
13.5.88 mac-authen
NOTE
Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI,
S6720S-LI, S6720S-SI, S6720SI, S6720EI, and S6720S-EI support this command.
Format
mac-authen permit mac-address mac-address mask { mask | mask-length }
undo mac-authen permit mac-address mac-address mask { mask | mask-length }
Parameters
Parameter Description Value
Views
VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
By default, any new MAC address is allowed for MAC address authentication after
MAC address authentication is enabled on a VLANIF interface. To actually control
the users that can be authenticated using MAC addresses on the VLANIF interface,
use this command to specify a MAC address range for MAC address
authentication.
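The MAC-plus-mask matching used by mac-authen permit mac-address, and by mac-authen domain (whose undo form removes the domain of every MAC address the mask covers), is easy to get wrong by hand. The following Python helper is an added example, not code from the switch or from Huawei: it evaluates a MAC against a base address and a mask given either as a dotted mask or as a prefix length, rejects non-unicast base addresses as the mac-authen domain precaution requires, and resolves the authentication domain with the interface-view rule taking precedence over the system-view rule. The rule lists, domain names and MAC addresses are constructed sample data; the page's own example (1011-1111-1111 mask 24) is used as one of the permit rules.

```python
MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1


def mac_to_int(mac):
    """Accept 1011-1111-1111, 10:11:11:11:11:11 or 101111111111 and return a 48-bit integer."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mask_to_int(mask):
    """'mask' is either a prefix length (0-48, as int or numeric string) or a
    MAC-shaped mask such as ffff-ff00-0000."""
    if isinstance(mask, int) or mask.isdigit():
        length = int(mask)
        if not 0 <= length <= MAC_BITS:
            raise ValueError(f"mask length out of range: {mask}")
        return ALL_ONES ^ ((1 << (MAC_BITS - length)) - 1)
    return mac_to_int(mask)


def is_unicast(mac):
    """Unicast MACs have the I/G bit (least significant bit of the first octet) clear."""
    return not (mac_to_int(mac) >> 40) & 1


def mac_in_range(mac, base, mask):
    """True when mac and base agree on every bit the mask covers."""
    m = mask_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(base) & m)


def covered_by(base, mask, candidates):
    """The addresses a rule's mask 'calculates' from a candidate set; this is what
    an undo mac-authen domain would affect, which the page says to check first."""
    return [c for c in candidates if mac_in_range(c, base, mask)]


def validate_domain_rule(base, mask):
    """mac-authen domain requires a unicast base address; an all-0 MAC is never authenticated."""
    if mac_to_int(base) == 0 or not is_unicast(base):
        raise ValueError(f"mac-authen domain needs a non-zero unicast MAC, got {base}")
    mask_to_int(mask)  # raises on a malformed mask


def select_domain(mac, interface_rules, system_rules, default_domain="default"):
    """Resolve the authentication domain for one user MAC. Rules are
    (base, mask, domain) tuples; the interface view wins over the system view."""
    for rules in (interface_rules, system_rules):
        for base, mask, domain in rules:
            if mac_in_range(mac, base, mask):
                return domain
    return default_domain


# Constructed sample configuration (not from the page except the permit rule).
PERMIT_RULES = [("1011-1111-1111", "24")]                        # mac-authen permit on Vlanif 10
IFACE_DOMAIN_RULES = [("0001-0002-0000", "ffff-ffff-0000", "cams")]  # interface view
SYSTEM_DOMAIN_RULES = [("0001-0000-0000", "16", "corp")]          # system view


def permitted(mac, rules=PERMIT_RULES):
    return any(mac_in_range(mac, base, mask) for base, mask, _ in
               [(b, m, None) for b, m in rules])


if __name__ == "__main__":
    for mac in ("1011-1122-3344", "1011-1211-1111"):
        print(mac, "permitted" if permitted(mac) else "not permitted")
    for mac in ("0001-0002-0003", "0001-0009-0003", "00e0-0000-0001"):
        print(mac, "->", select_domain(mac, IFACE_DOMAIN_RULES, SYSTEM_DOMAIN_RULES))
```

covered_by is the programmatic equivalent of the advice to run display this before undo mac-authen domain: it lists which of the currently known MACs a rule's mask actually reaches.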
Example
# Set the MAC address to 1011-1111-1111 and the MAC address mask length to
24 for MAC address authentication.
<HUAWEI> system-view
[HUAWEI] interface Vlanif 10
[HUAWEI-Vlanif10] mac-authen permit mac-address 1011-1111-1111 mask 24
Related Topics
13.5.38 display mac-authen
13.5.91 mac-authen domain
Format
mac-authen quiet-times fail-times
undo mac-authen quiet-times
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
If the maximum number of authentication failures is increased while a user is in
the quiet state, that user can initiate re-authentication only after the quiet period
expires. If the user then enters an incorrect user name or password again, the
authentication fails, but the device does not quiet the user again; it allows the user
to initiate re-authentication immediately.
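The quiet mechanism is a small state machine: failures are counted per MAC inside a 60-second window, reaching fail-times puts the MAC into quiet for the quiet period (set by mac-authen timer quiet-period), and attempts made while quiet are not forwarded to the server at all. The following Python model is an added example and not the switch's implementation; it uses the page's example values (4 failures, quiet period 60 seconds) and a simulated clock so the precaution above can be replayed: raising the threshold mid-quiet does not release the user, and the first failure after the quiet period ends is rejected without a new quiet period. The outcome labels and the per-MAC counter reset on quiet are assumptions of this model.

```python
from collections import deque

FAIL_WINDOW_SECONDS = 60  # the page counts failures "within 60 seconds"


class MacAuthenQuiet:
    """Tracks MAC address authentication failures and the resulting quiet state."""

    def __init__(self, fail_times=4, quiet_period=60):
        self.fail_times = fail_times        # mac-authen quiet-times
        self.quiet_period = quiet_period    # mac-authen timer quiet-period
        self._failures = {}                 # mac -> deque of failure timestamps
        self._quiet_until = {}              # mac -> time at which quiet ends

    def set_fail_times(self, fail_times):
        """Equivalent of re-running mac-authen quiet-times; quiet users stay quiet."""
        self.fail_times = fail_times

    def state(self, mac, now):
        return "quiet" if self._quiet_until.get(mac, -1) > now else "active"

    def attempt(self, mac, success, now):
        """Process one authentication result at time 'now' (seconds).
        Returns 'suppressed' (quiet, not sent to the server), 'accepted',
        'rejected' (failed, still allowed to retry) or 'quieted' (threshold reached)."""
        if self.state(mac, now) == "quiet":
            return "suppressed"
        if success:
            self._failures.pop(mac, None)
            return "accepted"
        window = self._failures.setdefault(mac, deque())
        window.append(now)
        # Only failures inside the last FAIL_WINDOW_SECONDS count towards the threshold.
        while window and now - window[0] > FAIL_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= self.fail_times:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()  # assumption: the counter restarts after a quiet period
            return "quieted"
        return "rejected"


def replay(events, fail_times=4, quiet_period=60):
    """Replay (time, mac, success) events and return the list of outcomes."""
    q = MacAuthenQuiet(fail_times, quiet_period)
    return [q.attempt(mac, ok, t) for t, mac, ok in events]


# Constructed timeline for one MAC: four failures inside 60 s, then attempts during
# and after the quiet period.
SAMPLE_EVENTS = [
    (0, "0001-0002-0003", False),
    (10, "0001-0002-0003", False),
    (20, "0001-0002-0003", False),
    (30, "0001-0002-0003", False),   # fourth failure within 60 s -> quiet until t=90
    (40, "0001-0002-0003", False),   # still quiet, not sent to the server
    (100, "0001-0002-0003", False),  # quiet expired; one failure does not re-quiet
    (110, "0001-0002-0003", True),
]

if __name__ == "__main__":
    for (t, mac, ok), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>3}s {mac} success={ok!s:<5} -> {outcome}")
```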
Example
# Set the maximum number of authentication failures within 60 seconds to 4.
<HUAWEI> system-view
[HUAWEI] mac-authen quiet-times 4
Function
The mac-authen reauthenticate command enables periodic MAC address
re-authentication on a specified interface.
Format
In the system view:
mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
mac-authen reauthenticate
undo mac-authen reauthenticate
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After modifying the authentication information of an online user on the
authentication server, the administrator needs to re-authenticate the user in real
time to ensure user validity.
After the user goes online, the device saves user authentication information. After
periodic re-authentication for all online MAC address authentication users on a
specified interface is enabled using the mac-authen reauthenticate command,
the device sends the stored authentication information of the online user on the
interface to the authentication server for re-authentication at an interval. If the
user's authentication information does not change on the authentication server,
the user is online normally. If the authentication information has been changed,
the user is forced to go offline. The user then needs to be re-authenticated
according to the changed authentication information.
NOTE
The re-authentication interval is set using the 13.5.100 mac-authen timer reauthenticate-period command.
This function takes effect only for users who go online after this function is successfully
configured.
If the device is connected to a server for re-authentication and the server replies with a
re-authentication deny message that makes an online user go offline, it is recommended that
you locate the cause of the re-authentication failure on the server or disable the
re-authentication function on the device.
Example
# Enable periodic MAC address re-authentication on GE0/0/1 in the system view.
<HUAWEI> system-view
[HUAWEI] mac-authen reauthenticate interface gigabitethernet 0/0/1
Related Topics
13.5.38 display mac-authen
Format
In the system view:
mac-authen reauthenticate dhcp-renew interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo mac-authen reauthenticate dhcp-renew interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
mac-authen reauthenticate dhcp-renew
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After users go online, the administrator may modify the users' authentication
parameters or network access rights on the authentication server. To ensure user
validity or update the users' network access rights in real time, you can run this
command to enable the device to re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.
NOTE
Example
# In the system view, enable the device to re-authenticate the users when
receiving DHCP lease renewal packets from MAC address authentication users on
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] mac-authen reauthenticate dhcp-renew interface gigabitethernet 0/0/1
# In the interface view, enable the device to re-authenticate the users when
receiving DHCP lease renewal packets from MAC address authentication users on
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen reauthenticate dhcp-renew
Related Topics
13.5.88 mac-authen
Function
The mac-authen reauthenticate mac-address command enables re-
authentication for an online MAC address authentication user with a specified
MAC address.
Format
mac-authen reauthenticate mac-address mac-address
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
For details, see 13.5.96 mac-authen reauthenticate.
Example
# Enable re-authentication for an online MAC address authentication user with
the MAC address 0001-0002-0003.
<HUAWEI> system-view
[HUAWEI] mac-authen reauthenticate mac-address 0001-0002-0003
Related Topics
13.5.38 display mac-authen
Function
The mac-authen timer command configures parameters of timers for MAC
address authentication.
The undo mac-authen timer command restores the default parameter values of
timers for MAC address authentication.
Format
mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect
offline-detect-value | quiet-period quiet-value }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
During MAC address authentication, multiple timers implement systematic
interactions between access users or devices and the authentication server. You
can change the values of the timers by running the mac-authen timer command
to adjust the interaction process. (The values of some timers cannot be changed.)
This command is necessary in special network environments. Generally, the default
settings of the timers are recommended.
NOTE
If the number of offline detection packets (ARP packets) exceeds the default CAR value, the
detection fails and the users are logged out. (The display cpu-defend statistics command can
be run to check whether ARP request and response packets are lost.) To resolve the problem,
the following methods are recommended:
● Increase the detection interval based on the number of users. The default detection
interval is recommended when there are less than 8000 users; the detection interval should
be no less than 600 seconds when there are more than 8000 users.
● Deploy the port attack defense function on the access device and limit the rate of packets
sent to the CPU.
Example
# Set the value of the quiet timer to 60 seconds.
<HUAWEI> system-view
[HUAWEI] mac-authen timer quiet-period 60
Related Topics
13.5.88 mac-authen
13.5.38 display mac-authen
Format
mac-authen timer reauthenticate-period reauthenticate-period-value
undo mac-authen timer reauthenticate-period
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, MultiGE interface view,
XGE interface view, 40GE interface view, Eth-Trunk interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
After enabling the re-authentication function for online MAC address
authentication users using the 13.5.96 mac-authen reauthenticate command,
NOTE
It is recommended that the re-authentication interval be set to the default value. If multiple
ACLs need to be delivered during user authorization, you are advised to disable the
re-authentication function or set a longer re-authentication interval to improve the device's
processing performance.
In remote authentication and authorization, if the re-authentication interval is set to a shorter
time, the CPU usage may be higher.
To reduce the impact on the device performance when many users exist, the user
re-authentication interval may be longer than the configured re-authentication interval.
Example
# Set the re-authentication interval for online MAC address authentication users
to 3600 seconds.
<HUAWEI> system-view
[HUAWEI] mac-authen timer reauthenticate-period 3600
Related Topics
13.5.88 mac-authen
13.5.96 mac-authen reauthenticate
NOTE
Only S5720EI, S1720X, S1720X-E, S5720HI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI,
S6720S-LI, S6720S-SI, S6720SI, S6720EI, and S6720S-EI support configuration of MAC
address authentication on VLANIF interfaces.
Format
mac-authen username { fixed username [ password cipher password ] |
macaddress [ format { with-hyphen [ normal ] | without-hyphen }
[ uppercase ] [ password cipher password ] ] | dhcp-option option-code
{ circuit-id | remote-id } * [ separate separate ] [ format-hex ] password cipher
password }
Parameters
Parameter Description Value
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
MAC address authentication uses three user name formats:
● When the MAC address is used as the user name for MAC address
authentication, the password can be the MAC address or a self-defined
character string.
● When the fixed user name is used for MAC address authentication, the user
uses the fixed user name and password set by the administrator for
authentication.
● When the DHCP option format is used for MAC address authentication, the
device uses the DHCP option it obtains and password set by the administrator
for authentication. In this mode, ensure that the device supports MAC address
authentication triggered through DHCP packets.
By default, the device uses the user's MAC address as the user name and
password, and sends the MAC address to the authentication server for
authentication. Therefore, it is inconvenient to identify and manage users. You can
run the mac-authen username command to configure the fixed name and
password for MAC address authentication users, which facilitates user identification
and management.
NOTE
When the user names for MAC address authentication are in the DHCP option format, the DHCP
Option82 cannot be configured in the extend format or a customized format (non-character
string) by using the 14.8.6 dhcp option82 format command.
When the user name format in MAC address authentication is configured, ensure that the
authentication server supports this format.
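Because the authentication server must be configured with exactly the user name the switch will send, it helps to be able to compute that name from the chosen mac-authen username options. The following Python functions are an added example, not code from the switch or from Huawei. The concrete layouts are assumptions made for this example: with-hyphen is taken as xxxx-xxxx-xxxx, with-hyphen normal as xx-xx-xx-xx-xx-xx, without-hyphen as twelve contiguous hex digits, uppercase as the same string in capitals, and the DHCP-option form as circuit-id and remote-id joined by the configured separator, each hex-encoded when format-hex is set. The MAC addresses and Option82 values are constructed sample data.

```python
def mac_hexdigits(mac):
    """Canonicalise any common MAC spelling into 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def mac_username(mac, with_hyphen=True, normal=False, uppercase=False):
    """User name in the 'macaddress' format (layouts are assumptions, see lead-in).
    By default the same string also serves as the password."""
    digits = mac_hexdigits(mac)
    if with_hyphen:
        width = 2 if normal else 4
        name = "-".join(digits[i:i + width] for i in range(0, 12, width))
    else:
        name = digits
    return name.upper() if uppercase else name


def dhcp_option_username(circuit_id=None, remote_id=None, separator="", format_hex=False):
    """User name in the 'dhcp-option 82' format built from the Option82 sub-options
    the switch received; at least one of circuit-id / remote-id must be selected."""
    parts = [p for p in (circuit_id, remote_id) if p is not None]
    if not parts:
        raise ValueError("select circuit-id, remote-id or both")
    if format_hex:
        parts = [p.encode("utf-8").hex() for p in parts]
    return separator.join(parts)


def expected_credentials(config, mac=None, circuit_id=None, remote_id=None):
    """Return (username, password) for one of the three formats the page lists.
    'config' mirrors the mac-authen username command as a dict (constructed shape)."""
    fmt = config["format"]
    if fmt == "fixed":
        return config["username"], config["password"]
    if fmt == "macaddress":
        name = mac_username(mac, config.get("with_hyphen", True),
                            config.get("normal", False), config.get("uppercase", False))
        return name, config.get("password", name)
    if fmt == "dhcp-option":
        name = dhcp_option_username(circuit_id, remote_id,
                                    config.get("separator", ""), config.get("format_hex", False))
        return name, config["password"]
    raise ValueError(f"unknown format {fmt!r}")


if __name__ == "__main__":
    print(expected_credentials({"format": "fixed", "username": "vipuser", "password": "pass123"}))
    print(expected_credentials({"format": "macaddress", "without_hyphen": True, "with_hyphen": False,
                                "uppercase": True}, mac="00:e0:fc:12:34:56"))
    print(expected_credentials({"format": "dhcp-option", "separator": ":", "format_hex": True,
                                "password": "opt82pw"}, circuit_id="port1", remote_id="sw-a"))
```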
Example
# Configure the user name to vipuser and the password to pass123 for MAC
address authentication.
<HUAWEI> system-view
[HUAWEI] mac-authen username fixed vipuser password cipher pass123
Related Topics
13.5.38 display mac-authen
13.5.91 mac-authen domain
13.5.102 parameter
Function
The parameter command sets the characters used in URL.
Format
parameter { start-mark parameter-value | assignment-mark parameter-value |
isolate-mark parameter-value } *
Parameters
Parameter Description Value
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
The parameter command allows you to customize the characters in URL.
For example, if the URL configured by the 13.5.151 url (URL template view)
command in the URL template bound to a Portal server template is http://10.1.1.1,
you can add the user MAC address, user IP address, and device system name to
the URL by specifying the user_mac, user_ip, and device parameters.
When a user with IP address 10.1.1.11 and MAC address 0002-0002-0002 connects
to an access device huawei, the access device redirects the user to
http://10.1.1.1?user_mac=0002-0002-0002&user_ip=10.1.1.11&device=huawei for Portal
authentication. In the redirection URL, ? is the default start character, = is the
default assignment character, and & is the delimiter between parameters.
Example
# Change the start mark in a URL from the default ? to #.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] parameter start-mark #
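The following is an added example, not code from this command reference or from Huawei: it builds the redirection URL described above from the three marks and parses it back the way a Portal server would have to. The base URL, the parameter names and the default marks are the ones on this page; percent-encoding of parameter values is this example's own choice (the page does not say whether the device encodes values), included so that a value containing one of the marks cannot be split into an extra parameter.

```python
"""Added example (not Huawei code): Portal redirection URL with configurable
start, assignment and isolate marks, plus the matching parser."""
from urllib.parse import quote, unquote


def build_redirect_url(base, params, start_mark="?", assignment_mark="=",
                       isolate_mark="&"):
    """Append params to base using the given marks (defaults: ? = &)."""
    items = []
    for key, value in params.items():
        # safe="" percent-encodes every reserved character, so a value such as
        # "lab&core" can never be read back as two parameters (example's choice).
        items.append(quote(key, safe="") + assignment_mark + quote(value, safe=""))
    return base + start_mark + isolate_mark.join(items)


def parse_redirect_url(url, start_mark="?", assignment_mark="=", isolate_mark="&"):
    """Portal-server side: split the URL with the marks it was told to expect.

    If the server's marks differ from the device's, no parameters are found,
    which is the mismatch the 'ensure the server supports this format' note is
    about."""
    base, sep, query = url.partition(start_mark)
    params = {}
    if sep:
        for item in query.split(isolate_mark):
            if item:
                key, _, value = item.partition(assignment_mark)
                params[unquote(key)] = unquote(value)
    return base, params


# Constructed sample: the user and device from the page's own description.
PORTAL_BASE = "http://10.1.1.1"
USER = {"user_mac": "0002-0002-0002", "user_ip": "10.1.1.11", "device": "huawei"}

if __name__ == "__main__":
    default_url = build_redirect_url(PORTAL_BASE, USER)
    hash_url = build_redirect_url(PORTAL_BASE, USER, start_mark="#")
    print(default_url)
    print(hash_url)
    # A server still parsing with "?" sees no parameters in the "#" URL.
    print(parse_redirect_url(hash_url))
    print(parse_redirect_url(hash_url, start_mark="#"))
```

The second parse call in the usage block shows why the mark configuration on the device and the parser configuration on the Portal server have to agree: the same URL yields the user's parameters with one start mark and nothing with the other.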
Format
port { interface-type start-interface-number [ to interface-type end-interface-
number ] } &<1-10> connection-type access
undo port { interface-type start-interface-number [ to interface-type end-
interface-number ] } &<1-10> connection-type access
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, downlink interfaces are access ones and uplink interfaces are non-
access ones. You can run the port connection-type access or undo port
connection-type access command to modify the interface access type. For
example, you can batch configure the downlink interfaces supported by the
device, and run the 13.5.68 dot1x mac-bypass access-port command to enable
MAC address bypass authentication on all the downlink interfaces.
After the default interface access type is modified, the device generates the
interface buildrun information in the system view.
Precautions
If stack interface information exists within the interface range, the command does
not take effect. Therefore, there should be no interface with stack configuration in
the interface range. If the access type of an interface is changed, stack
configuration cannot be performed for the interface. That is, if an interface needs
to be configured as a stack interface, the default interface access type cannot be
modified.
Example
# Configure interfaces as downlink interfaces in the system view.
<HUAWEI> system-view
[HUAWEI] port GigabitEthernet 0/0/1 to GigabitEthernet 0/0/6 connection-type access
Related Topics
13.5.40 display port connection-type access all
Format
port port-number [ all ]
undo port [ all ]
Parameters
Parameter Description Value
port-number | Specifies the port number that the Portal server uses to receive and encapsulate UDP packets from the device. | The value is an integer that ranges from 1 to 65535. By default, the value is 50100.
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After creating a Portal server template on the device using the 13.5.167 web-
auth-server (system view) command, configure parameters for the template.
Run the port command to set the port number that a Portal server uses to receive
notification packets from the device. After receiving a Portal authentication
request packet from a user, the device sends the packet to the Portal server using
the specified destination port number.
Precautions
Ensure that the port number configured on the device is the same as that used by
the Portal server.
Example
# Set the port number that a Portal server uses to receive packets from the device
to 10000 in the Portal server template huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] port 10000
Related Topics
13.5.56 display web-auth-server configuration
13.5.167 web-auth-server (system view)
Function
The portal auth-network command configures a source subnet for Portal
authentication.
The undo portal auth-network command restores the default source subnet for
Portal authentication.
By default, the source subnet for Portal authentication is 0.0.0.0/0, indicating that
users in all subnets must pass Portal authentication.
Format
portal auth-network network-address { mask-length | mask-address }
Parameters
Parameter Description Value
network-address | Specifies the IP address of the source subnet for Portal authentication. | The value is in dotted decimal notation.
mask-length | Specifies the mask length. | The value is an integer that ranges from 1 to 32.
mask-address | Specifies the mask of the source subnet for Portal authentication. | The value is in dotted decimal notation.
all | Deletes all Portal authentication subnets. | -
Views
GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface
view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the source subnet for Portal authentication is configured, only user packets
from the source subnet can trigger Portal authentication. If an unauthenticated
user is not on the source subnet for Portal authentication, the device discards the
user's packets that do not match Portal authentication free rules.
Prerequisites
Before running this command on an interface, ensure that the Portal service
template is bound to the interface.
Example
# Set the source subnet for Portal authentication to 192.168.1.0/24 on VLANIF10.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] server-ip 10.1.1.1
[HUAWEI-web-auth-server-huawei] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] web-auth-server huawei layer3
[HUAWEI-Vlanif10] portal auth-network 192.168.1.0 24
Format
portal domain domain-name
undo portal domain
Parameters
Parameter Description Value
domain-name | Specifies the forcible Portal authentication domain. | The value is a string of 1 to 64 case-insensitive characters without any space, asterisk (*), question mark (?), or quotation mark (").
Views
GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface
view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
To flexibly deploy access policies for Portal authentication users, the administrator
can run the portal domain command to configure a forcible Portal authentication
domain.
After a forcible Portal authentication domain is configured on an interface, the
device uses the specified authentication domain to authenticate, authorize, and
charge Portal authentication users on the interface, ignoring the domain names
carried in the user names. The administrator can specify different authentication
domains for different interfaces as needed.
Example
# Set the forcible Portal authentication domain to abc on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] portal domain abc
Format
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length |
ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } |
source { any | { interface interface-type interface-number | ip { ip-address mask
{ mask-length | ip-mask } | any } | vlan vlan-id } * } } *
Parameters
Parameter Description Value
rule-id | Specifies the ID of the Portal authentication-free rule. | The value is an integer; the range depends on the product model.
mask ip-mask | Specifies the IP address mask. This parameter specifies the source or destination address mask, depending on the keyword it follows. | The value is in dotted decimal notation.
tcp destination-port port | Specifies the TCP destination port number. | The value is an integer that ranges from 1 to 65535.
udp destination-port port | Specifies the UDP destination port number. | The value is an integer that ranges from 1 to 65535.
mac mac-address | Specifies the MAC address of the Portal authentication user who is allowed to access destination network resources without authentication. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A user cannot access the network before being authenticated successfully. You can
configure an authentication-free rule for specified users to access certain network
resources without passing the Portal authentication. An authentication-free rule
can be determined by parameters such as the IP address, MAC address, interface,
and VLAN. An authentication-free rule can also be determined by ACL rules. The
destination IP address that users can access without authentication can be
specified in an authentication-free rule defined by either of the two methods. In
addition, the destination domain name that users can access without
authentication can be specified in an authentication-free rule defined by ACL.
Facebook. This requires that the users can access specified websites before
successful authentication. The domain name of a website is easier to remember
than the IP address; therefore, the authentication-free rule defined by ACL can be
configured to enable the users to access the domain names of websites without
authentication.
Precautions
● When multiple authentication-free rules are configured, the system matches
the rules one by one.
● If the vlan parameter determines where users reside for an authentication-
free rule, the Portal server must have been bound to the VLANIF interface of
the VLAN using the 13.5.164 web-auth-server (interface view) command;
otherwise, the configured authentication-free rule does not take effect for
users in the VLAN.
● If you specify both VLAN and interface when running the portal free-rule
command, the interface must belong to the VLAN; otherwise, the
configuration is invalid.
● If you specify the destination port number in an authentication-free rule,
fragmented packets cannot match the rule and cannot be forwarded.
● You can only add or delete rules, but cannot modify the created rules. To
modify a rule with a certain rule-id, run the undo portal free-rule command
to delete the rule and re-configure it.
● To allow Portal authentication users to access the network resources in the
user group, pay attention to the following points:
– The user group has been created before it is referenced by the Portal
authentication-free rule.
– The Portal authentication-free rule takes effect only after the referenced
user group is enabled.
– A user can only join one user group. If multiple rules are configured, the
rule with the smallest rule-id has the highest priority.
– If multiple rules are applied to a user, the Portal authentication-free rule
referencing the user group has the highest priority.
– The rule of the user group can only contain whitelists. That is, the deny
action cannot be used.
– After configuring authorization for a user using the destination user-
group group-name command, you cannot configure authorization in
other modes for the user.
● If a user fails built-in Portal authentication on a Layer 2 interface of the
device (excluding the S5720HI), the user cannot obtain network access rights
defined by the Portal authentication-free rule.
Example
# Enable all Portal users to access the network segment 10.1.1.0/24 (10.1.1.1 mask 24) without authentication.
<HUAWEI> system-view
[HUAWEI] portal free-rule 1 destination ip 10.1.1.1 mask 24 source ip any
# Add the devices on network segment 10.2.100.0/24 to the user group static-user
and allow the devices to access all network resources without authentication.
<HUAWEI> system-view
[HUAWEI] acl number 3100
[HUAWEI-acl-adv-3100] rule 5 permit ip source 10.2.100.0 255.255.255.0
[HUAWEI-acl-adv-3100] quit
[HUAWEI] user-group static-user
[HUAWEI-user-group-static-user] acl-id 3100
[HUAWEI-user-group-static-user] quit
[HUAWEI] user-group static-user enable
[HUAWEI] portal free-rule 0 source ip 10.2.100.0 mask 24 destination user-group static-user
Related Topics
13.5.42 display portal free-rule
13.5.164 web-auth-server (interface view)
13.5.156 user-group
13.5.157 user-group enable
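The following is an added example, not code from this command reference or from Huawei. It models how the authentication-free rules above are evaluated for an unauthenticated user's packet, following the precautions stated on this page: rules are tried one by one (this model assumes ascending rule-id order), a rule carrying a destination port can never match a fragmented packet because the fragment has no Layer 4 header, and a rule that names both a VLAN and an interface is invalid unless the interface belongs to that VLAN. The rule set, the VLAN membership table and the packets are constructed; the mac and user-group forms of the rule are not modelled.

```python
"""Added example (not Huawei code): first-match evaluation of Portal
authentication-free rules, with the fragment and VLAN/interface caveats."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None
    vlan: Optional[int] = None
    iface: Optional[str] = None
    fragment: bool = False          # non-initial IP fragment: no L4 header


@dataclass(frozen=True)
class FreeRule:
    rule_id: int
    src_net: Optional[str] = None   # None models "source ip any"
    src_vlan: Optional[int] = None
    src_iface: Optional[str] = None
    dst_net: Optional[str] = None   # None models "destination any"
    dst_proto: Optional[str] = None # "tcp"/"udp", used together with dst_port
    dst_port: Optional[int] = None


def _in_net(ip: str, net: str) -> bool:
    # "10.1.1.1 mask 24" on the page denotes the /24 that contains 10.1.1.1.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: FreeRule, p: Packet) -> bool:
    if rule.src_net and not _in_net(p.src_ip, rule.src_net):
        return False
    if rule.src_vlan is not None and p.vlan != rule.src_vlan:
        return False
    if rule.src_iface and p.iface != rule.src_iface:
        return False
    if rule.dst_net and not _in_net(p.dst_ip, rule.dst_net):
        return False
    if rule.dst_port is not None:
        # Page precaution: a fragment cannot match a port-qualified rule, so
        # an unauthenticated user's fragments are not forwarded by this rule.
        if p.fragment:
            return False
        if p.proto != rule.dst_proto or p.dst_port != rule.dst_port:
            return False
    return True


def first_matching_rule(rules, p: Packet) -> Optional[int]:
    """Return the rule-id that admits the packet, or None (packet is dropped)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):   # assumed order
        if rule_matches(rule, p):
            return rule.rule_id
    return None


def rule_is_valid(rule: FreeRule, vlan_members: dict) -> bool:
    # Page precaution: with both vlan and interface given, the interface must
    # belong to the VLAN; otherwise the configuration is invalid.
    if rule.src_vlan is not None and rule.src_iface:
        return rule.src_iface in vlan_members.get(rule.src_vlan, ())
    return True


# Constructed rule set: the page's "destination 10.1.1.1 mask 24, source any",
# a DNS-only rule towards one resolver, and a VLAN- and interface-scoped rule.
RULES = [
    FreeRule(rule_id=1, dst_net="10.1.1.1/24"),
    FreeRule(rule_id=2, dst_net="10.1.2.53/32", dst_proto="udp", dst_port=53),
    FreeRule(rule_id=3, src_vlan=10, src_iface="GigabitEthernet0/0/1",
             dst_net="10.1.3.0/24"),
]
VLAN_MEMBERS = {10: {"GigabitEthernet0/0/1", "GigabitEthernet0/0/2"}}

if __name__ == "__main__":
    dns = Packet("192.168.1.20", "10.1.2.53", "udp", dst_port=53)
    dns_frag = Packet("192.168.1.20", "10.1.2.53", "udp", fragment=True)
    print(first_matching_rule(RULES, dns), first_matching_rule(RULES, dns_frag))
```

The fragment case is the one to remember when a rule with a port number "works" for small replies and then stalls for large ones: the first fragment matches, the rest are dropped.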
Format
portal local-server https ssl-policy policy-name [ port port-num ]
undo portal local-server https
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Compared with an external Portal server, the built-in Portal server is easier to
use, cheaper, and easier to maintain. After the built-in Portal server is configured,
no external Portal authentication server is required. When you run the portal
local-server command to enable the built-in Portal server function, you configure
the built-in Portal server to use HTTPS to exchange authentication information
with users. HTTPS is HTTP carried over SSL/TLS. If the built-in Portal server uses
HTTPS to exchange authentication information with users, an SSL policy must be
configured and a digital certificate must be loaded into it.
NOTE
You can run the 13.5.114 portal local-server enable command to enable the Portal
authentication function on the interface only after the built-in Portal server function is
enabled.
Prerequisites
● The IP address for the built-in Portal server has been configured using the
13.5.115 portal local-server ip command.
● An SSL policy has been created using the ssl policy policy-name command in
the system view and the digital certificate has been loaded using the
certificate load command in the SSL policy view.
● Obtain the certificate to be loaded for the SSL policy from a certificate
authority that the users' browsers trust. A certificate the browser does not trust
produces a warning on every login page, which trains users to click through
warnings.
Precautions
● When there are online Portal authentication users, the built-in Portal server
function cannot be disabled globally and the SSL policy of the built-in Portal
server cannot be modified.
● The SSL policy referenced by the built-in Portal server cannot be deleted.
● After the built-in Portal server function is enabled globally, the guest VLAN,
critical VLAN, or restrict VLAN cannot be created.
Example
# Enable the built-in Portal server function and set the SSL policy used by the
built-in Portal server to abc.
<HUAWEI> system-view
[HUAWEI] portal local-server https ssl-policy abc
Related Topics
13.5.43 display portal local-server
Format
portal local-server ad-image load ad-image-file
undo portal local-server ad-image load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
There is a blank area on the login page of the default page package used by the
built-in Portal server. Users can customize this area by loading an advertisement
image file. When the login page needs to be customized based on special
requirements, the administrator can upload the user-defined advertisement image
file to the device and run the portal local-server ad-image load command. After
the advertisement image file is loaded, the user-defined advertisement images are
displayed on the built-in Portal server login page for authentication.
Prerequisites
The user-defined advertisement image file must have been uploaded to the
device.
Example
# Load the advertisement image file ad.png to the built-in Portal server login
page.
<HUAWEI> system-view
[HUAWEI] portal local-server ad-image load flash:/ad.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
portal local-server anonymous
undo portal local-server anonymous
Parameters
None
Views
VLANIF interface view, Ethernet interface view, GE interface view, MultiGE
interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view,
Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To provide convenient network services for users in airports, hotels, cafes, or civil
entertainment squares, the anonymous login function can be enabled so that the
users can access the network without entering user names and passwords.
After anonymous login for users in built-in Portal authentication is enabled, users
are redirected to the login page when they log in to the web page for the first
time. To connect to the network, the users only need to accept the agreements,
and click Login.
Precautions
When anonymous login is configured, it is recommended that you set AAA
authentication mode to none authentication.
Example
# Enable anonymous login for users in built-in Portal authentication on VLANIF10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] portal local-server anonymous
Related Topics
13.5.114 portal local-server enable
Format
portal local-server authentication-method { chap | pap }
undo portal local-server authentication-method
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
The built-in Portal server function has been enabled globally using the portal
local-server command.
Example
# Configure the built-in Portal server to use PAP to authenticate Portal users.
<HUAWEI> system-view
[HUAWEI] portal local-server authentication-method pap
Related Topics
13.5.43 display portal local-server
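The following is an added example, not code from this command reference or from Huawei. It shows what the choice between chap and pap amounts to at the protocol level, using the generic definitions rather than anything this page states about the device's own transport: the CHAP response of RFC 1994 (a one-way digest, so the password never crosses the wire) and the PAP password as hidden in a RADIUS User-Password attribute per RFC 2865 section 5.2 (reversible by anyone holding the shared secret and the request). Passwords, challenge, shared secret and Request Authenticator are constructed.

```python
"""Added example (not Huawei code): CHAP response (RFC 1994) versus PAP
password hiding in RADIUS (RFC 2865 section 5.2)."""
import hashlib
import hmac


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def chap_verify(identifier: int, password: bytes, challenge: bytes,
                response: bytes) -> bool:
    """The verifier recomputes the digest from the stored password."""
    return hmac.compare_digest(chap_response(identifier, password, challenge),
                               response)


def radius_hide_password(password: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 octets, then XOR block i with
    b_i = MD5(secret || c_(i-1)), where c_0 is the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_recover_password(hidden: bytes, secret: bytes,
                            request_authenticator: bytes) -> bytes:
    """Anyone with the shared secret and the request reverses the hiding.
    That is the difference from CHAP: a captured PAP exchange plus the
    secret yields the password; a captured CHAP exchange does not."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a positive multiple of 16")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    # Trailing NULs are padding (passwords are assumed not to end in NUL).
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    challenge = bytes(range(16))                       # constructed
    resp = chap_response(1, b"pass123", challenge)
    print("CHAP ok:", chap_verify(1, b"pass123", challenge, resp))
    ra = b"\x01" * 16                                  # constructed
    hidden = radius_hide_password(b"pass123", b"radius-secret", ra)
    print("PAP recovered:", radius_recover_password(hidden, b"radius-secret", ra))
```

Both methods rest on MD5, so neither is a reason to skip HTTPS between the user and the built-in Portal server; the method only changes what a party holding the server secret can learn from a captured exchange.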
Function
The portal local-server background-color command configures the background
color of the built-in Portal server login page.
Format
portal local-server background-color background-color-value
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Users can customize the login page of the default page package used by the built-
in Portal server. The administrator can configure the background color of the login
page.
Example
# Configure the user-defined background color of the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server background-color #AABBCC
Format
portal local-server background-image load { background-image-file | default-
image1 }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Users can customize the login page of the default page package used by the built-
in Portal server. Users can customize background images or select the default
ones. When the background image of the login page needs to be customized
based on special requirements, the administrator can upload the user-defined
background image file to the device and run the portal local-server background-
image load command. After the image is loaded, the user-defined background
image file is displayed on the built-in Portal server login page for authentication.
Prerequisites
The user-defined background image must have been uploaded to the device.
Example
# Load the background image file bg.png to the built-in Portal server login page.
<HUAWEI> system-view
[HUAWEI] portal local-server background-image load flash:/bg.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
In the system view:
portal local-server enable interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
undo portal local-server enable interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>
In the interface view:
portal local-server enable
undo portal local-server enable
Parameters
Parameter Description Value
Views
System view, VLANIF interface view, Ethernet interface view, GE interface view,
MultiGE interface view, XGE interface view, 40GE interface view, Eth-Trunk
interface view, Port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Compared with the external Portal server, the built-in Portal server is easy to use,
cost-effective, and easy to maintain. After built-in Portal authentication is enabled,
the external Portal server is not required. After the built-in Portal server function is
enabled using the 13.5.108 portal local-server command, built-in Portal
authentication must be enabled on the interface using the portal local-server
enable command to authenticate users on the interface.
Prerequisites
Portal authentication has been enabled globally using the portal local-server
command.
Precautions
The portal local-server enable command cannot be used together with the
following commands on the same interface.
Command Function
Example
# Enable built-in Portal authentication on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 10.1.1.1 24
[HUAWEI-LoopBack1] quit
[HUAWEI] portal local-server ip 10.1.1.1
[HUAWEI] ssl policy s1
[HUAWEI-ssl-policy-s1] pki-realm default
[HUAWEI-ssl-policy-s1] quit
[HUAWEI] http secure-server ssl-policy s1
[HUAWEI] portal local-server https ssl-policy s1 port 1025
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] portal local-server enable
Related Topics
13.5.43 display portal local-server
Format
portal local-server ip ip-address
undo portal local-server ip
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the device is used as a built-in Portal server, you can run the portal local-
server ip command to configure an IP address for the built-in Portal server. Users
are then redirected to the Portal server if they enter URLs that are not located in
the free IP subnet.
NOTE
● The IP address assigned to the built-in Portal server must have a reachable route to the
user.
● It is recommended that a loopback interface address be assigned to the built-in Portal
server because the loopback interface is stable. Additionally, packets destined for
loopback interfaces are not sent to other interfaces on the network; therefore, system
performance does not deteriorate even if many users request to go online.
● After users go online through the built-in Portal server, if the interface address or
interface (non-physical interface) matching the built-in Portal server's IP address is
deleted, online users cannot go offline and offline users cannot go online. Therefore,
exercise caution when you delete the interface address or interface.
Example
# Assign the IP address 10.1.1.1 to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server ip 10.1.1.1
Related Topics
13.5.43 display portal local-server
Format
portal local-server keep-alive interval interval-value [ auto ]
undo portal local-server keep-alive
Parameters
Parameter Description Value
interval interval-value | Specifies the heartbeat detection interval of the built-in Portal server. | The value is an integer that ranges from 30 to 7200, in seconds.
auto | Specifies the automatic detection mode. If this parameter is not configured, the forcible detection mode is used. | -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a user closes the browser or an exception occurs, the device can detect the
user's online state to decide whether to log the user out. The administrator can
enable the heartbeat detection function of the built-in Portal server: if the device
does not receive a heartbeat packet from a client within the specified period, the
device logs the user out. The built-in Portal server supports either of the following
detection modes:
● Forcible detection mode: This mode applies to all users. If the device does not
receive a heartbeat packet from a user within the specified period, the device
logs the user out.
● Automatic detection mode: The device checks whether the client browser
supports the heartbeat program. If it does, the forcible detection mode is used
for that user; if it does not, the device performs no heartbeat detection for the
user. This mode is recommended, because it prevents users from being logged
out merely because their browser does not support the heartbeat program.
NOTE
Currently, the heartbeat program is supported by Internet Explorer 8, FireFox 3.5.2, Chrome
28.0.1500.72, and Opera 12.00 on Windows 7.
Browsers using Java1.7 and later versions do not support the heartbeat program.
Precautions
In forcible detection mode, network congestion can prevent the device from
receiving heartbeat packets for a long time, and the device then logs out users
who are still present. In such a network, increase the heartbeat detection interval.
If you run this command multiple times in the same view, only the latest
configuration takes effect.
Example
# Configure the automatic detection function of the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server keep-alive interval 60 auto
Function
The portal local-server load command loads a page file package to the built-in
Portal server.
The undo portal local-server load command restores the default configuration.
By default, the built-in Portal server loads the default page file package
portalpage.zip.
Format
portal local-server load string
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Customized page file packages can be loaded to the built-in Portal server.
Prerequisites
The page file (.zip) has been uploaded from the PC to the device storage media.
Precautions
The default page file package can be modified but cannot be deleted. If it is
deleted, the built-in Portal server fails to load the pages after startup.
This function is used by technical support personnel to develop limited page
customization based on customer requirements and does not apply to
customization by customers themselves.
Example
# Load the page file portalpage_01.zip on the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server load portalpage_01.zip
Warning: Portal local server has been enabled, and this operation will affect online user, continue?[Y/N]:y
Info: The loading process may take a few seconds.Please wait for a moment
Info: Load web file successfully.
Related Topics
13.5.45 display portal local-server page-information
Format
portal local-server logo load logo-file
undo portal local-server logo load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
There is a blank area on the login page of the default page package used by the
built-in Portal server. Users can customize this area by loading a logo file. When
the login page needs to be customized based on special requirements, the
administrator can upload the user-defined logo file to the device and run the
portal local-server logo load command. After the logo file is loaded, the user-
defined logo is displayed on the built-in Portal server login page for
authentication.
Prerequisites
The user-defined logo file must have been uploaded to the device.
Example
# Load the logo file logo.png to the built-in Portal server login page.
<HUAWEI> system-view
[HUAWEI] portal local-server logo load flash:/logo.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
portal local-server page-text load string
undo portal local-server page-text load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If you need to customize the use instruction page, you can upload the customized
use instruction page file to the device, and run this command to load the file.
After the file is loaded, the hyperlink Instruction for Use is generated on the login
page of the built-in Portal server, and users can click the hyperlink to access the
use instruction page.
Prerequisite
The page file to be loaded has been uploaded to the device.
Precautions
When the to-be-loaded page is customized, the page length and width are fixed.
After adjusting the page, the administrator must upload and load the modified
page again.
Currently, only Chinese or English page files can be loaded on the device.
Example
# Load the use instruction page file page.html to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server page-text load flash:/page.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
portal local-server policy-text load string
undo portal local-server policy-text load
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To customize a disclaimer page, upload the disclaimer page file to the device and
run this command to load the file. After the file is loaded, the hyperlink
Disclaimer will be displayed on the login page. You can click the link to visit the
disclaimer page.
Prerequisite
The disclaimer page file to be loaded has been uploaded to the device.
Precautions
Currently, only Chinese and English disclaimer page files can be loaded on the
device.
Example
# Load the disclaimer page file policy.html to the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server policy-text load policy.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.
Format
portal local-server syslog-limit enable
undo portal local-server syslog-limit enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device generates a log each time a user authenticated through the built-in
Portal server fails to go online or offline. A user whose attempt fails typically
retries repeatedly, so the device generates a large number of logs within a short
time. This inflates the failure rate in the statistics and degrades system
performance. You can run the portal local-server syslog-limit enable command to
enable the log suppression function for users authenticated through the built-in
Portal server. The device then generates only one log for a user who fails to go
online or offline within a suppression period (configured using the 13.4.159
portal local-server syslog-limit period command).
Example
# Enable the log suppression function for users authenticated through the built-in
Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server syslog-limit enable
Format
portal local-server syslog-limit period value
undo portal local-server syslog-limit period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device generates a log each time a user authenticated through the built-in
Portal server fails to go online or offline. A user whose attempt fails typically
retries repeatedly, so the device generates a large number of logs within a short
time. This inflates the failure rate in the statistics and degrades system
performance. You can enable the log suppression function (configured using the
13.4.158 portal local-server syslog-limit enable command) for users
authenticated through the built-in Portal server. The device then generates only
one log for a user who fails to go online or offline within a suppression period.
Example
# Set the log suppression period to 1000 seconds for users authenticated through
the built-in Portal server.
<HUAWEI> system-view
[HUAWEI] portal local-server syslog-limit period 1000
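The following is an added example, not code from this command reference or from Huawei. It models the suppression window that the two syslog-limit commands above describe: the first failure of a given kind for a user inside a period is logged and later repeats inside that period are not. Reporting the number of swallowed repeats in the next emitted line is this example's own design choice, added because suppression otherwise hides how hard a user (or an attacker using that user name) was trying; the page does not say what the device records. The period, user names and timestamps are constructed.

```python
"""Added example (not Huawei code): per-user log suppression window with a
repeat count, modelled on `portal local-server syslog-limit`."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SuppressedLogger:
    period: float                         # seconds, like `syslog-limit period`
    emitted: List[str] = field(default_factory=list)
    # (user, event) -> (start of current window, repeats swallowed in it)
    _window: Dict[Tuple[str, str], Tuple[float, int]] = field(default_factory=dict)

    def log(self, ts: float, user: str, event: str) -> Optional[str]:
        """Return the emitted log line, or None if the event was suppressed."""
        key = (user, event)
        repeats = 0
        if key in self._window:
            start, repeats = self._window[key]
            if ts - start < self.period:
                # Inside the window: count it, do not emit (the page's behaviour).
                self._window[key] = (start, repeats + 1)
                return None
        # First event of a new window: emit, carrying how many repeats the
        # previous window swallowed (example's design, not the page's).
        line = (f"{ts:.0f} PORTAL_LOCAL {event} user={user} "
                f"suppressed_repeats={repeats}")
        self._window[key] = (ts, 0)
        self.emitted.append(line)
        return line


if __name__ == "__main__":
    logger = SuppressedLogger(period=1000)         # constructed, like the page's 1000 s
    for ts, user in [(0, "alice"), (10, "alice"), (500, "alice"),
                     (5, "bob"), (1000, "alice")]:
        print(logger.log(ts, user, "LOGIN_FAIL"))
```

Suppression is keyed per user and event, so one noisy client cannot hide another user's first failure, and the count on the next line keeps a burst of failures visible to whoever reads the logs.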
Format
portal local-server timer session-timeout interval
undo portal local-server timer session-timeout
Parameters
Parameter Description Value
interval | Specifies the session timeout interval for built-in Portal authentication users. | The value is an integer that ranges from 1 to 720, in hours.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Scenario
When built-in Portal authentication is used for users and the device functions as a
built-in Portal server, you can configure the session timeout interval for the users.
The users are disconnected after the specified session timeout interval. To connect
to the network again, the users need to be re-authenticated.
Precautions
The session timeout interval for built-in Portal authentication users is calculated
based on the device time. For example, if the session timeout interval is 6 hours
and the device time is 2014-09-01 02:00:00 when a user was connected, the user
should be disconnected at 2014-09-01 08:00:00. Therefore, ensure that the device
time is correct after the session timeout interval is configured for users. If the
device time is incorrect, users may fail to be connected or disconnected properly.
You can run the display clock command to check the device time and the clock
datetime HH:MM:SS YYYY-MM-DD command to configure the time.
Example
# Configure the session timeout interval to 10 hours for built-in Portal
authentication users.
<HUAWEI> system-view
[HUAWEI] portal local-server timer session-timeout 10
Related Topics
13.5.43 display portal local-server
Function
The portal logout different-server enable command configures a device to
process user logout requests sent by a Portal server other than the one from
which users log in.
The undo portal logout different-server enable command restores the default
configuration.
By default, a device does not process user logout requests sent by Portal servers
other than the one from which users log in.
Format
portal logout different-server enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
The user logout requests that a device can process must be sent by Portal servers
bound to an access interface. These servers include all the Portal servers
configured in the master and backup Portal server templates bound to the
interface.
Example
# Enable a device to process user logout requests sent by a Portal server other than the
one from which users log in.
<HUAWEI> system-view
[HUAWEI] portal logout different-server enable
Related Topics
13.5.41 display portal
Function
The portal logout resend timeout command configures the re-transmission times
and interval for the Portal authentication user logout packet.
The undo portal logout resend timeout command restores the default setting.
Format
portal logout resend times timeout period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After disconnecting a Portal authentication user, the device sends a user logout
packet (NTF-LOGOUT) to instruct the Portal server to delete the user information.
If the network between the device and Portal server is not stable or packets are
lost, the Portal server may fail to receive the user logout packet from the device
after the Portal authentication user is disconnected. In this case, the user is
displayed as disconnected on the device but still as online on the Portal server. To
enable the Portal server to receive the user logout packet and ensure that the
online user information on the Portal server is correct, the administrator can
enable the user logout packet re-transmission function on the device and
configure the re-transmission times and interval.
Example
# Configure the re-transmission times to 5 and interval to 10 seconds for the
Portal authentication user logout packet.
<HUAWEI> system-view
[HUAWEI] portal logout resend 5 timeout 10
Related Topics
13.5.41 display portal
13.5.47 display portal user-logout
Format
portal max-user user-number
undo portal max-user
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
You can run the portal max-user command to set the maximum number of
concurrent Portal authentication users.
Example
# Set the maximum number of concurrent Portal authentication users to 25.
<HUAWEI> system-view
[HUAWEI] portal max-user 25
The undo portal quiet-period command disables the quiet timer of Portal
authentication.
By default, the quiet timer for Portal authentication is enabled.
Format
portal quiet-period
undo portal quiet-period
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the portal quiet-period command is used to enable the quiet timer for Portal
authentication, if the number of Portal authentication failures exceeds the value
specified by the 13.5.128 portal quiet-times command, the device keeps the Portal
authentication user in quiet state for a period of time. During the quiet period, the
device discards Portal authentication requests from the user. This prevents the impact
of frequent authentications on the system.
The quiet period for Portal authentication can be set using the 13.5.130 portal timer
quiet-period command. After the quiet period expires, the device re-authenticates the
user.
Example
# Enable the quiet timer for Portal authentication.
<HUAWEI> system-view
[HUAWEI] portal quiet-period
Related Topics
13.5.128 portal quiet-times
13.5.130 portal timer quiet-period
13.5.46 display portal quiet-user
The undo portal quiet-times command restores the default maximum number of
authentication failures within 60s before a Portal authentication user enters the
quiet state.
By default, the device allows a maximum of ten authentication failures within 60s
before a Portal authentication user enters the quiet state.
Format
portal quiet-times fail-times
undo portal quiet-times
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the 13.5.127 portal quiet-period command is used to enable the quiet
timer, if the number of Portal authentication failures exceeds the value specified
by the portal quiet-times command, the device keeps the Portal authentication
user in quiet state for a period of time. This prevents the impact of frequent
authentications on the system.
Example
# Set the maximum number of Portal authentication failures within 60 seconds to
4.
<HUAWEI> system-view
[HUAWEI] portal quiet-times 4
Related Topics
13.5.127 portal quiet-period
13.5.130 portal timer quiet-period
13.5.46 display portal quiet-user
Format
portal timer offline-detect time-length
undo portal timer offline-detect
Parameters
Parameter | Description | Value
time-length | Specifies the Portal user offline detection interval. | The value is 0 or an integer that ranges from 30 to 7200, in seconds. The default value is 300. The value 0 indicates that offline detection is not performed.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a Portal user goes offline due to power failure or network interruption, the
device and Portal server may still store the user information, which causes
incorrect accounting. Additionally, only a limited number of users can access the
device. If a user goes offline improperly but the device still stores the user
information, other users cannot access the network.
After the Portal user offline detection interval is set, if the user does not respond
within the interval, the device considers the Portal user offline. The device and
Portal server then delete the user information and release resources to ensure
efficient resource use.
Precautions
The portal timer offline-detect command only applies to Layer 2 Portal
authentication.
Example
# Set the Portal user offline detection interval to 400s.
<HUAWEI> system-view
[HUAWEI] portal timer offline-detect 400
Related Topics
13.5.164 web-auth-server (interface view)
Format
portal timer quiet-period quiet-period-value
undo portal timer quiet-period
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the 13.5.127 portal quiet-period command is used to enable the quiet
timer, run the portal timer quiet-period command to set the quiet period for
Portal authentication. If a Portal authentication user is kept in quiet state, the
device discards Portal authentication requests from the user during the quiet
period.
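The quiet-state behaviour described here and under portal quiet-period and portal quiet-times, as an added simulation that is not Huawei code; the 60-second failure window and the "exceeds" comparison follow the page, while the in-memory bookkeeping and the event format are assumptions:

```python
from collections import deque


class PortalQuietTimer:
    """Models the Portal authentication quiet timer of one access device.

    Constructed model, not device code. quiet_times corresponds to
    'portal quiet-times', quiet_period (seconds) to 'portal timer quiet-period'
    and enabled to 'portal quiet-period' / 'undo portal quiet-period'.
    """

    WINDOW_SECONDS = 60  # the page counts authentication failures within 60s

    def __init__(self, quiet_times=10, quiet_period=60, enabled=True):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.enabled = enabled
        self._failures = {}     # user -> deque of failure timestamps (seconds)
        self._quiet_until = {}  # user -> time at which the quiet state ends

    def is_quiet(self, user, now):
        """True while the user is in quiet state; expiry releases the user."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Quiet period over: the device re-authenticates the user normally.
            del self._quiet_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def should_discard(self, user, now):
        """Authentication requests from a quiet user are discarded."""
        return self.enabled and self.is_quiet(user, now)

    def record_failure(self, user, now):
        """Record one authentication failure.

        Returns True when the failures within the last 60 s exceed quiet_times,
        i.e. when the user has just entered the quiet state.
        """
        if not self.enabled:
            return False
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Drop failures that fell out of the 60-second window.
        while window and now - window[0] > self.WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            window.clear()
            return True
        return False


def simulate(events, quiet_times, quiet_period, enabled=True):
    """Replay constructed events (time, user, kind), kind being 'fail' for a
    request that fails authentication or 'ok' for one that succeeds.

    Returns (time, user, decision) with decision one of 'discard' (request
    dropped during the quiet period), 'quiet' (this failure put the user into
    quiet state), 'fail' or 'ok'.
    """
    timer = PortalQuietTimer(quiet_times, quiet_period, enabled)
    decisions = []
    for now, user, kind in events:
        if timer.should_discard(user, now):
            decisions.append((now, user, "discard"))
        elif kind == "fail":
            entered = timer.record_failure(user, now)
            decisions.append((now, user, "quiet" if entered else "fail"))
        else:
            decisions.append((now, user, "ok"))
    return decisions


if __name__ == "__main__":
    # Constructed sample: 'portal quiet-times 4' and 'portal timer quiet-period 2000'.
    sample = [(t, "user-a", "fail") for t in range(5)] + [
        (6, "user-a", "ok"), (2006, "user-a", "ok")]
    for row in simulate(sample, quiet_times=4, quiet_period=2000):
        print(row)
```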
Example
# Set the quiet period to 2000s.
<HUAWEI> system-view
[HUAWEI] portal timer quiet-period 2000
Related Topics
13.5.127 portal quiet-period
13.5.128 portal quiet-times
13.5.46 display portal quiet-user
NOTE
Format
portal url-encode enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
After the URL encoding and decoding function is enabled, some servers may not
support the escape characters converted from special characters in redirect URLs.
Therefore, check whether servers support the escape characters before configuring
special characters in redirect URLs.
Example
# Enable URL encoding and decoding.
<HUAWEI> system-view
[HUAWEI] portal url-encode enable
Related Topics
13.5.48 display portal url-encode configuration
Function
The portal user-alarm percentage command sets alarm thresholds for the Portal
authentication user count percentage.
The undo portal user-alarm percentage command restores the default alarm
thresholds for the Portal authentication user count percentage.
By default, the lower alarm threshold for the Portal authentication user count
percentage is 50, and the upper alarm threshold for the Portal authentication user
count percentage is 100.
Format
portal user-alarm percentage percent-lower-value percent-upper-value
Parameters
Parameter | Description | Value
percent-lower-value | Specifies the lower alarm threshold for the Portal authentication user count percentage. | The value is an integer that ranges from 1 to 100.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After running the 13.5.126 portal max-user command to set the maximum
number of online Portal authentication users allowed on a device, you can run the
portal user-alarm percentage command to set alarm thresholds for the Portal
authentication user count percentage.
When the percentage of online Portal authentication users against the maximum
number of users allowed by the device exceeds the upper alarm threshold, the
device generates an alarm. When the percentage of online Portal authentication
users against the maximum number of users allowed by the device reaches or falls
below the lower alarm threshold later, the device generates a clear alarm.
If the configured upper alarm threshold for the Portal authentication user count
percentage is 100, the device generates an alarm when the number of online users
reaches the maximum number of users allowed by the device.
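The raise-and-clear behaviour just described, including the upper-threshold-100 case, as an added model that is not Huawei code; the event names are constructed, and the 1 to 100 range of the upper threshold is assumed to match the lower one:

```python
class PortalUserAlarm:
    """Raise/clear model for 'portal user-alarm percentage'.

    Constructed illustration, not device code. max_user corresponds to
    'portal max-user', lower/upper to percent-lower-value/percent-upper-value.
    """

    def __init__(self, max_user, lower=50, upper=100):
        # The page gives 1..100 for the lower threshold; the same range is
        # assumed for the upper threshold.
        for name, value in (("lower", lower), ("upper", upper)):
            if not (isinstance(value, int) and 1 <= value <= 100):
                raise ValueError(f"{name} threshold must be an integer 1..100")
        if max_user < 1:
            raise ValueError("max_user must be at least 1")
        self.max_user = max_user
        self.lower = lower
        self.upper = upper
        self.alarm_active = False

    def percentage(self, online):
        """Online Portal users as a percentage of the configured maximum."""
        return online * 100.0 / self.max_user

    def update(self, online):
        """Feed the current number of online Portal users.

        Returns 'alarm' when the percentage exceeds the upper threshold,
        'clear' when an active alarm sees the percentage reach or fall below
        the lower threshold, and None when nothing changes.
        """
        pct = self.percentage(online)
        if self.upper == 100:
            # Special case from the page: with the upper threshold at 100 the
            # alarm is generated when the user count reaches the maximum.
            over = online >= self.max_user
        else:
            over = pct > self.upper
        if not self.alarm_active and over:
            self.alarm_active = True
            return "alarm"
        if self.alarm_active and pct <= self.lower:
            self.alarm_active = False
            return "clear"
        return None


def replay(max_user, lower, upper, online_counts):
    """Apply a constructed sequence of online-user counts; returns the
    non-None events in order, e.g. [(21, 'alarm'), (7, 'clear')]."""
    monitor = PortalUserAlarm(max_user, lower, upper)
    events = []
    for count in online_counts:
        event = monitor.update(count)
        if event is not None:
            events.append((count, event))
    return events


if __name__ == "__main__":
    # 'portal max-user 25' with 'portal user-alarm percentage 30 80'.
    print(replay(25, 30, 80, [10, 20, 21, 24, 15, 8, 7, 3, 22]))
```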
Example
# Set the lower alarm threshold for the Portal authentication user count
percentage to 30, and the upper alarm threshold for the Portal authentication
user count percentage to 80.
<HUAWEI> system-view
[HUAWEI] portal user-alarm percentage 30 80
Related Topics
13.5.126 portal max-user
Format
portal web-authen-server { http | https ssl-policy policy-name } [ port port-number ]
undo portal web-authen-server [ port ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the device is connected to a Portal server that supports only the HTTP or
HTTPS protocol, you need to run the portal web-authen-server command on the
device to enable the Portal interconnection function of the HTTP or HTTPS
protocol.
Follow-up Procedure
Run the 13.4.172 protocol (Portal server template view) command to set the
protocol used in Portal authentication to HTTP or HTTPS.
Precautions
Modifying the port parameter causes the pre-connected user to go offline.
Example
# Enable the Portal interconnection function of the HTTPS protocol.
<HUAWEI> system-view
[HUAWEI] ssl policy huawei
[HUAWEI-ssl-policy-huawei] quit
[HUAWEI] portal web-authen-server https ssl-policy huawei port 8443
Related Topics
13.4.89 display web-auth-server configuration
Format
protocol { http [ password-encrypt { none | uam } ] | portal }
undo protocol
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
In Portal authentication, the device can use the following protocols to
communicate with the Portal server. You can set the protocol according to the
protocol supported by the Portal server.
● Portal protocol
● HTTP or HTTPS protocol
Example
# Set the protocol used in Portal authentication to HTTP or HTTPS.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] protocol http password-encrypt uam
13.5.135 remark
Function
The remark command configures the user group priority.
The undo remark command cancels the user group priority configuration.
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.
Format
remark { 8021p 8021p-value | dscp dscp-value } *
Parameters
Parameter Description Value
Views
User group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the user group priority is configured, users in the user group inherit the
priority. That is, different user packets have different priorities. In this way, the
administrator can manage different types of users more flexibly.
Precautions
When the remark and 5.7.8 voice-vlan remark commands are used together to
modify the user packet priority, if the services conflict:
● For S5720HI, the priority configured using the remark command takes effect.
● For S5720EI, S6720EI, and S6720S-EI, the priority configured using the 5.7.8
voice-vlan remark command takes effect.
Example
# Set the priority for processing IP packets to 3 in the user group abc.
<HUAWEI> system-view
[HUAWEI] user-group abc
[HUAWEI-user-group-abc] remark dscp 3
Related Topics
13.5.157 user-group enable
13.5.156 user-group
Function
The reset aaa statistics access-type-authenreq command clears the statistics on
the number of MAC, Portal, and 802.1X authentication requests.
Format
reset aaa statistics access-type-authenreq
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When users send authentication requests, the device counts the MAC, Portal, and
802.1X authentication requests it receives.
To clear the statistics on the number of MAC, Portal, and 802.1X authentication
requests, run the reset aaa statistics access-type-authenreq command.
Example
# Clear the statistics on the number of MAC, Portal, and 802.1X authentication requests.
<HUAWEI> reset aaa statistics access-type-authenreq
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.
Format
reset access-user traffic-statistics { user-id begin-id [ end-id ] | mac-address mac-address | ip-address ip-address [ vpn-instance vpn-instance ] }
Parameters
Parameter | Description | Value
user-id begin-id [ end-id ] | Specifies IDs of online users.
● begin-id specifies the start ID of online users.
● end-id specifies the end ID of online users. The value of end-id must be equal to or greater than that of begin-id.
To view IDs of online users, run the 13.5.31 display access-user command. | The value is an integer that varies depending on the product model.
Views
User view
Default Level
3: Management level
Usage Guidelines
After traffic control is configured for users in a user group using the 13.5.27 car
(user group view) command, the device collects statistics on traffic of each user
in the user group. You can run the reset access-user traffic-statistics command
to clear statistics on traffic of online users in a user group.
NOTE
After you run the reset access-user traffic-statistics command to clear traffic statistics, the
cleared user traffic statistics are not included in the accounting packets sent by the device
to the accounting server.
Example
# Clear statistics on traffic of the user with the IP address as 10.1.1.1.
<HUAWEI> reset access-user traffic-statistics ip-address 10.1.1.1
Related Topics
13.5.27 car (user group view)
Format
reset dot1x statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
The 802.1X authentication statistics contain the number of times that
authentication succeeded and failed on an interface and the number of sent and
received packets. The reset dot1x statistics command is used in the following
scenarios:
● Redeploy services. After the statistics are cleared, collect the 802.1X
authentication statistics again, and run the 13.5.34 display dot1x command
to check whether the authentication function works properly and whether
packets are correctly sent and received.
● Rectify a fault. After the fault is rectified, run the reset dot1x statistics
command to clear the statistics, collect the statistics on 802.1X authentication
again, and then run the 13.5.34 display dot1x command to verify the
authentication result and check whether packets are correctly sent and
received. If the authentication is successful and packets are correctly sent and
received, the fault is rectified.
Example
# Clear 802.1X authentication statistics on GE0/0/1.
<HUAWEI> reset dot1x statistics interface gigabitethernet 0/0/1
Related Topics
13.5.34 display dot1x
Function
The reset mac-authen statistics command clears MAC address authentication
statistics.
Format
reset mac-authen statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
The reset mac-authen statistics command is used in the following scenarios:
● Re-deploy services. After the statistics are cleared, collect the MAC address
authentication statistics again, and run the 13.5.38 display mac-authen
command to check whether the authentication function is normal.
● Rectify a fault. After the fault is rectified, run the reset mac-authen statistics
command to clear statistics, collect MAC address authentication statistics
again, and run the 13.5.38 display mac-authen command to check the
authentication result. If the authentication is successful, the fault is rectified.
Example
# Clear MAC address authentication statistics on GE0/0/1.
<HUAWEI> reset mac-authen statistics interface gigabitethernet 0/0/1
Related Topics
13.5.38 display mac-authen
13.5.140 server-detect
Function
The server-detect command enables the Portal server detection function.
The undo server-detect command disables the Portal server detection function.
By default, the Portal server detection function is disabled.
Format
server-detect [ interval interval-period | max-times times | critical-num critical-num | action { log | trap | permit-all } * ] *
undo server-detect [ interval | max-times | critical-num | action { log | trap | permit-all } * ]
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
If the communication is interrupted because the network between the device and
Portal server is faulty or the Portal server is faulty, new Portal authentication users
cannot go online. This brings great inconvenience to users.
After the Portal server detection function is enabled in the Portal server template,
the device detects all Portal servers configured in the Portal server template. If the
number of times that the device fails to detect a Portal server exceeds the upper
limit, the status of the Portal server is changed from Up to Down. If the number of
Portal servers in Up state is less than or equal to the minimum number (specified
by the critical-num parameter), the device performs the corresponding operation
to allow the administrator to obtain the real-time Portal server status or ensure
that the users have certain network access rights.
NOTE
The detection interval of the Portal server multiplied by the maximum number of detection
failures cannot be less than the keepalive heartbeat interval of the Portal server. It is
recommended that the configured detection interval of the Portal server be greater than
the keepalive heartbeat interval of the Portal server.
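The detection bookkeeping described above, together with the keepalive check from the NOTE, as an added model that is not Huawei code; the probe itself is replaced by results the caller feeds in, and the reset-on-success and once-per-transition behaviour are assumptions:

```python
class PortalServerDetector:
    """Constructed model of 'server-detect' in a Portal server template.

    Not device code. interval, max_times and critical_num correspond to the
    interval, max-times and critical-num keywords; actions is any subset of
    {'log', 'trap', 'permit-all'}.
    """

    def __init__(self, servers, interval, max_times, critical_num, actions):
        self.interval = interval
        self.max_times = max_times
        self.critical_num = critical_num
        self.actions = frozenset(actions)
        self.state = {s: "Up" for s in servers}
        self.failures = {s: 0 for s in servers}

    def check_keepalive(self, keepalive_interval):
        """Apply the NOTE on the page.

        Returns (acceptable, recommended): acceptable is False when
        interval * max-times is less than the server keepalive heartbeat
        interval; recommended is True when interval alone exceeds it.
        """
        acceptable = self.interval * self.max_times >= keepalive_interval
        recommended = self.interval > keepalive_interval
        return acceptable, recommended

    def up_count(self):
        return sum(1 for s in self.state.values() if s == "Up")

    def report(self, server, reachable):
        """Record one detection result for server.

        Returns the sorted list of configured actions when this result makes
        the number of Up servers fall to critical_num or below; otherwise [].
        Assumptions: consecutive failures are counted and a success resets
        them, and actions fire once on that transition.
        """
        before = self.up_count()
        if reachable:
            self.failures[server] = 0
            self.state[server] = "Up"
        else:
            self.failures[server] += 1
            # The page: status changes from Up to Down when the failures
            # exceed the upper limit (max-times).
            if self.failures[server] > self.max_times:
                self.state[server] = "Down"
        after = self.up_count()
        if before > self.critical_num >= after:
            return sorted(self.actions)
        return []


if __name__ == "__main__":
    # Constructed template with two servers, interval 100, max-times 5,
    # critical-num 0 and action log (the page's example values).
    det = PortalServerDetector(["10.10.10.1", "10.10.10.2"], 100, 5, 0, ["log"])
    print(det.check_keepalive(60))
    for _ in range(6):
        det.report("10.10.10.1", False)
    print(det.state, det.up_count())
```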
Example
# Enable the Portal server detection function in the Portal server template abc.
Configure the detection interval to 100 seconds, the maximum number of
detection failures to 5. Configure the device to send log information when the
number of detection failures exceeds the upper limit.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-detect interval 100 max-times 5 action log
Related Topics
13.5.158 user-sync
Format
server-ip server-ip-address &<1-10>
Parameters
Parameter | Description | Value
server-ip-address | Specifies an IP address of a Portal server. | The value is in dotted decimal notation.
all | Deletes all IP addresses of a Portal server. | -
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After creating a Portal server template on the device using the 13.5.167 web-auth-server (system view) command, configure parameters for the template.
Run the server-ip command to configure an IP address for the Portal server in the
Portal server template view. When receiving a Portal authentication request packet
from a user, the device sends a response packet to the Portal server with the
configured IP address.
Precautions
Example
# Set the Portal server IP address in the Portal server template huawei to
10.10.10.1.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] server-ip 10.10.10.1
Related Topics
13.5.56 display web-auth-server configuration
13.5.167 web-auth-server (system view)
13.5.150 url (Portal server template view)
Format
shared-key cipher key-string
undo shared-key
Parameters
Parameter | Description | Value
cipher | Displays a shared key in cipher text. | -
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a shared key is configured using the shared-key command, each Portal packet
exchanged between the device and Portal server carries an authenticator
generated from the shared key, and the receiver uses the authenticator to check
whether the received Portal packet is correct. This effectively improves the
security of the information exchange.
Precautions
To improve security, it is recommended that the shared key contain at least two
of the following character types: lower-case letters, upper-case letters, numerals,
and special characters, and that it be at least 6 characters long.
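The shared-key authenticator mechanism and the key-strength recommendation above, as an added illustration that is not Huawei code; the packet layout is constructed and HMAC-SHA256 stands in for the Portal protocol's own authenticator calculation, which the page does not specify:

```python
import hashlib
import hmac
import string

AUTH_LEN = 32  # length of the constructed authenticator (HMAC-SHA256 output)


def check_shared_key_strength(key):
    """Check the page's recommendation for the shared key: at least 6
    characters drawn from at least two of lower case, upper case, numerals
    and special characters."""
    classes = (
        any(c in string.ascii_lowercase for c in key),
        any(c in string.ascii_uppercase for c in key),
        any(c in string.digits for c in key),
        any(c in string.punctuation for c in key),
    )
    return len(key) >= 6 and sum(classes) >= 2


def authenticator(body, shared_key):
    """Keyed digest over the packet body. Stand-in for the Portal protocol
    authenticator, whose exact algorithm the page does not give."""
    return hmac.new(shared_key.encode("utf-8"), body, hashlib.sha256).digest()


def build_packet(body, shared_key):
    """Sender side: append the authenticator to the packet body."""
    return body + authenticator(body, shared_key)


def verify_packet(packet, shared_key):
    """Receiver side: recompute the authenticator with the locally configured
    shared key and compare in constant time.

    Returns the body for an authentic packet; None for a packet that is too
    short, was altered in transit, or was produced with a different key.
    """
    if len(packet) < AUTH_LEN:
        return None
    body, tag = packet[:-AUTH_LEN], packet[-AUTH_LEN:]
    if not hmac.compare_digest(tag, authenticator(body, shared_key)):
        return None
    return body


if __name__ == "__main__":
    # Constructed sample: a logout notification as the device might send it.
    key = "huawei@123"  # the page's example key
    print(check_shared_key_strength(key))
    pkt = build_packet(b"NTF-LOGOUT user-ip=10.1.1.1", key)
    print(verify_packet(pkt, key))
    print(verify_packet(pkt, "wrong-key"))
```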
Example
# Configure the shared key in the Portal server template huawei to huawei@123.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] shared-key cipher huawei@123
Related Topics
13.5.56 display web-auth-server configuration
13.5.167 web-auth-server (system view)
Format
snmp-agent trap enable feature-name mid_aaa [ trap-name
{ hwmacmovedquietmaxuseralarm | hwmacmovedquietuserclearalarm } ]
undo snmp-agent trap enable feature-name mid_aaa [ trap-name
{ hwmacmovedquietmaxuseralarm | hwmacmovedquietuserclearalarm } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwmacmovedquietmaxuseralarm of the AAA
module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_aaa trap-name hwmacmovedquietmaxuseralarm
Related Topics
13.5.50 display snmp-agent trap feature-name mid_aaa all
Format
snmp-agent trap enable feature-name mid_eapol [ trap-name
{ hwmacauthenmaxuseralarm | hwsrvcfgeapmaxuseralarm } ]
undo snmp-agent trap enable feature-name mid_eapol [ trap-name
{ hwmacauthenmaxuseralarm | hwsrvcfgeapmaxuseralarm } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwmacauthenmaxuseralarm of the DOT1X module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_eapol trap-name hwmacauthenmaxuseralarm
Related Topics
13.5.51 display snmp-agent trap feature-name mid_eapol all
Function
The snmp-agent trap enable feature-name mid_web command enables the trap
function for the web authentication module.
By default, the trap function is enabled for the web authentication module.
Format
snmp-agent trap enable feature-name mid_web [ trap-name
{ hwportalmaxuseralarm | hwportaluserclearalarm | hwportalserverdown |
hwportalserverup } ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
Example
# Enable the trap function for hwportalmaxuseralarm of the web authentication
module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name mid_web trap-name hwportalmaxuseralarm
Related Topics
13.5.52 display snmp-agent trap feature-name mid_web all
Format
source-ip ip-address
undo source-ip
Parameters
Parameter | Description | Value
ip-address | Specifies the source IP address for communication with a Portal server. | The value is in dotted decimal notation.
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To ensure normal communication between the device and Portal server, run the
source-ip command to configure a source IP address on the device.
Example
# Set the source IP address for communication between the device and a Portal
server to 192.168.1.100 in the Portal server template huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] source-ip 192.168.1.100
Related Topics
13.5.167 web-auth-server (system view)
13.5.147 static-user
Function
The static-user command configures a static user.
The undo static-user command deletes the configured static user.
By default, no static user is configured.
Format
static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id ] *
undo static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
NOTE
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. The users can be configured as static users for flexible
authentication.
After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only when Portal
authentication is enabled on the interfaces connected to the static users.
Precautions
When the interface (interface interface-type interface-number) mapping static
users is specified, the VLAN (vlan vlan-id) that the interface belongs to must be
configured.
This function takes effect only for users who go online after this function is
successfully configured.
Static users cannot change their IP addresses; if a static user changes its IP
address, the user goes offline.
Example
# Specify the IP address range 10.1.1.1-10.1.1.10, authentication domain huawei,
and VLAN 10 that static users belong to.
<HUAWEI> system-view
[HUAWEI] static-user 10.1.1.1 10.1.1.10 domain-name huawei vlan 10
Related Topics
13.5.149 static-user username format-include
13.5.148 static-user password
13.5.53 display static-user
Format
static-user password cipher password
undo static-user password
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a static user triggers authentication through an ARP packet, you can run
the static-user password command to set the password for the static user. The
access device then sends the password to the authentication server.
Precautions
To improve security, change the default password immediately and update the
password periodically. It is recommended that the new password contain at least
two of the following character types: lower-case letters, upper-case letters,
numerals, and special characters, and that it be at least 6 characters long.
This function takes effect only for users who go online after this function is
successfully configured.
Example
# Configure the password huawei@123 for static users.
<HUAWEI> system-view
[HUAWEI] static-user password cipher huawei@123
Related Topics
13.5.147 static-user
13.5.149 static-user username format-include
13.5.53 display static-user
Format
static-user username format-include { ip-address | mac-address | system-name }
undo static-user username format-include
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a static user triggers authentication through an ARP packet, you can run
the static-user username format-include command to set the user name for the
static user. The access device then sends the user name to the authentication
server.
Example
# Set the user IP address as the static user name for authentication.
<HUAWEI> system-view
[HUAWEI] static-user username format-include ip-address
Related Topics
13.5.147 static-user
13.5.148 static-user password
13.5.53 display static-user
Function
The url command configures the URL for a Portal server.
Format
url url-string
undo url
Parameters
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the Portal server IP address is configured using the 13.5.141 server-ip
(Portal server template view) command, the Portal server URL is generated by
default on the device. If the existing Portal server URL is inconsistent with the
default one or the domain name needs to be used, you need to run the url
command to specify the Portal server URL.
Precautions
Example
# Set the URL of a Portal server to http://www.***.com in the Portal server
template huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] url http://www.***.com
Related Topics
13.5.56 display web-auth-server configuration
13.5.167 web-auth-server (system view)
13.5.141 server-ip (Portal server template view)
Function
The url command configures the redirection URL or pushed URL.
The undo url command cancels the redirection URL or pushed URL.
Format
url [ push-only | redirect-only ] url-string
Parameters
Parameter Description Value
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a URL template is created using the 13.5.155 url-template name command,
you can run this command to configure the redirection URL or pushed URL. When
a user without network access right connects to the network, the Portal
authentication device redirects the user to the specified URL for
authentication. The difference between redirection URL and pushed URL is as
follows:
● Redirection URL: When a user without network access right connects to the
network, the Portal authentication device redirects the user to the redirection
URL for authentication.
● Pushed URL: After an authenticated user accesses the network through web
for the first time, the access device pushes the web page corresponding to the
URL to the user. The web access request from the user is redirected to the
specified URL, and then the user is allowed to access network resources.
Precautions
When configuring a URL on the device, you cannot enter a question mark (?). If a
URL contains a question mark (?), you can run the parameter start-mark #
command in the URL template view to replace the question mark (?) with the
number sign (#).
If the push-only and redirect-only parameters are not specified, the configured
URL is used as both redirection URL and pushed URL. You can configure pushed
URL using the 13.5.85 force-push command, or use the 13.5.154 url-template
(Portal server template view) command to bind a URL template to the Portal
server template to configure redirection URL.
Example
# Set the redirection URL to http://10.1.1.1.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url http://10.1.1.1
13.5.152 url-parameter
Function
The url-parameter command sets the parameters in URL.
The undo url-parameter command deletes the parameters in URL.
By default, a URL does not carry parameters.
Format
url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-
ipaddress user-ipaddress-value | user-mac user-mac-value | login-url url-key url }
*
undo url-parameter
Parameters
Parameter Description Value
Parameter: redirect-url redirect-url-value
Description: Specifies the original URL that a user accesses, carried in the URL, and sets the parameter name.
Value: The value is a string of 1 to 16 case-sensitive characters without spaces.
Parameter: user-mac user-mac-value
Description: Specifies the user MAC address carried in the URL and sets the parameter name.
Value: The value is a string of 1 to 16 case-sensitive characters without spaces.
Parameter: login-url url-key url
Description: Specifies the login URL of the access device.
● url-key: specifies the identification keyword for the login URL sent to the Portal server during redirection.
● url: is a specified URL on the access device.
Value:
● url-key: The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).
● url: The value is a string of 1 to 200 case-sensitive characters without spaces.
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
After a URL template is created using the 13.5.155 url-template name command
and URL is configured using the 13.5.151 url (URL template view) command,
you can use the url-parameter command to set the parameters in the URL. When
a user accesses the Portal server according to the URL, the Portal server obtains
user terminal information through the parameters in the URL. The Portal server
then provides the corresponding web authentication page for the user according
to user terminal information.
In addition, when users are pushed to a website rather than the Portal server
according to the URL, the website provides the different web pages for the users
according to user terminal information carried in the URL.
Example
# Set the user MAC address and access device system name in the URL.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url-parameter user-mac usermac sysname huawei
Format
url-parameter mac-address format delimiter delimiter { normal | compact }
undo url-parameter mac-address format
Parameters
Parameter Description Value
Views
URL template view
Default Level
2: Configuration level
Usage Guidelines
Portal servers or websites may require different MAC address formats. You can run
the url-parameter mac-address format command to set MAC address formats in
URL to meet the requirements of Portal servers.
Example
# Set the delimiter to - and format to XXXX-XXXX-XXXX.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
[HUAWEI-url-template-huawei] url-parameter mac-address format delimiter - compact
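The following Python model, added here and not part of the command reference or the switch software, shows how the pieces configured above fit together: the base URL from the url command, the parameter names from url-parameter, the MAC address format from url-parameter mac-address format, and the '#' stand-in for '?' enabled by parameter start-mark #. The assembly order, the "normal" MAC layout (six groups of two hex digits) and the way the start mark is mapped back to '?' are assumptions; the template and user values are constructed.

```python
"""Model of how a Portal redirection URL is assembled from a URL template.

Added example. It reproduces the behaviour the command reference describes
(url, url-parameter, url-parameter mac-address format, parameter start-mark #);
it is not the switch's own code, and the exact assembly order on the device is
an assumption.
"""
from urllib.parse import quote


def format_mac(mac: str, delimiter: str = "-", compact: bool = False) -> str:
    """Render a MAC address the way 'url-parameter mac-address format' does.

    compact -> XXXX-XXXX-XXXX (three groups of four, from the page's example)
    normal  -> XX-XX-XX-XX-XX-XX (assumption: six groups of two)
    The input may use any delimiter; only the hex digits are kept.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    width = 4 if compact else 2
    return delimiter.join(digits[i:i + width] for i in range(0, 12, width))


def expand_configured_url(configured_url: str, start_mark: str = "?") -> str:
    """Undo the 'parameter start-mark #' substitution.

    The CLI does not accept '?' in a URL, so the operator types '#' instead and
    sets 'parameter start-mark #'. Assumption: the device maps the first
    start mark back to '?' when it builds the redirect.
    """
    if "?" in configured_url:
        raise ValueError("a configured URL cannot contain '?'; use parameter start-mark #")
    if start_mark != "?" and start_mark in configured_url:
        return configured_url.replace(start_mark, "?", 1)
    return configured_url


def build_redirect_url(configured_url, params, start_mark="?"):
    """Append the url-parameter fields to the expanded URL, URL-encoding values."""
    url = expand_configured_url(configured_url, start_mark)
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params)
    if not query:
        return url
    return url + ("&" if "?" in url else "?") + query


# Constructed URL template, mirroring the page's CLI examples:
#   url-template name huawei
#   url http://10.1.1.1/portal
#   url-parameter user-mac usermac sysname sysname user-ipaddress userip redirect-url redirect
#   url-parameter mac-address format delimiter - compact
TEMPLATE = {
    "url": "http://10.1.1.1/portal",
    "start_mark": "?",
    "mac_delimiter": "-",
    "mac_compact": True,
    "param_names": {"user-mac": "usermac", "sysname": "sysname",
                    "user-ipaddress": "userip", "redirect-url": "redirect"},
}


def redirect_for_user(template, user_mac, user_ip, sysname, original_url):
    """Build the URL a not-yet-authenticated user is redirected to."""
    names = template["param_names"]
    mac = format_mac(user_mac, template["mac_delimiter"], template["mac_compact"])
    params = [
        (names["user-mac"], mac),
        (names["user-ipaddress"], user_ip),
        (names["sysname"], sysname),
        (names["redirect-url"], original_url),   # original request, for the return jump
    ]
    return build_redirect_url(template["url"], params, template["start_mark"])


if __name__ == "__main__":
    print(redirect_for_user(TEMPLATE, "00e0.fc12.3456", "10.1.2.3", "huawei",
                            "http://www.example.com/index.html"))
```

The values are percent-encoded before they are appended, which is what keeps a user-controlled original URL (the redirect-url parameter) from injecting extra parameters into the query string the Portal server parses.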
Function
The url-template command binds a URL template to a Portal server template.
The undo url-template command unbinds a URL template from a Portal server
template.
Format
url-template url-template [ ciphered-parameter-name ciphered-parameter-
name iv-parameter-name iv-parameter-name key cipher key-string ]
undo url-template
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the parameters of a URL template are configured, the URL template must be
bound to a Portal authentication server template so that users can be
authenticated on the Portal authentication server corresponding to the redirection
URL.
To ensure security, you can encrypt the parameter information in the URL
template bound to the Portal server profile.
Prerequisites
A URL template has been created using the 13.5.155 url-template name
command.
Precautions
If a URL template is bound to the Portal authentication server template and the
13.5.150 url (Portal server template view) command is executed to configure
the redirection URL corresponding to the Portal authentication server, only the
parameters in the URL template take effect.
The device supports encryption of parameter information in the URL template only
when it connects to the Huawei Agile Controller-Campus.
Example
# Bind the URL template abc to the Portal authentication server template.
<HUAWEI> system-view
[HUAWEI] url-template name abc
[HUAWEI-url-template-abc] quit
[HUAWEI] web-auth-server huawei
[HUAWEI-web-auth-server-huawei] url-template abc
Related Topics
13.5.151 url (URL template view)
13.5.155 url-template name
Format
url-template name template-name
undo url-template name template-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a Portal authentication server template is created using the 13.5.167 web-
auth-server (system view) command, you can bind a URL template to the Portal
authentication server template. The URL template contains the redirection URL
and redirection URL parameters.
Example
# Create a URL template named huawei and enter the template view.
<HUAWEI> system-view
[HUAWEI] url-template name huawei
13.5.156 user-group
Function
The user-group command creates a user group or displays the user group view.
Format
user-group group-name
Parameters
Parameter Description Value
Parameter: group-name
Description: Specifies the name of a user group.
Value: The value is a string of 1 to 64 case-sensitive characters. It cannot be set to - or --, and it cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In practical NAC applications, there are many access users and a large number of
ACL rules need to be configured for each user. However, the number of user types
is limited.
You can run the user-group command to create user groups on the device and
associate each user group to a group of ACL rules (for details, see 13.5.6 acl-id
(user group view)). In this way, users in the same group share a group of ACL
rules. The limited ACL resources can support a large number of access users.
NOTE
When the user group function is enabled on models except the S5720EI, S5720HI, S6720EI,
and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be
used to save ACL resources.
Precautions
● When you create a user group, ensure that the user group name is different
from the number of an existing ACL. You can run the display acl all
command to view the configuration of all ACL rules on the device.
● If you want to delete the user group when the ACL bound to the user takes
effect, run the cut access-user user-group group-name command to
disconnect all users bound to the user group, and run the undo user-group
group-name enable command to disable the user group function.
● The priority of the user group authorization information delivered by the
authentication server is higher than that of the user group authorization
information applied in the AAA domain. If the user group authorization
information delivered by the authentication server cannot take effect, the user
group authorization information applied in the AAA domain is used. For
example, if only user group B is configured on the device and the group
authorization information is applied in the AAA domain when the
authentication server delivers authorization information about user group A,
the authorization information about user group A cannot take effect and the
authorization information about user group B is used. To make the user group
Example
# Create a user group test1.
<HUAWEI> system-view
[HUAWEI] user-group test1
Related Topics
13.5.6 acl-id (user group view)
13.5.157 user-group enable
Format
user-group group-name enable
undo user-group group-name enable
Parameters
Parameter Description Value
Parameter: group-name
Description: Specifies the name of a user group.
Value: The value is a string of 1 to 64 case-sensitive characters without spaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a user group has been created using the 13.5.156 user-group command, run
the user-group enable command to enable the user group function.
Precautions
After the user group function is enabled, the binding relationship between a user
group and an ACL cannot be modified.
If the user group function is not enabled, users going online through Layer 2
interfaces can access the network without restriction, while users going online
through VLANIF interfaces are not allowed to access the network.
Example
# Enable the user group huawei.
<HUAWEI> system-view
[HUAWEI] user-group huawei enable
13.5.158 user-sync
Function
The user-sync command enables user information synchronization.
The undo user-sync command disables user information synchronization.
By default, user information synchronization is disabled.
Format
user-sync [ interval interval-period | max-times times ] *
undo user-sync
Parameters
Parameter Description Value
Parameter: interval interval-period
Description: Specifies the user information synchronization interval.
Value: The value is an integer that ranges from 30 to 65535, in seconds. The default value is 300.
Parameter: max-times times
Description: Specifies the maximum number of user information synchronization failures.
Value: The value is an integer that ranges from 2 to 255. The default value is 3.
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
NOTE
During information synchronization, the device does not disconnect the user immediately
after detecting that the device has certain user information while the server does not have
such information. Instead, the device disconnects the user when the maximum number of
user information synchronization failures is reached.
Precautions
If users go online during the keepalive interval of the Portal server, the Portal
server does not have their entries. After the Portal server goes Up and starts
synchronizing user information, the device does not disconnect these users even if
synchronization fails. The device retains these users until the next time they go
online and perform Portal authentication, ensuring good user experience.
When you run the user-sync command, make sure that the Portal server supports
this function; otherwise, the users will go offline.
Example
# Enable user information synchronization in the Portal server template abc, set
the interval for user information synchronization to 100s, and set the maximum
number of synchronization failures to 5.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] user-sync interval 100 max-times 5
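The following Python model, added here and not taken from the command reference or the switch software, walks through the disconnect rule described above: a user the device knows but the Portal server does not is cut off only once the number of consecutive failed synchronizations reaches max-times, and users who came online while the Portal server was down are retained. How the device distinguishes the two kinds of user (the server_knows_user flag here) and the per-user failure counter are assumptions; the IP addresses and the sequence of server responses are constructed.

```python
"""Model of the user-sync disconnect rule from the command reference.

Added example, not the device's code. It shows why a user is cut off only
after max-times consecutive failed synchronizations, and why users who came
online while the Portal server was down are retained. The field names and the
per-user failure counter are assumptions about how the device tracks state.
"""
from dataclasses import dataclass


@dataclass
class PortalUser:
    ip: str
    # True when the Portal server completed this user's authentication, so the
    # server is expected to hold an entry for the user. False for users who went
    # online during the server's keepalive gap (assumption: how the device tells
    # the two cases apart).
    server_knows_user: bool
    sync_failures: int = 0
    online: bool = True


def sync_round(users, server_entries, max_times=3):
    """One synchronization round (run every 'interval' seconds).

    users: dict ip -> PortalUser; server_entries: set of IPs the server reports.
    Returns the list of IPs disconnected in this round.
    """
    cut = []
    for user in users.values():
        if not user.online:
            continue
        if user.ip in server_entries:
            user.sync_failures = 0          # consistent again: counter resets
            continue
        if not user.server_knows_user:
            continue                        # retained until the next Portal login
        user.sync_failures += 1             # device has an entry, server does not
        if user.sync_failures >= max_times:
            user.online = False
            cut.append(user.ip)
    return cut


def simulate(rounds, max_times=3):
    """Run a constructed scenario and return (per-round cut lists, users still online).

    rounds: list of server_entries sets, one per synchronization round.
    """
    users = {
        "10.1.2.3": PortalUser("10.1.2.3", server_knows_user=True),
        "10.1.2.4": PortalUser("10.1.2.4", server_knows_user=True),
        # came online while the server was down: no server entry expected
        "10.1.2.5": PortalUser("10.1.2.5", server_knows_user=False),
    }
    history = [sync_round(users, entries, max_times) for entries in rounds]
    return history, sorted(u.ip for u in users.values() if u.online)


if __name__ == "__main__":
    # server answers: .4 present, nobody, .4 present, nobody, nobody
    print(simulate([{"10.1.2.4"}, set(), {"10.1.2.4"}, set(), set()]))
```

In the printed scenario 10.1.2.3 is disconnected in the third round (three misses in a row), 10.1.2.4 survives because a successful round resets its counter, and 10.1.2.5 is never counted at all; this is the trade-off the precautions describe, where a transient server outage does not cut users but a server that lacks this function will.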
Format
user-vlan vlan-id
undo user-vlan
Parameters
Parameter Description Value
Views
User group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a user group is created using the user-group command, you can run the
user-vlan command to configure a user group VLAN, so that users in different
user groups have different network access permissions. When a user in a user
group goes online, the user is added to the user group VLAN to obtain the
network access permission of this user group.
Prerequisites
The user group VLAN has been created using the vlan command.
Precautions
● An authorized VLAN cannot be delivered to online Portal users.
● If a user uses Portal authentication or combined authentication (including
Portal authentication), the device cannot authorize a VLAN to the user.
● The user-vlan command does not take effect for the users who are already
online.
● If the user access mode is not multi-share, to make the user-vlan command
take effect, you must set the link type of the interface connected to users to
hybrid. Access switches send untagged frames to users in the user VLAN even
when the interfaces connected to users are added to this user VLAN in tagged
mode.
Example
# Set the VLAN of the user group abc to 10.
<HUAWEI> system-view
[HUAWEI] user-group abc
[HUAWEI-user-group-abc] user-vlan 10
Related Topics
13.5.157 user-group enable
13.5.156 user-group
Function
The vm-authen password command configures a password for virtual users
during RADIUS authentication.
The undo vm-authen password command restores the default password for
virtual users during RADIUS authentication.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
NOTE
Format
vm-authen password cipher password
Parameters
Parameter Description Value
Parameter: cipher
Description: Displays a password in cipher text.
Value: -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the vm-authen password command to configure a password for
virtual users during RADIUS authentication.
Precautions
Example
# Set the password huawei for virtual users during RADIUS authentication.
<HUAWEI> system-view
[HUAWEI] vm-authen password cipher huawei
Function
The vm-user association-type command configures the association type of a
virtual user.
NOTE
Format
vm-user association-type { online | pre-online | offline } mac-address mac-
address interface interface-type interface-number vlan vlan-id [ ip-address ip-
address | profile profile-name | vsi vsi-name ] *
Parameters
Parameter: profile profile-name
Description: Specifies the profile to which the virtual user belongs.
Value: The value is a string of 1 to 64 case-sensitive characters without spaces.
Parameter: vsi vsi-name
Description: Specifies the name of the virtual site interface.
Value: The value is a string of 1 to 64 case-sensitive characters without spaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In virtual network management, you must configure the function specified by the
vm-user association-type command on the network management system (NMS)
so that virtual users can access the network. The NMS then delivers the function
configuration to the device. After receiving the related function configuration, the
device automatically runs the vm-user association-type command to configure
the association type of the virtual user.
Precautions
Example
# Set the association type of the virtual user with the MAC address 1-1-1 in VLAN
10 on GE0/0/1 to pre-online.
<HUAWEI> system-view
[HUAWEI] vm-user association-type pre-online mac-address 1-1-1 interface gigabitethernet 0/0/1 vlan 10
NOTE
Format
vpn-instance vpn-instance-name
undo vpn-instance
Parameters
Parameter Description Value
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A VPN implements interconnection within the same department and between
different departments in an enterprise. To enable the Portal authentication service
in the VPN, run the vpn-instance command to bind a Portal server template to a
VPN instance.
Prerequisites
Precautions
The VPN instance bound to the Portal server template must be the same as that
bound to the Portal server; otherwise, the device cannot perform Portal
authentication for access users.
The users in VPN instances bound to different Portal server templates cannot use
the same IP addresses because users with the same IP addresses cannot go online
or offline.
Example
# Bind the Portal server template abc to the VPN instance huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] vpn-instance huawei
Related Topics
10.4.36 ip vpn-instance
Function
The web-auth-server version command sets the Portal protocol version
supported by the device.
By default, the device supports both the versions V1.0 and V2.0.
Format
web-auth-server version v2 [ v1 ]
Parameters
Parameter Description Value
Parameter: v2
Description: Indicates that the device supports the Portal protocol version V2.0. The major version currently used is V2.0.
Value: -
Parameter: v1
Description: Indicates that the device supports the Portal protocol version V1.0.
Value: -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Currently, the Portal protocol has two versions: V1.0 and V2.0. The device and
Portal server must use the Portal protocol of the same version to ensure normal
communication. You can run the web-auth-server version command to set the
Portal protocol version supported by the device.
NOTE
Example
# Configure the device to use only the Portal protocol V2.0.
<HUAWEI> system-view
[HUAWEI] web-auth-server version v2
Related Topics
13.5.56 display web-auth-server configuration
Function
The web-auth-server command binds a Portal server template to an interface.
Format
● VLANIF interface view:
web-auth-server server-name [ bak-server-name ] { direct | layer3 }
undo web-auth-server [ server-name [ bak-server-name ] ] { direct | layer3 }
● Layer 3 Ethernet interface view: (Only the S5720EI, S5720HI, S6720EI, and
S6720S-EI support this)
web-auth-server server-name [ bak-server-name ] layer3
undo web-auth-server [ server-name [ bak-server-name ] layer3 ]
Parameters
Views
VLANIF interface view, GE interface view, XGE interface view, 40GE interface view,
Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A configured Portal server template must be bound to the interface. In this way,
the users connected to this interface can be authenticated by the Portal server.
When the Portal server template is bound to the interface using the web-auth-
server command and a user attempts to access charged network resources, the
user is forcibly redirected to the configured Portal authentication page for Portal
authentication.
After the primary and secondary Portal server templates are configured, the users
who send HTTP requests are redirected to the network access page provided by
the secondary Portal server when the primary Portal server is faulty or cannot be
accessed. This meets the users' network access requirements. This function can
take effect only when the primary Portal server detection function is enabled
using the 13.5.140 server-detect command and heartbeat detection is enabled on
the Portal server.
● layer3: Layer 3 forwarding devices exist between the user and the device, so
the device cannot learn the user's MAC address and identifies the user uniquely
by IP address.
Prerequisites
A Portal server template has been created using the 13.5.167 web-auth-server
(system view) command and an IP address has been configured for the Portal
server using the 13.5.141 server-ip (Portal server template view) command.
Precautions
● You can bind only one Portal server template to an interface. To modify a
Portal server template that has been bound to an interface, remove the
template from the interface, modify the template, and bind the modified
template to the interface again.
● If 802.1X authentication, MAC address authentication, MAC address bypass
authentication or built-in Portal authentication is enabled on a Layer 2
interface, this command cannot be executed on the VLANIF interface of a
VLAN to which the Layer 2 interface is added.
● This command does not take effect on the VLANIF interface corresponding to
the super VLAN.
Example
# Bind the Portal server template Server1 to VLANIF10, and set the authentication
mode to Layer 2 authentication.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] web-auth-server Server1
[HUAWEI-web-auth-server-Server1] server-ip 10.10.1.1
[HUAWEI-web-auth-server-Server1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] web-auth-server Server1 direct
Related Topics
13.5.167 web-auth-server (system view)
13.5.141 server-ip (Portal server template view)
13.5.56 display web-auth-server configuration
Format
web-auth-server listening-port port-number
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the device exchanges user authentication information with the Portal server
using the Portal protocol, you must configure the listening port on the device to
receive Portal packets.
You can run the web-auth-server listening-port command to set the number of
the port through which the device listens on Portal packets. The port number must
be the same as the destination port number in Portal packets sent by the Portal
server and must be unique.
NOTE
If a specified port is occupied by another service or is a reserved port, the configuration fails.
Ensure that the specified port is available when running this command.
Example
# Set the number of the port through which a device listens on Portal protocol
packets to 3000.
<HUAWEI> system-view
[HUAWEI] web-auth-server listening-port 3000
Related Topics
13.5.56 display web-auth-server configuration
Function
The web-auth-server reply-message command enables the device to
transparently transmit users' authentication responses sent by the authentication
server to the Portal server.
Format
web-auth-server reply-message
undo web-auth-server reply-message
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The AAA server requires that the authentication messages sent to the Portal server
contain the authentication reply; therefore, the web-auth-server reply-message
command is required. In certain situations, the authentication messages are not
required to carry the reply. In this case, run the undo web-auth-server reply-
message command.
By default, the device directly forwards the authentication result message from the
RADIUS server to the Portal server without processing. This is called transparent
transmission.
Example
# Disable the device from transparently transmitting users' authentication
responses to the Portal server.
<HUAWEI> system-view
[HUAWEI] undo web-auth-server reply-message
Related Topics
13.5.56 display web-auth-server configuration
Format
web-auth-server server-name
undo web-auth-server server-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When an unauthenticated Portal user goes online, the device forces the user to
log in to a specified website (also called the Portal website). The user can access
resources in the Portal website for free. When the user attempts to access charged
network resources, the user must pass authentication on the Portal website. The
specific process is as follows:
1. The unauthorized user opens Internet Explorer and enters a URL in the
address box. When receiving the HTTP request sent by the user, the device
redirects it to the Portal authentication page of the Portal server.
2. The user enters user information on the authentication page or in the
authentication dialog box, and the Portal server forwards the user information
to the device.
3. After receiving the user information from the Portal server, the device sends
the information to the authentication server for authentication and
accounting.
4. After the user is authenticated, the device allows the user to access the
Internet if no security policy is enforced.
After a Portal server template is created on the device by using the web-auth-
server command, run other commands to create a route from the device to the
Portal server.
Follow-up Procedure
Run the following commands to configure related attributes of the Portal server
template:
● Run the 13.5.141 server-ip (Portal server template view) command to
configure an IP address for the Portal server.
● Run the 13.5.150 url (Portal server template view) command to configure a
URL of the Portal server.
● Run the 13.5.104 port (Portal server template view) command to set the
port number that a Portal server uses to receive notification packets from the
device.
● Run the 13.5.142 shared-key (Portal server template view) command to
configure the shared key that the device uses to exchange information with
the Portal server.
Precautions
You are advised to back up the Portal server data to prevent authentication failure
caused by the Portal server fault.
If you want to run the undo web-auth-server command to delete a Portal server
template, ensure that the Portal server template is not bound to the interface.
Example
# Create the Portal server template huawei.
<HUAWEI> system-view
[HUAWEI] web-auth-server huawei
Related Topics
13.5.56 display web-auth-server configuration
13.5.164 web-auth-server (interface view)
13.5.150 url (Portal server template view)
13.5.141 server-ip (Portal server template view)
13.5.104 port (Portal server template view)
13.5.142 shared-key (Portal server template view)
Format
web-redirection disable
undo web-redirection disable
Parameters
None
Views
Portal server template view
Default Level
2: Configuration level
Usage Guidelines
The device redirects all unauthenticated users to the Portal authentication page
when the users send access requests to external networks. For example, when the
user needs to enter the URL of the authentication page manually, the web-
redirection disable command can be executed so that unauthorized users are not
forcibly redirected to the Portal authentication page.
NOTE
If the Portal server template has been bound to the VLANIF interface, this command cannot
be executed.
After this command is executed, if multiple server IP addresses are configured in the Portal
server template and no URL is configured, the device does not display error information
when the Portal server template is bound to the VLANIF interface.
Example
# Disable the Portal authentication redirection function.
<HUAWEI> system-view
[HUAWEI] web-auth-server nac
[HUAWEI-web-auth-server-nac] web-redirection disable
Related Topics
13.5.56 display web-auth-server configuration
Function
The as access controller ip-address command specifies an IP address for a
control device on an access device.
Format
as access controller ip-address ip-address
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the policy association solution is deployed, access and control devices
establish connections through CAPWAP tunnels. When an access device
dynamically obtains an IP address through the DHCP server, Option 43 is used to
notify the access device of the IP address for the control device with which the
access device establishes a CAPWAP tunnel. When an IP address is statically
configured for an access device, the as access controller ip-address ip-address
command is used to specify the IP address for the control device with which the
access device establishes a CAPWAP tunnel.
Precautions
Example
# Specify an IP address for a control device.
<HUAWEI> system-view
[HUAWEI] as access controller ip-address 10.1.1.1
The undo as access interface command deletes the source interface specified for
establishing CAPWAP tunnels from an access device.
By default, no source interface is specified for establishing CAPWAP tunnels on an
access device.
Format
as access interface vlanif vlan-id
undo as access interface
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the policy association solution is deployed, CAPWAP tunnels are used for
connection establishment, user association, message communication, user
authorization policy delivery, and user synchronization between control and access
devices. On an access device, run the as access interface vlanif vlan-id command
to specify a source interface for establishing CAPWAP tunnels.
Precautions
This command is supported only on access devices.
The management VLAN of the CAPWAP tunnel cannot be the same as the
management VLAN of the cloud switch.
In policy association, the management VLAN of a CAPWAP tunnel connects access
devices to the network. It is not recommended to perform other service
configurations except basic configurations in the management VLAN and the
corresponding VLANIF interface. If such configurations are performed, access
devices may fail to connect to the network.
Example
# Specify a source interface for establishing CAPWAP tunnels.
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] quit
[HUAWEI] as access interface vlanif 10
Format
authentication access-point [ open ]
undo authentication access-point [ open ]
Parameters
Parameter Description Value
Views
Ethernet interface view, MultiGE interface view, 40GE interface view, GE interface
view, XGE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When you deploy policy association, configure the interface of each access device
as the access point and enable remote access control on the interface.
To configure right control on a control device instead of an access device, you can
disable right control of the access point on the access device (by specifying the
open parameter).
Precautions
This command is supported only on access devices.
NOTE
When you run the authentication access-point and undo authentication access-point
commands, ensure that no authentication type is enabled on the interface. Otherwise,
disable the authentication type before you run the commands.
The authentication access-point open and authentication access-point command must
be run together; otherwise, the authentication access-point open command cannot take
effect.
The interface types vary according to device models.
If there is a terminal with one MAC address and multiple IP addresses on the live network,
you need to configure the function of identifying static users through IP addresses on the
control device. However, because the access device cannot generate multiple entries for the
terminal, you cannot implement right control on the access device. In this case, you need to
disable right control of the access point on the access device. Otherwise, packets of the
terminal will not be forwarded.
Example
# Configure GE0/0/1 as the access point.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication access-point
Related Topics
13.6.8 authentication control-point
By default, an access device does not limit the maximum number of users who are
allowed to log in through its interfaces.
Format
authentication access-point max-user max-user-number
Parameters
Parameter Description Value
Views
Ethernet interface view, MultiGE interface view, 40GE interface view, GE interface
view, XGE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To limit the maximum number of access users allowed on an interface of an
access device, run the authentication access-point max-user command.
Precautions
This command is supported only on access devices.
This command takes effect only for users who attempt to log in for the first time.
The interface types vary according to device models.
Example
# Set the maximum number of access users allowed on GE 0/0/1 to 100.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication access-point max-user 100
Related Topics
13.6.8 authentication control-point
Format
authentication associate alarm-restrain enable
undo authentication associate alarm-restrain enable
Parameters
None
Views
System view
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
Example
# Enable an access device to suppress alarms that are generated due to excess
associated users.
<HUAWEI> system-view
[HUAWEI] authentication associate alarm-restrain enable
Format
authentication associate alarm-restrain period period-value
Parameters
Parameter Description Value
Views
System view
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After an access device is enabled to suppress alarms that are generated due to
excess associated users using the authentication associate alarm-restrain
enable command, run the authentication associate alarm-restrain period
command to set a suppression period for these alarms. The device then does not
generate alarms of the same type within the suppression period.
Precautions
Example
# Set the suppression period to 600s for alarms that an access device generates
due to excess associated users.
<HUAWEI> system-view
[HUAWEI] authentication associate alarm-restrain period 600
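As an added illustration of the suppression behaviour described above (example Python written for this page, not Huawei code or device output), the model below keeps a suppression table keyed by interface and alarm type and drops repeat alarms of the same type on the same interface until the period has elapsed. The 600 s period, the timestamps and the interface names are constructed for the example; the trap name is the one this page lists for the cfgmgr module.

```python
# Added example (not Huawei code): a model of "authentication associate
# alarm-restrain". When suppression is enabled, the first alarm of a type on an
# interface is generated and recorded; further alarms of the same type on that
# interface are dropped until `period` seconds have passed. Time is a plain
# number of seconds supplied by the caller so the model runs offline.

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Trap name listed on this page for the cfgmgr module.
TRAP = "hwAuthenAssociateAccessLimitTrap"


@dataclass
class AlarmRestrainer:
    enabled: bool = False          # "authentication associate alarm-restrain enable"
    period: int = 600              # constructed value; "... alarm-restrain period 600"
    # Suppression table: (interface, alarm type) -> time the last alarm was sent.
    table: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def raise_alarm(self, interface: str, alarm_type: str, now: float) -> bool:
        """Return True if the alarm is generated, False if it is suppressed."""
        if not self.enabled:
            return True            # suppression disabled: every event is an alarm
        key = (interface, alarm_type)
        last = self.table.get(key)
        if last is not None and now - last < self.period:
            return False           # same alarm type inside the period: suppressed
        self.table[key] = now      # (re)start the suppression period
        return True

    def restrain_table(self, alarm_type: str) -> Dict[str, float]:
        """Mimic 'display authentication associate alarm-restrain-table all':
        interface -> time of the last alarm of the given type."""
        return {iface: t for (iface, kind), t in self.table.items() if kind == alarm_type}
```

Because suppression is keyed per interface, an alarm on a second interface is still generated inside another interface's suppression period, which is what the per-interface rows of the display command reflect.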
Function
The authentication control-point command configures an interface as the
control point.
Format
authentication control-point [ open ]
Parameters
Views
VLANIF interface view, Ethernet interface view, GE interface view, XGE interface
view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port
group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# Configure GE0/0/1 as the control point.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication control-point
Related Topics
13.6.4 authentication access-point
Function
The authentication open ucl-policy enable command configures a control point
where the authentication control-point open command has been configured to
filter user traffic based on a user ACL before forwarding the traffic.
NOTE
Only the S5720HI, LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X
series cards support this command.
Format
authentication open ucl-policy enable
Parameters
None
Views
GE interface view, XGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A control point directly forwards traffic from wired users who go online on an
interface of the access device without authentication and the traffic from wireless
users in direct forwarding mode. To enable the control point to filter user traffic
based on a user ACL, run the authentication open ucl-policy enable command.
Prerequisites
The control device has been configured to filter packets based on a user ACL using
the traffic-filter inbound acl { acl-number | name acl-name } command.
Precautions
Example
# Configure the control point GE1/0/1 where the authentication control-point
open command has been configured to filter user traffic based on a user ACL
before forwarding the traffic.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication control-point open
[HUAWEI-GigabitEthernet1/0/1] authentication open ucl-policy enable
Related Topics
13.6.8 authentication control-point
Function
The authentication speed-limit command configures the rate limit for an access
device to send user association and disassociation request messages.
The undo authentication speed-limit command restores the default rate limit for
an access device to send user association and disassociation request messages.
Format
authentication speed-limit max-num max-num-value interval interval-value
undo authentication speed-limit
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A control device can connect to multiple access devices. If the rate limit for an
access device to send user association and disassociation request messages is not
specified, there will be a heavy load on the control device. You can run this
command to adjust the rate limit.
Precautions
This command is supported only on access devices.
In an SVF system, commands cannot be configured on ASs. When the access rate
of users is high, they may fail to go online due to a rate limit. To lower the rate
limit, run the direct-command command on the UC device to deliver the
authentication speed-limit command configuration to the ASs. This requires that
the ASs run V200R013C00 or a later version.
Example
# Configure the access device to send a maximum of 100 association and
disassociation request messages within 10 seconds.
<HUAWEI> system-view
[HUAWEI] authentication speed-limit max-num 100 interval 10
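To make the precaution above concrete (a rate limit can leave users unable to go online when join requests arrive in a burst), here is an added fixed-window model of max-num / interval in Python. It is example code written for this page, not Huawei code; the arrival timestamps are constructed, and the choice of a fixed window rather than a sliding one is an assumption of the model.

```python
# Added example (not Huawei code): fixed-window model of
# "authentication speed-limit max-num N interval T". Each window of T seconds
# lets at most N association/disassociation requests through to the control
# device; requests beyond that are rejected in that window, which is the
# "users may fail to go online" effect the precautions mention.

from typing import List, Optional, Tuple


class SpeedLimiter:
    def __init__(self, max_num: int, interval: int):
        if max_num <= 0 or interval <= 0:
            raise ValueError("max-num and interval must be positive")
        self.max_num = max_num
        self.interval = interval
        self._window_start: Optional[float] = None
        self._count = 0

    def allow(self, now: float) -> bool:
        """Return True if a request at time `now` may be sent to the control device."""
        # Open a new window when none exists yet or the current one has expired.
        if self._window_start is None or now - self._window_start >= self.interval:
            self._window_start = now
            self._count = 0
        if self._count < self.max_num:
            self._count += 1
            return True
        return False


def simulate_burst(max_num: int, interval: int, arrivals: List[float]) -> Tuple[int, int]:
    """Feed a chronologically sorted list of request timestamps (constructed
    sample input) through the limiter. Returns (admitted, rejected)."""
    limiter = SpeedLimiter(max_num, interval)
    admitted = sum(1 for t in arrivals if limiter.allow(t))
    return admitted, len(arrivals) - admitted
```

With the page's values (max-num 100, interval 10) a burst of 150 simultaneous requests admits 100 and rejects 50; the rejected users succeed only if they retry in a later window.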
Format
control-down offline delay { delay-value | unlimited }
undo control-down offline delay
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the control-down offline delay command to configure the user
logout delay on an access device when a control tunnel is faulty. In this way, the
users will not directly go offline upon a tunnel fault. If the fault persists after the
delay, the users go offline; if the fault is rectified within the delay, the users keep
online.
Precautions
You are advised to configure the same user logout delay on control devices and
access devices.
Example
# Configure the user logout delay to 10 seconds on an access device after the
control tunnel is faulty.
<HUAWEI> system-view
[HUAWEI] control-down offline delay 10
Related Topics
13.6.12 control-down offline delay (control device)
Function
The control-down offline delay command configures the user logout delay on a
control device when a control tunnel is faulty.
The undo control-down offline delay command restores the default user logout
delay on a control device when a control tunnel is faulty.
Format
control-down offline delay { delay-value | unlimited }
Parameters
Views
Ethernet interface view, GE interface view, XGE interface view, 40GE interface view,
100GE interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the control-down offline delay command to configure the user
logout delay on a control device when a control tunnel is faulty. In this way, the
users will not directly go offline upon a tunnel fault. If the fault persists after the
delay, the users go offline; if the fault is rectified within the delay, the users keep
online.
Precautions
You are advised to configure the same user logout delay on control devices and
access devices.
If you configure users not to go offline upon a control tunnel failure, you also
need to run the link-down offline delay unlimited command in the
authentication profile view.
Example
# Configure the user logout delay to 10 seconds on GE0/0/1 of the control device
after a control tunnel is faulty.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] control-down offline delay 10
Related Topics
13.6.11 control-down offline delay (access device)
Function
The display access-user as-name command displays information about online
users on a specified access device.
Format
display access-user as-name as-name
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check information about online access users on a
control device.
The actual name of an access device may differ from the name displayed on the
control device (using the display as all command). When an access device goes
online, its name is processed as follows:
● If the access device uses the default name, its name is changed to default
name-MAC address of the access device on the control device.
● If the access device name contains spaces or double quotation marks ("), the
spaces are changed to en dashes (-) and the double quotation marks (") are
changed to single quotation marks (') on the control device.
Example
# Display information about users on the access device test_as.
<HUAWEI> display access-user as-name test_as
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16019 fdsa@none 192.168.6.5 00e0-4c88-143f Success
------------------------------------------------------------------------------
Total: 1, printed: 1
NOTE
Only letters, digits, and special characters can be displayed in the username field.
When a username contains special characters or non-English characters, the device
displays a dot (.) for each such character. If more than three such characters appear
consecutively, only three dots (...) are displayed. Here, special characters are those
whose ASCII code is smaller than 32 (space) or larger than 126 (~).
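The two rendering rules in this section (how a control device rewrites an access device's name, and how the username column is sanitised) are easy to get wrong when parsing this output in a script, so here they are as an added Python model. This is example code written for this page, not Huawei code. It assumes the factory default device name is "HUAWEI" and that the dot rule is applied per Unicode code point rather than per byte; both are assumptions, and the MAC address and names are constructed.

```python
# Added example (not Huawei code): models the display rules described for
# "display access-user as-name". Assumptions: DEFAULT_AS_NAME is the factory
# default sysname, and non-ASCII characters are judged per code point.

DEFAULT_AS_NAME = "HUAWEI"  # assumption: the default name of an access device


def control_view_as_name(as_name: str, mac: str) -> str:
    """Return the name the control device shows for an access device."""
    # Rule 1: a device still using the default name is shown as default name-MAC.
    if as_name == DEFAULT_AS_NAME:
        return f"{DEFAULT_AS_NAME}-{mac}"
    # Rule 2: spaces become '-' and double quotation marks become single ones.
    return as_name.replace(" ", "-").replace('"', "'")


def is_displayable(ch: str) -> bool:
    """True for ASCII 32 (space) .. 126 (~); anything else is rendered as '.'."""
    return 32 <= ord(ch) <= 126


def displayed_username(username: str) -> str:
    """Render a username the way the display command does: each special or
    non-English character becomes '.', and a run of more than three such
    characters collapses to exactly three dots."""
    out = []
    run = 0                      # length of the current run of hidden characters
    for ch in username:
        if is_displayable(ch):
            run = 0
            out.append(ch)
        else:
            run += 1
            if run <= 3:
                out.append(".")  # fourth and later characters of a run are dropped
    return "".join(out)
```

A consequence worth knowing when correlating this output with RADIUS or syslog records: two different usernames that differ only in non-ASCII characters render identically, so the UserID or MAC column, not the username, should be used as the join key.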
Format
display associate-user
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to check associated users on access devices and control
devices.
Precautions
Users are no longer listed as associated users on a control device once they have
been successfully authenticated or added to domains. To check their information,
run the 13.1.34 display access-user (All views) command.
Example
# Display the associated users on a control device.
<HUAWEI> display associate-user
------------------------------------------------------------------
UserID IP address MAC SA MAC
------------------------------------------------------------------
27 192.168.12.1 00e0-4c88-143f dcba-6543-e00a
------------------------------------------------------------------
Total: 1, printed: 1
Format
display associate-user statistics [ interface interface-type interface-number ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
Example
# Display statistics about associated users on an interface.
<HUAWEI> display associate-user statistics
-------------------------------------------------------------------------------
Interface number
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 3
TotalNumber 3
-------------------------------------------------------------------------------
Total 1
Function
The display authentication associate command displays the global
configurations of associated users.
Format
display authentication associate
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Precautions
Example
# Display the global configurations of associated users.
Format
display authentication associate alarm-restrain-table { all | interface interface-type interface-number }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After an access device is enabled to suppress alarms that are generated due to
excess associated users using the authentication associate alarm-restrain
enable command, run the display authentication associate alarm-restrain-table
command to check the alarm suppression table information.
Precautions
Example
# Display alarm suppression table information on all interfaces.
<HUAWEI> display authentication associate alarm-restrain-table all
-------------------------------------------------------------------------------
Interface alarm time
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 --
-------------------------------------------------------------------------------
Total 1
Format
display snmp-agent trap feature-name cfgmgr all
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After enabling the trap function for the cfgmgr module, you can run the display
snmp-agent trap feature-name cfgmgr all command to check the status of all
traps for the cfgmgr module. To enable the trap function for the cfgmgr module,
run the snmp-agent trap enable feature-name cfgmgr command.
Prerequisites
The SNMP function has been enabled on the device.
Example
# Display the status of all traps for the cfgmgr module.
<HUAWEI> display snmp-agent trap feature-name cfgmgr all
------------------------------------------------------------------------------
Feature name: cfgmgr
Trap number : 1
------------------------------------------------------------------------------
Trap name                          Default switch status   Current switch status
hwAuthenAssociateAccessLimitTrap   on                      on
13.6.19 local-authorize
Function
The local-authorize command specifies the user authorization information to be
delivered to a control device.
Format
local-authorize { none | { acl | car | priority | ucl-group | vlan } * }
undo local-authorize
Parameters
Parameter Description Value
acl Delivers ACL authorization information. -
car Delivers CAR authorization information. -
priority Delivers priority authorization information. -
vlan Delivers VLAN authorization information. -
none Delivers no authorization information. -
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To enable a control device to implement specified user access policies, you can run
this command to specify user authorization information to be delivered to the
control device. By default, all authorization information is delivered to a control
device.
Precautions
This command takes effect for all user authorization types, such as local
authorization, remote authorization, and RADIUS dynamic authorization.
Example
# Deliver only UCL group authorization information to the control device.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] local-authorize ucl-group
Related Topics
13.6.20 remote-authorize
13.6.20 remote-authorize
Function
The remote-authorize command specifies the user authorization information to
be delivered to an access device.
The undo remote-authorize command restores the default user authorization
information to be delivered to an access device.
By default, no user authorization information is delivered to access devices.
Format
remote-authorize { acl | car | ucl-group } *
undo remote-authorize
Parameters
Parameter Description Value
acl Delivers ACL authorization information. -
car Delivers CAR authorization information. -
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To enable an access device to implement specified user access policies, you can
run this command to specify user authorization information to be delivered to the
access device. By default, no authorization information is delivered to the access
device.
Precautions
This command is supported only on access devices.
This command takes effect for all user authorization information, including local
authorization, remote authorization, and RADIUS dynamic authorization
information.
In SVF centralized configuration mode, access devices do not support ACL-based
authorization or UCL groups.
Example
# Deliver only ACL authorization information to the access device.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] remote-authorize acl
Related Topics
13.6.19 local-authorize
Format
snmp-agent trap enable feature-name cfgmgr [ trap-name hwauthenassociateaccesslimittrap ]
undo snmp-agent trap enable feature-name cfgmgr [ trap-name hwauthenassociateaccesslimittrap ]
Parameters
Views
Service scheme view
Default Level
3: Management level
Usage Guidelines
After the trap function is enabled, the device generates traps during operation and
sends the traps to the NMS through the SNMP module. If the trap function is
disabled, the device does not generate traps and the SNMP module does not send
traps to the NMS.
You can specify trap-name as required to enable the trap function for one or
more events.
Example
# Enable the hwauthenassociateaccesslimittrap trap function for the cfgmgr
module.
<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name cfgmgr trap-name hwauthenassociateaccesslimittrap
13.6.22 user-detect
Function
The user-detect command enables the online user detection function on an
access device.
The undo user-detect command disables the online user detection function on an
access device.
By default, the online user detection function is enabled on an access device, the
detection interval is 15 seconds, and the number of packet retransmission
attempts is 3.
Format
user-detect { interval interval-value | retry retry-value } *
undo user-detect
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a user goes offline because of a power failure or network interruption, the
access device and control device may still store information about this user,
which places an unnecessary load on the control device. In addition, the device
supports only a limited number of access users: if it keeps the information of a
user who has unexpectedly gone offline, that entry still counts toward the limit
and other users cannot access the network.
After the detection interval is set, the device considers a user to be offline if the
user does not respond within the interval. Then the access device and control
device delete the saved information about the user, ensuring effective resource
usage.
Precautions
This command is supported only on access devices.
You are advised to keep this function enabled on access devices.
This function takes effect only for users who go online after it is configured.
Example
# Enable online user detection in the system view, and set the detection interval
to 10 seconds and number of packet retransmission attempts to 5.
<HUAWEI> system-view
[HUAWEI] user-detect interval 10 retry 5
Format
user-sync interval interval-value
undo user-sync
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the user synchronization interval is reached, the access device sends a
synchronization message containing MAC addresses of all online users to the
control device. After receiving the synchronization message, the control device
responds with a synchronization failure message if it finds that some users are
offline. The access device forcibly disconnects the corresponding users according to
the synchronization failure message.
Precautions
The user synchronization function needs to be enabled on both access devices and
control devices to ensure that the function works properly. In addition, the user
synchronization interval configured on access devices must be shorter than or
equal to that configured on control devices, preventing users from being
disconnected due to incorrect synchronization.
Example
# Set the user synchronization interval to 100 seconds.
<HUAWEI> system-view
[HUAWEI] user-sync interval 100
Related Topics
13.6.24 user-sync (control device)
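The user-detect and user-sync sections above describe two mechanisms for clearing stale user entries from an access device. The following added Python model shows both exchanges end to end: probing with a retry count, then the synchronization message and the control device's failure reply. It is example code written for this page, not Huawei code; the control device is reduced to a set of known MAC addresses, the exact way the retry count is applied is an assumption, and all MAC addresses are constructed sample values.

```python
# Added example (not Huawei code): model of the access-device side of
# "user-detect" and "user-sync".
#   user-detect: probe every online user each interval; after `detect_retry`
#                consecutive missed replies the user is treated as offline and
#                its entry is deleted (retry semantics are an assumption).
#   user-sync:   send the MAC list of online users to the control device; the
#                control device replies with the MACs it no longer knows, and
#                the access device forcibly disconnects those users.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class AccessDevice:
    detect_retry: int = 3                                  # "user-detect retry 3" default
    online: Dict[str, int] = field(default_factory=dict)   # mac -> consecutive missed probes

    def add_user(self, mac: str) -> None:
        self.online[mac] = 0

    def detect_round(self, responds: Callable[[str], bool]) -> List[str]:
        """One detection interval. `responds(mac)` reports whether the user
        answered the probe. Returns the MACs removed in this round."""
        removed = []
        for mac in list(self.online):
            if responds(mac):
                self.online[mac] = 0
                continue
            self.online[mac] += 1
            if self.online[mac] >= self.detect_retry:
                del self.online[mac]          # stale entry freed on both devices
                removed.append(mac)
        return removed

    def sync_message(self) -> Set[str]:
        """Contents of the periodic user-sync message: all online MACs."""
        return set(self.online)

    def apply_sync_failure(self, unknown: Set[str]) -> List[str]:
        """Handle the control device's synchronization failure reply by
        disconnecting the users it reported as offline."""
        dropped = sorted(m for m in unknown if m in self.online)
        for mac in dropped:
            del self.online[mac]
        return dropped


def control_device_check(known_users: Set[str], sync_msg: Set[str]) -> Set[str]:
    """Control-device side of user-sync: MACs in the message it does not know."""
    return sync_msg - known_users


def sync_intervals_ok(access_interval: int, control_interval: int) -> bool:
    """Precaution from the reference: the interval on the access device must be
    shorter than or equal to the interval on the control device."""
    return access_interval <= control_interval
```

The two mechanisms are complementary: user-detect catches hosts that silently disappeared from the access port, while user-sync reconciles the access device's table with the control device's, so a user the control device has already dropped cannot linger on the access device.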
Function
The user-sync command enables the user synchronization function on a control
device.
Format
user-sync { interval interval-value | retry retry-value } *
undo user-sync
Parameters
Views
VLANIF interface view, Ethernet interface view, GE interface view, XGE interface
view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port
group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Example
# Set the user synchronization interval to 100 seconds and maximum number of
synchronization attempts to 15 on GE0/0/1 of the control device.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] user-sync interval 100 retry 15
Related Topics
13.6.23 user-sync (access device)