Data Model

The configuration model files for AAA management are huawei-user-management.yang, huawei-aaa.yang, huawei-aaa-hwtacacs.yang, and huawei-aaa-radius.yang.

Table 1 Local user

Object

Description

Value

Remarks

/huawei-user-management:user-management/local-user/user-name

Indicates the user name of a local user.

The value is a string of 1 to 64 case-insensitive characters. It cannot contain spaces, asterisks (*), double quotation marks ("), or question marks (?).

N/A

/huawei-user-management:user-management/local-user/password

Indicates the password of a local user.

The value is a case-sensitive string without question marks (?) or spaces.

N/A

/huawei-user-management:user-management/local-user/privilege-level

Indicates the privilege level of a local user.

The value is an integer that ranges from 0 to 15. A larger value indicates a higher level of a user.

N/A

/huawei-user-management:user-management/local-user/service-type

Indicates the access type of a local user.

The value can be:

  • dot1x: 802.1x user
  • api: API user
  • ftp: FTP user
  • http: HTTP user (typically used for web system login)
  • ppp: PPP user
  • ssh: SSH user
  • telnet: Telnet user (usually a network administrator)
  • terminal: end user (usually a user connected using a console port)
  • web: Portal authentication user
  • x25pad: X25-PAD user

N/A

/huawei-user-management:user-management/local-user/ftp-directory

Indicates the directory that FTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/http-directory

Indicates the directory that HTTP users can access.

The value is a string of 1 to 64 case-sensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/expire-date

Indicates the expiration time of a local account.

The value is a date in YYYY-MM-DD format that ranges from 2000-01-01 to 2099-12-31.

N/A

/huawei-user-management:user-management/local-user/time-range

Indicates the access permission time range of local accounts.

The value is a string of 1 to 32 case-sensitive characters and must begin with a letter.

N/A

/huawei-user-management:user-management/local-user/device-type-group/device-type

Indicates the type of terminal from which local users are allowed to access the network.

The value is a string of 1 to 31 case-insensitive characters without spaces.

N/A

/huawei-user-management:user-management/local-user/user-type

Indicates that a local user is an NMS user.

Enumerated type. The value is net-manager.

N/A

/huawei-user-management:user-management/local-user/access-limit

Indicates the maximum number of connections that can be created with a specified user name.

The value is an integer that ranges from 1 to 4294967295.

N/A

/huawei-user-management:user-management/local-user/idle-time

Indicates the idle timeout period of a local user account.

The value is an integer that ranges from 0 to 2147519, in seconds.

N/A

/huawei-user-management:user-management/local-user/state

Indicates the state of a local user.

Enumerated type. The value can be:
  • active: A local user is in active state. The device accepts and processes the authentication request from the user, and allows the user to change the password.
  • block: A local user is in blocking state. The device rejects the authentication request from the user and does not allow the user to change the password.

N/A

/huawei-user-management:user-management/administrator-password-police

Indicates the password policy for local administrators. The object includes:
  • enable: whether the password policy is enabled for local administrators. The value is of the Boolean type: true (enabled) or false (disabled). The default value is false.
  • expire-day: the password validity period. The value is an integer that ranges from 0 to 999, in days. The default value is 90.
  • alert-expire-day: the number of days before password expiration from which the expiration prompt is shown. The value is an integer that ranges from 0 to 999, in days. The default value is 30.
  • alert-original: whether the prompt to change the initial password is enabled. The value is of the Boolean type: true (enabled) or false (disabled). The default value is true.
  • history-record-number: the maximum number of historical passwords recorded for each user. The value is an integer that ranges from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/user-password-police

Indicates the password policy for local access users. The object includes:

  • enable: whether the password policy is enabled for local access users. The value is of the Boolean type: true (enabled) or false (disabled).
  • history-record-number: the maximum number of historical passwords recorded for each user. The value is an integer that ranges from 0 to 12. The default value is 5.

N/A

/huawei-user-management:user-management/wrong-password-police

Configures locking of local accounts after repeated failed logins: when the number of consecutive incorrect password attempts within retry-interval reaches retry-times, the account is locked for block-time. The object includes:

  • retry-interval: the authentication retry interval of local users. The value is an integer that ranges from 5 to 65535, in minutes.
  • retry-times: the maximum number of consecutive incorrect password attempts for a local account. The value is an integer that ranges from 3 to 65535.
  • block-time: the local account locking time. The value is an integer that ranges from 5 to 65535, in minutes.

N/A

/huawei-user-management:user-management/password-option/complexity-check

Indicates whether the password complexity check function is enabled for local accounts.

The value is of the Boolean type:
  • true: indicates the password complexity check function is enabled for local accounts.
  • false: indicates the password complexity check function is disabled for local accounts.

N/A
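The following script, added here as an example and not taken from Huawei documentation or software, checks a local-user entry and a wrong-password-police setting against the constraints in Table 1, flags choices that are valid per the model but weak for an administrator account (cleartext access types, no expiry, level 15 with no session limit), and serialises the result as the payload of a NETCONF edit-config. The namespace URN in NS is a placeholder assumption (take the real one from huawei-user-management.yang), and writing service-type as one element per access type is likewise assumed; the account values are constructed samples.

```python
"""Added example (not Huawei code): validate local-user and lockout values
against Table 1, warn on weak administrator settings, and build the
<edit-config> payload. NS and the service-type encoding are assumptions."""
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = "urn:huawei:yang:huawei-user-management"      # assumed placeholder URN
SERVICE_TYPES = {"dot1x", "api", "ftp", "http", "ppp", "ssh",
                 "telnet", "terminal", "web", "x25pad"}
CLEARTEXT = {"telnet", "ftp", "http"}              # no transport encryption


def _in_range(v, lo, hi):
    return isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi


def check_local_user(user):
    """Return constraint violations for a local-user entry ([] if valid)."""
    errs = []
    name = user.get("user-name", "")
    if not 1 <= len(name) <= 64 or re.search(r'[ *"?]', name):
        errs.append('user-name: 1-64 characters, no space, *, " or ?')
    pw = user.get("password", "")
    if not pw or re.search(r"[ ?]", pw):
        errs.append("password: must be non-empty, no space or ?")
    if not _in_range(user.get("privilege-level"), 0, 15):
        errs.append("privilege-level: integer 0-15")
    unknown = set(user.get("service-type", ())) - SERVICE_TYPES
    if unknown:
        errs.append("service-type: unknown %s" % sorted(unknown))
    if "expire-date" in user:
        try:
            d = date.fromisoformat(user["expire-date"])
            ok = date(2000, 1, 1) <= d <= date(2099, 12, 31)
        except ValueError:
            ok = False
        if not ok:
            errs.append("expire-date: YYYY-MM-DD between 2000-01-01 and 2099-12-31")
    if "access-limit" in user and not _in_range(user["access-limit"], 1, 4294967295):
        errs.append("access-limit: integer 1-4294967295")
    if "idle-time" in user and not _in_range(user["idle-time"], 0, 2147519):
        errs.append("idle-time: integer 0-2147519 seconds")
    if user.get("state", "active") not in ("active", "block"):
        errs.append("state: active or block")
    return errs


def hardening_warnings(user):
    """Settings that satisfy the model but are weak for an administrator."""
    warns = []
    svc = set(user.get("service-type", ()))
    if svc & CLEARTEXT:
        warns.append("cleartext access types enabled: %s" % sorted(svc & CLEARTEXT))
    if user.get("privilege-level") == 15 and "access-limit" not in user:
        warns.append("level-15 account without access-limit")
    if "expire-date" not in user:
        warns.append("account never expires")
    if user.get("idle-time", 1) == 0:   # assumed to mean no idle disconnect, as CLI idle-timeout 0
        warns.append("idle-time 0 disables the idle timeout")
    return warns


def check_lockout(policy):
    """Return the wrong-password-police leaves that are outside their Table 1 range."""
    limits = {"retry-interval": (5, 65535), "retry-times": (3, 65535), "block-time": (5, 65535)}
    return [k for k, (lo, hi) in limits.items() if not _in_range(policy.get(k), lo, hi)]


def build_edit_config(user, lockout):
    """Serialise a validated local user plus lockout policy for <edit-config>."""
    problems = check_local_user(user) + ["%s out of range" % k for k in check_lockout(lockout)]
    if problems:
        raise ValueError("; ".join(problems))
    um = ET.Element("user-management", {"xmlns": NS})
    lu = ET.SubElement(um, "local-user")
    for leaf in ("user-name", "password", "privilege-level", "expire-date",
                 "access-limit", "idle-time", "state"):
        if leaf in user:
            ET.SubElement(lu, leaf).text = str(user[leaf])
    for st in user.get("service-type", ()):        # one element per type (assumed)
        ET.SubElement(lu, "service-type").text = st
    wp = ET.SubElement(um, "wrong-password-police")
    for leaf in ("retry-interval", "retry-times", "block-time"):
        ET.SubElement(wp, leaf).text = str(lockout[leaf])
    return ET.tostring(um, encoding="unicode")


# Constructed sample input: an SSH-only administrator with bounded sessions and expiry.
HARDENED_ADMIN = {"user-name": "netops-admin", "password": "Example#Pass2024",
                  "privilege-level": 15, "service-type": ["ssh"],
                  "expire-date": "2025-12-31", "access-limit": 2,
                  "idle-time": 600, "state": "active"}
WEAK_ADMIN = {"user-name": "admin", "password": "admin", "privilege-level": 15,
              "service-type": ["telnet", "ftp", "ssh"]}
LOCKOUT = {"retry-interval": 5, "retry-times": 3, "block-time": 30}

if __name__ == "__main__":
    print(hardening_warnings(WEAK_ADMIN))
    print(build_edit_config(HARDENED_ADMIN, LOCKOUT))
```

Both sample accounts pass the model's constraints; only hardening_warnings tells the two apart, which is the point: the YANG ranges say nothing about whether an administrator should be reachable over Telnet or FTP.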

Table 2 AAA

Object

Description

Value

Remarks

/huawei-aaa:aaa/global/user-queue

Whether the user queue scheduling is set to single-user mode.

The value is of the Boolean type:

  • true: The user queue scheduling is set to single-user mode.
  • false: The user queue scheduling is set to user sharing mode.

The default value is true.

N/A

/huawei-aaa:aaa/authentication-scheme/name

Indicates the name of an authentication scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authentication-scheme/authentication-mode

Indicates the authentication mode in an authentication scheme.

The value can be:

  • hwtacacs: Authenticates users using an HWTACACS server.
  • local: Authenticates users locally.
  • radius: Authenticates users using a RADIUS server.
  • none: Indicates non-authentication. That is, users access the network without being authenticated.

N/A

/huawei-aaa:aaa/authentication-scheme/no-response-accounting

Whether the device continues to send accounting packets when the authentication server does not respond to a user's authentication request and the user is then authenticated locally.

Boolean type. The value can be:

  • true: The device continues sending accounting packets.
  • false: The device does not send accounting packets.

The default value is false.

N/A

/huawei-aaa:aaa/authorization-scheme/name

Indicates the name of an authorization scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-mode

Indicates the authorization mode in an authorization scheme.

The value can be:

  • hwtacacs: Indicates that the user is authorized by an HWTACACS server.
  • if-authenticated: Indicates that users who pass authentication are authorized; users who were exempted from authentication are not.
  • local: Indicates that the user is authorized locally.
  • none: Indicates non-authorization.

N/A

/huawei-aaa:aaa/authorization-scheme/authorization-cmd/authorization-cmd-item

Configures administrators of a specific level to run only commands that are authorized by the HWTACACS server. The object includes:

  • privilege-level: the administrator level. The value is an integer that ranges from 0 to 15.
  • authorization-cmd-mode: the backup authorization mode, used when HWTACACS command authorization is not available. The value can be:
    • local: commands are authorized locally.
    • none: commands are not authorized.

N/A

/huawei-aaa:aaa/accounting-scheme/name

Indicates the name of an accounting scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/accounting-scheme/accounting-mode

Indicates the accounting mode in an accounting scheme.

The value can be:

  • hwtacacs: Indicates that accounting is performed by an HWTACACS server.
  • radius: Indicates that accounting is performed by a RADIUS server.
  • none: Indicates non-accounting.

N/A

/huawei-aaa:aaa/accounting-scheme/start-accounting-fail/fail-policy

Indicates the policy for accounting-start failures.

Enumerated type. The value can be:

  • offline: rejects users' online requests if accounting-start fails.
  • online: allows users to go online if accounting-start fails.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-interval

Indicates the interval for real-time accounting.

The value is an integer that ranges from 0 to 65535, in minutes. When the value is set to 0, real-time accounting is disabled. The default value is 0.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-max-times

Indicates the maximum number of real-time accounting failures.

The value is an integer that ranges from 1 to 255. The default value is 3.

N/A

/huawei-aaa:aaa/accounting-scheme/realtime-accounting/realtime-fail/fail-policy

Indicates the policy for real-time accounting failures.

Enumerated type. The value can be:

  • offline: disconnects users if real-time accounting fails.
  • online: keeps users online if real-time accounting fails.

N/A

/huawei-aaa:aaa/service-scheme/name

Indicates the name of a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

N/A

/huawei-aaa:aaa/service-scheme/admin-user-privilege-level

Indicates the level of a user who logs in to the device as an administrator.

The value is an integer that ranges from 0 to 15.

N/A

/huawei-aaa:aaa/service-scheme/voice-vlan-enable

Whether to enable the voice VLAN function in a service scheme.

Boolean type. The value can be:

  • true

  • false

N/A

/huawei-aaa:aaa/service-scheme/vlan

Specifies a user VLAN in a service scheme.

The value is an integer that ranges from 1 to 4094.

N/A

/huawei-aaa:aaa/service-scheme/acl

Indicates the number of an ACL bound to a service scheme.

The value is an integer that ranges from 3000 to 3999.

N/A

/huawei-aaa:aaa/service-scheme/acl-ipv6

Indicates the number of an IPv6 ACL bound to a service scheme.

The value is an integer that ranges from 3000 to 3999.

Only the S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI support this object.

/huawei-aaa:aaa/service-scheme/qos-profile

Indicates the QoS profile bound to a service scheme.

The value is a string of 1 to 32 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: / \ : * ? " < > | @ ' %.

Only S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support this object.

/huawei-aaa:aaa/service-scheme/ucl-group

Indicates the UCL group bound to a service scheme.

The value must be the name of an existing UCL group.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-time

Indicates the period in which an idle user can stay online.

The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-value

Indicates the traffic threshold for the idle-cut function.

The value is an integer that ranges from 0 to 4294967295, in kilobytes.

N/A

/huawei-aaa:aaa/service-scheme/idle-cut-function/idle-flow/flow-direction

Indicates the direction of traffic on which the idle-cut function takes effect.

Enumerated type. The value can be:

  • inbound: indicates that the idle-cut function takes effect only on upstream traffic of users.
  • outbound: indicates that the idle-cut function takes effect only on downstream traffic of users.

N/A

/huawei-aaa:aaa/service-scheme/priority

Indicates the user priority configured in a service scheme.

The value is 0 or 1. A larger value indicates a higher priority.

Only the S5730-HI, S5731-H, S5731S-H, S6730-H, S6730S-H, S5732-H, S6720-HI, and S5720-HI support this object, and this object takes effect only for wireless users.

/huawei-aaa:aaa/service-scheme/redirect-acl/acl

Configures a redirect IPv4 ACL in a service scheme. The object includes:

  • acl-id: the number of the redirect ACL. The value is an integer that ranges from 3000 to 3999.
  • acl-name: the name of the redirect ACL. The value must be the name of an existing ACL.

N/A

/huawei-aaa:aaa/service-scheme/redirect-acl-ipv6/acl

Configures a redirect IPv6 ACL in a service scheme. The object includes:

  • acl-id: the number of the redirect ACL. The value is an integer that ranges from 3000 to 3999.
  • acl-name: the name of the redirect ACL. The value must be the name of an existing ACL.

N/A

/huawei-aaa:aaa/aaa-domain

Indicates an authentication domain.

The value is a string of 1 to 64 case-insensitive characters. It cannot be - or -- and cannot contain spaces or the following special characters: * ? ".

N/A

/huawei-aaa:aaa/aaa-domain/authentication-scheme

Indicates the name of an authentication scheme bound to a domain.

The value must be the name of an existing authentication scheme.

N/A

/huawei-aaa:aaa/aaa-domain/authorization-scheme

Indicates the name of an authorization scheme bound to a domain.

The value must be the name of an existing authorization scheme.

N/A

/huawei-aaa:aaa/aaa-domain/accounting-scheme

Indicates the name of an accounting scheme bound to a domain.

The value must be the name of an existing accounting scheme.

N/A

/huawei-aaa:aaa/aaa-domain/service-scheme

Indicates the name of a service scheme bound to a domain.

The value must be the name of an existing service scheme.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-radius:radius-server/huawei-aaa-radius:radius-server

Indicates the name of a RADIUS server template bound to a domain.

The value must be the name of an existing RADIUS server template.

N/A

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-hwtacacs:hwtacacs-server/huawei-aaa-hwtacacs:hwtacacs-server

Indicates the name of the HWTACACS server template that is applied in a domain.

The HWTACACS server template must already exist.

N/A

/huawei-aaa:aaa/aaa-domain/statistics-enable

Indicates whether traffic statistics collection is enabled for users in a domain.

Boolean type. The value can be:

  • true: Traffic statistics collection is enabled for users in a domain.

  • false: Traffic statistics collection is disabled for users in a domain.

N/A

/huawei-aaa:aaa/aaa-domain/dual-stack-separate

Indicates whether the function of collecting statistics on IPv4 and IPv6 traffic separately is enabled.

The value is of the Boolean type:

  • true: The function of collecting statistics on IPv4 and IPv6 traffic separately is enabled for users in a domain.

  • false: The function of collecting statistics on IPv4 and IPv6 traffic separately is disabled for users in a domain.

Only the S5720-EI, S6720-EI, S6720S-EI, S5720-HI, S5730-HI, S6720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this object.

/huawei-aaa:aaa/remote-user-policy

Configures account locking for users authenticated by a remote AAA server: when the number of consecutive authentication failures within retry-interval reaches retry-times, the account is locked for block-time. The object includes:

  • retry-interval: the authentication retry interval. The value is an integer that ranges from 5 to 65535, in minutes.
  • retry-times: the maximum number of consecutive authentication failures. The value is an integer that ranges from 3 to 65535.
  • block-time: the account locking period. The value is an integer that ranges from 5 to 65535, in minutes.

N/A

/huawei-aaa:aaa/global/authentication-bypass

Indicates whether the bypass authentication function is configured. The object includes:

  • bypass-enable: whether the bypass authentication function is enabled. The value is of the Boolean type: true (enabled) or false (disabled). The default value is false.
  • bypass-time: the bypass authentication timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-bypass

Indicates whether the bypass authorization function is configured. The object includes:

  • bypass-enable: whether the bypass authorization function is enabled. The value is of the Boolean type: true (enabled) or false (disabled). The default value is false.
  • bypass-time: the bypass authorization timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-cmd-bypass

Indicates whether the command-line bypass authorization function is configured. The object includes:

  • bypass-enable: whether the command-line bypass authorization function is enabled. The value is of the Boolean type: true (enabled) or false (disabled). The default value is false.
  • bypass-time: the command-line bypass authorization timeout interval. The value is an integer that ranges from 1 to 1440, in minutes.

N/A

/huawei-aaa:aaa/global/authorization-info-check/fail-policy

Indicates whether the device allows users to go online after the authorization information check fails.

Enumerated type. The value can be:

  • online: The device allows users to go online.
  • offline: The device prohibits users from going online.

By default, the device allows users to go online after the authorization information check fails.

N/A

/huawei-aaa:aaa/test-aaa

Tests connectivity to a server. The object includes:

  • vsys-name: the name of a virtual system. The value is public.
  • user-name: the user name. The value is a string of 1 to 253 case-insensitive characters.
  • user-password: the user password. The value is a string of 1 to 128 case-sensitive characters.
  • server-type: the server type. The value is radius or hwtacacs.
  • template-name: the name of a server template. The value must be the name of an existing server template.
  • test-type: the type of test. The value is accounting (tests an accounting server).
  • accounting-type: the type of accounting packet to send. The value is start, realtime, or stop.

N/A
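Several objects in Table 2 decide what happens when a AAA server is silent or a check fails: authentication-mode none, authorization-mode none, the accounting fail-policy leaves, and the three global bypass switches. The following audit, added here as an example and not taken from Huawei documentation or software, reads an aaa subtree as returned by get-config, reports each weak setting, and resolves which aaa-domain entries inherit it through their scheme bindings. Assumptions not taken from the page: the namespace URN in the constructed sample, a name child under aaa-domain, and that a scheme carrying several *-mode elements tries them in order as fallbacks.

```python
"""Added example (not Huawei code): audit a huawei-aaa configuration for the
settings in Table 2 that weaken AAA, and map them onto the domains using them.
Namespace, the aaa-domain <name> child and multi-mode fallback are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample <get-config> data; the namespace URN is a placeholder.
SAMPLE_CONFIG = """<aaa xmlns="urn:huawei:yang:huawei-aaa">
  <global>
    <authentication-bypass><bypass-enable>true</bypass-enable><bypass-time>60</bypass-time></authentication-bypass>
    <authorization-info-check><fail-policy>online</fail-policy></authorization-info-check>
  </global>
  <authentication-scheme><name>default</name><authentication-mode>local</authentication-mode></authentication-scheme>
  <authentication-scheme><name>open</name><authentication-mode>none</authentication-mode></authentication-scheme>
  <authentication-scheme><name>tac</name>
    <authentication-mode>hwtacacs</authentication-mode><authentication-mode>local</authentication-mode>
  </authentication-scheme>
  <authorization-scheme><name>open</name><authorization-mode>none</authorization-mode></authorization-scheme>
  <accounting-scheme><name>acct</name><accounting-mode>hwtacacs</accounting-mode>
    <start-accounting-fail><fail-policy>online</fail-policy></start-accounting-fail>
    <realtime-accounting><realtime-interval>0</realtime-interval></realtime-accounting>
  </accounting-scheme>
  <aaa-domain><name>guest</name>
    <authentication-scheme>open</authentication-scheme><authorization-scheme>open</authorization-scheme>
  </aaa-domain>
  <aaa-domain><name>admin</name>
    <authentication-scheme>tac</authentication-scheme><accounting-scheme>acct</accounting-scheme>
  </aaa-domain>
</aaa>"""

KINDS = ("authentication", "authorization", "accounting")
BYPASS_LEAVES = ("authentication-bypass", "authorization-bypass", "authorization-cmd-bypass")


def _path(rel):
    """Namespace-agnostic ElementPath: a/b -> {*}a/{*}b."""
    return "/".join("{*}" + step for step in rel.split("/"))


def _text(el, rel, default=None):
    node = el.find(_path(rel))
    return node.text.strip() if node is not None and node.text else default


def audit_scheme(kind, scheme):
    """Weak settings in one authentication/authorization/accounting scheme."""
    modes = [m.text.strip() for m in scheme.findall(_path(kind + "-mode"))]
    notes = []
    if "none" in modes:
        position = "as fallback" if modes[0] != "none" else "as primary"
        notes.append("%s-mode none %s" % (kind, position))
    if kind == "accounting":
        if _text(scheme, "start-accounting-fail/fail-policy") == "online":
            notes.append("start-accounting-fail online: users admitted when accounting cannot start")
        if _text(scheme, "realtime-accounting/realtime-interval", "0") == "0":
            notes.append("realtime-interval 0: real-time accounting disabled")
        if _text(scheme, "realtime-accounting/realtime-fail/fail-policy") == "online":
            notes.append("realtime-fail online: users stay online when real-time accounting fails")
    return notes


def audit_aaa(xml_text):
    """Return (scope, name, issue) findings for the whole aaa subtree."""
    root = ET.fromstring(xml_text)
    findings = []
    glob = root.find(_path("global"))
    if glob is not None:
        for leaf in BYPASS_LEAVES:
            if _text(glob, leaf + "/bypass-enable") == "true":
                findings.append(("global", leaf, "bypass-enable true: the check is skipped when the server does not respond"))
    # The model's default is online, so an absent leaf is reported as well.
    if _text(root, "global/authorization-info-check/fail-policy", "online") == "online":
        findings.append(("global", "authorization-info-check",
                         "fail-policy online: users stay online after a failed authorization-info check"))
    weak = {}
    for kind in KINDS:
        for scheme in root.findall(_path(kind + "-scheme")):
            name = _text(scheme, "name", "?")
            notes = audit_scheme(kind, scheme)
            findings.extend((kind + "-scheme", name, n) for n in notes)
            if notes:
                weak[(kind, name)] = notes
    for dom in root.findall(_path("aaa-domain")):
        dname = _text(dom, "name", "?")
        for kind in KINDS:
            bound = _text(dom, kind + "-scheme")
            if (kind, bound) in weak:
                findings.append(("aaa-domain", dname, "bound to weak %s-scheme %s" % (kind, bound)))
    return findings


if __name__ == "__main__":
    for scope, name, issue in audit_aaa(SAMPLE_CONFIG):
        print("%-22s %-12s %s" % (scope, name, issue))
```

The domain pass matters more than the per-scheme pass: a scheme named open with authentication-mode none is harmless until a domain binds it, and on this sample that is the guest domain, while the admin domain is clean on authentication but inherits the permissive accounting policy.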

Table 3 RADIUS

Object

Description

Value

Remarks

/huawei-aaa-radius:radius/radius-server/name

Indicates the name of a RADIUS server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server

Configures a RADIUS authentication server. The object includes:

  • server-ip-address: the IPv4 or IPv6 address of the RADIUS authentication server. The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (128 bits, written as eight hexadecimal groups).
  • port: the port number of the RADIUS authentication server. The value is an integer that ranges from 1 to 65535.
  • vpn-instance: the name of the VPN instance to which the RADIUS authentication server is bound. The value must be the name of an existing VPN instance. This parameter can be configured only when the server uses an IPv4 address.
  • weight: the weight of the RADIUS authentication server. The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: the number of a loopback interface. The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server

Configures a RADIUS accounting server. The object includes:

  • server-ip-address: the IPv4 or IPv6 address of the RADIUS accounting server. The value is an IPv4 address in dotted decimal notation or an IPv6 address in X:X:X:X:X:X:X:X format (128 bits, written as eight hexadecimal groups).
  • port: the port number of the RADIUS accounting server. The value is an integer that ranges from 1 to 65535.
  • vpn-instance: the name of the VPN instance to which the RADIUS accounting server is bound. The value must be the name of an existing VPN instance. This parameter can be configured only when the server uses an IPv4 address.
  • weight: the weight of the RADIUS accounting server. The value is an integer that ranges from 0 to 100. The default value is 80.
  • loopback-interface: the number of a loopback interface. The loopback interface must already exist.

N/A

/huawei-aaa-radius:radius/radius-server/authentication-server/shared-key

Indicates the shared key of a RADIUS authentication server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

N/A

/huawei-aaa-radius:radius/radius-server/accounting-server/shared-key

Indicates the shared key of a RADIUS accounting server.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

The shared key of the RADIUS accounting server must be the same as that of the RADIUS authentication server.

/huawei-aaa-radius:radius/dynamic-authorization-server

Configures a RADIUS dynamic authorization server, that is, the server from which the device accepts unsolicited authorization change and disconnect requests. The object includes:

  • server-ip-address: the IP address of the server. The value is a valid unicast address in dotted decimal notation.
  • shared-key: the shared key of the server. The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). It can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • vpn-instance: the name of the VPN instance to which the server is bound. The value must be the name of an existing VPN instance.
  • ack-reserved-interval: the duration for which a RADIUS authorization response packet is retained. The value is an integer that ranges from 0 to 300, in seconds. The default value is 0.
  • server-group: the name of the RADIUS server template that corresponds to the server. The value is a string of 1 to 32 case-sensitive characters, including letters, digits, dots (.), underscores (_), and hyphens (-). It cannot be - or --.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/enable

Indicates whether RADIUS attribute translation is enabled.

Boolean type. The value can be:

  • true

  • false

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-normal

Configures standard RADIUS attribute translation. The object includes:

  • source-attribute-name: the name of the source attribute. The value is a string of 1 to 64 characters.
  • destination-attribute-name: the name of the destination attribute. The value is a string of 1 to 64 characters.
  • packet-type: the packet type to which the translation applies. Enumerated type:
    • receive: translates the attribute in received packets.
    • send: translates the attribute in sent packets.
    • access-request: translates the attribute in Access-Request packets.
    • account-request: translates the attribute in Accounting-Request packets.
    • access-accept: translates the attribute in Access-Accept packets.
    • account-response: translates the attribute in Accounting-Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend

Configures extended RADIUS attribute translation between a named attribute and a vendor-specific (non-Huawei) attribute identified by vendor ID and sub-ID, for attributes the device would otherwise not support, in Access-Request and Accounting-Request packets. The object includes:

  • source-attribute-name: the name of the source attribute. The value is a string of 1 to 64 characters.
  • destination-vendor-id: the vendor ID of the extended RADIUS attribute. The value is an integer that ranges from 1 to 4294967295.
  • destination-sub-vendor-id: the sub-attribute ID of the extended RADIUS attribute. The value is an integer that ranges from 1 to 255.
  • packet-type: the packet type to which the translation applies. Enumerated type:
    • access-request: translates the attribute in Access-Request packets.
    • account-request: translates the attribute in Accounting-Request packets.

N/A

/huawei-aaa-radius:radius/radius-server/translate-attribute/translate-extend-vendor

Configures extended RADIUS attribute translation between a vendor-specific (non-Huawei) attribute identified by vendor ID and sub-ID and a named attribute the device supports, in Access-Accept and Accounting-Response packets. The object includes:

  • source-vendor-id: the vendor ID of the extended RADIUS attribute. The value is an integer that ranges from 1 to 4294967295.
  • source-sub-vendor-id: the sub-attribute ID of the extended RADIUS attribute. The value is an integer that ranges from 1 to 255.
  • destination-attribute-name: the name of the destination attribute. The value is a string of 1 to 64 characters.
  • packet-type: the packet type to which the translation applies. Enumerated type:
    • access-accept: translates the attribute in Access-Accept packets.
    • account-response: translates the attribute in Accounting-Response packets.

N/A

/huawei-aaa-radius:radius/radius-server/disable-attribute

Disables a RADIUS attribute. The object includes:

  • attribute-name: the name of the RADIUS attribute to disable. The value is a string of 1 to 64 characters.
  • option: the direction in which the attribute is disabled. Enumerated type:
    • receive: disables the attribute in received packets.
    • send: disables the attribute in sent packets.

N/A

/huawei-aaa-radius:radius/radius-server/options/user-name/format

Configures whether user names in RADIUS packets sent to the server carry the domain name.

Enumerated type. The value can be:
  • original: The device does not modify the user name entered by the user.
  • domain-include: The user name includes the domain name.
  • domain-exclude: The user name does not include the domain name.
  • domain-exclude-except-eap: The user name does not include the domain name, except for EAP authentication, where the user name is left unchanged.

N/A

/huawei-aaa-radius:radius/radius-server/options/traffic-unit

Indicates the traffic unit used by a RADIUS server.

Enumerated type. The value can be:

  • byte
  • kbyte
  • mbyte
  • gbyte

N/A

/huawei-aaa-radius:radius/radius-server/options/dead-time

Indicates the dead time: how long a RADIUS server that stopped responding is kept in the down state before the device returns it to the active state and tries it again.

The value is an integer that ranges from 1 to 65535, in minutes.

N/A

/huawei-aaa-radius:radius/radius-server/options/timeout-timer

Indicates the response timeout for RADIUS request packets; the request is retransmitted when no response arrives within this interval.

The value is an integer that ranges from 1 to 10, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/options/retransmit-time

Indicates the number of times RADIUS request packets can be retransmitted.

The value is an integer that ranges from 1 to 5.

N/A

/huawei-aaa-radius:radius/radius-server/options/account-stop-packet-resend-times

Indicates the maximum number of times an accounting-stop packet is retransmitted.

The value is an integer that ranges from 0 to 300. The default value is 3.

N/A

/huawei-aaa-radius:radius/radius-server/service-type

Indicates the reauthentication type.

Enumerated type. The value is with-authenonly-reauthen.

N/A

/huawei-aaa-radius:radius/radius-server/message-authenticator

Indicates the type of packets carrying the Message-Authenticator attribute.

Enumerated type. The value is access-request.

N/A
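The Message-Authenticator attribute (RFC 2869) is an HMAC-MD5 computed with the shared key over the whole Access-Request, so a server that requires it rejects requests from anyone who does not hold the key and any request modified in transit. The script below, added here as an example and not taken from Huawei documentation or software, builds an Access-Request, attaches and verifies the attribute, and shows that a wrong key or a single flipped bit in User-Name fails verification; check_shared_key applies the plaintext shared-key rule from the shared-key objects earlier in this table. The key, user name and Request Authenticator are constructed sample values.

```python
"""Added example (not Huawei code): RADIUS Access-Request with a
Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the shared key over the
packet with the attribute value zeroed), signed and verified with stdlib only."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def check_shared_key(key):
    """Plaintext shared-key rule from this table: 1-128 characters, no space, ' or ?."""
    return 1 <= len(key) <= 128 and not any(c in key for c in " '?")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier, request_authenticator, attributes):
    """Code, Identifier, Length, 16-octet Request Authenticator, attributes."""
    body = b"".join(attributes)
    return (struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
            + request_authenticator + body)


def iter_attributes(packet):
    """Yield (offset, type, value) for each attribute; reject bad lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def _with_mac(packet, mac):
    """Copy of packet with the Message-Authenticator value replaced by mac."""
    buf = bytearray(packet)
    for off, atype, value in iter_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            buf[off + 2:off + 18] = mac
    return bytes(buf)


def sign_access_request(packet, shared_key):
    """Return packet with a correct Message-Authenticator (added if missing)."""
    if not any(t == ATTR_MESSAGE_AUTHENTICATOR for _, t, _ in iter_attributes(packet)):
        packet += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
        packet = struct.pack("!BBH", packet[0], packet[1], len(packet)) + packet[4:]
    digest = hmac.new(shared_key.encode(), _with_mac(packet, bytes(16)), hashlib.md5).digest()
    return _with_mac(packet, digest)


def verify_message_authenticator(packet, shared_key):
    """Server-side check: False if absent, duplicated, malformed, wrong key or tampered."""
    try:
        found = [v for _, t, v in iter_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
        if len(found) != 1 or len(found[0]) != 16:
            return False
        expected = hmac.new(shared_key.encode(), _with_mac(packet, bytes(16)), hashlib.md5).digest()
    except ValueError:
        return False
    return hmac.compare_digest(found[0], expected)


SHARED_KEY = "Example-Shared-Key-2024"          # constructed; passes check_shared_key
REQUEST_AUTHENTICATOR = bytes(range(16))        # fixed for reproducibility; use os.urandom(16) on the wire
SAMPLE_REQUEST = sign_access_request(
    build_access_request(7, REQUEST_AUTHENTICATOR, [attr(ATTR_USER_NAME, b"alice@corp")]),
    SHARED_KEY)


def demo():
    """Genuine request verifies; a wrong key and a flipped User-Name bit do not."""
    tampered = bytearray(SAMPLE_REQUEST)
    tampered[HEADER_LEN + 2] ^= 0x01            # first octet of the User-Name value
    return (verify_message_authenticator(SAMPLE_REQUEST, SHARED_KEY),
            verify_message_authenticator(SAMPLE_REQUEST, "wrong-key"),
            verify_message_authenticator(bytes(tampered), SHARED_KEY))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The verifier zeroes the attribute value before recomputing the HMAC, exactly as the sender did, and compares with hmac.compare_digest so that a forged value cannot be confirmed byte by byte through timing.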

/huawei-aaa-radius:radius/radius-server/hw-dhcp-option-format

Indicates the format of Huawei extended attribute HW-DHCP-Option.

Enumerated type. The value can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-called-station-id

Sets the encapsulation format of the MAC address in the Called-Station-Id attribute of RADIUS packets. The object includes:

  • mac-address-format: the separator in the MAC address. Enumerated type:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: the grouping of the MAC address. Enumerated type:
    • mode1: the MAC address uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: the MAC address uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: the case of letters in the MAC address. Enumerated type:
    • lowercase: the MAC address uses lowercase letters.
    • uppercase: the MAC address uses uppercase letters.

N/A

/huawei-aaa-radius:radius/radius-server/mac-format-calling-station-id

Sets the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets. The object includes:

  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • letter: indicates the style of letters in a MAC address.
  • mac-address-format: Enumerated type. The value can be:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: Enumerated type. The value can be:
    • mode1: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.
    • mode2: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
  • letter: Enumerated type. The value can be:
    • lowercase: indicates that the MAC address in the calling-station-id attribute uses lowercase letters.
    • uppercase: indicates that the MAC address in the calling-station-id attribute uses uppercase letters.
    • bin: indicates that the MAC address in the calling-station-id attribute is in binary notation.

N/A

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-mac-format-calling-station-id

Sets the format of the MAC address that can be parsed by a device in the calling-station-id attribute carried in RADIUS dynamic authorization packets. The object includes:

  • mac-address-format: indicates the separator in a MAC address.
  • mode: indicates the format of a MAC address.
  • mac-address-format: Enumerated type. The value can be:
    • dot-split: sets the separator to dot (.).
    • hyphen-split: sets the separator to hyphen (-).
    • unformatted: sets no separator.
  • mode: Enumerated type. The value can be:
    • common: indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.
    • compress: indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.

N/A
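
As an added example (not code from Huawei or from the data model), the following Python shows how the called/calling-station-id options above combine when a NAS encapsulates a MAC address, and how a dynamic authorization (CoA/DM) request whose calling-station-id does not match the configured decode format fails to parse, so the device cannot match it to a session. The function names are assumptions, and the `bin` letter option is left out.

```python
import re

# Separator per mac-address-format; "unformatted" means no separator.
SEPARATORS = {"dot-split": ".", "hyphen-split": "-", "unformatted": ""}
# Group width per mode: mode1/compress use XXXX groups, mode2/common use XX groups.
GROUP_WIDTH = {"mode1": 4, "mode2": 2, "compress": 4, "common": 2}


def _hex_digits(mac: str) -> str:
    """Strip any separator and return the 12 raw hex digits in lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def encode_station_id(mac: str, mac_address_format: str, mode: str, letter: str) -> str:
    """Encapsulate a MAC address the way the NAS would for Called/Calling-Station-Id
    under the given mac-address-format, mode and letter settings (hypothetical helper)."""
    if letter not in ("lowercase", "uppercase"):
        raise ValueError(f"unsupported letter option: {letter!r}")
    digits = _hex_digits(mac)
    width = GROUP_WIDTH[mode]
    groups = [digits[i:i + width] for i in range(0, 12, width)]
    value = SEPARATORS[mac_address_format].join(groups)
    return value.upper() if letter == "uppercase" else value


def decode_station_id(value: str, mac_address_format: str, mode: str):
    """Parse the calling-station-id of a dynamic authorization request using the
    configured decode format (common = XX groups, compress = XXXX groups).
    Returns the canonical 12 hex digits, or None when the value does not match the
    configured format, which is the case where session lookup would fail."""
    width = GROUP_WIDTH[mode]
    sep = re.escape(SEPARATORS[mac_address_format])
    group = f"[0-9A-Fa-f]{{{width}}}"
    pattern = f"^{group}(?:{sep}{group}){{{12 // width - 1}}}$"
    if not re.fullmatch(pattern, value):
        return None
    return _hex_digits(value)


if __name__ == "__main__":
    # Constructed sample MAC, not a real device address.
    print(encode_station_id("00:e0:fc:12:34:56", "hyphen-split", "mode1", "lowercase"))
    print(decode_station_id("00-e0-fc-12-34-56", "hyphen-split", "compress"))
```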

/huawei-aaa-radius:radius/dynamic-authorization-option/decode-attribute-sameastemplate

Indicates whether the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.

The value is of the Boolean type:

  • true: indicates the device is enabled to parse attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.
  • false: indicates the device is disabled from parsing attributes in the RADIUS dynamic authorization packet based on the configurations in the system view.

The default value is true.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/any/any-enable

Indicates whether the session management function is enabled.

The value is of the Boolean type:

  • true: indicates the session management function is enabled.
  • false: indicates the session management function is disabled.

The default value is false.

N/A

/huawei-aaa-radius:radius/session-manage-function/client/ip/client-item

Indicates the session management server. The object includes:

  • ip-address: specifies the IP address of the session management server.
  • vpn-instance: specifies the VPN instance bound to the session management server.
  • shared-key: specifies the shared key of the session management server.
  • ip-address: The value is in dotted decimal notation.
  • vpn-instance: The value is a string of 1 to 31 case-sensitive characters without spaces.
  • shared-key: The value is a case-sensitive character string without spaces or question marks (?).

N/A

/huawei-aaa-radius:radius/radius-server/hw-ap-info-format

Sets whether the Huawei extended attribute HW-AP-Information carries the AP's IP address.

The value is include-ap-ip.

This object is only supported by S5730-HI, S5731-H, S5731S-H, S6730-H, S6730S-H, S5732-H, S6720-HI, and S5720-HI.

/huawei-aaa-radius:radius/radius-server/check-attribute/attribute-name

Enables the function of checking whether a RADIUS Access-Accept packet carries a specified attribute.

The value is a string of 1 to 64 characters.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ip-address

Sets the NAS-IP-Address attribute in RADIUS packets sent by the device.

The value is a valid unicast address in dotted decimal notation.

N/A

/huawei-aaa-radius:radius/radius-server/nas-ipv6-address

Sets the NAS-IPv6-Address attribute in RADIUS packets sent by the device.

The value is a 32-bit hexadecimal string in the X:X:X:X:X:X:X:X format.

N/A

/huawei-aaa-radius:radius/radius-server/server-detect-function

Creates a user account for automatic detection in the RADIUS server template. The object includes:

  • server-detect-enable: indicates whether to enable automatic RADIUS server detection.
  • test-user-name: indicates the user name for automatic detection.
  • test-user-password: indicates the user password for automatic detection.
  • interval: indicates the RADIUS server automatic detection interval.
  • server-detect-enable: The value is of the Boolean type (true or false).
  • test-user-name: The value is a string of 1 to 253 case-sensitive characters without spaces.
  • test-user-password: The value is a string of case-sensitive characters without spaces or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • interval: The value is an integer that ranges from 5 to 3600, in seconds.

N/A

/huawei-aaa-radius:radius/radius-server/shared-key

Indicates the shared key of the RADIUS server in a RADIUS server template.

The value is a string of case-sensitive characters without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.

If shared keys are configured for the RADIUS authentication server, the RADIUS accounting server, and the RADIUS server template, the per-server configurations take precedence. If no shared key is configured for the RADIUS authentication and accounting servers, the shared key configured in the RADIUS server template is used.

/huawei-aaa-radius:radius/server-shared-key/server-item

Configures the shared key of the RADIUS server globally. The object includes:

  • shared-key: specifies the shared key.
  • ip-address: specifies the IP address of the RADIUS server.
  • shared-key: The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). The value can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
  • ip-address: The value is an IPv4 or IPv6 address.

N/A

/huawei-aaa-radius:radius/radius-server/server-algorithm

Indicates the algorithm for selecting RADIUS servers.

Enumerated type. The value can be:

  • loading-share: sets the algorithm for selecting RADIUS servers to load balancing.
  • master-backup: sets the algorithm for selecting RADIUS servers to primary/secondary.
  • load-sharing-byuser: sets the algorithm for selecting RADIUS servers to single user-based load balancing.
  • master-backup-byuser: sets the algorithm for selecting RADIUS servers to single user-based primary/secondary.

N/A

/huawei-aaa-radius:radius/global/options

Configures keepalive detection for the RADIUS server. The object includes:

  • dead-interval: indicates the detection interval of the RADIUS server.
  • dead-count: indicates the maximum number of consecutive packets that are not acknowledged by the RADIUS server.
  • dead-detect-condition: indicates the RADIUS server detection mode.
  • dead-interval: The value is an integer that ranges from 1 to 300, in seconds.
  • dead-count: The value is an integer that ranges from 1 to 65535.
  • dead-detect-condition: Enumerated type. The value is by-server-ip.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-format

Indicates the encapsulation format of the NAS-Port attribute. The object includes:

  • format: indicates the format of the NAS-Port attribute.
  • self-designed-format: The value is a string of 1 to 32 characters.
  • format: Enumerated type. The value can be new or old.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-identifier-format

Indicates the encapsulation content of the NAS-Identifier attribute.

Enumerated type. The value can be hostname or vlan-id.

N/A

/huawei-aaa-radius:radius/radius-server/format-attribute/nas-port-id-format

Indicates the encapsulation format of the NAS-Port-Id attribute.

Enumerated type. The value can be new, vm, or old.

Only the S5720-EI supports vm.

Table 4 HACA

Object

Description

/huawei-aaa-haca:aca

Indicates that the object of the operation request (create or modify) is nac-access. It is a root object that only contains sub-objects and has no data meaning of its own.

/huawei-aaa-haca:aca/haca-server

Indicates the name of an HACA server template.

The value is a string of 1 to 32 case-sensitive characters consisting of letters, digits, periods (.), hyphens (-), and underscores (_), in any combination. The value cannot be - or --.

/huawei-aaa-haca:aca/haca-server/enable

Enables the HACA function.

/huawei-aaa-haca:aca/haca-server/server/server-ip

Indicates the IP address of an HACA server.

The value is a valid unicast IP address in dotted decimal notation.

/huawei-aaa-haca:aca/haca-server/server/port

Indicates the port number of an HACA server.

The value is an integer that ranges from 1 to 65535. The default value is 49.

/huawei-aaa-haca:aca/haca-server/pki-domain

Indicates a PKI realm name.

The PKI realm name must already exist.

/huawei-aaa-haca:aca/haca-server/heart-beat

Indicates the interval at which HACA heartbeat packets are sent.

The value is an integer that ranges from 1 to 1440, in minutes.

/huawei-aaa-haca:aca/haca-server/detection-function/reconnect-interval

Indicates the interval for reconnecting to an HACA server.

The value is an integer that ranges from 1 to 255, in minutes.

/huawei-aaa-haca:aca/haca-server/timeout

Indicates the response timeout interval of an HACA server.

The value is an integer that ranges from 1 to 300, in seconds.

/huawei-aaa:aaa/huawei-aaa:aaa-domain/huawei-aaa-haca:haca-server/huawei-aaa-haca:haca-server

Indicates the name of an HACA server template for a domain.

The value must be an existing HACA server template name.

Copyright © Huawei Technologies Co., Ltd.