
Data Model

The configuration model file for the authentication profile is huawei-nac.yang.

Table 1 Data model

Object

Description

Value

Remarks

/huawei-nac:nac-access/configure-mode/unified-mode

Indicates that the request operation (creation or modification) object is nac-access. This object is the root object. It is only used to contain sub-objects, but does not have any data meaning.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile

Indicates that an authentication profile is configured.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-access-profile

Indicates that an 802.1X access profile is bound to the authentication profile.

The value must be the name of an existing 802.1X access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/mac-access-profile

Indicates that a MAC access profile is bound to the authentication profile.

The value must be the name of an existing MAC access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/portal-access-profile

Indicates that a Portal access profile is bound to the authentication profile.

The value must be the name of an existing Portal access profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/free-rule-profile

Indicates that an authentication-free rule profile is bound to the authentication profile.

The value must be the name of an existing authentication-free rule profile.

This object is only supported by the S5730-HI, S5731-H, S5731S-H, S6730-H, S6730S-H, S5732-H, S6720-HI, and S5720-HI.

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/access-force-domain/access-type

Indicates that a forcible domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/domain-name

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/access-default-domain/access-type

Indicates that the default domain is configured based on the access type.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/force-domain/default-force-domain

Indicates that a forcible domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/default-domain/default-default-domain

Indicates that the default domain is configured.

The value must be the name of an existing domain.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/device-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-device/service-scheme

Indicates that the function of allowing voice terminals to go online without authentication is configured.

The value must be the name of an existing service scheme.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the user access mode is configured.

Enumerated type:

  • single-terminal: The interface allows only one user to go online.
  • single-voice-with-data: The interface allows only one data user and one voice user to go online.
  • multi-share: The interface allows multiple users to go online. In this mode, the switch only authenticates the first access user. If the first user passes authentication, the subsequent users share the same network access rights with the first user. If the first user goes offline, other users also go offline.
  • multi-authen: The interface allows multiple users to go online. In this mode, the switch authenticates each access user. If a user passes authentication, the switch grants independent network access rights to the user. If a user goes offline, other users are not affected.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/max-user-num

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/max-user/multi-authen/user-num/access-type

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authentication-mode-parameters/mode

Indicates that the maximum numbers of access users in different authentication modes are configured.

The value is an integer that varies depending on the card type.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/authentication-event

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/response-fail

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/vlan-id

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/service-scheme

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/authorize-of-authentication-event/ucl-group

Indicates that network access rights are configured for users in each phase before authentication.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/re-authen-trigger-event

Indicates that the switch is configured to re-authenticate users when the authentication server changes from Down to Up.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/pre-authen-access

Indicates whether the pre-connection function is disabled.

Boolean type:

  • true: enabled
  • false: disabled

N/A

/ietf-interfaces:interfaces/ietf-interfaces:interface/huawei-nac:authentication-profile/authentication-profile-name

Binds the authentication profile to an interface.

The value must be the name of an existing authentication profile.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/assigned-ip-address/in-accounting-start

Indicates whether accounting-start packets carry users' IP addresses.

The value is of the Boolean type:

  • true: Accounting-start packets carry users' IP addresses.
  • false: Accounting-start packets do not carry users' IP addresses.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/dot1x-mac-bypass

Indicates whether to enable MAC address bypass authentication in an authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/single-access

Indicates whether the device allows users to access the network in only one authentication mode in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/security-name-delimiter

Indicates the security string delimiter in the authentication profile.

The value is of the enumerated type. The value can be \ / : , < > | @ ' % or *.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-delimiter

Indicates the domain name delimiter in the authentication profile.

The value can only be one of the following characters: \ / : < > | @ ' %.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-direction

Indicates the direction in which a domain name is parsed in the authentication profile.

The value is of the enumerated type:

  • left-to-right: indicates the direction from left to right.
  • right-to-left: indicates the direction from right to left.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/domain-name-parameters/domain-name-location

Indicates the position of a domain name in the authentication profile.

The value is of the enumerated type:

  • after-delimiter: indicates that the domain name is placed behind the delimiter.
  • before-delimiter: indicates that the domain name is placed before the delimiter.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/pre-authen

Indicates the interval for re-authenticating pre-connection users in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail

Indicates the interval for re-authenticating users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for users who fail to be authenticated.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/re-authen-period/authen-fail-wlan-user

Indicates the interval for re-authenticating wireless users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for wireless users who fail to be authenticated.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/pre-authen

Indicates the aging time for pre-connection user entries in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/timer/aging-period/authen-fail

Indicates the aging time for entries of the users who fail to be authenticated in the authentication profile.

The value can be 0 or any integer in the range from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/update-ip-accounting

Indicates whether to enable a device to send accounting packets for address updating in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/realtime-accounting-trigger/roam-accounting

Indicates whether to enable a device to send accounting packets for roaming in the authentication profile.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/permit-domain-list/domain

Configures permitted domains for WLAN users in the authentication profile.

The value must be an existing domain name.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/wlan-max-user-num

Configures the maximum number of authenticated users allowed in the authentication profile.

The value is an integer in the range from 1 to 128.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/speed-limit-auto

Indicates whether to enable the device to dynamically adjust the rate of packets from NAC users in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/all-vlan/all

Enables MAC address migration for all VLANs in the system view.

N/A

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/begin

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/enable-vlan/vlan-params/vlan/range/end

Enables MAC address migration and specifies the VLAN range in the system view.

  • begin: indicates the start VLAN ID.
  • end: indicates the end VLAN ID.

The value is an integer in the range from 1 to 4094.

The end VLAN ID must be greater than the start VLAN ID.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/enable

Indicates whether to enable a device to detect users' online status before user MAC address migration in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/interval

Indicates the interval at which a device detects users' online status before user MAC address migration in the system view.

The value is an integer in the range from 1 to 5, in seconds.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/detect-function/times

Indicates the maximum number of detections before user MAC address migration in the system view.

The value is an integer in the range from 1 to 3.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-period

Indicates the period that MAC address migration users stay in the quiet state in the system view.

The value is an integer in the range from 0 to 3600.

The value 0 indicates that the MAC address migration quiet function is disabled.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-function/quiet-times

Indicates the number of times that MAC address migration users are allowed to migrate their MAC addresses within 60 seconds before the device quiets the users in the system view.

The value is an integer in the range from 1 to 10.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-log-function/enable

Indicates whether to enable the device to record logs about MAC address migration quiet in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/enable

Indicates whether to enable the device to send alarms about MAC address migration quiet in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/lower-threshold-percentage

/huawei-nac:nac-access/configure-mode/unified-mode/mac-move/quiet-alarm-function/upper-threshold-percentage

Indicates the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state in the system view.

  • lower-threshold-percentage: indicates the lower alarm threshold.
  • upper-threshold-percentage: indicates the upper alarm threshold.

  • lower-threshold-percentage: The value is an integer in the range from 1 to 100.
  • upper-threshold-percentage: The value is an integer in the range from 1 to 100. The value must be greater than that of lower-threshold-percentage.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/default-detect-ip

Indicates the default source IP address of offline detection packets in the system view.

The value is in dotted decimal notation and can be 0.0.0.0 or 255.255.255.255.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/vlan

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/ip

/huawei-nac:nac-access/configure-mode/unified-mode/arp-detect/detect-source/detect-source-item/mac

Indicates the source IP address and source MAC address of offline detection packets for a specified VLAN in the system view.

  • vlan: indicates the VLAN.
  • ip: indicates the IP address.
  • mac: indicates the MAC address.

  • vlan: The value is an integer in the range from 1 to 4094.
  • ip: The value is in dotted decimal notation.
  • mac: The value must be a unicast MAC address. The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/band-width

Indicates whether to enable the bandwidth share mode in the system view.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/unlimited

Indicates whether users are logged out when an interface link is faulty.

The value is of the Boolean type:

  • true: Users are logged out.
  • false: Users are not logged out.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/authentication-profile/link-down-offline-parameters/off-line/delay-time

Indicates the user logout delay when an interface link is faulty.

The value is an integer in the range from 0 to 60, in seconds.

The default value is 10.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/syslog-restrain

Indicates whether to enable system log suppression.

The value is of the Boolean type:

  • true: enables the function.
  • false: disables the function.

N/A

/huawei-nac:nac-access/configure-mode/unified-mode/device-sensor/option

Specifies the DHCP option field that the device needs to resolve.

The option fields in a DHCP packet carry the control information and parameters, for example, terminal type.

The value is an integer in the range from 1 to 254. You can configure one to six Option fields.

N/A
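A pre-flight check for the value constraints in Table 1, as an added example that is not part of the Huawei documentation: it validates a profile name, the mode and timer leaves, a mac-move VLAN range and an arp-detect source MAC before a configuration is pushed to the device. The leaf paths are the ones in the table, written relative to authentication-profile; the function names, the dict-based input shape and the treatment of a short H group as left-padded with zeros are assumptions made for illustration.

```python
import re

FORBIDDEN = set(' /\\:*?"<>|@\'%')  # characters Table 1 bans in a profile name
MODES = {"single-terminal", "single-voice-with-data", "multi-share", "multi-authen"}
# leaf path relative to authentication-profile -> (low, high, zero_also_allowed)
RANGES = {
    "timer/re-authen-period/pre-authen": (30, 7200, True),
    "timer/re-authen-period/authen-fail": (30, 7200, True),
    "timer/re-authen-period/authen-fail-wlan-user": (30, 7200, True),
    "timer/aging-period/pre-authen": (60, 4294860, True),
    "timer/aging-period/authen-fail": (60, 4294860, True),
    "wlan-max-user-num": (1, 128, False),
    "link-down-offline-parameters/off-line/delay-time": (0, 60, False),
}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}$")  # H-H-H


def check_name(name):
    """Return a list of problems with an authentication profile name."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("name must be 1 to 31 characters")
    if name in ("-", "--"):
        problems.append("name cannot be - or --")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("name contains forbidden characters: " + "".join(bad))
    return problems


def check_profile(name, leaves):
    """Validate a {relative-path: value} dict for one profile against Table 1."""
    problems = check_name(name)
    for path, value in leaves.items():
        if path == "authentication-mode-parameters/mode":
            if value not in MODES:
                problems.append(f"{path}: unknown mode {value!r}")
        elif path in RANGES:
            low, high, zero_ok = RANGES[path]
            ok = isinstance(value, int) and (
                low <= value <= high or (zero_ok and value == 0))
            if not ok:
                problems.append(f"{path}: {value!r} out of range")
    return problems


def check_vlan_range(begin, end):
    """mac-move VLAN range: both IDs in 1..4094 and end greater than begin."""
    return 1 <= begin <= 4094 and 1 <= end <= 4094 and end > begin


def check_detect_mac(mac):
    """arp-detect source MAC: H-H-H format, unicast (I/G bit of first octet clear)."""
    if not MAC_RE.match(mac):
        return False
    first_group = mac.split("-")[0].zfill(4)  # assumption: short groups omit leading zeros
    return int(first_group[:2], 16) & 1 == 0
```

Leaves that are not listed in `RANGES` or `MODES` pass through unchecked, so an empty result means only that the checked constraints hold.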

Copyright © Huawei Technologies Co., Ltd.