
display aaa

Function

The display aaa command displays information about normal logout, abnormal logout, and login failures.

Format

display aaa { offline-record | abnormal-offline-record | online-fail-record } { all | reverse-order | domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | access-slot slot-number | time start-time end-time [ date start-date end-date ] | username user-name [ time start-time end-time [ date start-date end-date ] ] } [ brief ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| offline-record | Displays normal logout records. | - |
| abnormal-offline-record | Displays abnormal logout records. | - |
| online-fail-record | Displays login failure records. | - |
| all | Displays all login and logout records. | - |
| reverse-order | Displays the records in order of newest to oldest. | - |
| domain domain-name | Specifies the name of a domain. | The value is a string of 1 to 64 case-insensitive characters, excluding spaces, *, ?, and ". |
| interface interface-type interface-number | Specifies the type and number of an interface. | - |
| vlan vlan-id | Specifies the inner VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| qinq qinq-vlan-id | Specifies the outer VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| ip-address ip-address | Specifies an IP address. | The value is in dotted decimal notation. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance. | The value must be an existing VPN instance name. |
| mac-address mac-address | Specifies a MAC address. | The value is in H-H-H format. An H is a 4-digit hexadecimal number. |
| access-slot slot-number | Specifies a slot ID. | The value is an integer. The value range depends on the model of the device. |
| username user-name | Specifies a user. | The value must be an existing user. |
| time start-time end-time | Specifies a time range. | The format is HH:MM:SS, indicating hour:minute:second. |
| date start-date end-date | Specifies a date. | The format is YYYY/MM/DD. YYYY is the year, MM is the month, and DD is the day. |
| brief | Displays brief login and logout information. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command allows you to view information about user normal logouts, abnormal logouts, and login failures based on the domain name, interface, IP address, VPN instance, MAC address, or slot ID.

Precautions

Only letters, digits, and special characters can be displayed for username. User names in English, Chinese, and Russian are supported. The encoding used by the Telnet terminal must be the same as the encoding used by the device on which the user name was entered. Otherwise, user names in languages other than English may not be displayed correctly.

When the value of username contains special characters or characters in languages other than English, the device displays dots (.) in place of these characters. If there are more than three such consecutive characters, three dots (.) are displayed. Here, special characters are those with ASCII codes smaller than 32 (space) or larger than 126 (~).

For the descriptions, possible causes, and solutions of abnormal user logins and logouts, see "Common Causes for Access Authentication Failures" in the Huawei S Series Campus Switches Troubleshooting Guide.

Example

# Display information about user normal logouts in domain rds.
<HUAWEI> display aaa offline-record domain rds
 -------------------------------------------------------------------
  User name             : test@rds
  Domain name           : rds
  User MAC              : 0021-9746-b67c
  User access type      : 802.1x
  User access interface : GigabitEthernet10/0/2
  Qinq vlan/User vlan   : 0/1
  User IP address       : 192.168.2.2
  User IPV6 address     : -
  User ID               : 19
  User login time       : 2008/10/01 04:49:39
  User offline time     : 2008/10/01 04:59:43
  User offline reason   : EAPOL user request
  User name to server   : test@rds
  AP ID                 : 0
  Radio ID              : 0
  AP MAC                : b001-0000-ac01
  SSID                  : ssid1
 -------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
# Display all unexpected user logout records.
<HUAWEI> display aaa abnormal-offline-record all
  ------------------------------------------------------------------------------
  User name             : cdw                                                   
  Domain name           : l2bng                                                 
  User MAC              : c825-e142-4f2b                                        
  User access type      : MAC                                                   
  User access interface : Wlan-Dbss1                                            
  Qinq vlan/User vlan   : 0/2012                                                
  User IP address       : 10.17.17.219                                          
  User IPV6 address     : -                                                     
  User ID               : 18                                                    
  User login time       : 2017/03/16 19:40:18                                   
  User offline time     : 2017/03/16 19:43:20                                   
  User offline reason   : AAA cut command                                       
  User name to server   : cdw@l2bng 
  AP ID                 : 1 
  Radio ID              : 0  
  AP MAC                : b001-0000-ac01  
  SSID                  : ssid1
  ------------------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:   
# Display online failure information of all users.
<HUAWEI> display aaa online-fail-record all
  ------------------------------------------------------------------------------
  User name               : huawei 
  Domain name             : default 
  User MAC                : 0000-1220-85bc 
  User access type        : MAC  
  User access interface   : Eth-Trunk10 
  Qinq vlan/User vlan     : 116/100 
  User IP address         : 10.1.1.10 
  User IPV6 address       : - 
  User ID                 : 326678  
  User login time         : 2019/09/20 10:06:32  
  User online fail reason : Radius authentication reject 
  Authen reply message    : ErrorReason is The access quanti... 
  User name to server     : zxx
  ------------------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:   
Table 1 Description of the display aaa command output
Item
Description

User name

User name.

Domain name

Domain of a user.

User MAC

MAC address of a user.

User access type

Access type of a user:
  • 802.1x indicates that the user accesses the network through 802.1X.
  • API indicates that the user accesses the network through the API.
  • FTP indicates that the user accesses the network through FTP.
  • Telnet indicates that the user accesses the network through Telnet.
  • Terminal indicates that the user accesses the network through terminal.
  • SSH indicates that the user accesses the network through SSH.
  • x25-pad indicates that the user accesses the network through x25-pad.
  • HTTP indicates that the user accesses the network through HTTP.
  • Web indicates that the user accesses the network through web.
For the related command, see local-user service-type.

User access interface

Access interface of a user.

Qinq vlan/User vlan

VLAN that a user belongs to.
  • In QinQ application, QinQvlan indicates the outer VLAN ID and Uservlan indicates the inner VLAN ID.
  • For a common VLAN, Uservlan indicates the VLAN ID, and QinQvlan is 0.

User IP address

IP address of a user.

User IPV6 address

IPv6 address of a user.

User ID

Index of a user.

User login time

Time when a user goes online.

User offline time

Time when a user goes offline.

User offline reason or User online fail reason

Reason why a user goes offline or fails to go online. The common reasons are as follows:
  • The value "EAPOL user request" indicates that an 802.1X user requests to go offline.
  • The value "PPP user request" indicates that a PPP user requests to go offline.
  • The value "Web user request" indicates that a web user requests to go offline.
  • The value "AAA cut command" indicates that a user is deleted using command line.
  • The value "Session time out" indicates that a session times out.
  • The value "Idle cut" indicates that a user is disconnected because the user does not perform any operation within a specified period.
  • The value "PPP authentication fail" indicates a PPP authentication failure.
  • The value "STA disassociation" indicates that an STA is disassociated.
  • The value "console reset or disable port" indicates that the management interface is Down.
  • The value "Interface net down" indicates that an interface is Down.
  • The value "AS detect fail" indicates that an AS detection failure occurs on an access device in the policy association scenario.
  • The value "AS smooth fail" indicates that an AS smoothing failure occurs on an access device in the policy association scenario.
  • The value "AS configuration changed on interface" indicates that the user goes offline because the configuration of an AS interface on an access device changes in the policy association scenario.
  • The value "low RSSI" indicates that the wireless signal strength is weak.
  • The value "No authentication server configured" indicates that no authentication server is configured.
  • The value "No radius-server template bound" indicates that no RADIUS server template is bound.
  • The value "No tacacs-server template bound" indicates that no TACACS server template is bound.
  • The value "No accounting server configured" indicates that no accounting server is configured.
  • The value "Accounting server no response" indicates that the accounting server does not respond.
  • The value "EAPOL client restart associate" indicates that the 802.1X client re-triggers an association.
  • The value "Users with low priorities go offline" indicates that users go offline because their priorities are low.
  • The value "Resources are insufficient" indicates that resources of the device are insufficient.
  • The value "Local Authentication user block" indicates that the local user is locked.
  • The value "Roaming is prohibited" indicates that user roaming is forbidden.
  • The value "AP fault" indicates that a wireless user is forced offline due to AP disconnection.
  • The value "Remote user is blocked" indicates that the remotely authenticated user is locked.
  • The value "Not support authorization with car" indicates that upstream CAR authorization is not supported for the user group.
  • The value "Not support authorization with user-group" indicates that re-mark authorization is not supported for the user group.
  • The value "Radius authentication reject" indicates that the RADIUS server responds with an Access-Reject packet.
  • The value "Data flow or online time exceed threshold" indicates that the online duration or used traffic of the user reaches the threshold.
  • The value "AS access interface down" indicates that the access device's interface connected to users goes Down in SVF or policy association scenarios.
  • The value "Server response times out" indicates that the server does not respond within a specified period.
  • The value "The shared keys on the device and Portal server are different" indicates that the shared key configured on the device is different from that configured on the Portal server.

Authen reply message

Authentication response message.

If the Access-Reject packet returned by the RADIUS server carries this field, this field is filled with the message carried in the Access-Reject packet. The length of this field cannot exceed 32 bytes.

Otherwise, the message "Authentication fail,user is blocked" or "Authentication fail" is displayed.

User name to server

User name sent by the device to the server.

AP ID

ID of the AP that a wireless user associates with.

Radio ID

ID of the radio that a wireless user associates with.

AP MAC

MAC address of the AP that a wireless user associates with.

SSID

SSID that a wireless user associates with.
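
The following is an added example, not part of the original Huawei documentation: a Python parser for saved display aaa online-fail-record output that groups login failures by User MAC and failure reason, so repeated rejects from one endpoint stand out. Grouping uses the MAC rather than the user name because, as the Precautions note, user names may be shown as dots. The sample text is constructed in the page's output layout; the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the page's online-fail-record output.
SAMPLE = """\
<HUAWEI> display aaa online-fail-record all
  ------------------------------------------------------------------------------
  User name               : huawei
  User MAC                : 0000-1220-85bc
  User login time         : 2019/09/20 10:06:32
  User online fail reason : Radius authentication reject
  ------------------------------------------------------------------------------
  User name               : ...
  User MAC                : 0000-1220-85bc
  User login time         : 2019/09/20 10:06:41
  User online fail reason : Radius authentication reject
  ------------------------------------------------------------------------------
  User name               : guest
  User MAC                : 0021-9746-b67c
  User login time         : 2019/09/20 10:07:02
  User online fail reason : Server response times out
  ------------------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
"""

SEPARATOR = re.compile(r"^\s*-{10,}\s*$")
# Keys hold only letters, digits, spaces and "/", which excludes the y/n prompt.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(.*?)\s*$")

def parse_records(text):
    """Split CLI output on dashed separators into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current = {}
        elif (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records

def repeated_failures(records, threshold=3):
    """Return {(mac, reason): [login times]} for groups at or above threshold."""
    groups = defaultdict(list)
    for r in records:
        if "User online fail reason" in r:
            key = (r["User MAC"], r["User online fail reason"])
            groups[key].append(r["User login time"])  # YYYY/MM/DD sorts as text
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}
```

Records from offline-record and abnormal-offline-record parse with the same function; only online-fail-record entries carry the "User online fail reason" field that the grouping step looks for.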

Copyright © Huawei Technologies Co., Ltd.