static-user

Function

The static-user command configures a static user.

The undo static-user command deletes the configured static user.

By default, no static user is configured.

Format

static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ ip-user ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id | keep-online ] *

undo static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| start-ip-address [ end-ip-address ] | Specifies the IP address range to which a static user belongs. If end-ip-address is not specified, the static user is specified by start-ip-address. | The value is in dotted decimal notation. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance to which a static user belongs. | The value must be an existing VPN instance name. |
| ip-user | Identifies a static user using an IP address. NOTE: This parameter is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. | - |
| domain-name domain-name | Specifies the domain to which a static user belongs. If this parameter is specified, the user name of the static user is in the format of user name@domain name. In this case, @ is the default domain name delimiter. The location of the delimiter and the domain name can be set as required. | The value must be an existing domain name. |
| interface interface-type interface-number | Specifies the interface connected to a static user. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| detect | Permits the device to send ARP packets to trigger MAC address authentication for offline static users. | - |
| mac-address mac-address | Specifies the MAC address for a static user. | The value is in the format of H-H-H, in which H is a hexadecimal number of 1 to 4 digits. |
| vlan vlan-id | Specifies the VLAN to which a static user belongs. | The value is an integer that ranges from 1 to 4094. |
| keep-online | Keeps a static user online, with offline detection not performed. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In network deployment, static IP addresses are assigned to dumb terminals such as printers and servers. These users can be configured as static users for flexible authentication.

After static users are configured, the device can authenticate them using static user information, such as their IP addresses, as the user names. This works only if 802.1X authentication, MAC address authentication, or Portal authentication is enabled on the interfaces connected to the static users.

When ip-user is specified, IP addresses are used to identify static users and control their permissions.
  • When some terminals have multiple IP addresses and one MAC address, and they can access the network only after each IP address is authenticated, specify the ip-user parameter to identify these users and configure the ip-static-user enable command in the authentication template bound to the user access interfaces.
  • When all terminals have multiple IP addresses and can access the network only after each IP address is authenticated, only configure the ip-static-user enable command in the authentication template bound to the user access interfaces.

Precautions

After the static-user command is executed to modify the configuration, if a new user cannot log in due to an IP address conflict with an existing user, you need to run the cut access-user command to force the existing user to log out.

When the interface to which static users map (interface interface-type interface-number) is specified, the VLAN to which that interface belongs (vlan vlan-id) must also be configured.

This function takes effect only for users who go online after this function is successfully configured.

IP addresses can be used to identify static users and control their permissions only when the users have the ip-user parameter configured and connect to interfaces bound to an authentication template in which the ip-static-user enable command is configured.

If this command specifies the VLAN to which a static user belongs and, after the user is authenticated, the authorized VLAN differs from that specified VLAN, the user is added to the authorized VLAN and is no longer a static user.

When the command is configured on the UC device and directly delivered to the ASs in the SVF scenario, the command must be in the following format: static-user start-ip-address [ end-ip-address ] { vlan vlan-id | mac-address mac-address } or static-user start-ip-address [ end-ip-address ] vlan vlan-id mac-address mac-address.

In SVF mode, when the direct-command view command static-user command is executed on the control device to deliver the static-user configuration to access devices, the configuration must be the same as the static-user command configuration on the control device. If they are different, the static-user command configuration on the control device takes effect.

In policy association scenarios, the static-user command is optional on access devices. When this command is configured, the static-user configuration must be the same as that on the control device. If they are different, the static-user command configuration on the control device takes effect.

Example

# Configure the IP address range of 10.1.1.1 to 10.1.1.10, authentication domain huawei, and VLAN 10 for static users.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] static-user 10.1.1.1 10.1.1.10 domain-name huawei vlan 10
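
The value formats in the parameter table and the rules under Precautions can be checked before a configuration is pushed to a device. The Python linter below is an added example, not Huawei code: the function name lint_static_user, its svf_delivered flag and the problem strings are hypothetical, and it assumes one static-user command per line.

```python
import ipaddress
import re

# MAC format from the parameter table: H-H-H, each H being 1 to 4 hex digits.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}$")
# Keyword -> number of value tokens that follow it, per the Format section.
KEYWORDS = {"vpn-instance": 1, "ip-user": 0, "domain-name": 1, "interface": 1,
            "detect": 0, "mac-address": 1, "vlan": 1, "keep-online": 0}

def _ip(token):
    try:
        return ipaddress.IPv4Address(token)
    except ValueError:
        return None

def lint_static_user(line, svf_delivered=False):
    """Return the list of problems found in one static-user line."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "static-user" or _ip(tok[1]) is None:
        return ["not a static-user line with a dotted-decimal start address"]
    problems, opts, i = [], {}, 2
    if i < len(tok) and _ip(tok[i]) is not None:
        i += 1  # optional end-ip-address
    while i < len(tok):
        kw, n = tok[i], KEYWORDS.get(tok[i])
        if n is None:
            problems.append(f"unknown keyword {kw!r}")
            break
        if len(tok) - i - 1 < n:
            problems.append(f"{kw} is missing its value")
            break
        opts[kw] = tok[i + 1] if n else True
        i += 1 + n
        # Accept both "GigabitEthernet0/0/1" and "gigabitethernet 0/0/1".
        if kw == "interface" and i < len(tok) and tok[i][0].isdigit():
            i += 1
    vlan = opts.get("vlan")
    if vlan is not None and not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
        problems.append("vlan-id must be an integer from 1 to 4094")
    if "mac-address" in opts and not MAC_RE.match(opts["mac-address"]):
        problems.append("mac-address must be in H-H-H format")
    if "interface" in opts and vlan is None:
        problems.append("interface is specified without vlan")
    if "detect" in opts and "interface" not in opts:
        problems.append("detect is only valid after interface")
    if svf_delivered and (not opts or set(opts) - {"vlan", "mac-address"}):
        problems.append("SVF delivery allows only vlan and/or mac-address")
    return problems
```

Pass svf_delivered=True for lines that the UC device delivers directly to ASs, where only the vlan and mac-address options are accepted.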
Copyright © Huawei Technologies Co., Ltd.