
user-group

Function

The user-group command creates a user group or displays the user group view.

The undo user-group command deletes a user group.

By default, no user group is configured.

Format

user-group group-name

undo user-group group-name

Parameters

Parameter: group-name

Description: Specifies the name of a user group.

Value: The value is a string of 1-64 case-sensitive characters. It cannot be set to - or --, and it cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In practical NAC applications, there are many access users and a large number of ACL rules need to be configured for each user. However, the number of user types is limited.

You can run the user-group command to create user groups on the device and associate each user group with a group of ACL rules (for details, see acl-id). Users in the same group then share one group of ACL rules, so the limited ACL resources can support a large number of access users.

When the user group function is enabled on models except the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be used to save ACL resources.

Precautions
  • When you create a user group, ensure that the user group name is different from the number of an existing ACL. You can run the display acl all command to view the configuration of all ACL rules on the device.
  • If you want to delete the user group when the ACL bound to the user takes effect, run the cut access-user user-group group-name command to disconnect all users bound to the user group, and run the undo user-group group-name enable command to disable the user group function.
  • The priority of the user group authorization information delivered by the authentication server is higher than that of the user group authorization information applied in the AAA domain. If the user group authorization information delivered by the authentication server cannot take effect, the user group authorization information applied in the AAA domain is used. For example, if only user group B is configured on the device and the group authorization information is applied in the AAA domain when the authentication server delivers authorization information about user group A, the authorization information about user group A cannot take effect and the authorization information about user group B is used. To make the user group authorization information delivered by the authentication server take effect, ensure that this user group is configured on the device.
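
The following Python check is an added example, not part of the Huawei documentation. It applies the group-name rules and the precautions above to a planned configuration, so that a name colliding with an ACL number, or a server-delivered group that would silently fall back to the AAA domain group, is caught before deployment. The function names and the sample values (A, B, 3001) are assumptions made for illustration.

```python
# Added example: pre-deployment checks for user-group planning.
# Symbols the page forbids in group-name, plus the space character.
FORBIDDEN = set('/\\:*?"<>|@\'% ')

def validate_group_name(name, existing_acl_numbers=()):
    """Return a list of problems with a proposed group name (empty list = OK)."""
    problems = []
    if not 1 <= len(name) <= 64:
        problems.append("length must be 1-64 characters")
    if name in ("-", "--"):
        problems.append("name cannot be - or --")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    # Precaution: the name must differ from the number of an existing ACL
    # (the numbers would come from 'display acl all' output).
    if name in {str(n) for n in existing_acl_numbers}:
        problems.append("name collides with existing ACL number " + name)
    return problems

def effective_group(server_group, domain_group, configured):
    """Model the priority rule: the server-delivered group wins only if it is
    configured on the device; otherwise the AAA domain group is used."""
    if server_group in configured:      # names are case-sensitive
        return server_group
    # Assumption: a domain group that is also missing from the device applies
    # no group at all; the page does not describe that case.
    return domain_group if domain_group in configured else None

def silent_fallbacks(server_groups, domain_group, configured):
    """Map each server-delivered group to the group that would actually apply,
    listing only those where the two differ."""
    result = {}
    for group in server_groups:
        applied = effective_group(group, domain_group, configured)
        if applied != group:
            result[group] = applied
    return result

if __name__ == "__main__":
    # Constructed sample: only group B exists on the device, ACL 3001 exists.
    print(validate_group_name("3001", existing_acl_numbers=[3001]))
    print(silent_fallbacks(["A", "B"], "B", {"B"}))
```

A non-empty result from silent_fallbacks means users the server places in one group would receive another group's ACL rules until the missing group is created on the device.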

Example

# Create a user group test1.

<HUAWEI> system-view
[HUAWEI] user-group test1
Copyright © Huawei Technologies Co., Ltd.