access-type

Function

The access-type command configures the access type of a BAS interface. The access type can be leased line access for Layer 2 access, Layer 2 leased line access, Layer 3 access, or Layer 3 leased line access.

The undo access-type command disables the BAS interface.

By default, a BAS interface is disabled.

This command is supported only on the NetEngine 8000 F1A.

Format

access-type layer2-subscriber [ bas-interface-name bname | default-domain { pre-authentication predname | authentication [ force | replace ] dname } * | accounting-copy radius-server rd-name ] *

access-type layer2-leased-line user-name uname password { cipher cipher-password | simple simple-password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type port-type ] *

access-type layer3-subscriber [ default-domain { pre-authentication dname | authentication [ force | replace ] dname } * ]

access-type layer3-leased-line { user-name uname | user-name-template } password { cipher cipher-password | simple simple-password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type port-type | mac-address mac-address | client-id client-id ] *

access-type l2vpn-leased-line user-name uname password { cipher cipher-password | simple simple-password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type port-type ] *

undo access-type

Parameters

Parameter Description Value
bas-interface-name bname

Specifies a BAS interface name.

The value is a string of 1 to 32 characters.
default-domain

Indicates the default domain.

-
pre-authentication dname

Specifies the name of the pre-authentication domain.

The value is a string of 1 to 64 characters.
pre-authentication predname

Specifies the name of the default pre-authentication domain.

If no pre-authentication domain is configured on a BAS interface, default0 is used.

The value is a string of 1 to 64 characters.
authentication dname

Specifies the name of the domain.

The value is a string of 1 to 64 characters.
force

Specifies a mandatory authentication domain.

A user uses the authentication and accounting scheme configured in this domain, irrespective of whether the user name contains a domain name or what the domain name is. If the user name contains a domain name, the domain name remains unchanged during authentication; if the user name does not contain a domain name, the mandatory authentication domain name is added to the user name.

This parameter does not take effect for EAP authentication users.

-
replace

Specifies a mandatory substitute authentication domain.

A user uses the authentication and accounting schemes configured in this domain, irrespective of whether the user name contains a domain name or what the domain name is. If the user name contains a domain name, the domain name is replaced by the mandatory substitute authentication domain name during authentication; if the user name does not contain a domain name, the mandatory substitute authentication domain name is added to the user name.

This parameter does not take effect for EAP authentication users.

-
accounting-copy radius-server rd-name

Specifies a RADIUS accounting copy server.

The value is a string of 1 to 32 characters.
radius-server rd-name

Specifies a RADIUS accounting copy server.

The value is a string of 1 to 32 characters.
layer2-leased-line

Indicates Layer 2 leased line users.

-
user-name uname
Specifies a leased line user name.
  • To prevent security risks, you are advised to configure a username consisting of at least six characters for leased line users. A warning message will be displayed if you configure a username containing less than six characters.

The value is a string of 1 to 253 characters.
password

Specifies a password.

-
cipher cipher-password

Specifies a user password.

  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode becasue the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.

The value is a string of 1 to 128 case-sensitive characters in simple text or a string of 1 to 268 case-sensitive characters in ciphertext.
simple simple-password

Specifies a user password.

  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode becasue the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.

If a password is entered in simple mode, the value is a string of 1 to 128 characters.
nas-port-type port-type

Specifies a NAS interface type.

-
layer3-subscriber

Indicates Layer 3 common users.

-
layer3-leased-line

Indicates Layer 3 leased line users.

-
user-name-template

Specifies a user name template.

-
mac-address mac-address

Specifies the MAC address of a Layer 3 leased line user.

The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. If an H contains fewer than 4 digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0.
client-id client-id

Specifies the client ID of a Layer 3 leased line user.

The value is a string of 1 to 64 case-sensitive characters without metacharacters, such as spaces and question marks.
l2vpn-leased-line

Indicates Layer 2 vpn leased line users.

-
layer2-subscriber

Indicates Layer 2 common users.

-

Views

BAS interface view (GE), BAS interface view (VE), BAS interface view (trunk)

Default Level

3: Management level

Task Name and Operations

Task Name Operations
bras-control write

Usage Guidelines

Usage Scenario

To configure the access type of a BAS interface as a Layer 2 common user, Layer 2 leased line user, Layer 3 common user, or Layer 3 leased line user, run the access-type command.

  • A common user is a single user who accesses through a Layer 2 or Layer 3 network. This type of user has independent service attributes, authentication, and accounting.
  • A leased line user leases an Ethernet interface or some VLANs of an interface.

    On a leased line, connections can be established for multiple users; however, these users are represented as one user on the BRAS. The BRAS implements uniform authentication and accounting, bandwidth control, access control, and QoS for leased line users.

    Leased lines are classified as Layer 2 or Layer 3 leased lines.

    Assume that a user getting online with a domain name and the user inputs a user account, namely, user@A.
  • The BAS interface that accesses the user is configured with domain B as the default-domain authentication. If domain A is configured on the device, the user adopts the authentication scheme that is configured in domain A, and the user account for authentication is user@A. If domain A is not configured on the device, and the roam-domain is disabled, the user authentication fails. If the roam-domain is enabled, the user adopts the authentication scheme that is configured in the roam-domain.
  • The BAS interface that accesses the user is configured with domain E as the roam-domain configured through the roam-domain command. If domain A is not configured on the device, the user adopts the authentication scheme that is configured in domain E. If domain A is configured on the device, the user adopts the authentication scheme that is configured in domain A, and the user account for authentication is user@A.
  • The BAS interface that accesses the user is configured with domain F as the default-domain authentication force. In this case, the user adopts the authentication scheme that is configured in domain F (regardless of whether domain A is configured on the device or whether a roam-domain is configured), and the user account for authentication is still user@A.
  • The BAS interface that accesses the user is configured with domain G as the default-domain authentication replace. In this case, the user adopts the authentication scheme that is configured in domain G (regardless of whether domain A is configured on the device or whether a roam-domain is configured), and the user account for authentication is changed into user@G.

    Assume that a user getting online without a domain name and the user inputs a user account, namely, user.
  • If the BAS interface that accesses the user is not configured with the default-domain authentication, the user adopts the authentication scheme that is configured in default1, and the user account for authentication is user@default1.
  • If the BAS interface that accesses the user is configured with domain B as the default-domain authentication, the user adopts the authentication scheme that is configured in domain B (domain B here is a default domain), and the user account for authentication is user@B.
  • If the BAS interface that accesses the user is configured with domain H as the default-domain authentication force, the user adopts the authentication scheme that is configured in domain H, and the user account for authentication is user@H.
  • If the BAS interface that accesses the user is configured with domain J as the default-domain authentication replace, the user adopts the authentication scheme that is configured in domain J, and the user account for authentication is user@J.

    NOTE:

    The user account mentioned above may not the one that is sent to an AAA server. Instead, whether the user account sent to the AAA server contains a domain name depends on the device is configured the radius-server user-name command to send a domain name to the AAA server or not.

    The commands that configure the access type as Layer 2 user access cannot be configured at the same time as the undo ipv6 nd ra halt command. If you want to run one of the former commands, but the undo ipv6 nd ra halt command has been configured on the interface, you must first run the ipv6 nd ra halt command.

Configuration Impact

After this command is run, only the packets sent by the user and the packets arriving at the user can be forwarded after the user goes online.

Precautions

This command is supported only on the admin VS.

If the dhcp relay, dhcp select, dhcp option82, and ip relay commands are run on an interface, the bas command can be run on the same interface. However, the access-type layer2-subscriber, access-type layer3-subscriber, and access-type layer2-leased-line commands cannot be run on the same interface. Otherwise, an error message is displayed:Error:This interface has the configurations of other services, and cannot be configured as an access interface.

Both an RBP (remote-backup-profile rbp-name) and Layer 3 users access (access-type layer3-subscriber) can be configured only on an Eth-Trunk interface.

  • The ipv6 urpf command in the interface view is mutually exclusive with the access-type layer2-leased-line, access-type layer2-subscriber, and access-type layer3-subscriber commands in the BAS interface view. The ipv6 urpf command in the interface view is not mutually exclusive with the access-type layer3-leased-line command in the BAS interface view.
  • The dhcp select relay, dhcp option82 format, dhcp option82 insert enable, dhcp optiion82 rebuild enable, ip relay address ip-address, ip relay giaddr ip-address commands in the interface view are exclusive with the access-type layer2-subscriber, access-type layer3-subscriber, and access-type layer2-leased-line commands.
  • The qos-profile <profile-name> command is exclusive with the access-type layer2-leased-line and access-type layer3-leased-line commands.
  • The qos-profile <profile-name> command in the BAS interface view is exclusive with the access-type layer2-leased-line command.
  • The user-vlan command in the sub-interface view is exclusive with the access-type layer3-leased-line command.
  • The vlan-type dot1q <vlan-id>, control-vid <vid> dot1q-termination, and control-vid <vid> qinq-termination commands in the sub-interface view are exclusive with the access-type layer2-leased-line command.
  • The qinq stacking vid <low-ce-vid> and qinq mapping vid <vid> commands in the sub-interface view are exclusive with the access-type layer2-leased-line and access-type layer3-leased-line commands.

    For security purposes, you are advised to configure a username no less than 6 characters.

    For security purposes, you are advised to configure a complex password.

Example

# Configure the access type of GE 0/1/0 as Layer 2 subscriber.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] bas
[~HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber
Parent Topic: IPoE Access Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >