display radius-server configuration

Function

The display radius-server configuration command displays the configuration of RADIUS server groups on the device.

Format

display radius-server configuration [ group group-name ]

Parameters

Parameter Description Value
group group-name

Specifies the name of a RADIUS server group.

The value is a string of 1 to 32 characters.

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

Task Name Operations
radius read

Usage Guidelines

Usage Scenario

If you run this command in the RADIUS server group or specify the name of the RADIUS server group, the detailed configuration of the RADIUS server group is displayed. Otherwise, the summary of all the RADIUS server groups is displayed.

NOTE:

Configuring the ui-mode type1 command in the system view influences the output format of the display command.


In VS mode, this command is supported only by the admin VS.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the configuration of the RADIUS server group 123.
<HUAWEI> display radius-server configuration group 123
-------------------------------------------------------
  Server-group-name    :  123
  Authentication-server:  IP:192.168.1.87 Port:1812 Weight[0] [DOWN]  
                          Vpn: -
                          Status changing:
                          2015-11-19 08:07:33 [DOWN]
                          2015-11-19 08:09:21 [UP]
                          2015-11-19 08:13:56 [DOWN]
                          2015-11-19 08:22:12 [DOWN]
  Authentication-server:  IP:192.168.1.86 Port:1812 Weight[0] [UP]  
                          Vpn: -
                          Status changing:
                          2015-11-19 08:07:48 [DOWN]
  Authentication-server:  IP:192.168.1.93 Port:1812 Weight[0] [UP] [MASTER] 
                          Vpn: -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Authentication-server:  -
  Accounting-server    :  IP:192.168.1.87 Port:1813 Weight[0] [DOWN]  
                          Vpn: -
                          Status changing:
                          2015-11-19 08:12:02 [DOWN]
                          2015-11-19 08:15:53 [UP]
                          2015-11-19 08:22:28 [DOWN]
  Accounting-server    :  IP:192.168.1.86 Port:1813 Weight[0] [UP]  
                          Vpn: -
                          Status changing:
                          2015-11-19 08:12:17 [DOWN]
  Accounting-server    :  IP:192.168.1.93 Port:1813 Weight[0] [UP] [MASTER] 
                          Vpn: -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Accounting-server    :  -
  Protocol-version     :  radius
  Shared-secret-key    :  ******
  Retransmission       :  3
  Timeout-interval(s)  :  5
  Acct-Start-Packet Resend  :  NO
  Acct-Start-Packet Resend-Times  :  0
  Acct-Stop-Packet Resend  :  NO
  Acct-Stop-Packet Resend-Times  :  0
  Traffic-unit         :  B
  ClassAsCar           :  NO
  User-name-format     :  Domain-included
  Option82 parse mode  :  -
  Attribute-translation:  NO
  Packet send algorithm:  Master-Backup
  Tunnel password      :  cipher
  LTS-Tunnel format    :  vendor 2352
  Calling-Station-ID format: vendor 2352 include option82 version1
  Attribute decode-error-policy list: -
  Attribute-included   :  HW-DHCP-OPTION
  HW-DHCP-OPTION       :  2 4 6
  Attribute-included   :  HW-DHCPv6-OPTION
  HW-DHCPv6-OPTION     :  2 3 7
  Accounting-attribute-included   :  HW-DHCP-OPTION
  HW-DHCP-OPTION       :  60
  Accounting-attribute-included   :  HW-DHCPv6-OPTION
  HW-DHCPv6-OPTION     :  16
  Trust server username:  NO
  Attach username in ACK:  -
  Apply user-name user-type  :  IPOE 
  Qos-profile no-exist-policy  :  Online
  Qos-profile-name case-sensitive  :  YES
  Vendor Added         :  311
  Usermac-as-option61  :  YES
  Vendor noncontinuous :  huawei other
  Nas-port-id lns include  :  string(ip $) call-serial-number($) local-tunnel-ip                                     
  Calling-station-id include  :  (*) option82 domain(@) mac 
  Calling-station-id lns-default  :  version1
  Policy-name no-exist-policy  :  Online 
  Authentication rollover-on-reject  :  YES    
  Apply framed-ipv6-pool match pool-type  :  YES
  Hw-domain-name block policy  :  Online
  Accounting-merge max-length  :  --
  Radius-attribute include agent-circuit-id value-added-service  :  FALS
  Radius-attribute include agent-remote-id value-added-service  :  FALSE
  Radius-attribute include hw-avpair nat:nat-vpn :  FALSE
  Radius-attribute include hw-avpair nat:nat-export :  FALSE
  Radius-attribute include class edsg :  FALSE
  Radius-attribute include class daa :  FALSE
  Radius-attribute include hw-acct-terminate-subcause :  FALSE
  Radius-attribute include hw-acct-terminate-subcause edsg :  FALSE
  Radius-attribute include hw-avpair subscriber:vpnid :  FALSE
  Radius-attribute include replymessage :  FALSE
  Acct-Interim-Packet Resend  :  NO
  Acct-Interim-Packet Resend-Times  :  0
  Nasport Bypass enable  :  0
  NAS-IP-Address using remote-ip  :  NO   
  NAS-PORT using user-id  :  NO
  Radius-server alarm enable : YES
# Display the configuration of all the RADIUS server groups.
<HUAWEI> display radius-server configuration
RADIUS no response packet count    : 10
  RADIUS auto recover time(Min)      : 3
  RADIUS retransmit interval(Sec)    : 30
  RADIUS authentication source ports :
         IPv4: 1812
         IPv6: 1812
  RADIUS accounting source ports     :
         IPv4: 1813
         IPv6: 1813
  -------------------------------------------------------
  Server-group-name    :  rd1
  Authentication-server:  IP:10.93.4.16 Port:1812 Weight[0] [UP] [MASTER]       
                          Vpn: -                                                
                          share-key:  ******                                    
  Authentication-server:  IP:10.93.4.14 Port:1812 Weight[0] [UP]                
                          Vpn: -                                                
                          share-key:  ******                                    
  Authentication-server:  IP:1.1.1.1 Port:1812 Weight[0] [UP]                   
                          Vpn: -                                                
  Accounting-server    :  IP:10.93.4.16 Port:1813 Weight[0] [UNKNOWN] [MASTER]  
                          Vpn: -                                                
                          share-key:  ******                                    
  Accounting-server    :  IP:10.93.4.14 Port:1813 Weight[0] [UNKNOWN]           
                          Vpn: -                                                
                          share-key:  ****** 
  Protocol-version     :  radius 
  Shared-secret-key    :  ******
  Retransmission       :  2
  Timeout-interval(s)  :  8
  Acct-Start-Packet Resend  :  YES   
  Acct-Start-Packet Resend-Times  :  10   
  Acct-Stop-Packet Resend  :  YES
  Acct-Stop-Packet Resend-Times  :  100
  Acct-Interim-Packet Resend  :  NO
  Acct-Interim-Packet Resend-Times  :  0
  Nasport Bypass enable  :  0
  -------------------------------------------------------
  Are you sure to display next (Y/N)[Y]:Y
  -------------------------------------------------------
  Server-group-name    :  g1
  Protocol-version     :  radius 
  Shared-secret-key    :  ******
  Retransmission       :  3
  Timeout-interval(s)  :  5
  Acct-Start-Packet Resend  :  NO   
  Acct-Start-Packet Resend-Times  :  0   
  Acct-Stop-Packet Resend  :  NO
  Acct-Stop-Packet Resend-Times  :  0
  Acct-Interim-Packet Resend  :  NO
  Acct-Interim-Packet Resend-Times  :  0
  Nasport Bypass enable  :  0  
  NAS-IP-Address using remote-ip  :  NO   
  NAS-PORT using user-id  :  NO   
  -------------------------------------------------------
  Total 2,2 printed
<HUAWEI> display radius-server configuration
RADIUS no response packet count    : 10                                       
  RADIUS auto recover time(Min)      : 3                                        
  RADIUS retransmit interval(Sec)    : 5                                        
  RADIUS authentication source ports :                                          
         IPv4: 1812                                                             
         IPv6: 1812                                                             
  RADIUS accounting source ports     :                                          
         IPv4: 1813                                                             
         IPv6: 1813
# Display the configuration of huawei group.
<HUAWEI> display radius-server configuration group huawei
-----------------------------------------------------------------------------
Server-group-name                   :  abc
Protocol-version                    :  standard
Shared-secret-key                   :  ****************
Timeout-interval(in second)         :  5
Auth-timeout-interval(in second)    :  3
Acct-timeout-interval(in second)    :  3
Primary-authentication-server       :  10.164.155.13-1812
Primary-accounting-server           :  10.10.10.5-1000
Secondary-accounting-server         :  10.10.10.6-1000
Secondary-authentication-server     :  10.10.10.7-1000
Retransmission                      :  3
Auth-retransmission                 :  5
Acct-retransmission                 :  5
Domain-included                     :  YES
Mode                                :  Pri-secondary
Attribute Translation               :  NO
-----------------------------------------------------------------------------
Table 1 Description of the display radius-server configuration command output
Item Description
Server-group-name

Name of the RADIUS server group.

Status changing

Status change of the RADIUS server. The available options are as follows:

  • UP: enabled.
  • DOWN: disabled.
  • UNKNOWN: Detection is performed when the device assumes that the RADIUS server is up.
Accounting-server

Parameters of the RADIUS accounting server, such as the IP address, interface number, weight, RADIUS server status and VPN Up-Group.

RADIUS uses UDP as the transport protocol. The device determines the RADIUS server status based on the radius-server { dead-count dead-count | dead-interval dead-interval | dead-time dead-time } command configuration. The device considers the RADIUS server Down if it receives no response packet after sending request packets to the RADIUS server dead-count times and the time elapsed since the first request packet was sent is greater than dead-interval. After the period of time specified by dead-time, the device assumes that the RADIUS server has gone Up (if the ui-mode type1 command is configured, the status of the RADIUS server is UNKNOWN instead of UP) and resends request packets. If the device does not receive any response packet from the RADIUS server after sending request packets dead-count times and the time since the first request packet was sent is longer than dead-interval, the device sets the status of the RADIUS server to Down. If the RADIUS server is Up, the status of the server is Up after you run the display radius-server configuration command. The system generates logs and traps indicating that the RADIUS server is Up only after it receives a response packet.

The RADIUS server has three states: UP, DOWN, and UNKNOWN. The UNKNOWN state means that the device assumes that the RADIUS server status is Up.

Protocol-version

Version of the protocol used by the RADIUS server.

Shared-secret-key

Specifies the shared key.

Retransmission

Specifies the number of retransmissions.

Timeout-interval(s)

Timeout period for the retransmission of RADIUS packets.

If this parameter is not configured using the radius-server timeout command, the default value 5 is displayed.

Acct-Start-Packet Resend

Whether to retransmit cached accounting-start packets:

  • YES: Cached accounting-start packets are retransmitted.
  • NO: Cached accounting-start packets are not retransmitted.

If the radius-server accounting-start-packet resend command has been run to enable the device to retransmit cached accounting-start packets, YES is displayed. Otherwise, NO is displayed.

Acct-Start-Packet Resend-Times

Number of times that cached accounting-start packets are retransmitted.

The number of times that cached accounting-start packets are retransmitted can be configured using the radius-server accounting-start-packet resend command. If the number of times that cached accounting-start packets are retransmitted is not configured, 0 is displayed.

Acct-Stop-Packet Resend

Whether to retransmit Accounting-Stop packets (Yes or No).

If this parameter is not configured using the radius-server accounting-stop-packet resend command, the default value NO is displayed.

Acct-Stop-Packet Resend-Times

Number of times that Accounting-Stop packets are retransmitted.

If this parameter is not configured using the radius-server accounting-stop-packet resend command, the default value NO is displayed.

Traffic-unit

Traffic unit used by the RADIUS server, which can be:

  • B: bytes.
  • GB: Gbytes.
  • KB: kbytes.
  • MB: Mbytes.

If this parameter is not configured using the radius-server traffic-unit command, the default value B is displayed.

ClassAsCar

Whether to set the Class attribute to CAR (Yes or No).

If this parameter is not configured using the radius-server class-as-car command, the default value NO is displayed.

User-name-format

Format of the user name sent to the RADIUS server, which can be:

  • Original: The user name sent to the RADIUS server and the user name entered by the user are of the same format.
  • Domain-not-included: The user name excludes the domain name.
  • Domain-included: The user name includes the domain name.

If this parameter is not configured using the radius-server user-name command, the default value Domain-included is displayed.

Domain-included

Indicates whether the user name includes the domain name.

  • Yes.
  • No.
Option82 parse mode

Option82 parse mode that is set using the option-82 parse-mode command.

Packet send algorithm

Algorithm for selecting a RADIUS server during packet sending, which can be:

  • Master-Backup: master and backup algorithm.
  • Master-Backup strict: master and backup algorithm, based on which the accounting server is strictly selected, irrespective of the authentication server.
  • Loading-share: load sharing algorithm.

If this parameter is not configured using the radius-server algorithm command, the default value Master-Backup is displayed.

Tunnel password

Mode in which the RADIUS server sends a tunnel password and that is supported by the device, which can be:

  • cipher: cipher mode.
  • simple: simple mode.

If this parameter is not configured using the radius-attribute tunnel-password command, the default value cipher is displayed.

LTS-Tunnel format

Vendor-specific encapsulation format of LTS user tunnel attributes.

If no vendor-specific encapsulation format is configured using the radius-server format-attribute lts-tunnel command, this field is not displayed.

Calling-Station-ID format

Calling-Station-ID attribute format that is configured using the radius-server format-attribute calling-station-id vendor 2352 version1 command.

Attribute decode-error-policy list

RADIUS attribute that is ignored if the device fails to parse it. This field is not displayed if this function is not configured.

Attribute Translation

Indicates the attribute translation enable information. It can be any of the following:

  • YES.
  • NO.
Attribute-included

Attribute carried in a RADIUS packet. If this attribute is not configured using the radius-attribute include command, this field is not displayed.

HW-DHCP-OPTION

ID of the option carried in the HW-DHCP-Option attribute.

HW-DHCPv6-OPTION

ID of the option carried in the HW-DHCPv6-Option attribute.

Accounting-attribute-included

ID of the option in the HW-DHCP-Option or HW-DHCPv6-Option attribute carried in the accounting request packet sent to the RADIUS server.

Trust server username

Username of the trusted server. The available options are as follows:

  • YES: Trusted.
  • NO: Untrusted.
Attach username in ACK

Username carried in ACK packets.

Apply user-name user-type

User type of the user name delivered by the RADIUS server. This field is displayed only if the user type is configured using the radius-attribute apply user-name match user-type command.

Apply framed-ipv6-pool match pool-type

Whether the device is enabled to use the IPv6 address pool delivered by the RADIUS server through the RADIUS attribute Framed-Ipv6-Pool only when the type of this address pool is the same as that of the IPv6 address pool configured in the domain. This field is displayed only if this function is configured using the radius-attribute apply framed-ipv6-pool match pool-type command.

Qos-profile no-exist-policy

User policy used when the QoS profile delivered by the RADIUS server does not exist on the device:

  • Online: Keep users online.
  • Offline: Log out users.

If the user policy is not configured using the radius-attribute qos-profile no-exist-policy command, the default value Offline is displayed.

Qos-profile-name case-sensitive

Whether the QoS profile name is case-sensitive, which can be configured using the radius-attribute case-sensitive qos-profile-name command. This field is displayed only after the command is run.

Vendor Added

Function of displaying the IDs of the vendors whose devices can parse private RADIUS attributes. This field is displayed only if this function is configured using the radius-attribute vendor enable command.

Vendor noncontinuous

Function of displaying the IDs of the vendors whose devices do not continuously encapsulate attributes. This field is displayed only if this function is configured using the undo radius-attribute vendor { all | { 3gpp2 | dslforum | huawei | microsoft | other | redback } * } continuous command.

Usermac-as-option61

Whether the hw-user-mac attribute (RADIUS proprietary No. 153 attribute) carries Option 61. This field is displayed only if this function is configured using the radius-attribute usermac-as-option61 command.

Nas-port-id lns include

Contents of the Nas-Port-Id attribute on the LNS. This field is displayed only if the contents are configured using the radius-server nas-port-id lns include command.

Calling-station-id include

Contents of the Calling-Station-Id attribute. This field is displayed only if the contents are configured using the radius-server calling-station-id include command.

Calling-station-id lns-default

Default format of the Calling-Station-Id attribute on the LNS. This field is displayed only if the default format is configured using the radius-server calling-station-id lns-default version1 command.

Policy-name no-exist-policy

User policy used when the policy name delivered by the RADIUS server does not exist:

  • Online: Keep users online.
  • Offline: Log out users.

If the user policy is not configured using the radius-attribute policy-name no-exist-policy online command, the default value Offline is displayed.

Authentication rollover-on-reject

Whether the device is enabled to poll RADIUS servers for authentication after receiving a RADIUS Access-Reject packet. This field is displayed only if this function is configured using the radius-server authentication rollover-on-reject command.

Accounting-merge max-length

Maximum length of an encapsulated accounting packet.

Radius-attribute include agent-circuit-id value-added-service

Whether the Agent-Circuit-Id attribute is carried in an accounting packet.

Radius-attribute include agent-remote-id value-added-service

Whether the Agent-Remote-Id attribute is carried in an accounting packet.

Radius-attribute include hw-acct-terminate-subcause

Whether accounting stop packets carry user logout sub-causes:

  • TRUE: Accounting stop packets carry user logout sub-causes.
  • FALSE: Accounting stop packets do not carry user logout sub-causes.
Radius-attribute include hw-acct-terminate-subcause edsg

Whether EDSG service accounting stop packets carry user logout sub-causes:

  • TRUE: EDSG service accounting stop packets carry user logout sub-causes.
  • FALSE: EDSG service accounting stop packets do not carry user logout sub-causes.
Radius-attribute include hw-avpair nat

Specifies the value of the HW-AVPair attribute to be encapsulated into the authentication or accounting packets to be sent to the RADIUS server.

The below values are supported:

  • nat-vpn: allows user accounting packets to carry the IDs of the VPN instances bound to CGN address pools.
  • nat-extport: allows user accounting packets to carry incrementally allocated port numbers.
Radius-attribute include hw-avpair subscriber

Value of the hw-avpair attribute carried in user authentication or accounting packets.

The available options are as follows:

  • subscriber:fq: Whether the Flow-queue parameter setting that actually takes effect is carried in user accounting packets.
    • TRUE: It is carried in user accounting packets.
    • FALSE: It is not carried in user accounting packets.
  • subscriber:vpnid: Whether the user's VPN index is carried in user accounting packets.
    • TRUE: It is carried in the user accounting packets.
    • FALSE: It is not carried in the user accounting packets.
  • subscriber:link-address: Whether the DHCPv6 address is carried in authentication packets.
    • TRUE: It is carried in authentication packets.
    • FALSE: It is not carried in authentication packets.
Acct-Interim-Packet Resend

Whether the function to cache RADIUS real-time accounting packets is enabled.

Acct-Interim-Packet Resend-Times

Number of retransmissions of cached real-time accounting packets.

Nasport Bypass enable

Whether the LNS encapsulates the NAS-Port attribute received from the LAC in an authentication or accounting request packet to be sent to the RADIUS server:

  • 1: yes.
  • 0: no.
NAS-IP-Address using remote-ip

Whether the device is enabled to encapsulate the LAC-side IP address (remote IP address) into the NAS-IP-Address attribute of a RADIUS packet for an LNS user:

  • YES: The function is enabled.
  • NO: The function is not enabled.

This function is configured using the radius-server nas-ip-address lns remote-ip command. If the command is not run, the default value NO is displayed.

NAS-PORT using user-id

Whether the device is enabled to encapsulate user IDs into the NAS-Port attribute of a RADIUS packet for an LNS user:

  • YES: The function is enabled.
  • NO: The function is not enabled.

This function is configured using the radius-attribute include nas-port lns with-user-id command. If the command is not run, the default value NO is displayed.

Radius-server alarm enable

Whether the device generates a RADIUS server down alarm when the communication between a device and a RADIUS server in a RADIUS server group is interrupted.

RADIUS no response packet count

Number of the consecutive times that the RADIUS server does not respond (used to determine whether the RADIUS server runs normally).

RADIUS auto recover time(Min)

Time spent waiting for the RADIUS server to recover.

RADIUS retransmit interval(Sec)

Interval between the first and the last of the packets that are ignored for the number of consecutive times specified by the radius-server dead-count dead-count command.

The interval is configured using the radius-server dead-interval dead-interval command. The default value is 5s.

RADIUS authentication source ports

Source ports for RADIUS authentication service.

RADIUS accounting source ports

Source ports for RADIUS accounting service.

Auth-timeout-interval(in second)

Specifies the authentication timeout interval in seconds.

Acct-timeout-interval(in second)

Specifies the accounting timeout interval in seconds.

Primary-authentication-server

Specifies the secondary authentication server.

Primary-accounting-server

Specifies the primary accounting server.

Secondary-accounting-server

Specifies the timeout period for retransmission.

Secondary-authentication-server

Specifies the secondary accounting server.

Auth-retransmission

Specifies the authentication retransmission time.

Acct-retransmission

Specifies the accounting retransmission time.

Mode

Specifies the working mode in a server group. There are two working modes:

  • Pri-secondary.
  • Load-balance.
Attribute-translation

Whether to enable RADIUS attribute translation (Yes or No).

If this parameter is not configured using the radius-server attribute translate command, the default value NO is displayed.

Authentication-server

Parameters of the RADIUS authentication server, such as the IP address, interface number, weight, RADIUS server status and VPN Up-Group.

RADIUS uses UDP as the transport protocol. The device determines the RADIUS server status based on the radius-server { dead-count dead-count | dead-interval dead-interval | dead-time dead-time } command configuration. The device considers the RADIUS server Down if it receives no response packet after sending request packets to the RADIUS server dead-count times and the time elapsed since the first request packet was sent is greater than dead-interval. After the period of time specified by dead-time, the device assumes that the RADIUS server has gone Up (if the ui-mode type1 command is configured, the status of the RADIUS server is UNKNOWN instead of UP) and resends request packets. If the device does not receive any response packet from the RADIUS server after sending request packets dead-count times and the time since the first request packet was sent is longer than dead-interval, the device sets the status of the RADIUS server to Down. If the RADIUS server is Up, the status of the server is Up after you run the display radius-server configuration command. The system generates logs and traps indicating that the RADIUS server is Up only after it receives a response packet.

The RADIUS server has three states: UP, DOWN, and UNKNOWN. The UNKNOWN state means that the device assumes that the RADIUS server status is Up.

IPv4

IPv4 port for RADIUS authentication.

IPv6

IPv6 port for RADIUS authentication.

Vpn

VPN instance, RADIUS server parameter.

IP

IP address, RADIUS server parameter.
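
The following Python script is an added example, not part of the original reference or of any Huawei tooling. It parses the per-group output format shown in the Example section and reports the server states described under Authentication-server and Accounting-server (DOWN, UNKNOWN, repeated status changes), together with the Tunnel password and Radius-server alarm enable fields. The sample text, the names parse and review, and the flap threshold of 3 are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the per-group output format shown on this page.
SAMPLE = """\
  Server-group-name    :  123
  Authentication-server:  IP:192.168.1.87 Port:1812 Weight[0] [DOWN]
                          Vpn: -
                          Status changing:
                          2015-11-19 08:07:33 [DOWN]
                          2015-11-19 08:09:21 [UP]
                          2015-11-19 08:13:56 [DOWN]
  Authentication-server:  IP:192.168.1.93 Port:1812 Weight[0] [UP] [MASTER]
  Authentication-server:  -
  Accounting-server    :  IP:192.168.1.87 Port:1813 Weight[0] [UNKNOWN]
  Tunnel password      :  simple
  Radius-server alarm enable : NO
"""

SERVER_RE = re.compile(r"^\s*(Authentication|Accounting)-server\s*:\s*IP:(\S+)\s+"
                       r"Port:(\d+)\s+Weight\[(\d+)\]\s+\[(UP|DOWN|UNKNOWN)\](\s+\[MASTER\])?")
CHANGE_RE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\[(UP|DOWN|UNKNOWN)\]")
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
FLAP_THRESHOLD = 3  # assumption: this many recorded status changes counts as flapping

@dataclass
class Server:
    role: str
    ip: str
    port: int
    state: str
    master: bool
    changes: list = field(default_factory=list)  # (timestamp, state) history

@dataclass
class Group:
    name: str
    servers: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # repeated keys keep the last value

def parse(text):
    groups, server = [], None
    for line in text.splitlines():
        if (m := SERVER_RE.match(line)) and groups:
            server = Server(m[1], m[2], int(m[3]), m[5], bool(m[6]))
            groups[-1].servers.append(server)
        elif m := CHANGE_RE.match(line):
            if server:  # history lines belong to the server entry above them
                server.changes.append((m[1], m[2]))
        elif m := FIELD_RE.match(line):
            key, value = m[1], m[2]
            if key == "Server-group-name":
                groups.append(Group(value))
                server = None
            elif key in ("Vpn", "share-key", "Status changing"):
                continue  # per-server detail lines, not group settings
            elif groups:
                server = None  # also covers empty "Authentication-server:  -" slots
                groups[-1].fields[key] = value
    return groups

def review(group):
    findings = []
    for role in ("Authentication", "Accounting"):
        servers = [s for s in group.servers if s.role == role]
        if servers and not any(s.state == "UP" for s in servers):
            findings.append(f"{role}: no server confirmed UP")
    for s in group.servers:
        where = f"{s.role} {s.ip}:{s.port}"
        if s.state == "DOWN":
            findings.append(f"{where}: DOWN")
        elif s.state == "UNKNOWN":  # device assumes Up; no response confirms it
            findings.append(f"{where}: UNKNOWN (assumed up, no response seen yet)")
        if len(s.changes) >= FLAP_THRESHOLD:
            findings.append(f"{where}: {len(s.changes)} status changes recorded")
    if group.fields.get("Tunnel password") == "simple":
        findings.append("Tunnel password mode is simple, not cipher")
    if group.fields.get("Radius-server alarm enable") == "NO":
        findings.append("RADIUS server down alarm is disabled")
    return findings

if __name__ == "__main__":
    for g in parse(SAMPLE):
        print(g.name, *review(g), sep="\n  - ")
```
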

Copyright © Huawei Technologies Co., Ltd.