remote-download acl support-all-operate access-accept

Function

The remote-download acl support-all-operate access-accept command enables a BRAS to support all operation types of a dynamic ACL delivered using a RADIUS authentication response packet when a user goes online.

The undo remote-download acl support-all-operate access-accept command restores the default configuration.

By default, a BRAS supports only the update-user-class operation type in a dynamic ACL delivered using a RADIUS authentication response packet. That is, if the BRAS receives other operation types in a dynamic ACL delivered using a RADIUS authentication response packet, it also takes the action specified by the update-user-class operation type.

This command is supported only on the NetEngine 8000 F1A.

Format

remote-download acl support-all-operate access-accept

undo remote-download acl support-all-operate access-accept

Parameters

None

Views

AAA view

Default Level

3: Management level

Task Name and Operations

Task Name	Operations
aaa-access	write

Usage Guidelines

Usage Scenario

The RADIUS server can send RADIUS authentication response or change-of-authorization (CoA) packets that carry the Hw-Data-Filter (26-82) attribute to deliver ACLs or dynamically change ACLs it previously delivered to the BRAS.

The RADIUS server can use a RADIUS authentication response or CoA packet to deliver a CoA action string to specify a dynamic ACL's operation types.

A RADIUS authentication response or CoA packet may carry the following operation types of a dynamic ACL:

update-user-class (replacement of dynamic ACL information used by the user): The BRAS references the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet for the user and no longer references the classifier-behavior pair that is being used for the user. If the RADIUS authentication response or CoA packet does not deliver any classifier-behavior pair, no dynamic ACL information is available for the user after the packet is successfully processed.
add-user-class (addition of the classifier-behavior pair for the user): The BRAS references the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet for the user.
del-user-class (deletion of some classifier-behavior pairs for the user): The BRAS deletes the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet from the classifier-behavior pairs that are being referenced for the user.
add-rule (addition of rules to the classifier used by the user): The BRAS adds a rule to the classifier delivered using the RADIUS authentication response or CoA packet.
update-class (replacement of rules and actions in the classifier-behavior pair used by the user): The BRAS replaces rules and actions in the classifier-behavior pair that is used by the user and specified in the RADIUS authentication response or CoA packet with those in the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet.
The BRAS can parse the five operation types in a CoA packet. However, the BRAS supports only the update-user-class operation type in a RADIUS authentication response packet by default. When the BRAS receives other operation types in a dynamic ACL delivered using a RADIUS authentication response packet, it also takes the action specified by the update-user-class operation type.
To enable the BRAS to parse the five operation types in a RADIUS authentication response packet, run the remote-download acl support-all-operate access-accept command.

Prerequisites

The remote-download acl enable command has been run to enable the RADIUS server to create a dynamic ACL.

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Enable a BRAS to support all operation types of a dynamic ACL delivered using a RADIUS authentication response packet when a user goes online.

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] remote-download acl support-all-operate access-accept