remote-download user-group enable

Function

The remote-download user-group enable command enables the RADIUS server to create dynamic user groups.

The undo remote-download user-group enable command disables the RADIUS server from creating dynamic user groups.

By default, the RADIUS server is enabled to create dynamic user groups.

This command is supported only on the NetEngine 8000 F1A.

Format

remote-download user-group enable

undo remote-download user-group enable

Parameters

None

Views

AAA view

Default Level

3: Management level

Task Name and Operations

Task Name Operations
aaa-access write

Usage Guidelines

Usage Scenario

If a carrier wants the RADIUS server to deliver dynamic user groups, but does not want to run commands on the device to create user groups, run the remote-download user-group enable command.

Implementation Procedure

This command takes effect for subsequent login users and for CoA operations of online users.

After the remote-download user-group enable command is run, if the RADIUS server delivers a user group that does not exist on the device, the user group is dynamically created.

If the undo remote-download user-group enable command is run, the dynamic user groups that have been created are not affected, but no subsequent dynamic user groups can be created.

Configuration Impact

Before this command is run, when the Filter-Id attribute or the sub-attribute (subscriber:user group) of the HW-Avpair attribute delivered by the RADIUS server contains users groups that do not exist on the device, for new user authentication and authorization, logout authentication and authorization, the device ignores the delivered user groups; for user re-authorization triggered by CoA re-authentication, the device processes it as CoA failures.

After this command is run, when the Filter-Id attribute delivered by the RADIUS server contains users groups that do not exist on the device, the user groups are dynamically created. If creating these user groups fails, the processing is the same as that when this command is not run.

Before this command is run, if the rules carried in the classifiers delivered by the HW-Data-Filter attribute contain user groups that do not exist on the device, the device cannot parse the HW-Data-Filter attribute.

After this command is run, if the rules carried in the classifiers delivered by the HW-Data-Filter attribute contain user groups that do not exist on the device, the user groups are dynamically created. If creating these user groups fails, the device cannot parse the HW-Data-Filter attribute.

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Enable the RADIUS server to create dynamic user groups.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] remote-download user-group enable
Parent Topic: AAA and User Management Configuration (Access User)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >