```
config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set server {string}
        set secret {password}
        set secondary-server {string}
        set secondary-secret {password}
        set tertiary-server {string}
        set tertiary-secret {password}
        set timeout {integer}
        set all-usergroup [disable|enable]
        set use-management-vdom [enable|disable]
        set nas-ip {ipv4-address}
        set acct-interim-interval {integer}
        set radius-coa [enable|disable]
        set radius-port {integer}
        set h3c-compatibility [enable|disable]
        set auth-type [auto|ms_chap_v2|...]
        set source-ip {string}
        set username-case-sensitive [enable|disable]
        set group-override-attr-type [filter-Id|class]
        set class <name1>, <name2>, ...
        set password-renewal [enable|disable]
        set password-encoding [auto|ISO-8859-1]
        set acct-all-servers [enable|disable]
        set switch-controller-acct-fast-framedip-detect {integer}
        set interface-select-method [auto|sdwan|...]
        set interface {string}
        set switch-controller-service-type {option1}, {option2}, ...
        set rsso [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-radius-response [enable|disable]
        set rsso-validate-request-secret [enable|disable]
        set rsso-secret {password}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-log-period {integer}
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-flush-ip-session [enable|disable]
        set rsso-ep-one-ip-only [enable|disable]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set status [enable|disable]
                set server {string}
                set secret {password}
                set port {integer}
                set source-ip {string}
                set interface-select-method [auto|sdwan|...]
                set interface {string}
            next
        end
    next
end
```

Parameter Name | Description | Type | Size | |
---|---|---|---|---|
server | Primary RADIUS server CN domain name or IP address. | string | Maximum length: 63 | |
secret | Pre-shared secret key used to access the primary RADIUS server. | password | Not Specified | |
secondary-server | {<name_str \| ip_str>} secondary RADIUS CN domain name or IP. | string | Maximum length: 63 | |
secondary-secret | Secret key to access the secondary server. | password | Not Specified | |
tertiary-server | {<name_str \| ip_str>} tertiary RADIUS CN domain name or IP. | string | Maximum length: 63 | |
tertiary-secret | Secret key to access the tertiary server. | password | Not Specified | |
timeout | Time in seconds between re-sending authentication requests. | integer | Minimum value: 1 Maximum value: 300 | |
all-usergroup | Enable/disable automatically including this RADIUS server in all user groups. disable: Do not automatically include this server in a user group. enable: Include this RADIUS server in every user group. | option | - | |
use-management-vdom | Enable/disable using management VDOM to send requests. enable: Send requests using the management VDOM. disable: Send requests using the current VDOM. | option | - | |
nas-ip | IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes. | ipv4-address | Not Specified | |
acct-interim-interval | Time in seconds between each accounting interim update message. | integer | Minimum value: 60 Maximum value: 86400 | |
radius-coa | Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. enable: Enable RADIUS CoA. disable: Disable RADIUS CoA. | option | - | |
radius-port | RADIUS service port number. | integer | Minimum value: 0 Maximum value: 65535 | |
h3c-compatibility | Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. enable: Enable H3C compatibility. disable: Disable H3C compatibility. | option | - | |
auth-type | Authentication methods/protocols permitted for this RADIUS server. auto: Use PAP, MSCHAP_v2, and CHAP (in that order). ms_chap_v2: Microsoft Challenge Handshake Authentication Protocol version 2. ms_chap: Microsoft Challenge Handshake Authentication Protocol. chap: Challenge Handshake Authentication Protocol. pap: Password Authentication Protocol. | option | - | |
source-ip | Source IP address for communications to the RADIUS server. | string | Maximum length: 63 | |
username-case-sensitive | Enable/disable case sensitive user names. enable: Enable username case-sensitive. disable: Disable username case-sensitive. | option | - | |
group-override-attr-type | RADIUS attribute type to override user group information. filter-Id: Filter-Id. class: Class. | option | - | |
class <name> | Class attribute name(s). Class name. | string | Maximum length: 79 | |
password-renewal | Enable/disable password renewal. enable: Enable password renewal. disable: Disable password renewal. | option | - | |
password-encoding | Password encoding. auto: Use original password encoding. ISO-8859-1: Use ISO-8859-1 password encoding. | option | - | |
acct-all-servers | Enable/disable sending of accounting messages to all configured servers (default = disable). enable: Send accounting messages to all configured servers. disable: Send accounting message only to servers that are confirmed to be reachable. | option | - | |
switch-controller-acct-fast-framedip-detect | Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2). | integer | Minimum value: 2 Maximum value: 600 | |
interface-select-method | Specify how to select outgoing interface to reach server. auto: Set outgoing interface automatically. sdwan: Set outgoing interface by SD-WAN or policy routing rules. specify: Set outgoing interface manually. | option | - | |
interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
switch-controller-service-type | RADIUS service type. login: User should be connected to a host. framed: User uses a Framed Protocol. callback-login: User disconnected and called back. callback-framed: User disconnected and called back, then a Framed Protocol. outbound: User granted access to outgoing devices. administrative: User granted access to the administrative unsigned interface. nas-prompt: User provided a command prompt on the NAS. authenticate-only: Authentication requested, and no auth info needs to be returned. callback-nas-prompt: User disconnected and called back, then provided a command prompt. call-check: Used by the NAS in an Access-Request packet, Access-Accept to answer the call. callback-administrative: User disconnected and called back, granted access to the admin unsigned interface. | option | - | |
rsso | Enable/disable RADIUS based single sign on feature. enable: Enable RADIUS based single sign on feature. disable: Disable RADIUS based single sign on feature. | option | - | |
rsso-radius-server-port | UDP port to listen on for RADIUS Start and Stop records. | integer | Minimum value: 0 Maximum value: 65535 | |
rsso-radius-response | Enable/disable sending RADIUS response packets after receiving Start and Stop records. enable: Enable sending RADIUS response packets. disable: Disable sending RADIUS response packets. | option | - | |
rsso-validate-request-secret | Enable/disable validating the RADIUS request shared secret in the Start or End record. enable: Enable validating RADIUS request shared secret. disable: Disable validating RADIUS request shared secret. | option | - | |
rsso-secret | RADIUS secret used by the RADIUS accounting server. | password | Not Specified | |
rsso-endpoint-attribute | RADIUS attribute used to extract the user end point identifier from the RADIUS Start record. Options: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id. | option | - | |
rsso-endpoint-block-attribute | RADIUS attribute used to block a user. Options: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id. | option | - | |
sso-attribute | RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Options: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id. | option | - | |
sso-attribute-key | Key prefix for SSO group value in the SSO attribute. | string | Maximum length: 35 | |
sso-attribute-value-override | Enable/disable override old attribute value with new value for the same endpoint. enable: Enable override old attribute value with new value for the same endpoint. disable: Disable override old attribute value with new value for the same endpoint. | option | - | |
rsso-context-timeout | Time in seconds before the logged out user is removed from the "user context list" of logged on users. | integer | Minimum value: 0 Maximum value: 4294967295 | |
rsso-log-period | Time interval in seconds that group event log messages will be generated for dynamic profile events. | integer | Minimum value: 0 Maximum value: 4294967295 | |
rsso-log-flags | Events to log. protocol-error: Enable this log type. profile-missing: Enable this log type. accounting-stop-missed: Enable this log type. accounting-event: Enable this log type. endpoint-block: Enable this log type. radiusd-other: Enable this log type. none: Disable all logging. | option | - | |
rsso-flush-ip-session | Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. enable: Enable flush user IP sessions on RADIUS accounting stop. disable: Disable flush user IP sessions on RADIUS accounting stop. | option | - | |
rsso-ep-one-ip-only | Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. enable: Enable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start. disable: Disable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start. | option | - | |

config accounting-server

Parameter Name | Description | Type | Size | |
---|---|---|---|---|
status | Status. enable: Log to remote syslog server. disable: Do not log to remote syslog server. | option | - | |
server | {<name_str \| ip_str>} Server CN domain name or IP. | string | Maximum length: 63 | |
secret | Secret key. | password | Not Specified | |
port | RADIUS accounting port number. | integer | Minimum value: 0 Maximum value: 65535 | |
source-ip | Source IP address for communications to the RADIUS server. | string | Maximum length: 63 | |
interface-select-method | Specify how to select outgoing interface to reach server. auto: Set outgoing interface automatically. sdwan: Set outgoing interface by SD-WAN or policy routing rules. specify: Set outgoing interface manually. | option | - | |
interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
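
An added example, not vendor code: a small Python linter that parses a `config user radius` block and checks it against the integer ranges and string lengths listed in the tables above, plus three review flags. The sample configuration, entry names, addresses and secrets are constructed, and treating `auto`/`pap` and RSSO without `rsso-validate-request-secret enable` as review items is this example's assumption.

```python
import shlex

# Limits copied from the parameter tables above.
INT_RANGES = {"timeout": (1, 300), "acct-interim-interval": (60, 86400),
              "radius-port": (0, 65535), "rsso-radius-server-port": (0, 65535),
              "switch-controller-acct-fast-framedip-detect": (2, 600),
              "port": (0, 65535)}
MAX_LEN = {"server": 63, "secondary-server": 63, "tertiary-server": 63,
           "source-ip": 63, "interface": 15, "sso-attribute-key": 35}
AUTH_TYPES = {"auto", "ms_chap_v2", "ms_chap", "chap", "pap"}
SECRET_FOR = {"server": "secret", "secondary-server": "secondary-secret",
              "tertiary-server": "tertiary-secret"}

def parse_radius(text):
    """Parse one well-formed 'config user radius' block into
    {entry: {setting: value, 'accounting-server': {id: {setting: value}}}}."""
    entries, entry, sub, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw)          # strips the quotes around values
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            depth += 1                  # 1 = user radius, 2 = accounting-server
        elif kw == "end":
            depth -= 1
        elif kw == "edit" and depth == 1:
            entry = entries.setdefault(args[0], {"accounting-server": {}})
        elif kw == "edit" and depth == 2:
            sub = entry["accounting-server"].setdefault(args[0], {})
        elif kw == "set":
            (sub if depth == 2 else entry)[args[0]] = " ".join(args[1:])
    return entries

def check_limits(where, s, out):
    for key, (lo, hi) in INT_RANGES.items():
        if key in s and not (s[key].isdigit() and lo <= int(s[key]) <= hi):
            out.append(f"{where}: {key}={s[key]} outside {lo}-{hi}")
    for key, n in MAX_LEN.items():
        if key in s and len(s[key]) > n:
            out.append(f"{where}: {key} longer than {n} characters")

def audit(text):
    """Return a list of findings for every entry in the block."""
    out = []
    for name, s in parse_radius(text).items():
        where, acct = f"radius {name}", s.pop("accounting-server")
        check_limits(where, s, out)
        for srv, sec in SECRET_FOR.items():
            if srv in s and sec not in s:
                out.append(f"{where}: {srv} set without {sec}")
        auth = s.get("auth-type")
        if auth is not None and auth not in AUTH_TYPES:
            out.append(f"{where}: unknown auth-type {auth}")
        elif auth in ("auto", "pap"):   # per the table, auto tries PAP first
            out.append(f"{where}: auth-type {auth} permits PAP")
        if s.get("rsso") == "enable":
            if s.get("rsso-validate-request-secret") != "enable":
                out.append(f"{where}: rsso enabled but "
                           "rsso-validate-request-secret not set to enable")
            elif "rsso-secret" not in s:
                out.append(f"{where}: request validation on, no rsso-secret")
        for aid, a in acct.items():
            check_limits(f"{where} accounting-server {aid}", a, out)
            if "server" in a and "secret" not in a:
                out.append(f"{where} accounting-server {aid}: no secret")
    return out

# Constructed sample input (documentation addresses, placeholder secrets).
SAMPLE = '''
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret PLACEHOLDER-SECRET
        set secondary-server "192.0.2.11"
        set timeout 600
        set auth-type auto
        config accounting-server
            edit 1
                set server "192.0.2.20"
                set secret PLACEHOLDER-SECRET
                set port 70000
                set interface "port-name-that-is-too-long"
            next
        end
    next
    edit "rsso-agent"
        set rsso enable
        set rsso-radius-server-port 1813
    next
end
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Exported configurations usually omit settings left at their defaults, so a finding about a missing `set` line means the value was not stated in the block, not that the device default is known.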