Configuring user group attributes, Tearing down user connections forcibly, Configuring a nas id-vlan binding – H3C Technologies H3C S5120 Series Switches User Manual

1-17

depends on the level of the user interface. For an SSH user using public key authentication, the

commands that can be used depend on the level configured on the user interface. For details about

authentication method and commands accessible to user interface, refer to Login Configuration.

z

Binding attributes are checked upon authentication of a local user. If the checking fails, the user

fails the authentication. Therefore, be cautious when deciding which binding attributes should be

configured for a local user.

z

Every configurable authorization attribute has its definite application environments and purposes.

Therefore, when configuring authorization attributes for a local user, consider what attributes are

needed.

Configuring User Group Attributes

The concept of user group is introduced to simplify local user configuration and manageability. A user

group consists of a group of local users and has a set of local user attributes. You can configure local

user attributes for a user group to implement centralized management of user attributes for the local

users in the group. Currently, you can configure authorization attributes for a user group.

By default, every newly added local user belongs to a user group named system and bears all attributes

of the group. User group system is automatically created by the device.

Follow these steps to configure the attributes for a user group:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Create a user group and enter user
group view

user-group group-name

Required

Configure the authorization attributes
for the user group

authorization-attribute { acl
acl-number |
callback-number

callback-number | idle-cut
minute | level level |
user-profile profile-name |
vlan vlan-id | work-directory
directory-name } *

Optional

By default, no
authorization attribute is
configured for a user
group.

Tearing down User Connections Forcibly

Follow these steps to tear down user connections forcibly:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Tear down AAA user
connections forcibly

cut connection { access-type dot1x |
all | domain isp-name | interface
interface-type interface-number | ip
ip-address | mac mac-address |
ucibindex ucib-index | user-name
user-name | vlan vlan-id }

Required

Applicable to only LAN access
user connections at present.

Configuring a NAS ID-VLAN Binding

In some application scenarios, it is required to identify the access locations of users. In this case, you

need to configure NAS ID-VLAN bindings on the access device, so that when a user gets online, the