Cutting down user connections forcibly – H3C Technologies H3C S3100 Series Switches User Manual


Operation: Configure the authorization VLAN for the local user
Command: authorization vlan string
Remarks: Required. By default, no authorization VLAN is configured for the local user.

Operation: Set the attributes of the user whose service type is lan-access
Command: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
Remarks: Optional. When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address (here, ip-address is 127.0.0.1 by default, representing this device). When binding the user to a local port, you need not use nas-ip ip-address.

- The following characters are not allowed in the user-name string: /:*?<>. In addition, you cannot input more than one “@” in the string.

- After the local-user password-display-mode cipher-force command is executed, any password is displayed in cipher mode even if you specify plain-text display of a user password by using the password command.

- If a user name and password are required for user authentication (RADIUS authentication as well as local authentication), the command level that a user can access after login is determined by the privilege level of the user. For SSH users using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces.

- If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface.

- If the clients connected to a port have different authorization VLANs, only the first client passing MAC address authentication can be assigned an authorization VLAN. The switch does not assign authorization VLANs to subsequent users passing MAC address authentication. In this case, it is recommended that you connect only one MAC address authentication user, or multiple users with the same authorization VLAN, to a port.

- For local RADIUS authentication to take effect, the VLAN assignment mode must be set to string after you specify authorization VLANs for local users.
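
As an added illustration (not from the H3C manual or H3C software), the following Python lint applies two of the notes above to a planned layout before it is configured: the user-name character rule and the recommendation that users on one port share a single authorization VLAN. The inventory format, port names and user names are constructed assumptions, and the period after `<>` is read as sentence punctuation rather than as a forbidden character.

```python
# Added example: offline lint of a planned local-user layout (not H3C code).
# Port names, user names and VLAN strings below are constructed.
from collections import defaultdict

FORBIDDEN = set("/:*?<>")  # characters the manual disallows in user-name


def check_user_name(name):
    """Return the problems found in a user-name string (empty list if none)."""
    problems = []
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if name.count("@") > 1:
        problems.append("more than one '@'")
    return problems


def audit(inventory):
    """inventory: (port, user_name, authorization_vlan) tuples.

    Returns ({user_name: problems}, {port: distinct authorization VLANs}).
    A port is listed when its users carry different authorization VLANs,
    because only the first client to authenticate there gets its VLAN.
    """
    name_issues, vlans_by_port = {}, defaultdict(set)
    for port, user, vlan in inventory:
        problems = check_user_name(user)
        if problems:
            name_issues[user] = problems
        vlans_by_port[port].add(vlan)
    conflicts = {p: sorted(v) for p, v in vlans_by_port.items() if len(v) > 1}
    return name_issues, conflicts


SAMPLE = [  # constructed sample inventory
    ("Ethernet1/0/1", "00e0fc000001", "10"),
    ("Ethernet1/0/1", "00e0fc000002", "20"),    # different VLAN, same port
    ("Ethernet1/0/2", "00e0fc000003", "30"),
    ("Ethernet1/0/2", "00e0fc000004", "30"),    # same VLAN: acceptable
    ("Ethernet1/0/3", "guest@lab@corp", "40"),  # two '@'
    ("Ethernet1/0/3", "ops:night", "40"),       # ':' not allowed
]

if __name__ == "__main__":
    issues, conflicts = audit(SAMPLE)
    print("user-name problems:", issues)
    print("ports with conflicting authorization VLANs:", conflicts)
```
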

Cutting Down User Connections Forcibly

Table 2-8 Cut down user connections forcibly

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Cut down user connections forcibly
Command: cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | ipv6 ipv6-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
Remarks: Required
