Cutting down user connections forcibly – H3C Technologies H3C WX3000 Series Unified Switches User Manual

To do: Configure the authorization VLAN for the local user
Use the command: authorization vlan string
Remarks: Required. By default, no authorization VLAN is configured for the local user.

To do: Set the attributes of the user whose service type is lan-access
Use the command: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
Remarks: Optional. When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address (here, ip-address is 127.0.0.1 by default, representing this device). When binding the user to a local port, you need not use nas-ip ip-address.
- The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string.

- After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.

- If a user name and password are required for user authentication (RADIUS authentication as well as local authentication), the command level that a user can access after login is determined by the privilege level of the user. For SSH users using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces.

- If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface.

- If the clients connected to a port have different authorization VLANs, only the first client passing the MAC address authentication can be assigned an authorization VLAN. The device will not assign authorization VLANs for subsequent users passing MAC address authentication. In this case, it is recommended that you connect only one MAC address authentication user or multiple users with the same authorization VLAN to a port.

- For local RADIUS authentication or local authentication to take effect, the VLAN assignment mode must be set to string after you specify authorization VLANs for local users.

Cutting Down User Connections Forcibly

Follow these steps to cut down user connections forcibly:

To do: Enter system view
Use the command: system-view

To do: Cut down user connections forcibly
Use the command: cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
Remarks: Required
