Security management, which includes the management on authentication, authorization, accounting, domains, and users.
Version: 2021-09-16
module huawei-aaa { yang-version 1; namespace "urn:huawei:yang:huawei-aaa"; prefix aaa; import huawei-hwtacacs { prefix hwtacacs; } import huawei-extension { prefix ext; } include huawei-aaa-type; include huawei-aaa-lam; organization "Huawei Technologies Co., Ltd."; contact "Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: http://www.huawei.com Email: support@huawei.com"; description "Security management, which includes the management on authentication, authorization, accounting, domains, and users."; revision "2021-09-16" { description "Modify path of task-group-include-maps, and add ext of authen-scheme-name, and delete default of default-admin-domain."; reference "Huawei private."; } revision "2021-06-23" { description "Modify path of include-user-group-name."; reference "Huawei private."; } revision "2021-03-17" { description "Add read|write|execute|debug node of list user-group-task-group-map."; reference "Huawei private."; } revision "2021-01-28" { description "Add read|write|execute|debug node of list user-group-task-group-map."; reference "Huawei private."; } revision "2021-01-20" { description "Add no-response-authorization node."; reference "Huawei private."; } revision "2020-07-01" { description "Add node constraint information."; reference "Huawei private."; } revision "2020-06-17" { description "Add management-user-qrys node."; reference "Huawei private."; } revision "2020-03-02" { description "Init revision."; reference "Huawei private."; } ext:task-name "aaa"; typedef authen-change { type enumeration { enum "none" { value 0; description "Change authen mode (none)."; } enum "hwtacacs-local" { value 1; description "Tacs authentication fails, switch to local."; } } description "Authen change switch."; } container aaa { description "Security management, which includes the management on authentication, authorization, accounting, domains, and users."; container tasks { config false; description "List of tasks."; list task { key "name"; config false; description "Statistics of minimum unit for dividing rights on an NE. Tasks can be determined when an NE is delivered. Tasks cannot be customized."; leaf name { type string { length "1..32"; } config false; description "Name of a task, it is not case sensitive."; } } // list task } // container tasks container task-groups { description "List of task groups."; list task-group { key "name"; max-elements 256; description "Configure a collection of certain tasks. The default task groups cannot be removed and are set in the system before the NE delivery."; leaf name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Name of a task group."; } container task-group-include-maps { description "List of the task groups included in a main task group."; list task-group-include-map { key "include-task-group-name"; max-elements 1; description "Configure task group included in a main task group."; leaf include-task-group-name { type leafref { path "../../../../task-group/name"; } must "(../../../name!=current())"; description "Name of included task group, it is not case sensitive."; } } // list task-group-include-map } // container task-group-include-maps container task-group-task-maps { description "List of the tasks included in a task group."; list task-group-task-map { key "task-name"; description "Configure task in a task group. The default task group cannot be modified."; leaf task-name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z]+'; } must "(../write='enable' or ../execute='enable' or ../debug='enable' or ../read='enable')"; description "Name of a task. It must be an existing task."; } leaf read { type aaa-enable-type; must "not(../write='disable' and ../execute='disable' and ../debug='disable') or (../write='disable' and ../execute='disable' and ../debug='disable' and ../read!=../write)"; default "disable"; description "To determine whether a task has the read right."; } leaf write { type aaa-enable-type; default "disable"; description "To determine whether a task has the write right."; } leaf execute { type aaa-enable-type; default "disable"; description "To determine whether a task has the operation right."; } leaf debug { type aaa-enable-type; default "disable"; description "To determine whether a task has the debug right."; } } // list task-group-task-map } // container task-group-task-maps } // list task-group } // container task-groups container user-groups { description "List of user groups."; list user-group { key "name"; max-elements 64; description "Configure a collection of certain users. Certain default user groups are set before an NE is delivered and cannot be deleted."; leaf name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Name of a user group."; } container user-group-task-group-maps { description "List of the task groups included in a user group."; list user-group-task-group-map { key "task-group-name"; description "Configure task group in a user group."; leaf task-group-name { type leafref { path "../../../../../task-groups/task-group/name"; } description "Name of a task group, it is not case sensitive."; } } // list user-group-task-group-map } // container user-group-task-group-maps container user-group-include-maps { description "List of the user groups included in a main user group."; list user-group-include-map { key "include-user-group-name"; max-elements 1; description "Configure user group included in a main user group."; leaf include-user-group-name { type leafref { path "../../../../user-group/name"; } must "(../../../name!=current())"; description "Name of a user group, it is not case sensitive."; } } // list user-group-include-map } // container user-group-include-maps } // list user-group } // container user-groups container authentication-schemes { description "List of authentication scheme."; list authentication-scheme { key "authen-scheme-name"; max-elements 32; description "Configure authentication scheme. The default authentication scheme cannot be deleted."; leaf authen-scheme-name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Name of an authentication scheme."; } choice authen-mode-type { description "Sorting method of authentication mode."; case ordered-strictly { description "Ordered strictly case."; leaf first-authen-mode { type aaa-authen-mode; must "(../first-authen-mode!='invalid' )"; default "local"; description "Preferred authentication mode. The second, third, or fourth authentication mode is used only when the first authentication mode does not respond. The first authentication mode cannot be set to unavailable."; } leaf second-authen-mode { type aaa-authen-mode; must "(../second-authen-mode!='radius-proxy' and (((../first-authen-mode='none' or ../first-authen-mode='radius-proxy') and (../second-authen-mode='invalid')) or ((../first-authen-mode!='none' and ../first-authen-mode!='radius-proxy') and ../first-authen-mode!=../second-authen-mode)))"; default "invalid"; description "Authentication mode with the preference lower than the first authentication mode. The second authentication mode is used when the first authentication mode does not respond. If the setting of the second authentication mode is unavailable, the third and fourth authentication modes fail to be set."; } leaf third-authen-mode { type aaa-authen-mode; must "(../third-authen-mode!='radius-proxy' and ((../second-authen-mode ='none' or ../second-authen-mode='invalid') and (../third-authen-mode='invalid') ) or ((../second-authen-mode !='none' and ../second-authen-mode!='invalid' and ../first-authen-mode!='radius-proxy') and ../third-authen-mode!=../second-authen-mode and ../third-authen-mode!=../first-authen-mode ))"; default "invalid"; description "Authentication mode with the preference lower than the first and second authentication modes. The third authentication mode is used when the first and second authentication modes do not respond. If the setting of the third authentication mode is unavailable, the fourth authentication mode fails to be set."; } leaf fourth-authen-mode { type aaa-authen-mode; must "(../fourth-authen-mode='none' and ../first-authen-mode!='invalid' and ../first-authen-mode!='none' and ../first-authen-mode!='radius-proxy' and ../second-authen-mode!='invalid' and ../second-authen-mode!='none' and ../third-authen-mode!='invalid' and ../third-authen-mode!='none' ) or ../fourth-authen-mode='invalid' "; default "invalid"; description "Authentication mode with the least preference. The fourth authentication mode is used when the first, second, and third authentication modes do not respond. If the setting of the fourth authentication mode is unavailable or the fourth authentication mode does not respond, the authentication fails."; } } // case ordered-strictly } // choice authen-mode-type leaf authentication-change { type authen-change; default "none"; description "Enable/disable auto change authen mode."; } } // list authentication-scheme } // container authentication-schemes container authorization-schemes { description "List of authorization scheme."; list authorization-scheme { key "author-scheme-name"; max-elements 32; description "Configure authorization scheme. The default authorization scheme cannot be deleted."; leaf author-scheme-name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Name of an authorization scheme. The name uniquely identifies the authorization scheme and can be used in the domain."; } choice author-mode-type { description "Sorting method of authorization mode."; case ordered-strictly { description "Ordered strictly case."; leaf first-author-mode { type aaa-author-mode; must "../first-author-mode='local' or ../first-author-mode='hwtacacs' or ../first-author-mode='if-authenticated' or ../first-author-mode='none'"; default "local"; description "Preferred authorization mode. The second, third, or fourth authorization mode can be used only when the first authorization mode does not respond. The first authorization mode must be available."; } leaf second-author-mode { type aaa-author-mode; must "(../first-author-mode='none' and (../second-author-mode='invalid') ) or (../first-author-mode!='invalid' and ../first-author-mode!='none' and ../second-author-mode!=../first-author-mode)"; default "invalid"; description "Authorization mode with the preference next to the first authorization mode. It is used when the first authorization mode does not respond. If the setting of the second authorization mode is unavailable, the third and fourth authorization modes fail to be set."; } leaf third-author-mode { type aaa-author-mode; must "((../second-author-mode='none' or ../second-author-mode='invalid') and ../third-author-mode='invalid' ) or (../second-author-mode !='none' and ../second-author-mode!='invalid' and ../first-author-mode!='none' and ../third-author-mode!=../second-author-mode and ../third-author-mode!=../first-author-mode ) or (../first-author-mode='none' and (../third-author-mode='invalid') )"; default "invalid"; description "Authorization mode with the preference next to the first and second authorization modes. It is used when the first and second authorization modes do not respond. If the setting of the third authorization mode is unavailable, the fourth authorization mode fails to be set."; } leaf fourth-author-mode { type aaa-author-mode; must "(../fourth-author-mode='none' and ../first-author-mode!='invalid' and ../first-author-mode!='none' and ../second-author-mode!='invalid' and ../second-author-mode!='none' and ../third-author-mode!='invalid' and ../third-author-mode!='none' ) or ../fourth-author-mode='invalid' "; default "invalid"; description "Authorization mode with the least preference. It is used when the first, second, and third authorization modes do not respond. If the setting of the fourth authorization mode is unavailable or the fourth authorization mode does not respond, the authorization fails."; } } // case ordered-strictly } // choice author-mode-type leaf no-lvl-first-cmd-author { type aaa-author-cmd-mode; must "../no-lvl-first-cmd-author='local' or ../no-lvl-first-cmd-author='hwtacacs'"; default "local"; description "Configures the first authorization mode for users of user group."; } leaf no-lvl-second-cmd-author { type aaa-author-cmd-mode; must "(../no-lvl-first-cmd-author='local' and (../no-lvl-second-cmd-author='invalid' or ../no-lvl-second-cmd-author='hwtacacs') ) or ((not(../no-lvl-first-cmd-author='local') and (../no-lvl-second-cmd-author='invalid' or ../no-lvl-second-cmd-author='local') ))"; default "invalid"; description "Configures the second authorization mode for users of user group."; } leaf no-response-policy { type author-no-res-policy-type; default "online"; description "Configures a policy for a scenario where no responses are obtained during command line-based authorization."; } leaf no-response-times { when "../no-response-policy='offline'"; type uint32 { range "1..10"; } default "5"; description "Configures the number of times of failed authorization."; } container authorization-cmds { description "List of authorization cmd."; list authorization-cmd { key "level"; description "Configure authorization cmd."; leaf level { type uint32 { range "0..15"; } description "The level of authorization cmd."; } choice cmd-author-mode-type { description "Sorting method of cmd authorization mode."; case ordered-strictly { description "Ordered strictly case."; leaf first-cmd-author { type aaa-author-cmd-mode; must "../first-cmd-author='local' or ../first-cmd-author='hwtacacs'"; default "local"; description "First cmd authorization mode."; } leaf second-cmd-author { type aaa-author-cmd-mode; must "(../first-cmd-author='local' and (../second-cmd-author='invalid' or ../second-cmd-author='hwtacacs') ) or ((not(../first-cmd-author='local') and (../second-cmd-author='invalid' or ../second-cmd-author='local') ))"; default "invalid"; description "Second cmd authorization mode."; } } // case ordered-strictly } // choice cmd-author-mode-type } // list authorization-cmd } // container authorization-cmds } // list authorization-scheme } // container authorization-schemes container accounting-schemes { description "List of accounting scheme."; list accounting-scheme { key "acct-scheme-name"; max-elements 256; description "Configure accounting scheme. The default accounting scheme cannot be deleted."; leaf acct-scheme-name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Accounting scheme name."; } leaf accounting-mode { type aaa-acct-mode; must "../accounting-mode='radius' or ../accounting-mode='hwtacacs' or ../accounting-mode='none'"; default "none"; description "Accounting Mode."; } } // list accounting-scheme } // container accounting-schemes container domains { description "List of domain."; list domain { key "name"; max-elements 1024; description "Configure in a domain, users apply the same authentication/authorization scheme or server. The default domain cannot be deleted."; leaf name { ext:case-sensitivity "lower-only"; type string { length "1..64"; pattern '([^A-Z*?"']{3,})|[^A-Z*?"'-]|([^A-Z*?"'-][^A-Z*?"'])|([^A-Z*?"'][^A-Z*?"'-])'; } description "Name of a domain."; } leaf admin-level { type uint32 { range "0..15"; } description "The admin level of domain. If the command level adjustment function is disabled, the value of adminLevel ranges from 0 to 3. If the command level adjustment function is enabled, the value of adminLevel ranges from 0 to 15."; } leaf authen-scheme-name { ext:dynamic-default { ext:default-value "default0" { when "../name = 'default0'"; } ext:default-value "default1" { when "../name = 'default1'"; } ext:default-value "default" { when "../name = 'default_admin'"; } ext:default-value "default1"; } type leafref { path "../../../authentication-schemes/authentication-scheme/authen-scheme-name"; } description "Name of the authentication scheme used by the domain, it is not case sensitive. The default value varies according to domains. The default value is restored when the node is deleted."; } leaf author-scheme-name { type leafref { path "../../../authorization-schemes/authorization-scheme/author-scheme-name"; } description "Name of the authorization scheme used by the domain, it is not case sensitive. The default value varies according to domains. The default value is restored when the node is deleted."; } leaf acct-scheme-name { ext:dynamic-default { ext:default-value "default0" { when "../name = 'default0'"; } ext:default-value "default1" { when "../name = 'default1'"; } ext:default-value "default0" { when "../name = 'default_admin'"; } ext:default-value "default1"; } type leafref { path "../../../accounting-schemes/accounting-scheme/acct-scheme-name"; } description "Name of the accounting scheme used by the domain, it is not case sensitive. The default value varies according to domains. The default value is restored when the node is deleted."; } leaf access-limit { type int32 { range "0..2147483647"; } description "Domain max access number. The default value is defined in the PAF file and is restored when the node is deleted."; } leaf radius-server-template { type string { length "1..32"; } description "Name of the RADIUS server used by the domain, it is not case sensitive."; } leaf hwtacacs-server-template { type leafref { path "/hwtacacs:hwtacacs/hwtacacs:templates/hwtacacs:template/hwtacacs:name"; } description "Name of the HWTACACS server used by the domain, it is not case sensitive."; } leaf state { type aaa-state-type; default "active"; description "Activated state of the domain."; } leaf time-range-enable { type boolean; default "false"; description "Enable/disable the time range function used by a domain."; } leaf service-terminal { type boolean; default "true"; description "Enable/disable users to log in Terminal mode."; } leaf service-telnet { type boolean; default "true"; description "Enable/disable users to log in Telnet mode."; } leaf service-ftp { type boolean; default "true"; description "Enable/disable users to log in FTP mode."; } leaf service-ppp { type boolean; default "true"; description "Enable/disable users to log in PPP mode."; } leaf service-ssh { type boolean; default "true"; description "Enable/disable users to log in SSH mode."; } leaf service-qx { type boolean; default "true"; description "Enable/disable users to log in QX mode."; } leaf service-snmp { type boolean; default "true"; description "Enable/disable users to log in SNMP mode."; } leaf service-mml { type boolean; default "true"; description "Enable/disable users to log in MML mode."; } leaf service-http { type boolean; default "true"; description "Enable/disable users to log in HTTP mode."; } leaf online-num { type int32 { range "0..2147483647"; } config false; description "Online number of the domain."; } container bas { description "Configure the bas domain."; container ipv4-basic-access { description "Configure the IPv4 basic access domain."; container max-user-reauth-time { description "Configure the maximum reauthentication time of a domain."; leaf time { type uint16; units "s"; default "300"; description "Sets the maximum reauthentication time of a domain."; } } // container max-user-reauth-time container ip-pools { description "List of ip pools bound to the domain."; list ip-pool { key "name"; max-elements 1024; description "Configure the list of IP address pools bound to the domain."; leaf name { type leafref { path "/bras-ipv4-address-manage:bras-ipv4-address-manage/bras-ipv4-address-manage:ipv4-pools/bras-ipv4-address-manage:ipv4-pool/bras-ipv4-address-manage:name"; } must "(/bras-ipv4-address-manage:bras-ipv4-address-manage/bras-ipv4-address-manage:ipv4-pools/bras-ipv4-address-manage:ipv4-pool[bras-ipv4-address-manage:name=current()]/bras-ipv4-address-manage:type = 'dynamic' or (/bras-ipv4-address-manage:bras-ipv4-address-manage/bras-ipv4-address-manage:ipv4-pools/bras-ipv4-address-manage:ipv4-pool[bras-ipv4-address-manage:name=current()]/bras-ipv4-address-manage:local/bras-ipv4-address-manage:gateway/bras-ipv4-address-manage:gate-ip or /bras-ipv4-address-manage:bras-ipv4-address-manage/bras-ipv4-address-manage:ipv4-pools/bras-ipv4-address-manage:ipv4-pool[bras-ipv4-address-manage:name=current()]/bras-ipv4-address-manage:remote/bras-ipv4-address-manage:gateway/bras-ipv4-address-manage:gate-ip))"; description "Specifies the name of an IP address pool."; } } // list ip-pool } // container ip-pools container accounting-copy-radius { description "Configure RADIUS server group to send accounting packets of a domain."; leaf name { type leafref { path "/radius:radius/radius:radius-server-groups/radius:radius-server-group/radius:name"; } description "Enables the system to send accounting packets of a domain to a configured RADIUS server group."; } leaf realtime-accounting-copy { type boolean; default "true"; description "Enable/disable users' real-time accounting packets not copied to the RADIUS server."; } } // container accounting-copy-radius container dns-server { description "Configure the IP address of the DNS server."; leaf primary-ip { type inet:ipv4-address-no-zone; description "Specifies the IP address of the primary DNS server."; } leaf secondary-ip { type inet:ipv4-address-no-zone; description "Specifies the IP address of the secondary DNS server."; } } // container dns-server container nbns-server { description "Configure the IP address of the nbns server."; leaf primary-ip { type inet:ipv4-address-no-zone; description "Specifies the IP address of the primary DNS server."; } leaf secondary-ip { type inet:ipv4-address-no-zone; description "Specifies the IP address of the secondary DNS server."; } } // container nbns-server container user-group { description "Configure the name of the user group bound to the domain."; leaf name { type leafref { path "/bras-basic-access:bras-basic-access/bras-basic-access:user-groups/bras-basic-access:user-group/bras-basic-access:name"; } description "Specifies the name of the user group bound to the domain."; } } // container user-group container user-group-list { description "Configure the name of the user group list bound to the domain."; leaf name { type leafref { path "/bras-basic-access:bras-basic-access/bras-basic-access:user-group-lists/bras-basic-access:user-group-list/bras-basic-access:name"; } description "Specifies the name of the user group list bound to the domain."; } } // container user-group-list container policy-route { description "Configure the next-hop of the policy-based route for all users in a domain."; leaf ipv4-address { type inet:ipv4-address-no-zone; description "Specifies the next-hop IP address of the policy-based route for all users in a domain."; } leaf ipv6-address { type inet:ipv6-address-no-zone; description "Specifies the next-hop IPv6 address of the policy-based route for all users in a domain."; } } // container policy-route container user-max-session { description "Configure the maximum number of users."; leaf number { type uint32 { range "0..3145728"; } description "Specifies the maximum number of users that can use the same user account."; } leaf local-user-name-case-insensitive { when "../number"; type boolean; default "false"; description "Enable/disable the local user account is case-insensitive."; } } // container user-max-session container ip-unr-route-tag { description "Configure a route tag for host routes of IPv4 users and network segment routes generated based on the Framed-Route attribute delivered by the RADIUS server."; leaf value { type uint32; description "Specify a route tag."; } } // container ip-unr-route-tag container user-detect { must "(retransmit-time and interval) or (not(retransmit-time) and not(interval))"; description "Configure a user group in the domain."; leaf retransmit-time { type uint32 { range "2..120"; } description "Indicates the number of times for detecting users by sending ARP packets."; } leaf interval { type uint32 { range "0..1800"; } units "s"; description "Indicates the interval for detecting users by sending ARP packets."; } } // container user-detect container user-basic-service-ip-type { description "Configure the user basic service type."; leaf ipv4 { type boolean; default "false"; description "Enable/disable the user basic service type is IPv4."; } leaf ipv6 { type boolean; default "false"; description "Enable/disable the user basic service type is IPv6."; } leaf ipv6-pd { type boolean; default "false"; description "Enable/disable the user basic service type is IPv6 PD."; } } // container user-basic-service-ip-type container cui { description "Configure users in a domain to apply to the RADIUS server for the CUI attribute when requesting to get online, and then adds the CUI attribute to the subsequent user accounting packets."; leaf enable { type boolean; default "false"; description "Enable/disable users in a domain to apply to the RADIUS server for the CUI attribute when requesting to get online, and then adds the CUI attribute to the subsequent user accounting packets."; } } // container cui container ip-pool-mode { description "Configure ip pool mode."; leaf layer2-user-priority { type ip-pool-priority-layer2; default "local"; description "The layer 2 users priority in which an IP address pool assigns IP addresses."; } leaf layer3-user-priority { type ip-pool-priority-layer3; default "based-on-gateway-address"; description "The layer 3 users priority in which an IP address pool assigns IP addresses."; } leaf user-type { when "../layer2-user-priority='remote'"; type enumeration { enum "ipoe" { value 1; description "Ipoe."; } enum "pppoe" { value 2; description "Pppoe."; } } description "Specifies the type of a user."; } } // container ip-pool-mode container accounting-exclude-vlan { description "Configure the router to exclude VLAN header length from packet length when collecting statistics about user packet bytes. This command applies to both IPv4 and IPv6 packet statistics."; leaf ipoe { type boolean; default "false"; description "Enable/disable IPoE user."; } leaf pppoe { type boolean; default "false"; description "Enable/disable PPPoE user."; } } // container accounting-exclude-vlan container annex { must "(direction and string) or (not(direction) and not(string))"; description "Configure string information to the left/right side of a domain name when the BRAS sends authentication and accounting request packets to the RADIUS server."; leaf direction { type enumeration { enum "left" { value 1; description "Adds string information to the left side."; } enum "right" { value 2; description "Adds string information to the right side."; } } description "Adds string information to the left or right side."; } leaf string { when "../direction"; type string { length "1..31"; } description "Specifies the string added to the DHCP option 125 attribute."; } } // container annex container mac-authentication { description "Configure MAC address authentication."; leaf enable { type boolean; default "false"; description "Enable/disable MAC address authentication."; } } // container mac-authentication container ip-pool-groups { description "List of the address pool group in a domain."; list ip-pool-group { key "name"; max-elements 8; description "Configure an address pool group."; leaf name { type leafref { path "/bras-ipv4-address-manage:bras-ipv4-address-manage/bras-ipv4-address-manage:pool-groups/bras-ipv4-address-manage:pool-group/bras-ipv4-address-manage:name"; } description "Specifies the name of an IP address pool."; } } // list ip-pool-group } // container ip-pool-groups container framed-ip-urpf { description "Configure URPF when IP addresses are delivered by the RADIUS server."; leaf enable { type boolean; default "true"; description "Enable/disable URPF when IP addresses are delivered by the radius server."; } } // container framed-ip-urpf container map-priority { description "Configure a device to preferentially assign MAP-T prefixes to users."; leaf map-t-priority { type boolean; default "false"; description "Enable/disable MAP priority in a domain."; } } // container map-priority container idle-user-control-policy { description "Configure idle user control policy."; leaf cut-time { type uint32 { range "0..2880"; } units "min"; default "0"; description "Specifies the period after which the user connection is torn down."; } choice cut-rate { default "rate"; description "Config cut rate."; case rate { description "Cut rate."; leaf rate { type uint32 { range "0..76800000"; } units "1/60 kB/s"; default "60"; description "Specifies the amount of user traffic rate. If the user traffic rate is less than the amount, the user is considered idle."; } } // case rate case zero-rate { description "Zero cut rate."; leaf zero-rate { type empty; description "Indicates that if the time when the user traffic rate is less than 1Kbyte/min reaches the idle-time value, the system will disconnect the idle user."; } } // case zero-rate } // choice cut-rate leaf cut-flow-direction { type enumeration { enum "inbound" { value 1; description "Indicates that the parameter idle takes effect only on the upstream traffic."; } enum "outbound" { value 2; description "Indicates that the parameter idle takes effect only on the downstream traffic."; } } description "Indicates that the parameter idle takes effect on the upstream or downstream traffic."; } } // container idle-user-control-policy container quota-out { description "Configure quota out."; choice policy { default "offline"; description "Quota out policy."; case offline { description "Quota out offline policy."; leaf offline { type empty; description "Forces the users to go offline."; } } // case offline case online { description "Quota out online policy."; leaf online { type empty; description "Allows the users to remain online."; } } // case online case redirect { description "Quota out redirect policy."; leaf url { type string { length "1..200"; } description "Specifies the URL for forcible redirection."; } leaf stop-accounting { when "../url"; type empty; description "Indicates that a user sends an accounting-stop packet after the user is redirected because the quota of the user is used up."; } } // case redirect case realtime-accounting { description "Quota out realtime accounting policy."; leaf enable { type empty; description "Indicates that a user sends real-time accounting packets after the quota of the user is used up."; } } // case realtime-accounting } // choice policy } // container quota-out container any-address-release { description "Configure a device to forcibly log out a dual-stack user if the user releases any IP address."; leaf offline { type boolean; default "false"; description "Enable/disable a device to forcibly log out a dual-stack user if the user releases any IP address."; } } // container any-address-release container public-ip-address-pool-usage-threshold { must "(lower and upper) or (not(lower) and not(upper) and both-cgn = 'false')"; description "Configure threshold for public IP address pool usage in an AAA domain."; leaf lower { type uint32 { range "0..99"; } units "%"; description "Lower threshold for public IP address pool usage in an AAA domain."; } leaf upper { when "../lower"; type uint32 { range "1..100"; } units "%"; must "../upper > ../lower"; description "Upper threshold for public IP address pool usage in an AAA domain."; } leaf both-cgn { type boolean; default "false"; description "Enable/disable threshold in an AAA domain. The public IP address pool status is determined by the address pool usage in both CGN and non-CGN scenarios. By default, the public IP address pool status is safe in non-CGN scenarios."; } } // container public-ip-address-pool-usage-threshold container user-volume-quato { description "Configure a user traffic volume quota to upstream or downstream traffic."; leaf direction { type enumeration { enum "both" { value 0; description "Both inbound and outbound direction."; } enum "inbound" { value 1; description "Inbound direction."; } enum "outbound" { value 2; description "Outbound direction."; } } default "both"; description "User flow quota applying direction. By default, the user traffic volume quota applies to both upstream and downstream traffic."; } } // container user-volume-quato container accounting-start-delay { description "Configure a device to send an accounting-start packet about a dual-stack user after a specified delay."; leaf ipv4-immediately { type boolean; default "false"; description "Enable/disable accounting immediately when the IPv4 stack is online."; } container delay-policy { presence "Delay policy."; description "Configure a device to send an accounting-start packet about a dual-stack user after a specified delay for user."; leaf time { type uint32 { range "1..300"; } units "s"; mandatory true; description "Specifies a delay in sending accounting-start packets."; } leaf method { type enumeration { enum "online" { value 1; description "The user stays online and the device sends accounting-start packets after the specified delay."; } enum "offline" { value 2; description "The device forcibly logs out the user after the specified delay."; } } mandatory true; description "User delay process method."; } choice user-type { mandatory true; description "User type for enable a device to send an accounting-start packet about a dual-stack user after a specified delay."; case all { description "Enable a device to send an accounting-start packet about a dual-stack user after a specified delay all user type."; leaf all { when "../method='offline'"; type empty; description "Delay process for All user type."; } } // case all case spec { description "Enable a device to send an accounting-start packet about a dual-stack user after a specified delay special user type."; leaf ppp { type empty; description "Delay process for PPP access user."; } leaf ipoe { type empty; description "Delay process for IPoE access user."; } leaf l2tp { type empty; description "Delay process for L2TP access user."; } leaf static { type empty; description "Delay process for Static access user."; } } // case spec } // choice user-type } // container delay-policy container traffic { description "Configure a device to send an accounting-start packet about a dual-stack user after a specified delay for traffic."; leaf forward-before-start-accounting { type boolean; default "false"; description "Enable/disable users to access the network before starting accounting message."; } leaf statistics-before-start-accounting { type boolean; default "false"; description "Enable/disable the traffic of ueser accessing to network before starting accounting message."; } } // container traffic } // container accounting-start-delay container radius-no-response { description "Configure the lease time of the users of an unresponsive RADIUS server."; leaf lease-time { type uint32 { range "60..65535"; } units "s"; description "Specifies the lease time of the users of an unresponsive RADIUS server."; } } // container radius-no-response container ip-usage-threshold { must "not(upper) or not(lower) or upper >= lower"; description "Configure alarm threshold for the IP address usage."; leaf lower { type uint32 { range "0..99"; } units "%"; description "Specifies a lower alarm threshold for the IP address usage."; } leaf upper { type uint32 { range "1..100"; } units "%"; description "Specifies an upper alarm threshold for the IP address usage."; } } // container ip-usage-threshold container nas-logic { description "Configure the logical."; leaf system-name { type string { length "1..30"; } description "Specifies the logical host name."; } } // container nas-logic container llid-first-authentication-radius-server-group { description "Configure RADIUS server group name of LLID first authentication."; leaf name { type leafref { path "/radius:radius/radius:radius-server-groups/radius:radius-server-group/radius:name"; } must "../../../../aaa:radius-server-template"; description "RADIUS server group name."; } } // container llid-first-authentication-radius-server-group container non-accouting-time-range { description "Configure the name of a time range for non-accounting."; leaf name { type leafref { path "/timerange:time-range/timerange:time-range-instances/timerange:time-range-instance/timerange:name"; } description "Specifies the name of a time range."; } } // container non-accouting-time-range container pre-auth-radius-server-groups { description "List of RADIUS server group to use for pre-authentication in a domain."; list pre-auth-radius-server-group { key "radius-server-group-name"; unique "priority"; max-elements 3; description "Configure a RADIUS server group to use for pre-authentication in a domain."; leaf radius-server-group-name { type leafref { path "/radius:radius/radius:radius-server-groups/radius:radius-server-group/radius:name"; } description "Specifies a RADIUS server group to use for pre-authentication."; } leaf priority { type uint8 { range "0..2"; } default "0"; description "Specifies the priority of a RADIUS server group to use for pre-authentication."; } } // list pre-auth-radius-server-group } // container pre-auth-radius-server-groups } // container ipv4-basic-access container bras-auto-save { description "Configure a domain and enters the domain; alternatively, you can enter the existing domain. Exceptionally, the node in this module cannot be deleted or removed to delete its child nodes."; container dhcp-auto-save { description "Configure automatic backup of DHCPv4 user information in a domain."; leaf enable { type boolean; default "false"; description "Enable/disable automatic backup of DHCPv4 user information."; } } // container dhcp-auto-save } // container bras-auto-save container vas { must "not(./service-policy-group/name and ./vas-policy/name)"; description "Configure vas in aaa domain model."; container service-rate-limit-mode { description "Configure a rate limit mode for EDSG service traffic."; leaf inbound { type bras-vas-rate-limit-mode; default "car"; description "Configuring the upstream rate limit mode."; } leaf outbound { type bras-vas-rate-limit-mode; default "car"; description "Configuring the downstream rate limit mode."; } } // container service-rate-limit-mode container edsg-traffic-mode { description "Configure EDSG service rate limiting and traffic statistics policies. By default, the rate of service traffic is separately limited and is not affected by user bandwidth. Only user traffic is counted as user traffic."; leaf rate-limit-and-traffic-static { type enumeration { enum "default-mode" { value 0; description "By default, the rate of service traffic is separately limited and is not affected by user bandwidth. Only user traffic is counted as user traffic."; } enum "separate" { value 1; description "Performs separate rate limiting on service traffic."; } enum "together" { value 2; description "Performs rate limiting on service traffic and then user traffic."; } } default "default-mode"; description "Configures EDSG service rate limiting mode."; } } // container edsg-traffic-mode container billing-server-type { description "Configure the accounting server type. By default, Router considers all accounting servers supporting the dynamic policy."; leaf type { type enumeration { enum "dynamic" { value 1; description "Specifies the dynamic policy switch mode."; } enum "normal" { value 2; description "Specifies the normal policy switch mode."; } } default "dynamic"; description "Configures the accounting server type."; } } // container billing-server-type container daa-coexist-qos-profile { description "Configure the QoS profile attribute to take effect when DAA services are dynamically modified."; leaf enable { type boolean; default "false"; description "Enable/disable the QoS profile attribute to take effect when DAA services are dynamically modified."; } } // container daa-coexist-qos-profile container daa-match-direction { description "Configure the upstream or downstream traffic of users that go online through an AAA domain against DAA services."; leaf inbound { type boolean; default "false"; description "Enable/disable the DAA service matching function of upstream traffic of users that go online through domain."; } leaf outbound { type boolean; default "false"; description "Enable/disable the DAA service matching function of downstream traffic of users that go online through domain."; } } // container daa-match-direction container family-schedule { description "Configure EDSG services to support HQoS scheduling for home users."; leaf inbound { type boolean; default "false"; description "Enable/disable upstream traffic for home users."; } leaf outbound { type boolean; default "false"; description "Enable/disable downstream traffic for home users."; } } // container family-schedule container traffic-match-user-group { description "Configure EDSG service traffic to match a user group."; leaf direction { type enumeration { enum "both" { value 0; description "Indicates both upstream and downstream EDSG service traffic."; } enum "inbound" { value 1; description "Indicates upstream EDSG service traffic."; } enum "outbound" { value 2; description "Indicates downstream EDSG service traffic."; } } description "Indicates upstream or downstream EDSG service traffic."; } } // container traffic-match-user-group container account-type { must "../account-type/radius-server-group-name or not(../account-type/type='radius')"; description "Configure a value-added service accounting mode. default accounting, none accounting, and RADIUS accounting can be adopted for the value-added services. If no accounting mode is specified, the default accounting mode is adopted."; leaf type { type enumeration { enum "default" { value 1; description "Default accounting."; } enum "none" { value 2; description "None accounting."; } enum "radius" { value 3; description "RADIUS accounting."; } } default "default"; description "Configures a value-added service accounting mode. default accounting, none accounting, and RADIUS accounting can be adopted for the value-added services."; } leaf radius-server-group-name { when "../type='radius'"; type leafref { path "/radius:radius/radius:radius-server-groups/radius:radius-server-group/radius:name"; } description "Specifies the name of the RADIUS server group. The server group must be a configured RADIUS server group."; } } // container account-type container vas-policy { description "Configure the value-added service policy used by the domain."; leaf name { type leafref { path "/bras-vas:bras-vas/bras-vas:vas-policys/bras-vas:vas-policy/bras-vas:name"; } must "/bras-vas:bras-vas/bras-vas:vas-policys/bras-vas:vas-policy[bras-vas:name=current()]/bras-vas:type='daa'"; description "Specifies the name of the service policy used by the domain. The policy must be a configured service policy."; } } // container vas-policy container service-policy { description "Configure a service policy to a domain."; leaf name { type leafref { path "/bras-vas:bras-vas/bras-vas:service-policys/bras-vas:service-policy/bras-vas:name"; } must "/bras-vas:bras-vas/bras-vas:service-policys/bras-vas:service-policy[name=current()]/mode='portal'"; description "Specifies a service policy name."; } } // container service-policy container edsg-accounting-copy-server { description "Configure EDSG service accounting copy and configures a RADIUS copy server group."; leaf radius-server-group-name { type leafref { path "/radius:radius/radius:radius-server-groups/radius:radius-server-group/radius:name"; } description "Specifies the name of a RADIUS copy server group."; } } // container edsg-accounting-copy-server container service-policy-group { description "Configure the service policy group used by the domain."; leaf name { type leafref { path "/bras-vas:bras-vas/bras-vas:service-policy-groups/bras-vas:service-policy-group/bras-vas:name"; } description "Specifies the name of the service policy group used by the domain. The policy group must be a configured service policy group."; } } // container service-policy-group container daa-accounting-merge { description "Configure daa accounting packet merging for value added services."; leaf start-packet { type boolean; default "false"; description "Enable/disable accounting start packets merged."; } leaf stop-packet { type boolean; default "false"; description "Enable/disable accounting stop packets merged."; } leaf interim-packet-interval { type uint32 { range "30..65535"; } units "min"; description "Specifies an interval at which real-time accounting packets are merged."; } leaf interim-packet-hash { when "../interim-packet-interval"; type boolean; default "false"; description "Enable/disable the hash function for post-merging real-time accounting packets for value-added services. If both interval and hash are specified, the time for sending a real-time accounting packet for the first time is random and the random time ranges from interval to double interval."; } } // container daa-accounting-merge container edsg-accounting-merge { description "Configure edsg accounting packet merging for value added services."; container stop-packet { description "Configure accounting stop packets merged."; leaf enable { type boolean; default "false"; description "Enable/disable accounting stop packets merged."; } leaf report-drop-flowqueue-direct { when "../enable='true'"; type flowqueue-direction-type; description "Specifies the direction of reporting dropped SQ traffic."; } } // container stop-packet container interim-packet { description "Configure accounting interim packets merged."; leaf interval { type uint32 { range "30..65535"; } units "min"; description "Specifies an interval at which real-time accounting packets are merged."; } leaf hash-packet { when "../interval"; type boolean; default "false"; description "Enable/disable the hash function for post-merging real-time accounting packets for value-added services. If both interval and hash are specified, the time for sending a real-time accounting packet for the first time is random and the random time ranges from interval to double interval."; } leaf report-drop-flowqueue-direct { when "../interval"; type flowqueue-direction-type; description "Specifies the direction of reporting dropped SQ traffic."; } } // container interim-packet } // container edsg-accounting-merge } // container vas container web-authen { description "Configure WEB authentication on domain."; container reallocate-ip-address { description "Configure IP address reallocation during post domain authentication."; leaf enable { type boolean; default "false"; description "Enable/disable IP address reallocation during post domain authentication."; } } // container reallocate-ip-address } // container web-authen container http-redirect { must "not(./web-server-address/ip-address and ./web-server-address-slave/ip-address and ./web-server-address/ip-address=./web-server-address-slave/ip-address)"; must "not(./web-server-address/ipv6-address and ./web-server-address-slave/ipv6-address and ./web-server-address/ipv6-address=./web-server-address-slave/ipv6-address)"; must "not(./web-server-url/url-name = ./web-server-url-slave/url-name)"; description "Configure HTTP redirect."; container portal-redirect-age { description "Configure the portal redirect function."; leaf time { type uint32 { range "1..900"; } units "s"; description "Specifies the captive portal timeout period."; } } // container portal-redirect-age container portal-redirect-pppoe-url { description "Configure the portal redirect function."; leaf authenticate { type string { length "1..200"; } description "Sets the URL for forcibly redirecting an authenticated PPPoE user to a portal."; } } // container portal-redirect-pppoe-url container portal-redirect-identical-url { description "Configure the portal redirect function."; leaf enable { type boolean; default "false"; description "Enable/disable IPv4 and IPv6 users to use identical URL and the IPv6 redirection web page to be pushed to users in IPv6 forcible redirection scenarios."; } } // container portal-redirect-identical-url container portal-server { description "Configure the mandatory parameters in the domain. Including the IP address of the portal server, redirected URL, number of forcible redirection attempts, URL parameters, and whether a user is redirected to the first URL entered by the user, user MAC address in redirection packets."; leaf url-parameter { type empty; description "Indicates whether the redirected URL carries wlanusername."; } leaf cipher-key-type { type enumeration { enum "cipher-without-key" { value 1; description "Use an empty string as the key for encryption."; } } description "Displays whether the ciphertext of a user MAC address is empty."; } leaf shared-key-cipher { when "not(../cipher-key-type)"; type pub-type:password-extend { length "1..128"; } description "Specifies the keyword for generating ciphertext user MAC address to be displayed,the simple password length ranges from 1 to 16, and the cipher password length ranges from 1 to 128."; } leaf ip-address { type inet:ipv4-address-no-zone; description "Specifies the IPv4 address of the portal server."; } leaf ipv6-address { type inet:ipv6-address-no-zone; description "Specifies the IPv6 address of the portal server."; } leaf redirect-limit { type uint32 { range "1..5"; } default "2"; description "Specifies the number of forcible redirection attempts."; } leaf url { type string { length "1..200"; } description "Indicates the redirected URL address."; } } // container portal-server container web-server-url { presence "Create web-server-url."; description "Enable/disable a redirection URL for mandatory web authentication and configures the web authentication server bound to the mandatory web authentication server in a domain."; leaf url-name { type string { length "1..200"; } must "../url-name != '-' and ../url-name != '--'"; description "Specifies the redirection URL for mandatory web authentication."; } leaf auth-ip-address { when "../url-name"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server/bras-web-authen:ip"; } must "not(../../web-server-address) or (../../web-server-address/auth-ip-address and ../../web-server-address[auth-ip-address = current()])"; description "Specifies the IPv4 or IPv6 address of the web authentication server to which the mandatory web server is bound, in dotted decimal notation."; } leaf vpn-name { when "../auth-ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server[bras-web-authen:ip=current()/../auth-ip-address]/bras-web-authen:vpn-name"; } mandatory true; description "Specifies the name of the VPN instance to which the bound web authentication server belongs. Public network vpn-name value is '_public_'."; } } // container web-server-url container web-server-url-slave { presence "Create web-server-url-slave."; description "Enable/disable a redirection URL for mandatory web authentication and configures the web authentication server bound to the mandatory web authentication server in a domain as slave."; leaf url-name { type string { length "1..200"; } must "../url-name != '-' and ../url-name != '--'"; description "Specifies the redirection URL for mandatory web authentication."; } leaf auth-ip-address { when "../url-name"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server/bras-web-authen:ip"; } must "not(../../web-server-address-slave) or (../../web-server-address-slave/auth-ip-address and ../../web-server-address-slave[auth-ip-address = current()])"; description "Specifies the IPv4 or IPv6 address of the web authentication server to which the mandatory web server is bound, in dotted decimal notation."; } leaf vpn-name { when "../auth-ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server[bras-web-authen:ip=current()/../auth-ip-address]/bras-web-authen:vpn-name"; } mandatory true; description "Specifies the name of the VPN instance to which the bound web authentication server belongs. Public network vpn-name value is '_public_'."; } } // container web-server-url-slave container web-server-address { presence "Create web-server-address."; description "Enable/disable an IP address or an IPv6 address for the web server and configures the web authentication server bound to the mandatory web authentication server in a domain."; leaf ip-address { type inet:ipv4-address-no-zone; description "Specifies the IP address of the web server."; } leaf ipv6-address { type inet:ipv6-address-no-zone; description "Specifies the IPv6 address of the web server."; } leaf auth-ip-address { when "../ipv6-address or ../ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server/bras-web-authen:ip"; } must "not(../../web-server-url) or (../../web-server-url/auth-ip-address and ../../web-server-url[auth-ip-address = current()])"; description "Specifies the IPv4 or IPv6 address of the web authentication server to which the mandatory web server is bound, in dotted decimal notation."; } leaf vpn-instance { when "../auth-ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server[bras-web-authen:ip=current()/../auth-ip-address]/bras-web-authen:vpn-name"; } mandatory true; description "Specifies the name of the VPN instance to which the bound web authentication server belongs. Public network vpn-name value is '_public_'."; } } // container web-server-address container web-server-address-slave { presence "Create web-server-address-slave."; description "Enable/disable an IP address or an IPv6 address for the web server and configures the web authentication server bound to the mandatory web authentication server in a domain as slave."; leaf ip-address { type inet:ipv4-address-no-zone; description "Specifies the IP address of the web server."; } leaf ipv6-address { type inet:ipv6-address-no-zone; description "Specifies the IPv6 address of the web server."; } leaf auth-ip-address { when "../ipv6-address or ../ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server/bras-web-authen:ip"; } must "not(../../web-server-url-slave) or (../../web-server-url-slave/auth-ip-address and ../../web-server-url-slave[auth-ip-address = current()])"; description "Specifies the IPv4 or IPv6 address of the web authentication server to which the mandatory web server is bound, in dotted decimal notation."; } leaf vpn-instance { when "../auth-ip-address"; type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server[bras-web-authen:ip=current()/../auth-ip-address]/bras-web-authen:vpn-name"; } mandatory true; description "Specifies the name of the VPN instance to which the bound web authentication server belongs. Public network vpn-name value is '_public_'."; } } // container web-server-address-slave container web-redirect { description "Configure web redirect."; leaf work-mode { type enumeration { enum "get" { value 1; description "Indicates that the working mode is get."; } enum "post" { value 2; description "Indicates that the working mode is post."; } } default "get"; description "Indicates that the working mode."; } } // container web-redirect container web-redirect-identical { description "Configure web redirect identical url."; leaf url { type boolean; default "false"; description "Enable/disable identical url."; } } // container web-redirect-identical container redirect-users-to-urls { description "List of forcibly redirects users in a domain to a URL."; list redirect-users-to-url { key "index"; description "Configure forcibly redirects users in a domain to a URL."; leaf index { type uint32 { range "1..5"; } description "Specifies the index of a URL."; } leaf value { type string { length "1..200"; } mandatory true; description "Specifies the URL to which users are forcibly redirected. The URL can be a domain name or an IP address, such as 10.0.0.1, http://10.0.0.1, www.huawei.com, and http://www.huawei.com."; } } // list redirect-users-to-url } // container redirect-users-to-urls container web-first-url { must "not(./key-string and ./default-name='true')"; description "Configure the web-first-url."; leaf key-string { type string { length "1..31"; pattern '[a-zA-Z0-9._-]{1,31}'; } must "../key-string != '-' and ../key-string != '--'"; description "Specifies a homepage to be displayed after a user is authenticated by a web server. By default, a homepage will not be displayed after a user is authenticated by a web server."; } leaf default-name { type boolean; default "false"; description "Enable/disable the default keyword used when a homepage to be displayed after a user is authenticated by a web server is wlanuserfirsturl."; } } // container web-first-url container web-individualization { must "not(./subscription-id-keyword and ./agent-remoteid-keyword)"; presence "web-individualization."; description "Configure the web individualization."; leaf user-ipaddress-keyword { type string { length "1..32"; } description "Specifies the keyword of the user IP address."; } leaf ipaddress-of-router-keyword { type string { length "1..32"; } description "Specifies the keyword of the IP address of the router. If a source interface on the BRAS to the web server is specified using the web-auth-server source command in the system scenario, mscg-ip is the IP address of the outbound interface. If no source interface is specified, mscg-ip is the IP address of the outbound interface of the route to the network segment of the IP address of the web server in the routing table of the BRAS."; } leaf bras-name-for-users-login-keyword { type string { length "1..32"; } description "Specifies the keyword of the router name for users' login."; } leaf logical-host-name { type string { length "1..32"; } description "Specifies the logical host name."; } leaf user-defined-ssid-keyword { type string { length "1..32"; } description "Specifies the key value of the user-defined portal parameter SSID."; } leaf physical-location-keyword { type string { length "1..32"; } description "Specifies the keyword of physical location information."; } leaf agent-remoteid-keyword { type string { length "1..32"; } description "Specifies the key value of the user-defined portal parameter agent-remote-id."; } leaf subscription-id-keyword { type string { length "1..32"; } description "Specifies the key value of the user-defined portal parameter subscription-id."; } leaf user-mac-keyword { type string { length "1..32"; } description "Specifies the keyword of the user MAC address."; } leaf user-mac-simple-text-keyword { when "../user-mac-keyword"; type boolean; default "false"; description "Enable/disable the keyword of the user MAC address in simple text."; } leaf user-mac-display-format { when "../user-mac-simple-text-keyword='true'"; type boolean; default "false"; description "Enable/disable the user MAC address is displayed in the format of aa:bb:cc:dd:ee:ff. By default, the MAC address is displayed in the format of aa-bb-cc-dd-ee-ff."; } leaf user-mac-aes128-cipher-text { when "../user-mac-keyword"; type boolean; must "(../user-mac-aes128-cipher-text='false' and ../user-mac-simple-text-keyword='false' and ../user-mac-encrypt-in-des='true') or (../user-mac-aes128-cipher-text='false' and ../user-mac-encrypt-in-des='false' and ../user-mac-simple-text-keyword='true') or (../user-mac-encrypt-in-des='false' and ../user-mac-simple-text-keyword='false' and ../user-mac-aes128-cipher-text='true')"; default "true"; description "Enable/disable the keyword of the user MAC address to be encrypted in AES128 mode and to be transmitted in ciphertext."; } leaf user-mac-encrypt-in-cbc { when "../user-mac-aes128-cipher-text='true'"; type boolean; default "false"; description "Enable/disable the keyword of user MAC address to be encrypted in CBC mode."; } leaf user-mac-encrypt-in-gcm { when "../user-mac-aes128-cipher-text='true'"; type boolean; must "not(../user-mac-encrypt-in-cbc='true' and ../user-mac-encrypt-in-gcm='true')"; default "true"; description "Enable/disable the keyword of user MAC address to be encrypted in GCM mode."; } leaf user-mac-encrypt-in-des { when "../user-mac-keyword"; type boolean; default "false"; description "Enable/disable the keyword of user MAC address to be encrypted in DES mode."; } leaf ap-mac-keyword { type string { length "1..32"; } description "Specifies the keyword of the AP MAC address."; } leaf ap-mac-simple-text-keyword { when "../ap-mac-keyword"; type boolean; default "false"; description "Enable/disable the keyword of the AP MAC address in simple text."; } leaf ap-mac-display-format { when "../ap-mac-simple-text-keyword='true'"; type boolean; default "false"; description "Enable/disable the AP MAC address is displayed in the format of aa:bb:cc:dd:ee:ff. By default, the MAC address is displayed in the format of aa-bb-cc-dd-ee-ff."; } leaf ap-mac-aes128-cipher-text { when "../ap-mac-keyword"; type boolean; must "(../ap-mac-aes128-cipher-text='false' and ../ap-mac-simple-text-keyword='false' and ../ap-mac-encrypted-in-des='true') or (../ap-mac-aes128-cipher-text='false' and ../ap-mac-encrypted-in-des='false' and ../ap-mac-simple-text-keyword='true') or (../ap-mac-encrypted-in-des='false' and ../ap-mac-simple-text-keyword='false' and ../ap-mac-aes128-cipher-text='true')"; default "true"; description "Enable/disable the keyword of the AP MAC address to be encrypted in AES128 mode and to be transmitted in ciphertext."; } leaf ap-mac-encrypted-in-cbc { when "../ap-mac-aes128-cipher-text='true'"; type boolean; default "false"; description "Enable/disable the keyword of AP MAC address to be encrypted in CBC mode."; } leaf ap-mac-encrypted-in-gcm { when "../ap-mac-aes128-cipher-text='true'"; type boolean; must "not(../ap-mac-encrypted-in-cbc='true' and ../ap-mac-encrypted-in-gcm='true')"; default "true"; description "Enable/disable the keyword of AP MAC address to be encrypted in GCM mode."; } leaf ap-mac-encrypted-in-des { when "../ap-mac-keyword"; type boolean; default "false"; description "Enable/disable the keyword of AP MAC address to be encrypted in DES mode."; } } // container web-individualization container web-share-key { description "Configure the web share key."; leaf carried-in-url-of-web-page { type boolean; default "false"; description "Enable/disable the keywords carried in the URL of a web page pushed by the portal server. The keywords are user-ip and ac-name nas-serial."; } leaf cipher-key-type { type enumeration { enum "cipher-without-key" { value 1; description "Use an empty string as the key for encryption."; } } description "Displays whether the ciphertext of a user MAC address or an AP MAC address is empty."; } leaf shared-key-cipher { when "not(../cipher-key-type)"; type pub-type:password-extend { length "1..128"; } description "Specifies the keyword for generating ciphertext user MAC address or AP MAC address to be displayed."; } } // container web-share-key container portal-individualization { must "not(./first-page-url-keyword and ./first-page-url-default-keyword='true')"; description "Configure the portal individualization."; leaf user-macaddress { type string { length "1..32"; } must "not(../user-macaddress-in-simple-mode='false' and ../user-macaddress-in-aes128-gcm='false' and ../user-macaddress-in-aes128-cbc='false' and ../user-macaddress-in-des='false')"; description "Specifies a user MAC address."; } leaf user-macaddress-in-simple-mode { when "../user-macaddress"; type boolean; must "(../user-macaddress-in-simple-mode='false') or (../user-macaddress-in-aes128-gcm='false' and ../user-macaddress-in-aes128-cbc='false' and ../user-macaddress-in-des='false')"; default "false"; description "Enable/disable the user MAC address carried in redirection packets is encapsulated in simple mode."; } leaf delimiter-of-user-macaddress { when "../user-macaddress-in-simple-mode='true'"; type boolean; default "false"; description "Enable/disable the delimiter of user MAC addresses is a colon (:)."; } leaf user-macaddress-in-aes128-cbc { when "../user-macaddress"; type boolean; must "(../user-macaddress-in-aes128-cbc='false') or (../user-macaddress-in-simple-mode='false' and ../user-macaddress-in-des='false' and ../user-macaddress-in-aes128-gcm='false')"; default "false"; description "Enable/disable the user MAC address carried in redirection packets is encrypted in AES128 and CBC mode and to be transmitted in ciphertext."; } leaf user-macaddress-in-aes128-gcm { when "../user-macaddress"; type boolean; must "(../user-macaddress-in-aes128-gcm='false') or (../user-macaddress-in-simple-mode='false' and ../user-macaddress-in-des='false' and ../user-macaddress-in-aes128-cbc='false')"; default "true"; description "Enable/disable the user MAC address carried in redirection packets is encrypted in AES128 and GCM mode and to be transmitted in ciphertext."; } leaf user-macaddress-in-des { when "../user-macaddress"; type boolean; must "(../user-macaddress-in-des='false') or (../user-macaddress-in-simple-mode='false' and ../user-macaddress-in-aes128-cbc='false' and ../user-macaddress-in-aes128-gcm='false')"; default "false"; description "Enable/disable the user MAC address carried in redirection packets is encapsulated in DES mode."; } leaf first-page-url-keyword { type string { length "1..31"; } description "Specifies the keyword used in the function of displaying the page at the first URL."; } leaf first-page-url-default-keyword { type boolean; default "false"; description "Enable/disable the default keyword wlanuserfirsturl in the function of displaying the page at the first URL."; } } // container portal-individualization container dns-redirect { description "Configure DNS redirect Web server address."; leaf server-ip { type inet:ipv4-address-no-zone; description "The IP address of the redirect Web server."; } } // container dns-redirect container post-domain { description "Configure post domain login for web user."; choice auto-login-type { description "Configure post domain auto login type for web user."; case web { description "Configure post domain auto login type web."; leaf ip-address { type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server/bras-web-authen:ip"; } mandatory true; description "Web authentication server ip address."; } leaf vpn-instance { type leafref { path "/bras-web-authen:bras-web-authen/bras-web-authen:ip-servers/bras-web-authen:ip-server[bras-web-authen:ip=current()/../ip-address]/bras-web-authen:vpn-name"; } mandatory true; description "Web authentication server vpn instance. Public network vpn-name value is '_public_'"; } } // case web case coa { description "Configure post domain auto login type coa."; leaf enable { type empty; description "Enable/disable coa auto login type."; } } // case coa } // choice auto-login-type } // container post-domain } // container http-redirect container bras-qos { description "Configure the Bas-qos model in domain."; container time-range-qos-enable { description "Configure the time range during which a QoS profile takes effect."; leaf enable { type boolean; default "false"; description "Enable/disable time range qos profile."; } } // container time-range-qos-enable container time-range-qos-profiles { description "List of the QoS profile to take effect during a time range for users in the AAA domain."; list time-range-qos-profile { key "range-name"; description "Configure the QoS profile to take effect during a time range for users in the AAA domain."; leaf range-name { type leafref { path "/timerange:time-range/timerange:time-range-instances/timerange:time-range-instance/timerange:name"; } description "Specifies the name of a time range."; } leaf qos-profile-name { type leafref { path "/qos:qos/qos:queue-scheduler-template/qos:profiles/qos:profile/qos:name"; } must "/qos:qos/qos:queue-scheduler-template/qos:profiles/qos:profile[qos:name=current()]/qos:mode='normal'"; mandatory true; description "Specifies the name of a QoS profile."; } } // list time-range-qos-profile } // container time-range-qos-profiles container trusts { description "List of configure trust diffserv domain."; list trust { key "up-stream-flag"; description "Configure trust diffserv domain."; leaf up-stream-flag { type aaa-stream-flag; description "To select trusting diffserv domain."; } leaf diffserv-domain-name { type leafref { path "/qos:qos/qos:classifier-template/qos:diffserv-domains/qos:diffserv-domain/qos:name"; } default "default"; description "Name of a diffserv domain."; } } // list trust } // container trusts container per-hop-behaviors { description "List of configure priority mappings."; list per-hop-behavior { key "type"; description "Configure priority mappings."; leaf type { type aaa-map-type; description "Map type."; } } // list per-hop-behavior } // container per-hop-behaviors container user-prioritys { description "List of configure user priority."; list user-priority { ext:generated-by "system" { description "The instance is generated automatically."; } ext:operation-exclude "create" { description "The instances cannot be created."; } key "direction"; description "Configure user priority."; leaf direction { type aaa-direction-type; description "Direction."; } choice type { default "trust"; description "Specify type of user priority."; case trust { description "Specify type of user priority choice case as trust."; leaf trust-type { type aaa-trust-type; default "unchangeable"; description "Trust type."; } } // case trust case priority { description "Specify type of user priority choice case as priority value."; leaf priority-value { type uint8 { range "0..7"; } description "Priority value."; } } // case priority } // choice type } // list user-priority } // container user-prioritys container profile-applys { description "List of configure QoS profile application."; list profile-apply { key "direction"; description "Configure QoS profile application."; leaf direction { type qos:qos-direction-type; description "Direction."; } leaf profile-name { type leafref { path "/qos:qos/qos:queue-scheduler-template/qos:profiles/qos:profile/qos:name"; } must "/qos:qos/qos:queue-scheduler-template/qos:profiles/qos:profile[qos:name=current()]/qos:mode='normal'"; mandatory true; description "Name of Qos Profile."; } } // list profile-apply } // container profile-applys container redirect-diffserv-domain { description "Configure redirect diffserv domain."; leaf diffserv-domain-name { type leafref { path "/qos:qos/qos:classifier-template/qos:diffserv-domains/qos:diffserv-domain/qos:name"; } description "Name of a diffserv domain."; } } // container redirect-diffserv-domain container session-group-excludes { description "List of configure session group exclude."; list session-group-exclude { must "(./type='all' and not (../session-group-exclude[type='user-queue']) and not(../session-group-exclude[type='car']) or (./type!='all' and not(../session-group-exclude[type='all'])))"; key "type direction"; description "Configure session group exclude."; leaf type { type exclude-type; description "Session group exclude type."; } leaf direction { type qos:qos-direction-type; description "Direction."; } } // list session-group-exclude } // container session-group-excludes container l2-user-priority { description "Configure L2 user priority."; leaf trust-type { type aaa-l2-trust-type; description "Trust type."; } } // container l2-user-priority container rate-limits { description "List of configure rate limit mode."; list rate-limit { key "direction"; description "Configure rate limit mode."; leaf direction { type qos:qos-direction-type; description "Direction."; } leaf mode { type rate-mode-type; mandatory true; description "Rate limit mode."; } } // list rate-limit } // container rate-limits container dscp-user-priority { description "Configure dscp user priority."; leaf value { type uint8 { range "0..63"; } description "Dscp value."; } } // container dscp-user-priority container link-adjustment { description "Configure link adjustment."; leaf enable { type qos:enable-type; description "Link adjustment remote enable."; } leaf adjust-value { type int32 { range "-64..-1 | 1..64"; } description "Adjust value."; } leaf shaping-mode { type qos:link-adjustment-type; description "Shaping mode. If users access the network through PPPoA, the remote link type must be set to cell; if users access the network through PPPoE, the remote link type does not need to be set to cell."; } } // container link-adjustment container user-queue-granularitys { description "Configure user queue granularity."; container user-queue-granularity { presence "create user-queue-granularity"; description "Enable/disable user queue granularity."; leaf granularity-value { type granularity-type; units "kbit/s"; mandatory true; description "Specify the value of granularity (range:1/16/32/64/128/256/512/1024)."; } } // container user-queue-granularity } // container user-queue-granularitys } // container bras-qos } // container bas } // list domain } // container domains container login-alarm-threshold { description "Configure alarm when manager login failed frequently."; leaf report-times { type uint16 { range "0..100"; } units "min"; must "../resume-times<=../report-times"; default "30"; description "Login Alarm report times."; } leaf resume-times { type uint16 { range "0..100"; } must "../resume-times<=../report-times"; default "20"; description "Login Alarm resume times."; } leaf period { type uint16 { range "1..120"; } units "min"; default "5"; description "Login Alarm period."; } } // container login-alarm-threshold container alive-user-qrys { config false; description "List of alive users."; list alive-user-qry { key "user-id"; config false; description "Statistics of active users."; leaf user-id { type uint32; config false; description "User ID."; } leaf user-name { type string { length "1..253"; } config false; description "Name of an access user, it is not case sensitive."; } leaf level { type uint32 { range "0..15"; } config false; description "User level."; } leaf user-group-name { type string { length "1..32"; } config false; description "Specifies the name of a user group, it is not case sensitive."; } leaf name { type string { length "1..64"; } config false; description "Name of a domain, it is not case sensitive."; } leaf access-type { type aaa-user-access-type; config false; description "Access type."; } leaf authen-type { type aaa-authen-access-type; config false; description "Authentication Type."; } leaf authen-method { type aaa-authen-mode; config false; description "Alive user current authentication mode."; } leaf authen-state { type aaa-authen-state-type; config false; description "Authentication state."; } leaf author-method { type aaa-author-mode; config false; description "Current authorization mode."; } leaf author-state { type aaa-author-state-type; config false; description "Author state."; } leaf acct-method { type aaa-acct-mode; config false; description "Current accounting Mode."; } leaf acct-state { type aaa-acct-state-type; config false; description "Accounting state."; } } // list alive-user-qry } // container alive-user-qrys container global-policy { description "Configure global policy."; leaf domain-location { type aaa-domain-location-type; default "after-delimiter"; description "Domain Location."; } leaf domain-parse-direction { type aaa-parse-direction-type; default "left-to-right"; description "Domain Parse Direction."; } leaf default-admin-domain { type leafref { path "../../domains/domain/name"; } description "Admin user default domain."; } leaf default-access-domain { type leafref { path "../../domains/domain/name"; } description "Access user default domain."; } leaf parse-priority { type aaa-parse-priority-type; default "domain-first"; description "Specifies priorities for parsing domain names."; } leaf realm-location { type aaa-realm-location-type; default "before-delimiter"; description "Specifies a position for a realm domain name."; } leaf real-name-delimiter { type string { length "1"; pattern '[/:<>\|@%']'; } description "Specifies a realm name delimiter used to parse the user account. The value is a single character. It can be one of the following symbols: back-slant, /, :, <, >, |, @, %, '."; } leaf real-name-parse-direction { type aaa-parse-direction-type; default "left-to-right"; description "Specifies a parsing direction for the realm name."; } leaf roam-character { type string { length "1"; pattern '[/:*<>\|]'; } default ":"; description "Specifies an identifier for a roaming user. The value is a single character. It can be one of the following symbols: back-slant, /, :, *, <, >, |."; } } // container global-policy container recording { description "Configure recording function."; container function { description "Configure recording function."; leaf cmd-record-scheme { type leafref { path "../../schemes/scheme/name"; } description "The recording scheme used by cmd recording."; } leaf system-record-scheme { type leafref { path "../../schemes/scheme/name"; } description "Configures a solution to record system events. Currently, only events triggered by the reboot command are recorded."; } leaf outbound-record-scheme { type leafref { path "../../schemes/scheme/name"; } description "Records remote login operations for the device that functions as the client."; } } // container function container schemes { description "List of recording scheme."; list scheme { key "name"; description "Configure recording scheme."; leaf name { ext:case-sensitivity "lower-only"; type string { length "1..32"; pattern '[^A-Z/\*":?<>|]+'; } description "Recording scheme name."; } leaf tacacs-group { type leafref { path "/hwtacacs:hwtacacs/hwtacacs:templates/hwtacacs:template/hwtacacs:name"; } description "The binded HWTACACS server."; } } // list scheme } // container schemes } // container recording container online-offline-rec-switch { description "Configure whether to enable login failure and logout recording for management users."; leaf login-fail-rec-switch { type aaa-enable-type; default "enable"; description "Enables recording of login failures."; } leaf logout-rec-switch { type aaa-enable-type; default "enable"; description "Enables recording of normal and abnormal logouts."; } leaf abnormal-logout-rec-switch { type aaa-enable-type; default "enable"; description "Enables recording of abnormal logouts."; } leaf normal-logout-rec-switch { type aaa-enable-type; default "enable"; description "Enables recording of normal logouts."; } } // container online-offline-rec-switch container abnormal-offline-hidens { description "List of the function that replaces the abnormal offline reason with 'the user requests to go offline'."; list abnormal-offline-hiden { key "hidden-id"; description "Configure the function that replaces the abnormal offline reason with 'the user requests to go offline'."; leaf hidden-id { type uint32 { range "2..18"; } description "Specifies an ID for an abnormal logout reason."; } } // list abnormal-offline-hiden } // container abnormal-offline-hidens container lam { description "Configure the local account and related policy management functions."; container login-failed-limit { description "Configure login failed times limit in special period."; leaf failed-times { type uint32 { range "0..10"; } default "5"; description "Indicates the consecutive failure times. 0 indicates that the number of times for a user to fail the authentification continuously is not restricted."; } leaf period { type uint32 { range "1..120"; } units "min"; default "5"; description "Specifies a period for consecutive authentication failures."; } leaf reactive-time { type uint32 { range "0..1000"; } units "min"; default "5"; description "Specifies an automatic activation time for a locked account. 0 indicates that the locked account will not be unlocked automatically."; } } // container login-failed-limit container user-security-policy { description "Configure local user security policy."; leaf security-policy { type boolean; default "true"; description "Enable/disable the local user security policy function."; } leaf user-aging-period { type uint32 { range "1..365"; } description "The period of user age."; } leaf user-name-min-len { type uint32 { range "0..253"; } default "0"; description "The minimum length of username, 0 indicates that the length is not limited."; } } // container user-security-policy container password-policy { description "Configure local-user password policy."; leaf expire-days { type uint16 { range "0..365"; } units "d"; must "../prompt-days<=../expire-days"; default "0"; description "Password expire days, 0 indicates that password is useful forever."; } leaf prompt-days { type uint16 { range "0..180"; } units "d"; must "../prompt-days<=../expire-days"; default "0"; description "Password promptdays."; } leaf change-check { type boolean; default "false"; description "Enable/disable the function to prompt a user to change the password upon first-time use."; } leaf complexity-check { type boolean; default "false"; description "Enable/disable password complexity check."; } leaf pwd-min-length { type uint32 { range "3..128"; } description "Specifies a minimum password length for local users."; } leaf expired-pwd-reuse-num { type uint32; config false; description "Max. Number of times to reuse expired password."; } leaf history-pwd-num { type uint32 { range "1..20"; } default "10"; description "History password number."; } leaf pwd-expire-days { type uint32; units "d"; config false; description "The passowrd will expire in the special days."; } leaf pwd-force-change { type boolean; default "true"; description "Enable/disable the function of forcing a user to change the password upon first use."; } } // container password-policy container forbidden-word-rules { description "List of password black."; list forbidden-word-rule { key "forbidden-word"; description "Configure password forbidden rule."; leaf forbidden-word { ext:case-sensitivity "lower-or-upper"; type string { length "1..255"; } description "Forbidden word."; } } // list forbidden-word-rule } // container forbidden-word-rules container users { description "List of local user."; list user { key "name"; max-elements 1024; description "Configure local user."; leaf name { type string { length "1..253"; pattern '[^A-Z]+'; } description "Name of a local user. The minimum length of a username is determined by user-name-min-len and security-policy. If security-policy is set to false and user-name-min-len is configured, the configuration takes effect. When security-policy is set to true, the minimum length of the username must be at least 6 characters. If user-name-min-len is configured and the user-name-min-len value is greater than 6 characters, the minimum length of the username is equal to the user-name-min-len value. If security-policy is set to false and user-name-min-len is not configured, the minimum length of the username is 1. If the username contains more than 32 characters, service-snmp cannot be set to true."; } leaf end-life-date { type pub-type:date; description "The end date of local user's life."; } leaf is-login-anytime { type boolean; must "(not(../begin-login-day='sun' and ../end-login-day='sat' and ../begin-login-time='00:00:00' and ../end-login-time='23:59:59') and ../is-login-anytime='false') or (../begin-login-day='sun' and ../end-login-day='sat' and ../begin-login-time='00:00:00' and ../end-login-time='23:59:59' and ../is-login-anytime='true')"; default "true"; description "Enable/disable the flag of login anytime."; } leaf begin-login-day { type lam-weekday-type; must "not(../is-login-anytime='true') or (../is-login-anytime='true' and ../begin-login-day='sun')"; default "sun"; description "The begin day of week for login."; } leaf end-login-day { type lam-weekday-type; must "not(../is-login-anytime='true') or (../is-login-anytime='true' and ../end-login-day='sat')"; default "sat"; description "The end day of week for login."; } leaf begin-login-time { type pub-type:time; must "not(../is-login-anytime='true') or (../is-login-anytime='true' and ../begin-login-time='00:00:00')"; default "00:00:00"; description "The begin time of every login day. The begin-login-time must be five or more minutes earlier than the end-login-time."; } leaf end-login-time { type pub-type:time; must "not(../is-login-anytime='true') or (../is-login-anytime='true' and ../end-login-time='23:59:59')"; default "23:59:59"; description "The end time of every login day. The end-login-time must be five or more minutes later than the begin-login-time."; } leaf aging-in-days { type uint32 { range "0..365"; } units "d"; description "The user will age if not online in the special days."; } leaf password-expire-in-days { type uint32 { range "0..999"; } units "d"; description "The passowrd will expire in the special days."; } leaf group-name { type string { length "1..32"; } description "Name of the user group where the user belongs, it must be an existing user group. The user inherits all the rights of the user group."; } leaf state { type user-state-type; default "active"; description "Activated state of a user."; } leaf failed-times { when "../state='active'"; type uint32 { range "0..10"; } must "(../interval) and ((../interval!=0) or (../failed-times=0 and ../interval=0))"; default "0"; description "When user continuous authen failed times reach the limit, the user is locked."; } leaf interval { when "../state='active'"; type uint32 { range "0..65535"; } units "min"; must "(../failed-times) and ((../failed-times!=0) or (../failed-times=0 and ../interval=0))"; default "0"; description "Set a user lockout period (in minutes). If a user is locked due to consecutive authentication failures, the user is automatically unlocked after the set period expires. 0 indicats that the locked user is not automatically unlocked."; } leaf password-type { type aaa-pwd-mode-type; must "../password"; default "irreversible-cipher"; description "Set a password type, which can be cipher or irreversible-cipher. Cipher passwords are encrypted and generated using the reversible algorithm, while irreversible-cipher passwords are encrypted and generated using the irreversible algorithm."; } leaf password { type pub-type:password-extend { length "1..268"; } mandatory true; description "Login password of a user, which is a string ranging from 1 to 128 characters for a unencrypted password and 32 to 268 characters for a encrypted password. The password can contain letters, numbers, and special characters. Chinese characters are not supported. The minimum length and complexity of a user password are restricted by pwd-min-length, security-policy, complexity-check, and forbidden-word. When security-policy is set to true, the minimum length of a password is 8 characters. In addition, complexity verification is enabled. The complexity requirements are as follows: (1) A password must contain digits, uppercase letters, lowercase letters, and special characters. Spaces and question marks are not supported. If the password is enclosed in quotation marks, spaces are allowed in the password. (2) The password cannot contain an account or the reverse string of an account. (3) The new password cannot be the same as any of the previous 10 passwords. (If the new password is the same as the current password, the new password is also considered as a history password. That is, the current password is included in the 10 history passwords.) This parameter takes effect when the password complexity check is enabled (complexity-check is set to true). If forbidden-word is configured, the password cannot contain forbidden words. If only the pwd-min-length value is set, the pwd-min-length setting takes effect. If the minimum length of a user password is set and the user security policy is enabled, the minimum length of a password cannot be less than 8 characters. If the minimum length of a password is set and the pwd-min-length value is greater than 8 characters, the minimum length of a password is determined by the pwd-min-length value."; } leaf level { type uint32 { range "0..15"; } description "Login level of a local user. If the command level adjustment function is disabled, the value of userLevel ranges from 0 to 3. If the command level adjustment function is enabled, the value of userLevel ranges from 0 to 15."; } leaf ftp-dir { type string { length "1..255"; } description "FTP user directory."; } leaf service-terminal { type boolean; default "false"; description "Enable/disable login through a terminal."; } leaf service-telnet { type boolean; default "false"; description "Enable/disable login through Telnet."; } leaf service-ftp { type boolean; default "false"; description "Enable/disable login through FTP."; } leaf service-ppp { type boolean; default "false"; description "Enable/disable login through PPP."; } leaf service-ssh { type boolean; default "false"; description "Enable/disable login through SSH."; } leaf service-qx { type boolean; default "false"; description "Enable/disable login through QX."; } leaf service-snmp { type boolean; must "(../service-snmp='false') or (../service-snmp='true' and string-length(current()/../name)<32)"; default "false"; description "Enable/disable login through SNMP."; } leaf service-mml { type boolean; default "false"; description "Enable/disable login through MML."; } leaf service-http { type boolean; default "false"; description "Enable/disable login through HTTP."; } leaf max-access-num { type int32 { range "1..2147483647"; } description "The local user max access number."; } leaf idle-cut-enable { type boolean; default "true"; description "Enable/disable configures the idle cut function for a local user."; } leaf begin-life-date { type pub-type:date; config false; description "The begin date of local user's life."; } leaf last-login-time { type yang:date-and-time; config false; description "The last login time."; } leaf is-aged { type aaa-bool-type; config false; description "Whether the user is aged now."; } leaf is-locked { type aaa-bool-type; config false; description "Whether the user is locked now."; } leaf left-lock-time { type uint32 { range "1..4294967295"; } units "s"; config false; description "Left lock time of locked user."; } leaf is-terminal-locked { type aaa-bool-type; config false; description "Whether the user is terminal locked now."; } leaf terminal-left-lock-time { type uint32 { range "1..4294967295"; } units "s"; config false; description "Left lock time of terminal locked user."; } leaf pass-modify-time { type yang:date-and-time; config false; description "Password modify time."; } leaf is-pass-expired { type is-pass-expired-type; config false; description "Whether the password of this user name expires."; } leaf is-pass-changed { type boolean; config false; description "Whether the password of this user name is changed by the user."; } leaf alive-num { type int32 { range "0..2147483647"; } config false; description "Online number of the local user."; } } // list user } // container users } // container lam container local-server { description "Configure a local AAA server. You can perform access security configurations for local users."; container login-failed-limit { description "Configure the maximum number of login attempts allowed in the specified period."; leaf failed-times { type uint32 { range "0..10"; } default "5"; description "Indicates the consecutive failure times. 0 indicates that the number of times that a user fails authentication continuously is not restricted."; } leaf period { type uint32 { range "1..120"; } units "min"; default "5"; description "Specifies a period for consecutive authentication failures."; } leaf reactive-time { type uint32 { range "0..1000"; } units "min"; default "5"; description "Specifies an automatic activation time for a locked account. 0 indicates that the locked account will not be unlocked automatically."; } } // container login-failed-limit container user-security-policy { description "Configure a local user security policy."; leaf user-aging-period { type uint32 { range "1..365"; } description "Specifies an aging period for an administrator."; } leaf user-name-min-len { type uint32 { range "0..253"; } default "0"; description "Specifies the minimum length for user names. 0 indicates that the length is not limited."; } } // container user-security-policy container password-policy { description "Configure a local user password policy."; leaf expire-days { type uint16 { range "0..365"; } units "d"; must "../prompt-days<=../expire-days"; default "0"; description "Specifies an expiration period for a password. 0 indicates that a password is permanently valid."; } leaf prompt-days { type uint16 { range "0..180"; } units "d"; must "../prompt-days<=../expire-days"; default "0"; description "Specifies a remaining validity period for a password."; } leaf change-check { type boolean; default "false"; description "Enable/disable mandatory password change when a password is used for the first time."; } leaf complexity-check { type boolean; default "false"; description "Enable/disable password complexity enhancement."; } leaf pwd-min-length { type uint32 { range "3..128"; } description "Specifies the minimum length for passwords configured for local users."; } } // container password-policy } // container local-server } // container aaa } // module huawei-aaa
© 2023 YumaWorks, Inc. All rights reserved.