AAA and RADIUS Protocol Configuration 199Note the following two items when you configure these service types: SSH, Telnetor Terminal.■ When you configure a new service type for a user, the system adds therequested service-type to any existing configuration. For example, if the userpreviously had just Telnet access, and SSH was added, the user would nowhave access to both Telnet and SSH.■ You can set user level when you configure a service type. If you set multipleservice types and specify the user levels, then only the last configured user levelis valid. Some of the service types allow a user-privilege level to be entered asan optional extra parameter. For example Telnet, Terminal & SSH.However, the user-privilege level is a global value for all service types. Enteringthe following two commands will result in the user having a level of 3 for allservice types. In this case both telnet and SSH:[4500-SI-luser-adminpwd]service-type telnet level 1[4500-SI-luser-adminpwd]service-type ssh level 3You can use either level or service-type command to specify the level for alocal user. If both of these two commands are used, the latest configuration willtake effect.Disconnecting a User byForceSometimes it is necessary to disconnect a user or a category of users by force. Thesystem provides the following command to serve this purpose.Perform the following configurations in System View.Table 212 Disconnecting a User by ForceBy default, no online user will be disconnected by force.Set a service type for the specifieduserservice-type { ftp [ ftp-directorydirectory ] | lan-access | { ssh |telnet | terminal }* }Cancel the service type of thespecified userundo service-type { ftp [ ftp-directory] | lan-access | { ssh | telnet |terminal }* [ level level ] }Configure the attributes oflan-access usersattribute { ip ip_address | macmac_address | idle-cut second |access-limit max_user_number | vlanvlanid | location { nas-ip ip_addressport portnum | port portnum } }*Remove the attributes defined forthe lan-access usersundo attribute { ip | mac | idle-cut |access-limit | vlan | location }*Operation CommandOperation CommandDisconnect a user byforcecut connection { all | access-type { dot1x | gcm |mac-authentication } | domain domain_name |interface interface_type interface_number | ipip_address | mac mac_address | radius-schemeradius_scheme_name | vlan vlanid | ucibindexucib_index | user-name user_name }
