Operation Manual – AAA RADIUS HWTACACSH3C S5500-EI Series Ethernet SwitchesChapter 1 AAA/RADIUS/HWTACACSConfiguration1-23Note:z With the local-user password-display-mode cipher-force command configured,a local user password is always displayed in cipher text, regardless of theconfiguration of the password command. In this case, if you use the savecommand to save the configuration, all existing local user passwords will still bedisplayed in cipher text after the device restarts, even if you restore the displaymode to auto.z Local authentication checks the service types of a local user. If the service types arenot available, the user cannot pass authentication. During authorization, a user withno service type configured is authorized with no service by default.z If you specify an authentication method that requires the username and password,including local authentication, RADIUS authentication and HWTACACSauthentication, the level of the commands that a user can use after logging independs on the priority of the user, or the priority of user interface level as with otherauthentication methods. For an SSH user using RSA public key authentication, thecommands that can be used depend on the level configured on the user interface.For details regarding authentication method and command level, refer to LoginConfiguration and System Maintaining and Debugging Configuration respectively.z Both the service-type and level commands can be used to specify user priority.The one used later has the final effect.z The attribute ip command only applies to authentications that support IP addresspassing, such as 802.1x. If you configure the command to authentications that donot support IP address passing, such as MAC address authentication, the localauthentication will fail.z The attribute port command binds a port by its number only, regardless of the porttype.z The idle-cut command configured under ISP view applies to lan-access users only.1.3.8 Tearing down User Connections ForciblyFollow these steps to tear down user connections forcibly:To do… Use the command… RemarksEnter system view system-view —Tear down AAA userconnections forciblycut connection { access-type { dot1x |mac-authentication | portal } | all |domain isp-name | interface interface-typeinterface-number | ip ip-address | macmac-address | ucibindex ucib-index |user-name user-name | vlan vlan-id } [ slotslot-number ]RequiredApplies toonly LANaccess userconnectionsat present.