HP 5120 SI series Command Reference Manual


HP 5120 SI Switch Series
Security

Command Reference

Part number: 5998-1814
Software version: Release 1513
Document version: 6W100-20130830


Summary of Contents for HP 5120 SI series

  • Page 1: Command Reference

    HP 5120 SI Switch Series Security Command Reference Part number: 5998-1814 Software version: Release 1513 Document version: 6W100-20130830...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: AAA configuration commands (1); General AAA configuration commands (1); aaa nas-id profile (1); access-limit enable (1); accounting command (2); accounting default (3); accounting lan-access (4); accounting login ...
  • Page 4 display stop-accounting-buffer (46); key (RADIUS scheme view) (47); nas-ip (RADIUS scheme view) (48); primary accounting (RADIUS scheme view) (49); primary authentication (RADIUS scheme view) (50); radius client (52); radius nas-ip (53) ...
  • Page 5 dot1x domain-delimiter (99); dot1x guest-vlan (100); dot1x handshake (101); dot1x handshake secure (102); dot1x mandatory-domain (102); dot1x max-user (103); dot1x multicast-trigger (105); dot1x port-control (105) ...
  • Page 6 portal redirect-url (153); portal server (154); portal server banner (155); portal server method (155); portal server server-detect (156); portal server user-sync (158); portal web-proxy port (159); reset portal connection statistics (160) ...
  • Page 7 display habp table (199); display habp traffic (199); habp client vlan (200); habp enable (201); habp server vlan (201); habp timer (202); Public key configuration commands (203) ...
  • Page 8 state (238); SSH2.0 configuration commands (239); SSH2.0 server configuration commands (239); display ssh server (239); display ssh user-information (240); ssh server authentication-retries (241); ssh server authentication-timeout (242); ssh server compatible-ssh1x ...
  • Page 9 close-mode wait (272); display ssl client-policy (273); display ssl server-policy (274); handshake timeout (275); pki-domain (276); prefer-cipher (277); server-verify enable (277); session (278); ssl client-policy (279) ...
  • Page 10 ipv6 nd mac-check enable (305); ND detection configuration commands (305); display ipv6 nd detection (305); display ipv6 nd detection statistics (306); ipv6 nd detection enable (307); ipv6 nd detection trust (308) ...
  • Page 11 ... (373); sa duration (374); time-out (374); Support and other resources (376); Contacting HP (376); Subscription service (376); Related information (376); Documents (376) ...
  • Page 12: Aaa Configuration Commands

    AAA configuration commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    General AAA configuration commands
    aaa nas-id profile
    Syntax...
  • Page 13: Accounting Command

    Default level: 2: System level
    Parameters: max-user-number: Maximum number of users, in the range 1 to 2147483646.
    Description: Use the access-limit enable command to enable the limit on the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the maximum number allowed, no more users will be accepted.
  • Page 14: Accounting Default

    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting command hwtacacs-scheme hwtac
    accounting default
    Syntax: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    undo accounting default
    View: ISP domain view
    Default level: 2: System level
    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a...
  • Page 15: Accounting Lan-Access

    accounting lan-access
    Syntax: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
    undo accounting lan-access
    View: ISP domain view
    Default level: 2: System level
    Parameters:
    local: Performs local accounting.
    none: Does not perform any accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
  • Page 16: Accounting Optional

    Default level: 2: System level
    Parameters:
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
    local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.
  • Page 17: Accounting Portal

    Description Use the accounting optional command to enable the accounting optional feature. Use the undo accounting optional command to disable the feature. By default, the feature is disabled. After you configure the accounting optional command for a domain, a user that will be disconnected otherwise can continue to use the network resources when no accounting server is available or the communication with the current accounting server fails.
  • Page 18: Authentication Default

    Examples
    # Configure ISP domain test to use local accounting for portal users.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting portal local
    # Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
  • Page 19: Authentication Lan-Access

    [Sysname] domain test
    [Sysname-isp-test] authentication default radius-scheme rd local
    authentication lan-access
    Syntax: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
    undo authentication lan-access
    View: ISP domain view
    Default level: 2: System level
    Parameters: local: Performs local authentication.
  • Page 20: Authentication Portal

    View: ISP domain view
    Default level: 2: System level
    Parameters:
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
    local: Performs local authentication.
    none: Does not perform any authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
  • Page 21: Authentication Super

    none: Does not perform any authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
    Description: Use the authentication portal command to configure the authentication method for portal users. Use the undo authentication portal command to restore the default. By default, the default authentication method for the ISP domain is used for portal users.
  • Page 22: Authorization Command

    The specified RADIUS or HWTACACS authentication scheme must have been configured. Related commands: hwtacacs scheme and radius scheme; super authentication-mode (Fundamentals Command Reference).
    Examples
    # Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
    <Sysname>...
  • Page 23: Authorization Default

    # Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
    authorization default
    Syntax: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    undo authorization default
    View...
  • Page 24: Authorization Lan-Access

    [Sysname] domain test
    [Sysname-isp-test] authorization default radius-scheme rd local
    authorization lan-access
    Syntax: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
    undo authorization lan-access
    View: ISP domain view
    Default level: 2: System level
    Parameters: local: Performs local authorization.
  • Page 25: Authorization Login

    authorization login
    Syntax: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    undo authorization login
    View: ISP domain view
    Default level: 2: System level
    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
  • Page 26: Authorization Portal

    authorization portal
    Syntax: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
    undo authorization portal
    View: ISP domain view
    Default level: 2: System level
    Parameters:
    local: Performs local authorization.
    none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
  • Page 27: Cut Connection

    View: ISP domain view
    Default level: 3: Manage level
    Parameters: profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see the Security Configuration Guide.
    Description: Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain.
  • Page 28: Display Connection

    domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters. interface interface-type interface-number: Specifies user connections on an interface by the interface type and number.
  • Page 29
    View: Any view
    Default level: 1: Monitor level
    Parameters:
    • access-type: Specifies the user connections of the specified access type.
      • dot1x: Indicates 802.1X authentication.
      • mac-authentication: Indicates MAC address authentication.
      • portal: Indicates portal authentication.
    • domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
  • Page 30 treated as users in the mandatory authentication domain. To display connections of such users, specify the mandatory authentication domain for the display connection domain isp-name command. For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name delimiter, you cannot query the connections by username.
  • Page 31: Display Domain

    Field / Description:
    User Profile: Authorization user profile.
    CAR(kbps): Authorized CAR parameters.
    UpPeakRate: Uplink peak rate.
    DnPeakRate: Downlink peak rate.
    UpAverageRate: Uplink average rate.
    DnAverageRate: Downlink average rate.
    display domain
    Syntax: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
    View: Any view
    Default level...
  • Page 32: Domain

    Self-service : Disabled Authorization attributes : Domain : test State : Active Access-limit : Disabled Accounting method : Required Default authentication scheme : local Default authorization scheme : local Default accounting scheme : local Lan-access authentication scheme : radius:test, local Lan-access authorization scheme : hwtacacs:hw, local Lan-access accounting scheme...
  • Page 33: Domain Default Enable

    undo domain isp-name View System view Default level 3: Manage level Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 63 characters that contains no forward slash (/), backward slash (\), colon (:), asterisk (*), question mark (?), left bracket (<), right bracket (>), quotation marks ("), vertical bar (|), or at sign (@).
  • Page 34: Idle-Cut Enable

    The specified domain must already exist; otherwise, users without any domain name carried in the username cannot pass authentication. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
  • Page 35: Nas-Id Bind Vlan

    nas-id bind vlan
    Syntax: nas-id nas-identifier bind vlan vlan-id
    undo nas-id nas-identifier bind vlan vlan-id
    View: NAS ID profile view
    Default level: 2: System level
    Parameters:
    nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.
    vlan-id: ID of the VLAN to be bound with the NAS ID, in the range of 1 to 4094.
    Description: Use the nas-id bind vlan command to bind a NAS ID with a VLAN.
  • Page 36: State

    Description Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server for changing user password. Use the undo self-service-url enable command to restore the default. By default, the function is disabled. A self-service RADIUS server (such as IMC) is required for the self-service server location function.
  • Page 37: Local User Configuration Commands

    By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. The online users are not affected. Related commands: domain.
    Examples
    # Place the ISP domain test in the blocked state.
    <Sysname>...
  • Page 38: Authorization-Attribute (Local User View/User Group View)

    authorization-attribute (local user view/user group view)
    Syntax: authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *
    undo authorization-attribute { acl | idle-cut | level | user-profile | user-role | vlan | work-directory }
    View: Local user view, user group view
    Default level...
  • Page 39: Bind-Attribute

    Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes. Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
  • Page 40: Display Local-User

    Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user will fail the checking and the authentication. Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users.
  • Page 41 number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 42: Display User-Group

    Field / Description:
    ServiceType: Service types that the local user can use, including FTP, LAN, portal, SSH, Telnet, terminal, and Web.
    Access-limit: Limit on the number of user connections using the current username.
    Current AccessNum: Current number of user connections using the current username.
    Max AccessNum: Maximum number of user connections using the current username.
    VLAN ID...
  • Page 43: Expiration-Date (Local User View)

    Related commands: user-group.
    Examples
    # Display configuration information about user group abc.
    <Sysname> display user-group abc
    The contents of user group abc: Authorization attributes: Idle-cut: 120(min) Work Directory: FLASH: Level: Acl Number: 2000 Vlan ID: User-Profile: Callback-number: Password-Aging: Enabled(1 day(s)) Password-Length: Enabled(4 characters) Password-Composition:...
  • Page 44: Group

    Examples
    # Configure the expiration time of user abc to be 12:10:20 on May 31, 2011.
    <Sysname> system-view
    [Sysname] local-user abc
    [Sysname-luser-abc] expiration-date 12:10:20-2011/05/31
    group
    Syntax: group group-name
    undo group
    View: Local user view
    Default level: 3: Manage level
    Parameters: group-name: User group name, a case-insensitive string of 1 to 32 characters.
  • Page 45: Password

    asterisk (*), question mark (?), left bracket (<), right bracket (>), and at sign (@), and cannot be a, al, or all.
    all: Specifies all users.
    service-type: Specifies the users of a type.
    • ftp: FTP users.
    • lan-access: Users accessing the network through an Ethernet, such as 802.1X users.
    • ...
  • Page 46: Service-Type

    • If the hash keyword is not specified, a plaintext password is a string of 1 to 63 characters and a ciphertext password is a string of 1 to 117 characters.
    • If the hash keyword is specified, a plaintext password is a string of 1 to 63 characters and a ...
  • Page 47: State(Local User View)

    Default level: 3: Manage level
    Parameters:
    ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.
    lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.
  • Page 48: User-Group

    By default, a local user is in the active state. By blocking a user, you disable the user from requesting network services. No other users are affected. Related commands: local-user.
    Examples
    # Place the user user1 in the blocked state.
    <Sysname>...
  • Page 49: Radius Configuration Commands

    RADIUS configuration commands
    accounting-on enable
    Syntax: accounting-on enable [ interval seconds | send send-times ] *
    undo accounting-on enable
    View: RADIUS scheme view
    Default level: 2: System level
    Parameters: seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds.
  • Page 50: Attribute 25 Car

    attribute 25 car
    Syntax: attribute 25 car
    undo attribute 25 car
    View: RADIUS scheme view
    Default level: 2: System level
    Parameters: None
    Description: Use the attribute 25 car command to specify to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
  • Page 51: Display Radius Scheme

    Description Use the data-flow-format command to set the traffic statistics unit for data flows or packets. Use the undo data-flow-format command to restore the default. By default, the unit for data flows is byte and that for data packets is one-packet. The unit for data flows and that for packets must be consistent with those on the RADIUS server.
  • Page 52 If no IRF member ID is specified, the command will display the configuration information of the RADIUS schemes on all members of an IRF virtual device. Related commands: radius scheme. Examples # Display the configuration information of all RADIUS schemes. <Sysname>...
  • Page 53 Table 4 Output description (Field / Description):
    SchemeName: Name of the RADIUS scheme.
    Index: Index number of the RADIUS scheme.
    Type: Type of the RADIUS server.
    Primary Auth Server: Primary authentication server.
    Primary Acct Server: Primary accounting server.
    Second Auth Server: Secondary authentication server.
    Second Acct Server: Secondary accounting server.
    ...
  • Page 54: Display Radius Statistics

    Field / Description:
    NAS-IP address: Source IP address for outgoing RADIUS packets.
    Attribute 25: Interprets RADIUS attribute 25 as the CAR parameters.
    display radius statistics
    Syntax: display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    View: Any view
    Default level...
  • Page 55 Total 1016 RADIUS received packets statistic: Code = Num = 15 Err = 0 Code = Num = 4 Err = 0 Code = Num = 4 Err = 0 Code = 11 Num = 0 Err = 0 Running statistic: RADIUS received messages statistic: Normal auth request Num = 24...
  • Page 56 Field / Description:
    RLTSend: Number of users for whom the system sends real-time accounting packets.
    RLTWait: Number of users waiting for real-time accounting.
    AcctStop: Number of users in the state of accounting stopped.
    OnLine: Number of online users.
    Stop: Number of users in the state of stop.
    StateErr: Number of users with unknown errors.
    Received and Sent packets statistic...
  • Page 57: Display Stop-Accounting-Buffer

    Field / Description:
    Account failure: Number of accounting failed packets.
    Server ctrl req: Number of server control requests.
    RecError_MSG_sum: Number of received packets in error.
    SndMSG_Fail_sum: Number of packets that failed to be sent out.
    Timer_Err: Number of timer errors.
    Alloc_Mem_Err: Number of memory errors.
    State Mismatch: Number of errors for mismatching status.
    ...
  • Page 58: Key (Radius Scheme View)

    exclude: Displays all lines that do not match the specified regular expression.
    include: Displays all lines that match the specified regular expression.
    regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters.
    Description: Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, username, or slot.
  • Page 59: Nas-Ip (Radius Scheme View)

    Description Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets. Use the undo key command to restore the default. By default, no shared key is configured. The shared key that is specified during the configuration of the RADIUS server, if any, takes precedence. A shared key configured in this task takes effect only if no shared key of the same type is specified during RADIUS server configuration.
  • Page 60: Primary Accounting (Radius Scheme View)

    By default, the source IP address of an outgoing RADIUS packet is that configured with the radius nas-ip command in system view. The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server.
  • Page 61: Primary Authentication (Radius Scheme View)

    • If neither cipher nor simple is specified, you set a plaintext shared key string.
    Description: Use the primary accounting command to specify the primary RADIUS accounting server. Use the undo primary accounting command to remove the configuration. By default, no primary RADIUS accounting server is specified. The IP addresses of the primary and secondary accounting servers cannot be the same.
  • Page 62
    Default level: 2: System level
    Parameters:
    ipv4-address: IPv4 address of the primary authentication/authorization server.
    ipv6 ipv6-address: IPv6 address of the primary authentication/authorization server.
    port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
    key [ cipher | simple ] key: Specifies a case-sensitive shared key for secure communication with the primary RADIUS authentication/authorization server.
  • Page 63: Radius Client

    new primary server is evaluated at first and then the secondary servers according to the order in which they are configured. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext. With the server status detection feature enabled, the device sends an authentication request that carries the specified username to the primary server at the specified interval.
  • Page 64: Radius Nas-Ip

    Parameters None Description Use the radius client enable command to enable the listening port of the RADIUS client. Use the undo radius client command to disable the listening port of the RADIUS client. By default, the listening port is enabled. When the listening port of the RADIUS client is disabled: The RADIUS client can either accept authentication, authorization or accounting requests or ...
  • Page 65: Radius Scheme

    Specifying a source address for outgoing RADIUS packets can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure. You can specify up to 16 source IP addresses. The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS schemes that use the specified source IP address.
  • Page 66: Radius Trap

    Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] radius trap Syntax radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } View System view Default level 2: System level...
  • Page 67: Reset Radius Statistics

    reset radius statistics Syntax reset radius statistics [ slot slot-number ] View User view Default level 2: System level Parameters slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device.
  • Page 68: Retry

    slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.
  • Page 69: Retry Realtime-Accounting

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] retry 5 retry realtime-accounting Syntax retry realtime-accounting retry-times undo retry realtime-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of accounting attempts, in the range 1 to 255. Description Use the retry realtime-accounting command to set the maximum number of accounting attempts.
  • Page 70: Retry Stop-Accounting (Radius Scheme View)

    [Sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting (RADIUS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of stop-accounting attempts, in the range 10 to 65535. Description Use the retry stop-accounting command to set the maximum number of stop-accounting attempts. Use the undo retry stop-accounting command to restore the default.
  • Page 71 View RADIUS scheme view Default level 2: System level Parameters ipv4-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0. ipv6 ipv6-address: IPv6 address of the secondary accounting server. port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.
  • Page 72: Secondary Authentication (Radius Scheme View)

    look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured. If you remove an accounting server being used by online users, the device cannot send real-time accounting requests and stop-accounting requests anymore for the users, and does not buffer the stop-accounting requests.
  • Page 73 simple key: Specifies a plaintext shared key. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 8 to 64 characters that must include uppercase letters, lowercase letters, numbers, and special characters. ...
  • Page 74: Security-Policy-Server

    response from the server before the maximum number of retries is reached, the device considers the server as reachable. The device sets the status of the server to block or active according to the status detection result, regardless of the current status of the server. For 802.1X authentication, if the status of every server is block, the device will assign the port connected to an authentication user to the specified 802.1X critical VLAN.
  • Page 75: Server-Type

    Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme. By default, no security policy server is specified for a RADIUS scheme. You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
  • Page 76: State Primary

    state primary Syntax state primary { accounting | authentication } { active | block } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state.
  • Page 77: Stop-Accounting-Buffer Enable (Radius Scheme View)

    Default level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server. active: Specifies the active state, the normal operation state.
  • Page 78: Timer Quiet (Radius Scheme View)

    Description Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses. Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses. By default, the device is enabled to buffer stop-accounting requests getting no responses. Stop-accounting requests affect the charge to users.
  • Page 79: Timer Realtime-Accounting (Radius Scheme View)

    Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device has to repeatedly try to communicate with an unreachable server that is in the active state. Related commands: display radius scheme.
  • Page 80: Timer Response-Timeout (Radius Scheme View)

    Related commands: retry realtime-accounting and radius scheme. Examples # Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer realtime-accounting 51 timer response-timeout (RADIUS scheme view) Syntax timer response-timeout seconds undo timer response-timeout View RADIUS scheme view...
  • Page 81: Hwtacacs Configuration Commands

    View RADIUS scheme view Default level 2: System level Parameters keep-original: Sends the username to the RADIUS server as it is input. with-domain: Includes the ISP domain name in the username sent to the RADIUS server. without-domain: Excludes the ISP domain name from the username sent to the RADIUS server. Description Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.
  • Page 82: Display Hwtacacs

    View HWTACACS scheme view Default level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 83 exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256 characters. Description Use the display hwtacacs command to display the configuration information or statistics of HWTACACS schemes.
  • Page 84 Packet unit Table 7 Output description Field Description HWTACACS scheme name: Name of the HWTACACS scheme. Primary Authen Server: IP address, port number, status, shared key, and VPN of the primary authentication server. If no primary authentication server is specified, this field is not available. This rule is also applicable to the following fields.
  • Page 85: Display Stop-Accounting-Buffer

    display stop-accounting-buffer Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
  • Page 86: Hwtacacs Scheme

    Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the hwtacacs nas-ip command to specify a source IP address for outgoing HWTACACS packets. Use the undo hwtacacs nas-ip command to remove the configuration.
  • Page 87: Key (Hwtacacs Scheme View)

    Use the undo hwtacacs scheme command to delete an HWTACACS scheme. By default, no HWTACACS scheme exists. You cannot delete an HWTACACS scheme with online users. Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key (HWTACACS scheme view)
  • Page 88: Nas-Ip (Hwtacacs Scheme View)

    <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key accounting hello nas-ip (HWTACACS scheme view) Syntax nas-ip ip-address undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
  • Page 89: Primary Accounting (Hwtacacs Scheme View)

    primary accounting (HWTACACS scheme view) Syntax primary accounting ip-address [ port-number | key [ cipher | simple ] key ] * undo primary accounting View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server, a valid unicast address in dotted decimal notation.
  • Page 90: Primary Authentication (Hwtacacs Scheme View)

    Examples # Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49. <Sysname> system-view [Sysname] hwtacacs scheme test1 [Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 primary authentication (HWTACACS scheme view) Syntax primary authentication ip-address [ port-number | key [ cipher | simple ] key ] * undo primary authentication View HWTACACS scheme view...
  • Page 91: Primary Authorization

    The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent. If you configure the command repeatedly, only the last configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
  • Page 92: Reset Hwtacacs Statistics

    Use the undo primary authorization command to remove the configuration. By default, no primary HWTACACS authorization server is specified. The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails. The shared key configured by using the primary authorization command takes precedence over the one configured by using the key authorization [ cipher | simple ] key command.
  • Page 93: Reset Stop-Accounting-Buffer

    Examples # Clear all HWTACACS statistics. <Sysname> reset hwtacacs statistics all reset stop-accounting-buffer Syntax reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] View User view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
  • Page 94: Secondary Accounting (Hwtacacs Scheme View)

    Description Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts. Use the undo retry stop-accounting command to restore the default. By default, the maximum number of stop-accounting request transmission attempts is 100. Related commands: reset stop-accounting-buffer, hwtacacs...
  • Page 95: Secondary Authentication (Hwtacacs Scheme View)

    Use the undo secondary accounting command to remove secondary HWTACACS accounting servers. If you specify an IP address, this command removes the secondary HWTACACS accounting server using that IP address. If you do not specify an IP address, this command removes all secondary HWTACACS accounting servers.
  • Page 96: Secondary Authorization

    In FIPS mode, the key is a string of 8 to 373 characters.
    • simple key: Sets a plaintext shared key. The key argument is case sensitive. If you specify neither this keyword nor the cipher keyword, the shared key is set in plain text. In non-FIPS mode, the key is a string of 1 to 255 characters.
  • Page 97 Parameters ip-address: IP address of the secondary HWTACACS authorization server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0. port-number: Port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49. key [ cipher | simple ] key: Sets the shared key for secure communication with the secondary HWTACACS authorization server.
  • Page 98: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    stop-accounting-buffer enable (HWTACACS scheme view) Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable View HWTACACS scheme view Default level 2: System level Parameters None Description Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests to which no responses are received. Use the undo stop-accounting-buffer enable command to disable the buffering function.
  • Page 99: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255. Description Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state. Use the undo timer quiet command to restore the default.
  • Page 100: Timer Response-Timeout (Hwtacacs Scheme View)

    Number of users: 1000 or more; Real-time accounting interval (minute): 15 or more. Examples # Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer realtime-accounting 51 timer response-timeout (HWTACACS scheme view) Syntax timer response-timeout seconds undo timer response-timeout...
  • Page 101 Default level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is input. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server. Description Use the user-name-format command to specify the format of the username to be sent to an HWTACACS server.
  • Page 102: 802.1X Configuration Commands

    802.1X configuration commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
  • Page 103 Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: EAD timeout: The maximum 802.1X user resource number is 1024 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1...
  • Page 104 Field Description Reauth Period: Periodic re-authentication timer in seconds. Quiet Period: Quiet timer in seconds. Quiet Period Timer is disabled: Status of the quiet timer. In this example, the quiet timer is disabled. Supp Timeout: Client timeout timer in seconds. Server Timeout: Server timeout timer in seconds. Maximum number of attempts for sending an authentication...
  • Page 105: Dot1X

    Field Description Critical recovery-action: Action that the port takes when an active (reachable) authentication server is detected available for the 802.1X users in the critical VLAN: reinitialize—The port triggers authentication. NOT configured—The port does not trigger authentication. Max number of on-line users: Maximum number of concurrent 802.1X users on the port. EAPOL Packet: Number of sent (Tx) and received (Rx) EAPOL packets...
  • Page 106: Dot1X Authentication-Method

    Description Use the dot1x command in system view to enable 802.1X globally. Use the undo dot1x command in system view to disable 802.1X globally. Use the dot1x interface command in system view or the dot1x command in Layer 2 Ethernet interface view to enable 802.1X for specified ports.
  • Page 107: Dot1X Auth-Fail Vlan

    • PAP transports usernames and passwords in clear text. The authentication method applies to scenarios that do not require high security. To use PAP, the client must be an HP iNode 802.1X client.
    • CHAP transports username and encrypted password over the network. It is more secure than PAP.
  • Page 108: Dot1X Critical Vlan

    undo dot1x auth-fail vlan View Layer 2 Ethernet interface view Default level 2: System level Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already exist. Ensure that the VLAN has been created. Description Use the dot1x auth-fail vlan command to configure an Auth-Fail VLAN for a port.
  • Page 109: Dot1X Critical Recovery-Action

    Default level 2: System level Parameters vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created. Description Use the dot1x critical vlan command to configure an 802.1X critical VLAN on a port for users that fail 802.1X authentication because all the RADIUS servers in their ISP domains have been unreachable.
  • Page 110: Dot1X Domain-Delimiter

    By default, when a reachable RADIUS server is detected, the system removes the port or 802.1X users from the critical VLAN without triggering authentication. The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port.
  • Page 111: Dot1X Guest-Vlan

    The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use backslash (\), forward slash (/), or dot (.) as the domain name delimiter. For more information about the two commands, see Security Command Reference. Examples # Specify the characters @, /, and \ as domain name delimiters.
  • Page 112: Dot1X Handshake

    When you change the access control method from MAC-based to port-based on a port that carries a guest VLAN, the mappings between MAC addresses and the 802.1X guest VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings. When you change the access control method from port-based to MAC-based on a port that is in a guest VLAN, the port is removed from the guest VLAN.
  • Page 113: Dot1X Handshake Secure

    HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function. Examples # Enable the online user handshake function. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/4 [Sysname-GigabitEthernet1/0/4] dot1x handshake dot1x handshake secure...
  • Page 114: Dot1X Max-User

    View Layer 2 Ethernet interface view Default level 2: System level Parameters domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 63 characters. The specified domain must already exist. Description Use the dot1x mandatory-domain command to specify a mandatory 802.1X authentication domain on a port.
  • Page 115 undo dot1x max-user [ interface interface-list ] In Layer 2 Ethernet interface view: dot1x max-user user-number undo dot1x max-user View System view, Layer 2 Ethernet interface view Default level 2: System level Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value ranges from 1 to 256.
  • Page 116: Dot1X Multicast-Trigger

    dot1x multicast-trigger Syntax dot1x multicast-trigger undo dot1x multicast-trigger View Layer 2 Ethernet interface view Default level 2: System level Parameters None Description Use the dot1x multicast-trigger command to enable the 802.1X multicast trigger function. The device acts as the initiator and multicasts EAP-Request/Identity packets periodically to the clients. Use the undo dot1x multicast-trigger command to disable the function.
  • Page 117: Dot1X Port-Method

    Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication. auto: Places the specified or all ports initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network.
  • Page 118: Dot1X Quiet-Period

    undo dot1x port-method View System view, Layer 2 Ethernet interface view Default level 2: System level Parameters macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network. In this approach, when an authenticated user logs off, no other online users are affected.
  • Page 119: Dot1X Re-Authenticate

    undo dot1x quiet-period View System view Default level 2: System level Parameters None Description Use the dot1x quiet-period command to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use the undo dot1x quiet-period command to disable the timer.
  • Page 120: Dot1X Retry

    Examples # Enable the 802.1X periodic online user re-authentication function on GigabitEthernet 1/0/1 and set the periodic re-authentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x re-authenticate dot1x retry Syntax dot1x retry max-retry-value undo dot1x retry View System view...
  • Page 121: Dot1X Timer

    dot1x timer Syntax dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value } undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period } View System view Default level 2: System level Parameters...
  • Page 122: Dot1X Unicast-Trigger

    • Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
    • Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client.
  • Page 123: Reset Dot1X Statistics

    reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Default level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &...
  • Page 124: Ead Fast Deployment Configuration Commands

    EAD fast deployment configuration commands dot1x free-ip Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } View System view Default level 2: System level Parameters ip-address: Specifies a freely accessible IP address segment, also called "a free IP." mask: Specifies an IP address mask.
  • Page 125: Dot1X Url

    Default level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value ranges from 1 to 1440. Description Use the dot1x timer ead-timeout command to set the EAD rule timer. Use the undo dot1x timer ead-timeout command to restore the default. By default, the timer is 30 minutes.
  • Page 126 Related commands: display dot1x and dot1x free-ip. Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1...
  • Page 127: Mac Authentication Configuration Commands

    MAC authentication configuration commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 128 the max allowed user number is 1024 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 256 Current online user number is 0...
  • Page 129: Mac-Authentication

    Field Description Silent Mac User info: Information about silent MAC addresses. A MAC address is marked silent when it fails a MAC authentication, and at the same time, a quiet timer starts. Before the timer expires, the device drops any packet from the MAC address and does not perform MAC authentication for the MAC address.
  • Page 130: Mac-Authentication Critical Vlan

    port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port. Description Use the mac-authentication command in system view to enable MAC authentication globally.
  • Page 131: Mac-Authentication Domain

    Use undo mac-authentication critical vlan to restore the default. By default, no MAC authentication critical VLAN is configured on a port. The MAC authentication critical VLAN configuration applies to MAC authentication users that use only RADIUS authentication servers and have failed authentication because all the servers in their ISP domain become unavailable (inactive), for example, for the loss of network connectivity.
  • Page 132: Mac-Authentication Guest-Vlan

    The global authentication domain is applicable to all MAC authentication enabled ports. A port specific authentication domain is applicable only to the port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order: port specific domain, global domain, and the default authentication domain.
  • Page 133: Mac-Authentication Max-User

    Examples # Configure VLAN 5 as the MAC authentication guest VLAN on port GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan 5 mac-authentication max-user Syntax mac-authentication max-user user-number undo mac-authentication max-user View Layer 2 Ethernet interface view Default level 2: System level Parameters...
  • Page 134: Mac-Authentication User-Name-Format

    Parameters offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 2147483647 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
  • Page 135: Reset Mac-Authentication Statistics

    password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. Both plaintext passwords and ciphertext passwords are saved in cipher text in the configuration file.
  • Page 136 Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number.
  • Page 137: Portal Configuration Commands

    Portal configuration commands display portal acl Syntax display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters all: Displays all portal access control lists (ACLs), including dynamic and static portal ACLs.
  • Page 138 VLAN Protocol Destination: : 2.2.5.5 Mask : 255.255.255.255 Rule 1 Inbound interface : all Type : dynamic Action : permit Source: : 8.8.8.8 Mask : 255.255.255.255 : 0015-e9a6-7cfe Interface : any VLAN Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Author ACL: Number : 3001 Rule 2...
  • Page 139 Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 IPv6 portal ACL rules on Vlan-interface2: Rule 0 Inbound interface : all Type : static Action : permit Source: : :: Prefix length : 0 : 0000-0000-0000 Interface : any VLAN Protocol Destination: : 2::2 Prefix length : 128 Port...
  • Page 140: Display Portal Connection Statistics

    VLAN Protocol Destination: : :: Prefix length : 0 Port : any Table 11 Output description Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order Inbound interface Interface to which the portal ACL is bound Type Type of the portal ACL Action...
  • Page 141 Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 142 MSG_ARPPKT MSG_PORT_REMOVE MSG_VLAN_REMOVE MSG_IF_REMOVE MSG_IF_SHUT MSG_IF_DISPORTAL MSG_IF_UP MSG_ACL_RESULT MSG_AAACUTBKREQ MSG_CUT_BY_USERINDEX MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 12 Output description Field Description User state statistics Statistics on portal users State-Name Name of a user state User-Num Number of users in a specific state Message statistics Statistics on messages Msg-Name...
  • Page 143: Display Portal Free-Rule

    Field Description Users-removed message, indicating the users on a Layer 3 interface were MSG_IF_REMOVE removed because the Layer 3 interface was removed. MSG_IF_SHUT Layer 3 interface shutdown message MSG_IF_DISPORTAL Portal-disabled-on-interface message MSG_IF_UP Layer 3 interface came up message MSG_ACL_RESULT ACL deployment failure message MSG_AAACUTBKREQ Message that AAA uses to notify portal to delete backup user information MSG_CUT_BY_USERINDEX...
  • Page 144 Related commands: portal free-rule. Examples # Display information about all portal-free rules. <Sysname> display portal free-rule Rule-Number Source: : 0.0.0.0 Mask : 0.0.0.0 : 0000-0000-0000 Interface : any Vlan Destination: : 2.2.10.5 Mask : 255.255.255.255 Rule-Number Source: : 1::2 Prefix length : 128 : 0000-0000-0000 Interface : any...
  • Page 145: Display Portal Interface

    display portal interface Syntax display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 146: Display Portal Local-Server

    Table 14 Output description Field Description Portal configuration of interface Portal configuration on the interface IPv4 IPv4 portal configuration IPv6 IPv6 portal configuration Status of the portal authentication on the interface: • Portal disabled—Portal authentication is disabled. Status • Portal enabled—Portal authentication is enabled but is not functioning. •...
  • Page 147: Display Portal Server

    <Sysname> display portal local-server Protocol: HTTP Local-server IP: 7.7.7.7 Server policy: Protocol: HTTPS Server policy: policy1 Table 15 Output description Field Description Protocol Protocol supported by the local portal server, HTTP or HTTPS. SSL server policy associated with the HTTPS service. Server policy If HTTP is configured, this field is null.
  • Page 148: Display Portal Server Statistics

    : http://192.168.0.111 Status : Up Table 16 Output description Field Description Number of the portal server Name of the portal server IP address of the portal server Port Listening port on the portal server Shared key for exchanges between the access device and portal server. •...
  • Page 149 Description Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces. With the all keyword specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly. Examples # Display portal server statistics on VLAN-interface 1.
  • Page 150: Display Portal Tcp-Cheat Statistics

    Field Description Authentication acknowledgment message the access device sends to the ACK_AUTH portal server REQ_LOGOUT Logout request message the portal server sends to the access device ACK_LOGOUT Logout acknowledgment message the access device sends to the portal server Affirmation message the portal server sends to the access device after AFF_ACK_AUTH receiving an authentication acknowledgement message NTF_LOGOUT...
  • Page 151 regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display portal tcp-cheat statistics command to display TCP spoofing statistics. Examples # Display TCP spoofing statistics. <Sysname> display portal tcp-cheat statistics TCP Cheat Statistic: Total Opens: 0 Resets Connections: 0 Current Opens: 0...
  • Page 152: Display Portal User

    display portal user Syntax display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression.
  • Page 153: Portal Auth-Fail Vlan

    Table 19 Output description Field Description Index Index of the portal user State Current status of the portal user SubState Current sub-status of the portal user Authorization ACL of the portal user Work-mode User's working mode MAC address of the portal user IP address of the portal user Vlan VLAN to which the portal user belongs...
  • Page 154: Portal Auth-Network

    [Sysname] vlan 5 [Sysname-vlan5] quit [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type hybrid [Sysname-GigabitEthernet1/0/1] mac-vlan enable [Sysname-GigabitEthernet1/0/1] portal auth-fail vlan 5 portal auth-network Syntax portal auth-network { ipv4-network-address { mask-length | mask } | ipv6 ipv6-network-address prefix-length } undo portal auth-network { ipv4-network-address | all | ipv6 ipv6-network-address } View Interface view Default level...
  • Page 155: Portal Delete-User

    [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal auth-network 10.10.10.0 24 portal delete-user Syntax portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address } View System view Default level 2: System level Parameters ipv4-address: Logs off the portal user with the specified IPv4 address. all: Logs off all portal users.
  • Page 156: Portal Free-Rule

    Description Use the portal domain command to specify an authentication domain for portal users on an interface. Then, the device uses the authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface. Use the undo portal domain command to delete the authentication domain specified for portal users. By default, no authentication domain is specified for portal users on an interface.
  • Page 157: Portal Local-Server

    If you specify both a source IPv4 address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect. If you specify both a source IPv6 address and a source MAC address in a portal-free rule, the IPv6 address must be a host address with a 128-bit prefix.
  • Page 158: Portal Local-Server Enable

    If you specify HTTP in this command, the redirection URL for HTTP packets is in the format of http://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTP. If you specify HTTPS in this command, the redirection URL for HTTP packets is in the format of https://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTPS.
  • Page 159: Portal Local-Server Ip

    For normal operation of portal authentication on a Layer 2 port, you must disable portal authentication on all Layer 3 interfaces and HP recommends disabling port security, guest VLAN of 802.1X, and EAD fast deployment of 802.1X on the port. For information about port security and 802.1X features, see Security Configuration Guide.
  • Page 160: Portal Max-User

    [Sysname] portal local-server ip 1.1.1.1 portal max-user Syntax portal max-user max-number undo portal max-user View System view Default level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system. The value is in the range of 1 to 512.
  • Page 161: Portal Nas-Id-Profile

    user can continue to access the network (without re-authentication) if the following conditions are satisfied: The new port is up. • The original port and the new port belong to the same VLAN. • The authorization information of the user, if any, is assigned to the new port successfully. •...
  • Page 162: Portal Nas-Ip

    If the interface does not support NAS ID configuration or has no NAS ID configured, the device uses • the device name as the interface NAS ID. Examples # Specify NAS ID profile aaa for VLAN-interface 2. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal nas-id-profile aaa portal nas-ip Syntax...
  • Page 163: Portal Offline-Detect Interval

    View Interface view Default level 2: System level Parameters ethernet: Specifies the access port type as Ethernet, which corresponds to code 15. wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
  • Page 164: Portal Redirect-Url

    This detection interval must be equal to or less than the MAC address entry aging time. Otherwise, many portal users are considered offline due to aged MAC address entries. Examples # Set the online Layer 2 portal user detection interval to 3600 seconds on port GigabitEthernet 1/0/1. <Sysname>...
  • Page 165: Portal Server

    portal server Syntax portal server server-name { ip ipv4-address [ key [ cipher | simple ] key-string | port port-id | url url-string ] * | ipv6 ipv6-address [ key [ cipher | simple ] key-string | port port-id | url url-string ] * } undo portal server server-name [ key | port | url ] View System view...
  • Page 166: Portal Server Banner

    For local portal server configuration, the keywords key and url are usually not required and, if configured, do not take effect. For security purposes, all keys, including keys configured in plain text, are saved in cipher text. Related commands: display portal server. Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the plaintext key to portal, and the redirection URL to http://192.168.0.111/portal.
  • Page 167: Portal Server Server-Detect

    View Interface view Default level 2: System level Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. method: Specifies the authentication mode to be used. direct: Direct authentication. layer3: Cross-subnet authentication. Description Use the portal server method command to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.
  • Page 168 Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must have existed. server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available: http: Probes HTTP connections.
  • Page 169: Portal Server User-Sync

    Use the undo portal server server-detect command to cancel the detection of the specified portal server. By default, the portal server detection function is not configured. You can specify one or more detection methods and the actions to be taken. If both detection methods are specified, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.
  • Page 170: Portal Web-Proxy Port

    retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the access device finds that one of its users does not exist in the user synchronization packets from the portal server within N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.
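The two decision rules above (a portal server is unreachable as soon as one configured detection method fails and recovered only when both succeed; a user absent from N consecutive synchronization packets is logged off) are easy to get wrong when planning timers, so here is an offline model of them. This is an added example written for this page, not code from HP or the manual; it abstracts each detection interval to one pass/fail result per method and does not model the real command's probe interval or its own retry count. The probe log and user lists are constructed.

```python
# Added example, not from the HP manual: an offline model of the two rules
# described above, so the effect of "portal server ... server-detect" with both
# methods and of "user-sync ... retry N" can be reasoned about before deployment.
# Each detection interval is abstracted to one result per method; the real
# command's probe interval and its own retry count are not modelled.


class PortalServerMonitor:
    """Reachability of a portal server probed by one or more methods.

    Rule from the manual: with both methods configured, the server is
    unreachable as soon as one method fails, and counts as recovered only
    when both succeed in the same interval.
    """

    def __init__(self, methods=("http", "portal-heartbeat")):
        self.methods = tuple(methods)
        self.reachable = True
        self.transitions = []      # (event, interval index)

    def probe(self, index, results):
        """results maps method name -> True (succeeded) / False (failed)."""
        all_ok = all(results[m] for m in self.methods)
        if self.reachable and not all_ok:
            self.reachable = False
            self.transitions.append(("unreachable", index))
        elif not self.reachable and all_ok:
            self.reachable = True
            self.transitions.append(("recovered", index))
        return self.reachable


class UserSyncTracker:
    """Logs a user off when absent from `retries` consecutive sync packets."""

    def __init__(self, online_users, retries=4):
        if not 1 <= retries <= 5:
            raise ValueError("retry ranges from 1 to 5")
        self.retries = retries
        self.missed = {user: 0 for user in online_users}
        self.logged_off = []

    def receive_sync(self, users_on_server):
        """Process one user-synchronization packet; return users still online."""
        for user in list(self.missed):
            if user in users_on_server:
                self.missed[user] = 0          # seen again: counter restarts
                continue
            self.missed[user] += 1
            if self.missed[user] >= self.retries:
                self.logged_off.append(user)
                del self.missed[user]
        return sorted(self.missed)


# Constructed probe log: http fails in interval 1, the heartbeat fails in
# interval 2, both succeed again in interval 3.
PROBES = [
    {"http": True,  "portal-heartbeat": True},
    {"http": False, "portal-heartbeat": True},
    {"http": True,  "portal-heartbeat": False},
    {"http": True,  "portal-heartbeat": True},
]


def run_detection(probe_log):
    """Feed a probe log through the monitor and return its state transitions."""
    monitor = PortalServerMonitor()
    for index, results in enumerate(probe_log):
        monitor.probe(index, results)
    return monitor.transitions


if __name__ == "__main__":
    print(run_detection(PROBES))
    tracker = UserSyncTracker(["user1", "user2"], retries=2)
    tracker.receive_sync({"user1"})
    print(tracker.receive_sync({"user1"}), tracker.logged_off)
```

The asymmetry matters operationally: one flapping method (for example HTTP probes lost to a transient path problem while heartbeats keep arriving) is enough to put the server into the unreachable state and trigger the configured action, and with `permit-all` that means unauthenticated access until both methods are healthy again.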
  • Page 171: Reset Portal Connection Statistics

    Parameters port-number: Web proxy server port number, in the range of 1 to 65535. all: Specifies all Web proxy server port numbers. Description Use the portal web-proxy port command to add the port number of a Web proxy server, so that HTTP requests forwarded by the Web proxy server trigger portal authentication.
  • Page 172: Reset Portal Server Statistics

    reset portal server statistics Syntax reset portal server statistics { all | interface interface-type interface-number } View User view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the reset portal server statistics command to clear portal server statistics on a specific interface or all interfaces.
  • Page 173: Port Security Configuration Commands

    Port security configuration commands display port-security Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 174 RALM logoff trap is enabled RALM logfailure trap is enabled Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet1/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is DisablePort Max MAC address number is 50 Stored MAC address number is 0...
  • Page 175: Display Port-Security Mac-Address Block

    Field Description Port security mode, which can be one of the following modes: • noRestrictions • autoLearn • macAddressWithRadius • macAddressElseUserLoginSecure • macAddressElseUserLoginSecureExt Port mode • secure • userLogin • userLoginSecure • userLoginSecureExt • macAddressOrUserLoginSecure • macAddressOrUserLoginSecureExt • userLoginWithOUI Need to know (NTK) mode, which can be one of the following modes: •...
  • Page 176 View Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID, which is in the range 1 to 4094. count: Displays only the count of the blocked MAC addresses. |: Filters command output by specifying a regular expression.
  • Page 177: Display Port-Security Mac-Address Security

    --- 1 MAC address(es) found --- # Display information about all blocked MAC addresses of port GigabitEthernet1/0/1. <Sysname> display port-security mac-address block interface gigabitethernet1/0/1 MAC ADDR From Port VLAN ID 000f-3d80-0d2d GigabitEthernet1/0/1 --- On slot 1, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses of port GigabitEthernet1/0/1 in VLAN 30.
  • Page 178 begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, which is a case sensitive string of 1 to 256 characters. Description Use the display port-security mac-address security command to display information about secure MAC addresses.
  • Page 179: Port-Security Authorization Ignore

    Table 22 Output description Field Description MAC ADDR Secure MAC address VLAN ID ID of the VLAN to which the port belongs Type of the MAC address added. "Security" means it is a secure MAC STATE address. PORT INDEX Port to which the secure MAC address belongs Period of time before the secure MAC address ages out.
  • Page 180: Port-Security Enable

    port-security enable Syntax port-security enable undo port-security enable View System view Default level 2: System level Parameters None Description Use the port-security enable command to enable port security. Use the undo port-security enable command to disable port security. By default, port security is disabled. Port security cannot be enabled when 802.1X or MAC authentication is enabled globally.
  • Page 181: Port-Security Mac-Address Security

    Default level 2: System level Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
  • Page 182: Port-Security Max-Mac-Count

    interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number. vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. vlan-id represents the ID of the VLAN in the range 1 to 4094. Make sure that you have assigned the Layer 2 port to the specified VLAN.
  • Page 183: Port-Security Ntk-Mode

    By default, the maximum number of secure MAC addresses is not limited. Secure MAC addresses include MAC addresses automatically learned by the port in a security mode and those configured manually with the port-security mac-address security command. The maximum number of secure MAC addresses for a port must not be less than the number of MAC addresses stored on the port.
  • Page 184: Port-Security Oui

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly port-security oui Syntax port-security oui oui-value index index-value undo port-security oui index index-value View System view Default level 2: System level Parameters oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format.
  • Page 185 Default level 2: System level Parameters Keyword Security mode Description In this mode, a port can learn MAC addresses, and allows frames sourced from learned or configured MAC addresses to pass. These dynamically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 186 Keyword Security mode Description Similar to the userLoginSecure mode except that this mode userlogin-secure-ext userLoginSecureExt supports multiple online 802.1X users. This mode is the combination of the userLoginSecure and macAddressWithRadius modes. userlogin-secure-or-mac macAddressOrUserLoginSecure For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
  • Page 187: Port-Security Timer Disableport

    port-security timer disableport Syntax port-security timer disableport time-value undo port-security timer disableport View System view Default level 2: System level Parameters time-value: Specifies the silence period during which the port remains disabled, in seconds. It ranges from 20 to 300. Description Use the port-security timer disableport command to set the silence period during which the port remains disabled.
  • Page 188 Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
  • Page 189: User Profile Configuration Commands

    User profile configuration commands display user-profile Syntax display user-profile [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 190: User-Profile Enable

    Field Description User profile User profile name Authentication type of the user profile, which takes one of the following values: AuthType • DOT1X: 802.1X authentication • PORTAL: portal authentication Total user profiles Total number of user profiles that have been created Enabled user profiles Total number of user profiles that have been enabled user-profile enable...
  • Page 191 Default level 2: System level Parameters profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can contain only English letters, digits, and underscores, and it must start with an English letter. A user profile name must be globally unique.
  • Page 192: Password Control Configuration Commands

    Password control configuration commands The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Syntax display password-control [ super ] [ | { begin | exclude | include } regular-expression ]...
  • Page 193: Display Password-Control Blacklist

    Login with aged password: 3 times in 30 days Password complexity: Disabled (username checking) Disabled (repeated characters checking) # Display the password control configuration information for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition:...
  • Page 194: Password

    Default level 2: System level Parameters user-name name: Specifies a user by the name, which is a string of 1 to 80 characters. ip ipv4-address: IPv4 address of a user. ipv6 ipv6-address: IPv6 address of a user. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 195: Password-Control Aging

    View Local user view Default level 2: System level Parameters None Description Use the password command to set a password for a local user in interactive mode. Use the undo password command to remove the password for a local user. Valid characters for a local user password include uppercase letters A to Z, lowercase letters a to z, •...
  • Page 196: Password-Control Alert-Before-Expire

    The setting in system view has global significance and applies to all user groups, the setting in user • group view applies to all local users in the user group, and the setting in local user view applies to only the local user. •...
  • Page 197: Password-Control Authentication-Timeout

    password-control authentication-timeout Syntax password-control authentication-timeout authentication-timeout undo password-control authentication-timeout View System view Default level 2: System level Parameters authentication-timeout: User authentication timeout time in seconds, in the range 30 to 120. Description Use the password-control authentication-timeout command to set the user authentication timeout time. Use the undo password-control authentication-timeout command to restore the default.
  • Page 198: Password-Control Composition

    Related commands: display password-control. Examples # Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username. <Sysname> system-view [Sysname] password-control complexity user-name check password-control composition Syntax password-control composition type-number type-number [ type-length type-length ] undo password-control composition View System view, user group view, local user view...
  • Page 199: Password-Control { Aging | Composition | History | Length } Enable

    Examples # Specify that all passwords must contain at least three types of characters and each type must contain at least five characters. <Sysname> system-view [Sysname] password-control composition type-number 3 type-length 5 # Specify that the password of the user group test must contain at least three types of characters and each type must contain at least five characters.
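The composition rule just configured (at least three character types, each contributing at least five characters) combines with the minimum length, the two complexity checks described under password-control complexity (no username or reversed username in the password, no repeated characters) and the history records. The following offline model of those checks is an added example written for this page, not HP code or the switch's implementation; it lets a candidate policy be tested against real passwords before it is enforced. The four character classes, the repeated-character threshold of three in a row and the sample passwords are assumptions of this example.

```python
# Added example, not from the HP manual: an offline model of the password
# control rules configured in this chapter (minimum length, composition,
# complexity and history). Use it to test a candidate policy such as
# "type-number 3 type-length 5" against real passwords before enforcing it.
# The character classes and the repeated-character threshold below are
# assumptions of this example, not values taken from the manual.
import string

CHAR_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def composition_ok(password, type_number, type_length):
    """At least `type_number` character types must each occur >= `type_length` times."""
    counts = [sum(1 for c in password if c in chars) for chars in CHAR_TYPES.values()]
    return sum(1 for n in counts if n >= type_length) >= type_number


def username_check_ok(password, username):
    """Complexity rule: the password may not contain the username or its reverse."""
    return username not in password and username[::-1] not in password


def repeated_chars_ok(password, max_run=3):
    """Complexity rule: no character repeated `max_run` or more times in a row (threshold assumed)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= max_run:
            return False
    return True


def evaluate(password, username, policy, history=()):
    """Return the names of the rules the password violates; an empty list means accepted."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("length")
    if not composition_ok(password, policy["type_number"], policy["type_length"]):
        failures.append("composition")
    if policy["username_check"] and not username_check_ok(password, username):
        failures.append("username")
    if policy["repeated_check"] and not repeated_chars_ok(password):
        failures.append("repeated")
    if password in history:     # records kept by "password-control history N"
        failures.append("history")
    return failures


# Policy matching the example above (3 types, 5 of each), plus a 10-character
# minimum and both complexity checks enabled.
POLICY = {"min_length": 10, "type_number": 3, "type_length": 5,
          "username_check": True, "repeated_check": True}

if __name__ == "__main__":
    for pw in ("ABCDEabcde12345", "Abcde12345!@#$%", "ABCDEnimda12345", "ABCDEabddd12345"):
        print(pw, evaluate(pw, "admin", POLICY) or "accepted")
```

Note that type-length is a per-type count, not a positional rule: a 15-character password with one uppercase letter, four lowercase letters, five digits and five symbols fails a "3 types, 5 each" policy even though it uses all four classes, which is the case most often reported as a surprise when the policy is rolled out.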
  • Page 200: Password-Control Enable

    The system stops recording history passwords after you execute the undo password-control history • enable command, but it does not delete the prior records. Related commands: display password-control and password-control enable. Examples # Enable the password control feature globally. <Sysname> system-view [Sysname] password-control enable # Enable the password composition restriction function.
  • Page 201: Password-Control Expired-User-Login

    password-control expired-user-login Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login View System view Default level 2: System level Parameters delay: Maximum number of days during which a user can log in using an expired password. It must be in the range 1 to 90.
  • Page 202: Password-Control Length

    By default, the maximum number of history password records for each user is 4. Examples # Set the maximum number of history password records for each user to 10. <Sysname> system-view [Sysname] password-control history 10 password-control length Syntax password-control length length undo password-control length View System view, user group view, local user view...
  • Page 203: Password-Control Login Idle-Time

    [Sysname-ugroup-test] password-control length 9 [Sysname-ugroup-test] quit # Set the minimum password length to 9 characters for local user abc. [Sysname] local-user abc [Sysname-luser-abc] password-control length 9 password-control login idle-time Syntax password-control login idle-time idle-time undo password-control login idle-time View System view Default level 2: System level Parameters...
  • Page 204 exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts. lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in. lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
  • Page 205: Password-Control Password Update Interval

    Total 1 blacklist item(s) matched. 1 listed. After three minutes, the user is removed from the blacklist and can log in again. password-control password update interval Syntax password-control password update interval interval undo password-control password update interval View System view Default level 2: System level Parameters...
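To see how the login-attempt limit and its two exceed actions behave against a password-guessing attempt, here is an offline model driven by a constructed stream of login events. It is an added example written for this page, not HP code; the attempt limit of 3, the interpretation of lock-time in minutes (as the "after three minutes" example above implies) and the event times are assumptions of this example, so confirm the live values with display password-control.

```python
# Added example, not from the HP manual: a model of the login-attempt limit
# and the two "exceed" actions described above (lock, lock-time), driven by
# constructed login events. The attempt limit of 3 and lock-time in minutes
# are assumptions of this example; confirm them with "display password-control".


class LoginAttemptPolicy:
    def __init__(self, max_attempts=3, exceed="lock-time", lock_time=3):
        if exceed not in ("lock", "lock-time"):
            raise ValueError("exceed must be 'lock' or 'lock-time'")
        self.max_attempts = max_attempts
        self.exceed = exceed
        self.lock_seconds = lock_time * 60
        self.failures = {}      # user -> consecutive failed attempts
        self.blacklist = {}     # user -> release time (seconds); None = permanent

    def attempt(self, user, password_ok, now):
        """Outcome of one login attempt at time `now` (seconds)."""
        if user in self.blacklist:
            release = self.blacklist[user]
            if release is None or now < release:
                return "denied"             # still on the blacklist
            del self.blacklist[user]         # lock-time expired: removed from blacklist
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.blacklist[user] = None if self.exceed == "lock" else now + self.lock_seconds
            return "blacklisted"
        return "failed"

    def blacklisted_users(self, now):
        """Users the blacklist still holds at time `now`."""
        return sorted(u for u, rel in self.blacklist.items() if rel is None or now < rel)


def simulate(policy, events):
    """events: (user, password_ok, time) tuples; returns the outcome of each."""
    return [policy.attempt(*event) for event in events]


# Constructed event stream: three wrong guesses against "bob", then the real
# user presenting the correct password inside and after the 3-minute lock-time.
EVENTS = [
    ("bob", False, 0), ("bob", False, 5), ("bob", False, 10),
    ("bob", True, 60), ("bob", True, 200),
]

if __name__ == "__main__":
    print(simulate(LoginAttemptPolicy(), EVENTS))
    print(simulate(LoginAttemptPolicy(exceed="lock"), EVENTS))
```

The fourth event shows the cost of the feature: while the attacker's guesses have bob on the blacklist, bob's own correct password is rejected, which is why lock-time is normally preferred over lock for accounts that an attacker can name, and why the reset password-control blacklist command exists for the permanent case.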
  • Page 206: Password-Control Super Composition

    Description Use the password-control super aging command to set the aging time for super passwords. Use the undo password-control super aging command to restore the default. By default, no aging time is set specifically for super passwords, and the system applies the global password aging time to them.
  • Page 207: Password-Control Super Length

    Examples # Specify that the super passwords must each contain at least three types of characters and each type contains at least five characters. <Sysname> system-view [Sysname] password-control super composition type-number 3 type-length 5 password-control super length Syntax password-control super length length undo password-control super length View System view...
  • Page 208: Reset Password-Control History-Record

    Parameters all: Clears all users in the password control blacklist. user-name name: Specifies the username of the user to be removed from the blacklist. name is a case-sensitive string of 1 to 80 characters. Description Use the reset password-control blacklist command to remove all or one user from the blacklist. Related commands: display password-control blacklist.
  • Page 209: Habp Configuration Commands

    HABP configuration commands display habp Syntax display habp [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 210: Display Habp Table

    display habp table Syntax display habp table [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 211: Habp Client Vlan

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 212: Habp Enable

    Description Use the habp client vlan command to specify the VLAN to which the HABP client belongs. HABP packets will be transmitted within the VLAN. Use the undo habp client vlan command to restore the default. By default, an HABP client belongs to VLAN 1. Examples # Specify the HABP client to belong to VLAN 2.
  • Page 213: Habp Timer

    Parameters vlan-id: ID of the VLAN in which HABP packets are to be transmitted, in the range 1 to 4094. Description Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN in which HABP packets are to be transmitted.
  • Page 214: Public Key Configuration Commands

    Public key configuration commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]...
  • Page 215 28F0F5CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCDB5DB620CD1F471401B7117139702348444A2D8900497A87B8D5F13D61C4DEFA3D14A7DC07624791FC1D226F62DF30203010001 ===================================================== Time of Key pair created: 19:59:17 2011/01/25 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2011/01/25...
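The "Key code" hex that display public-key local rsa public prints is a DER-encoded SubjectPublicKeyInfo, so the modulus size and exponent can be recovered from it without any vendor tooling, which is the check to run before trusting a key for SSH. The decoder below is an added example written for this page, not HP code; its only input is the SERVER_KEY hex shown above, with the line-wrapping spaces removed. The 2048-bit threshold is this example's choice of minimum, not a value from the manual.

```python
# Added example, not from the HP manual: decode the "Key code" hex that
# "display public-key local rsa public" prints, to recover the modulus size and
# exponent. The key code is a DER-encoded SubjectPublicKeyInfo; the bytes below
# are copied from the SERVER_KEY shown above, with the wrapping spaces removed.

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption

SERVER_KEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75"
    "1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_rsa_public_key(key_code_hex):
    """Return (modulus, exponent) from an rsaEncryption SubjectPublicKeyInfo."""
    der = bytes.fromhex("".join(key_code_hex.split()))
    tag, spki, end = _tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single SEQUENCE")
    tag, alg, pos = _tlv(spki)              # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa_pub, _ = _tlv(bits[1:])
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n_bytes, pos = _tlv(rsa_pub)
    e_tag, e_bytes, _ = _tlv(rsa_pub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_strength(key_code_hex, minimum_bits=2048):
    """Modulus length in bits, and whether it meets the given minimum."""
    n, _ = parse_rsa_public_key(key_code_hex)
    return n.bit_length(), n.bit_length() >= minimum_bits


if __name__ == "__main__":
    bits, ok = key_strength(SERVER_KEY_HEX)
    print(f"SERVER_KEY: RSA-{bits}, meets 2048-bit minimum: {ok}")
```

Run against the page's own output, the decoder reports a 768-bit modulus with exponent 65537: the SERVER_KEY shown in this example is far below current minimums, and the same check applied to the host key is how to confirm that the modulus length chosen at public-key local create time is the one actually in use.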
  • Page 216: Display Public-Key Peer

    display public-key peer Syntax display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters brief: Displays brief information about all the public keys of remote hosts. name publickey-name: Displays information about a remote host's public key.
  • Page 217: Peer-Public-Key End

    Spaces and carriage returns are allowed between characters. If the remote host is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
  • Page 218: Public-Key-Code End

    Do not configure an RSA server public key of the remote host for identity authentication in SSH applications. Authentication in SSH applications uses the RSA host public key. For more information about SSH, see the chapter "SSH2.0 configuration."
    Related commands: public-key peer and public-key-code end.
    Examples
    # Enter public key code view and input the key.
  • Page 219: Public-Key Local Create

    [Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6 B80EB5F52698FCF3D6
    [Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301
    [Sysname-pkey-key-code]0001
    [Sysname-pkey-key-code] public-key-code end
    [Sysname-pkey-public-key]
    public-key local create
    Syntax
    public-key local create { dsa | rsa }
    View
    System view
    Default level
    2: System level
    Parameters
    dsa: Creates a DSA key pair.
    rsa: Creates an RSA key pair.
    Description
    Use the public-key local create command to create local key pairs.
  • Page 220: Public-Key Local Destroy

    ++++++++
    ++++++++
    # Create a local DSA key pair.
    <Sysname> system-view
    [Sysname] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
  • Page 221

    View
    System view
    Default level
    2: System level
    Parameters
    openssh: Uses the format of OpenSSH.
    ssh2: Uses the format of SSH2.0.
    filename: Specifies the name of the file for storing the local public key. For more information about file name, see the Fundamentals Configuration Guide.
    Description
    Use the public-key local export dsa command to display the local DSA public key on the screen or export it to a specified file.
  • Page 222: Public-Key Local Export Rsa

    public-key local export rsa
    Syntax
    In non-FIPS mode:
    public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
    In FIPS mode:
    public-key local export rsa { openssh | ssh2 } [ filename ]
    View
    System view
    Default level
    2: System level
    Parameters...
  • Page 223: Public-Key Peer

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j +o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
    public-key peer
    Syntax
    public-key peer keyname
    undo public-key peer keyname
    View
    System view
    Default level
    2: System level
    Parameters
    keyname: Specifies the public key name of a remote host, a case-sensitive string of 1 to 64 characters.
    Description
    Use the public-key peer command to specify a name for a remote host's public key and enter public key view.
  • Page 224

    Default level
    2: System level
    Parameters
    keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
    filename: Specifies the name of the file that saves a remote host's host public key. For more information about file name, see the Fundamentals Configuration Guide.
    Description
    Use the public-key peer import sshkey command to import a remote host's host public key from the public key file.
  • Page 225: Pki Configuration Commands

    PKI configuration commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    attribute
    Syntax
    attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn |...
  • Page 226: Ca Identifier

    The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute.
    Examples
    # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
    <Sysname>...
  • Page 227: Certificate Request From

    View
    PKI domain view
    Default level
    2: System level
    Parameters
    entity-name: Specifies an entity name, a case-insensitive string of 1 to 15 characters.
    Description
    Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration.
    By default, no entity is specified for certificate request.
  • Page 228: Certificate Request Mode

    certificate request mode
    Syntax
    certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
    undo certificate request mode
    View
    PKI domain view
    Default level
    2: System level
    Parameters
    auto: Specifies to request a certificate in auto mode.
    key-length: Specifies the length of the RSA keys in bits.
  • Page 229: Certificate Request Url

    View
    PKI domain view
    Default level
    2: System level
    Parameters
    count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range 1 to 100.
    interval minutes: Specifies the polling interval in minutes, in the range 5 to 168.
    Description
    Use the certificate request polling command to specify the certificate request polling interval and attempt limit.
  • Page 230: Common-Name

    Use the undo certificate request url command to remove the configuration.
    By default, no URL is specified for a PKI domain.
    Examples
    # Specify the URL of the server for certificate request.
    <Sysname> system-view
    [Sysname] pki domain 1
    [Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
    common-name
    Syntax...
  • Page 231: Crl Check

    Parameters
    country-code-str: Specifies a country code for the entity, a case-insensitive string of 2 characters.
    Description
    Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use the undo country command to remove the configuration.
  • Page 232: Crl Url

    View
    PKI domain view
    Default level
    2: System level
    Parameters
    hours: Specifies the CRL update period in hours, in the range 1 to 720.
    Description
    Use the crl update-period command to set the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server.
  • Page 233: Display Pki Certificate

    [Sysname-pki-domain-1] crl url ldap://169.254.0.30
    display pki certificate
    Syntax
    display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
    View
    Any view
    Default level
    2: System level
    Parameters
    ca: Displays the CA certificate.
  • Page 234: Display Pki Certificate Access-Control-Policy

    Validity
    Not Before: Jan 13 08:57:21 2004 GMT
    Not After : Jan 20 09:07:21 2005 GMT
    Subject:
    C=CN
    ST=Country B
    L=City Y
    CN=pki test
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
    Modulus (512 bit):
    00D41D1F …...
  • Page 235: Display Pki Certificate Attribute-Group

    Default level
    1: Monitor level
    Parameters
    policy-name: Specifies a certificate attribute-based access control policy by its name, a string of 1 to 16 characters.
    all: Specifies all certificate attribute-based access control policies.
    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 236: Display Pki Crl Domain

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
    begin: Displays the first line that matches the specified regular expression and all lines that follow.
    exclude: Displays all lines that do not match the specified regular expression.
    include: Displays all lines that match the specified regular expression.
  • Page 237

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
    begin: Displays the first line that matches the specified regular expression and all lines that follow.
    exclude: Displays all lines that do not match the specified regular expression.
    include: Displays all lines that match the specified regular expression.
  • Page 238: Fqdn

    Field: Description
    keyid: ID of the public key. A CA might have multiple key pairs. This field indicates the key pair used by the CRL's signature.
    Revoked Certificates: Revoked certificates
    Serial Number: Serial number of the revoked certificate
    Revocation Date: Revocation date of the certificate
    fqdn
    Syntax...
  • Page 239: Ldap-Server

    Default level
    2: System level
    Parameters
    ip-address: Configure the IP address of an entity.
    Description
    Use the ip command to configure the IP address of an entity. Use the undo ip command to remove the configuration.
    By default, no IP address is configured for an entity.
    Examples
    # Configure the IP address of PKI entity 1 as 11.0.0.1.
  • Page 240: Locality

    locality
    Syntax
    locality locality-name
    undo locality
    View
    PKI entity view
    Default level
    2: System level
    Parameters
    locality-name: Specifies a geographical locality name, a case-insensitive string of 1 to 31 characters. No comma can be included.
    Description
    Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name.
  • Page 241: Organization-Unit

    Examples
    # Configure the name of the organization to which an entity belongs as test-lab.
    <Sysname> system-view
    [Sysname] pki entity 1
    [Sysname-pki-entity-1] organization test-lab
    organization-unit
    Syntax
    organization-unit org-unit-name
    undo organization-unit
    View
    PKI entity view
    Default level
    2: System level
    Parameters
    org-unit-name: Specifies an organization unit name, a case-insensitive string of 1 to 31 characters.
  • Page 242: Pki Certificate Attribute-Group

    Description
    Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view. Use the undo pki certificate access-control-policy command to remove one or all certificate attribute-based access control policies.
    No access control policy exists by default.
    Examples
    # Configure an access control policy named mypolicy and enter its view.
  • Page 243: Pki Domain

    Default level
    2: System level
    Parameters
    ca: Deletes the locally stored CA certificate.
    local: Deletes the locally stored local certificate.
    domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
    Description
    Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain.
    Examples
    # Delete the local certificate for PKI domain cer.
  • Page 244: Pki Import-Certificate

    View
    System view
    Default level
    2: System level
    Parameters
    entity-name: Specifies a name for the entity, a case-insensitive string of 1 to 15 characters.
    Description
    Use the pki entity command to create a PKI entity and enter its view. Use the undo pki entity command to remove a PKI entity.
    By default, no entity exists.
  • Page 245: Pki Request-Certificate Domain

    Related commands: pki domain.
    Examples
    # Import the CA certificate for PKI domain cer in the format of PEM.
    <Sysname> system-view
    [Sysname] pki import-certificate ca domain cer pem
    pki request-certificate domain
    Syntax
    pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
    View
    System view
    Default level...
  • Page 246: Pki Retrieval-Certificate

    pki retrieval-certificate
    Syntax
    pki retrieval-certificate { ca | local } domain domain-name
    View
    System view
    Default level
    2: System level
    Parameters
    ca: Retrieves the CA certificate.
    local: Retrieves the local certificate.
    domain-name: Specifies the name of the PKI domain used for certificate request.
    Description
    Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate distribution.
  • Page 247: Pki Validate-Certificate

    pki validate-certificate
    Syntax
    pki validate-certificate { ca | local } domain domain-name
    View
    System view
    Default level
    2: System level
    Parameters
    ca: Verifies the CA certificate.
    local: Verifies the local certificate.
    domain-name: Specifies the name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
  • Page 248: Rule (Pki Cert Acp View)

    Use the undo root-certificate fingerprint command to remove the configuration.
    By default, no fingerprint is configured for verifying the validity of the CA root certificate.
    Examples
    # Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
    <Sysname>...
  • Page 249: State

    [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
    state
    Syntax
    state state-name
    undo state
    View
    PKI entity view
    Default level
    2: System level
    Parameters
    state-name: Specifies a state or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
    Description
    Use the state command to specify the name of the state or province where an entity resides.
  • Page 250: Ssh2.0 Configuration Commands

    SSH2.0 configuration commands
    The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    SSH2.0 server configuration commands
    display ssh server
    Syntax...
  • Page 251: Display Ssh User-Information

    SSH authentication-timeout : 60 second(s)
    SSH server key generating interval : 0 hour(s)
    SSH Authentication retries : 3 time(s)
    SFTP Server: Disable
    SFTP Server Idle-Timeout: 10 minute(s)
    Table 34 Output description
    Field: Description
    SSH Server: Whether the SSH server function is enabled
    SSH version: SSH protocol version. When the SSH supports SSH1, the protocol version is...
  • Page 252: Ssh Server Authentication-Retries

    Default level
    1: Monitor level
    Parameters
    username: SSH username, a string of 1 to 80 characters.
    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
    begin: Displays the first line that matches the specified regular expression and all lines that follow.
    exclude: Displays all lines that do not match the specified regular expression.
  • Page 253: Ssh Server Authentication-Timeout

    undo ssh server authentication-retries
    View
    System view
    Default level
    3: Manage level
    Parameters
    times: Maximum number of authentication attempts for SSH users, in the range 1 to 5.
    Description
    Use the ssh server authentication-retries command to set the maximum number of connection authentication attempts for SSH users.
  • Page 254: Ssh Server Compatible-Ssh1X

    By default, the authentication timeout period is 60 seconds.
    Related commands: display ssh server.
    Examples
    # Set the SSH user authentication timeout period to 10 seconds.
    <Sysname> system-view
    [Sysname] ssh server authentication-timeout 10
    ssh server compatible-ssh1x
    Syntax
    ssh server compatible-ssh1x [ enable ]
    undo ssh server compatible-ssh1x
    View
    System view...
  • Page 255: Ssh Server Rekey-Interval

    Default level
    3: Manage level
    Parameters
    None
    Description
    Use the ssh server enable command to enable the SSH server function. Use the undo ssh server enable command to disable the SSH server function.
    By default, SSH server is disabled.
    Examples
    # Enable SSH server.
  • Page 256: Ssh User

    ssh user
    Syntax
    In non-FIPS mode:
    ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
    ssh user username service-type { all | scp | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }
    undo ssh user username
    In FIPS mode:...
  • Page 257: Ssh2.0 Client Configuration Commands

    Use the undo ssh user command to delete an SSH user. For a publickey authentication user, you must configure the username and the public key on the device. For a password authentication user, you can configure the account information on either the device or the remote authentication server such as a RADIUS server.
  • Page 258: Display Ssh Server-Info

    Description
    Use the display ssh client source command to display the source IP address or source interface currently set for the SSH client. If neither a source IP address nor a source interface is specified for the SSH client, the system displays the message "Neither source IP address nor source interface was specified for the Stelnet client."...
  • Page 259: Ssh Client Authentication Server

    192.168.0.1 abc_key01
    192.168.0.2 abc_key02
    Table 37 Output description
    Field: Description
    Server Name(IP): Name or IP address of the server
    Server public key name: Name of the host public key of the server
    ssh client authentication server
    Syntax
    ssh client authentication server server assign publickey keyname
    undo ssh client authentication server server assign publickey
    View
    System view...
  • Page 260: Ssh Client Ipv6 Source

    undo ssh client first-time
    View
    System view
    Default level
    2: System level
    Parameters
    enable: Enables the first-time authentication of the SSH client to the SSH server. This keyword is optional; the command enables first-time authentication whether or not it is specified.
    Description
    Use the ssh client first-time command to enable the first-time authentication function.
  • Page 261: Ssh Client Source

    Description
    Use the ssh client ipv6 source command to specify the source IPv6 address or source interface for the SSH client. Use the undo ssh client ipv6 source command to remove the configuration.
    By default, an SSH client uses the IPv6 address of the interface specified by the route of the device to access the SSH server.
  • Page 262

    ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    In FIPS mode:
    ssh2 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } |...
  • Page 263: Ssh2 Ipv6

    algorithm by using the identity-key keyword to get the correct data for the local private key. By default, the public key algorithm is DSA.
    Examples
    # Log in to remote SSH2.0 server 10.214.50.51, using the following algorithms:
    • Preferred key exchange algorithm: DH-group1
    ...
  • Page 264

    prefer-kex: Preferred key exchange algorithm, default to dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode.
    • dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.
    • dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.
    • dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.
    prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.
    prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1-96.
  • Page 265: Sftp Configuration Commands

    SFTP configuration commands
    The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    SFTP server configuration commands
    sftp server enable
    Syntax...
  • Page 266: Sftp Client Configuration Commands

    Parameters
    time-out-value: Timeout period in minutes. It ranges from 1 to 35,791.
    Description
    Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections. Use the undo sftp server idle-timeout command to restore the default.
    By default, the idle timeout period is 10 minutes.
  • Page 267: Cdup

    Default level
    3: Manage level
    Parameters
    remote-path: Name of a path on the server.
    Description
    Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path.
    NOTE: You can use the cd ..
  • Page 268: Dir

    Default level
    3: Manage level
    Parameters
    remote-file&<1-10>: Names of files on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.
    Description
    Use the delete command to delete files from a server. This command functions as the remove command.
  • Page 269: Display Sftp Client Source

    Examples
    # Display detailed information about the files and sub-directories under the current working directory in the form of a list.
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup...
  • Page 270: Get

    View
    SFTP client view
    Default level
    3: Manage level
    Parameters
    None
    Description
    Use the exit command to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and quit commands.
    Examples
    # Terminate the connection with the remote SFTP server.
  • Page 271

    View
    SFTP client view
    Default level
    3: Manage level
    Parameters
    all: Displays a list of all commands.
    command-name: Name of a command.
    Description
    Use the help command to display a list of all commands or the help information of an SFTP client command.
  • Page 272: Mkdir

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
    drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
    drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
    -rwxrwxrwx 1 noone...
  • Page 273: Pwd

    sftp-client> put temp.c temp1.c
    Local file:temp.c ---> Remote file: /temp1.c
    Uploading file successfully ended
    pwd
    Syntax
    pwd
    View
    SFTP client view
    Default level
    3: Manage level
    Parameters
    None
    Description
    Use the pwd command to display the current working directory of a remote SFTP server.
    Examples
    # Display the current working directory of the remote SFTP server.
  • Page 274: Remove

    remove
    Syntax
    remove remote-file&<1-10>
    View
    SFTP client view
    Default level
    3: Manage level
    Parameters
    remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.
    Description
    Use the remove command to delete files from a remote server.
  • Page 275: Rmdir

    rmdir
    Syntax
    rmdir remote-path&<1-10>
    View
    SFTP client view
    Default level
    3: Manage level
    Parameters
    remote-path&<1-10>: Names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names that are separated by space.
    Description
    Use the rmdir command to delete the specified directories from an SFTP server.
  • Page 276: Sftp Client Ipv6 Source

    • aes128: Encryption algorithm aes128-cbc.
    • aes256: Encryption algorithm aes256-cbc.
    • des: Encryption algorithm des-cbc.
    prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96.
    • md5: HMAC algorithm hmac-md5.
    • md5-96: HMAC algorithm hmac-md5-96.
    • sha1: HMAC algorithm hmac-sha1.
    • sha1-96: HMAC algorithm hmac-sha1-96.
  • Page 277: Sftp Client Source

    Parameters
    ipv6 ipv6-address: Specifies a source IPv6 address.
    interface interface-type interface-number: Specifies a source interface by its type and number.
    Description
    Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for an SFTP client. Use the undo sftp client ipv6 source command to remove the configuration.
  • Page 278: Sftp Ipv6

    sftp ipv6
    Syntax
    In non-FIPS mode:
    sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    In FIPS mode:...
  • Page 279

    When the client's authentication method is publickey, the client needs to get the local private key for validation. As the publickey authentication includes RSA and DSA algorithms, you must specify an algorithm by using the identity-key keyword to get the correct data for the local private key. By default, the public key algorithm is DSA.
  • Page 280: Scp Configuration Commands

    SCP configuration commands
    The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    SCP client configuration commands
    Syntax
    In non-FIPS mode:...
  • Page 281

    prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.
    • md5: Specifies the HMAC algorithm hmac-md5.
    • md5-96: Specifies the HMAC algorithm hmac-md5-96.
    • sha1: Specifies the HMAC algorithm hmac-sha1.
    • sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
    prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode.
  • Page 282: Ssl Configuration Commands

    SSL configuration commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    ciphersuite
    Syntax
    In non-FIPS mode:...
  • Page 283: Client-Verify Enable

    [Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha
    client-verify enable
    Syntax
    client-verify enable
    undo client-verify enable
    View
    SSL server policy view
    Default level
    2: System level
    Parameters
    None
    Description
    Use the client-verify enable command to enable certificate-based SSL client authentication so that the SSL server authenticates the client by the client's certificate during the SSL handshake process.
  • Page 284: Display Ssl Client-Policy

    Use the undo close-mode wait command to restore the default.
    By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.
    Related commands: display ssl server-policy.
    Examples
    # Set the SSL connection close mode to wait.
  • Page 285: Display Ssl Server-Policy

    Table 38 Output description
    Field: Description
    SSL Client Policy: SSL client policy name
    SSL Version: Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0
    PKI Domain: PKI domain of the SSL client policy
    Prefer Ciphersuite: Preferred cipher suite of the SSL client policy
    Server-verify: Whether server authentication is enabled for the SSL...
  • Page 286: Handshake Timeout

    RSA_AES_128_CBC_SHA
    RSA_AES_256_CBC_SHA
    Handshake Timeout: 3600
    Close-mode: wait disabled
    Session Timeout: 3600
    Session Cachesize: 500
    Client-verify: disabled
    Table 39 Output description
    Field: Description
    SSL Server Policy: SSL server policy name
    PKI Domain: PKI domain used by the SSL server policy
    Ciphersuite: Cipher suites supported by the SSL server policy
    Handshake Timeout: Handshake timeout time of the SSL server policy, in...
  • Page 287: Pki-Domain

    Parameters
    time: Handshake timeout time in seconds, in the range 180 to 7200.
    Description
    Use the handshake timeout command to set the handshake timeout time for an SSL server policy. Use the undo handshake timeout command to restore the default.
    By default, the handshake timeout time is 3600 seconds.
  • Page 288: Prefer-Cipher

    prefer-cipher
    Syntax
    In non-FIPS mode:
    prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
    undo prefer-cipher
    In FIPS mode:
    prefer-cipher { dhe_rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha }
    undo prefer-cipher
    View
    SSL client policy view
    Default level
    2: System level
    Parameters
    dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
  • Page 289: Session

    View
    SSL client policy view
    Default level
    2: System level
    Parameters
    None
    Description
    Use the server-verify enable command to enable certificate-based SSL server authentication so that the SSL client authenticates the server by the server's certificate during the SSL handshake process. Use the undo server-verify enable command to disable certificate-based SSL server authentication.
  • Page 290: Ssl Client-Policy

    • If the number of sessions in the cache reaches the maximum, SSL does not cache new sessions.
    • If a session has been cached for a period equal to the caching timeout time, SSL removes the information of the session.
    Related commands: display ssl server-policy.
  • Page 291: Version

    Default level
    2: System level
    Parameters
    policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al", or "all".
    all: Specifies all SSL server policies.
    Description
    Use the ssl server-policy command to create an SSL server policy and enter its view. Use the undo ssl server-policy command to delete a specified SSL server policy or all SSL server policies.
  • Page 292

    Examples
    # Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
    <Sysname> system-view
    [Sysname] ssl client-policy policy1
    [Sysname-ssl-client-policy-policy1] version ssl3.0...
  • Page 293: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands
    display tcp status
    Syntax
    display tcp status [ | { begin | exclude | include } regular-expression ]
    View
    Any view
    Default level
    1: Monitor level
    Parameters
    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 294: Tcp Anti-Naptha Enable

    tcp anti-naptha enable
    Syntax
    tcp anti-naptha enable
    undo tcp anti-naptha enable
    View
    System view
    Default level
    2: System level
    Parameters
    None
    Description
    Use the tcp anti-naptha enable command to enable the protection against Naptha attack. Use the undo tcp anti-naptha enable command to disable the protection against Naptha attack.
    By default, the protection against Naptha attack is disabled.
  • Page 295: Tcp Syn-Cookie Enable

    syn-received: SYN_RECEIVED state of a TCP connection.
    connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500.
    Description
    Use the tcp state command to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state will be accelerated.
  • Page 296: Tcp Timer Check-State

    tcp timer check-state
    Syntax
    tcp timer check-state time-value
    undo tcp timer check-state
    View
    System view
    Default level
    2: System level
    Parameters
    time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
    Description
    Use the tcp timer check-state command to configure the TCP connection state check interval. Use the undo tcp timer check-state command to restore the default.
  • Page 297: Ip Source Guard Configuration Commands

    IP source guard configuration commands
    display ip check source
    Syntax
    display ip check source [ ipv6 ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    View
    Any view
    Default level...
  • Page 298: Display User-Bind

    040a-0000-0000 GE1/0/3 DHCP-RLY
    # Display all IPv6 source guard entries.
    <Sysname> display ip check source ipv6
    Total entries found: 3
    MAC Address     IP Address  VLAN  Interface  Type
    040a-0000-0003  2001::3           GE1/0/1    Static-IPv6
    040a-0000-0001  2001::1           GE1/0/2    DHCPv6-SNP
    040a-0000-0002  2001::2           GE1/0/3    ND-SNP
    Table 41 Output description
    Field: Description
    Total entries found...
  • Page 299

    mac-address mac-address: Displays the static IP source guard entries of a MAC address (in the format H-H-H).
    |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
    begin: Displays the first line that matches the specified regular expression and all lines that follow.
    exclude: Displays all lines that do not match the specified regular expression.
  • Page 300: Ip Check Source

    ip check source Syntax ip check source { ip-address | ip-address mac-address | mac-address } undo ip check source View Layer 2 Ethernet interface view, VLAN interface view Default level 2: System level Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
  • Page 301: Ip Check Source Max-Entries

    Default level 2: System level Parameters ipv6: Configures dynamic IPv6 source guard. ip-address: Binds source IPv6 addresses to the port. ip-address mac-address: Binds source IPv6 addresses and MAC addresses to the port. mac-address: Binds source MAC addresses to the port. Description Use the ip check source ipv6 command to configure the dynamic IPv6 source guard function on a port.
  • Page 302: User-Bind

    By default, the maximum number of binding entries is 256 for IPv4 and 256 for IPv6. If the maximum number of IPv4 (or IPv6) binding entries to be configured is smaller than the number of IPv4 (or IPv6) binding entries that already exist on the port, the new maximum is still accepted and the existing entries are not affected.
  • Page 303: User-Bind Ipv6

    user-bind ipv6 Syntax user-bind ipv6 ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ] undo user-bind ipv6 ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ] View Layer 2 Ethernet interface view Default level 2: System level Parameters ipv6: Binds an IPv6 address. ip-address ipv6-address: Specifies the IPv6 address for the static binding.
  • Page 304: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands ARP packet rate limit configuration commands arp rate-limit Syntax arp rate-limit { disable | rate pps drop } undo arp rate-limit View Layer 2 Ethernet port view, Layer 2 aggregate interface view Default level 2: System level Parameters disable: Disables ARP packet rate limit.
  • Page 305: Arp Anti-Attack Source-Mac Aging-Time

    View System view Default level 2: System level Parameters filter: Specifies the filter mode. monitor: Specifies the monitor mode. Description Use the arp anti-attack source-mac command to enable source MAC address based ARP attack detection and specify the detection mode. Use the undo arp anti-attack source-mac command to restore the default.
  • Page 306: Arp Anti-Attack Source-Mac Exclude-Mac

    By default, the age timer for protected MAC addresses is 300 seconds (five minutes). Examples # Configure the age timer for protected MAC addresses as 60 seconds. <Sysname> system-view [Sysname] arp anti-attack source-mac aging-time 60 arp anti-attack source-mac exclude-mac Syntax arp anti-attack source-mac exclude-mac mac-address&<1-10>...
  • Page 307: Display Arp Anti-Attack Source-Mac

    Parameters threshold-value: Threshold for source MAC address based ARP attack detection, in the range 10 to 100. Description Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the switch considers this an attack.
  • Page 308: Arp Packet Source Mac Address Consistency Check Configuration Commands

    23f3-1122-3355  4094  GE1/0/2
    23f3-1122-33ff  4094  GE1/0/3
    23f3-1122-33ad  4094  GE1/0/4
    23f3-1122-33ce  4094  GE1/0/5
    ARP packet source MAC address consistency check configuration commands arp anti-attack valid-check enable Syntax arp anti-attack valid-check enable undo arp anti-attack valid-check enable View System view Default level 2: System level Parameters None...
  • Page 309: Arp Detection Configuration Commands

    View System view Default level 2: System level Parameters None Description Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function. Use the undo arp anti-attack active-ack enable command to restore the default. By default, the ARP active acknowledgement function is disabled. This feature is configured on gateway devices to identify invalid ARP packets.
  • Page 310: Arp Detection Trust

    arp detection trust Syntax arp detection trust undo arp detection trust View Layer 2 Ethernet port view, Layer 2 aggregate interface view Default level 2: System level Parameters None Description Use the arp detection trust command to configure the port as an ARP trusted port. Use the undo arp detection trust command to restore the default.
  • Page 311: Arp Restricted-Forwarding Enable

    Description Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line. Use the undo arp detection validate command to remove detected objects. If no keyword is specified, all the detected objects are removed.
  • Page 312: Display Arp Detection Statistics

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 313: Reset Arp Detection Statistics

    Description Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed. Examples # Display the ARP detection statistics of all the interfaces. <Sysname>...
  • Page 314: Arp Gateway Protection Configuration Commands

    <Sysname> reset arp detection statistics ARP gateway protection configuration commands arp filter source Syntax arp filter source ip-address undo arp filter source ip-address View Layer 2 Ethernet port view, Layer 2 aggregate interface view Default level 2: System level Parameters ip-address: IP address of a protected gateway.
  • Page 315 Parameters ip-address: Permitted sender IP address. mac-address: Permitted sender MAC address. Description Use the arp filter binding command to configure an ARP filtering entry. If the sender IP and MAC addresses of an ARP packet match an ARP filtering entry, the ARP packet is permitted. If not, it is discarded.
  • Page 316: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands Source MAC consistency check commands ipv6 nd mac-check enable Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable View System view Default level 2: System level Parameters None Description Use the ipv6 nd mac-check enable command to enable source MAC consistency check for ND packets. Use the undo ipv6 nd mac-check enable command to disable source MAC consistency check for ND packets.
  • Page 317: Display Ipv6 Nd Detection Statistics

    Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 318: Ipv6 Nd Detection Enable

    Parameters interface interface-type interface-number: Displays ND detection statistics for the interface identified by interface-type interface-number. The interface-type interface-number arguments represent the interface type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 319: Ipv6 Nd Detection Trust

    Examples # Enable ND detection in VLAN 10. <Sysname> system-view [Sysname] vlan 10 [Sysname-vlan10] ipv6 nd detection enable ipv6 nd detection trust Syntax ipv6 nd detection trust undo ipv6 nd detection trust View Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default level 2: System level Parameters...
  • Page 320 Default level 2: System level Parameters interface interface-type interface-number: Clears the statistics of the interface identified by interface-type interface-number. The interface-type interface-number arguments represent the interface type and number. Description Use the reset ipv6 nd detection statistics command to clear the ND detection statistics of an interface. If no interface is specified, the ND detection statistics of all interfaces are cleared.
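
    The IP source guard, ARP attack protection and ND detection commands summarized on pages 297 to 320 are meant to be combined on one access VLAN. The following session is an added example written for this summary, not taken from the manual: it hardens VLAN 10 with a trusted uplink on GigabitEthernet 1/0/24 and two access ports. The interface numbers, VLAN ID, gateway address 192.168.10.1, gateway MAC, host addresses and host MACs are assumptions. The dhcp-snooping commands are documented in the IP Services command reference rather than on this page and are included only because ARP detection and dynamic IP source guard need a source of bindings (DHCP snooping entries or static user-bind entries); the arp detection validate keyword names follow Comware V5.

```text
<Sysname> system-view
# Global checks: the sender MAC in the ARP/ND payload must match the Ethernet source MAC.
[Sysname] arp anti-attack valid-check enable
[Sysname] ipv6 nd mac-check enable
# Source-MAC based ARP flood detection in filter mode: any MAC that sends more than
# 30 ARP packets within 5 seconds is filtered, and the entry ages out after 300 seconds.
[Sysname] arp anti-attack source-mac filter
[Sysname] arp anti-attack source-mac threshold 30
[Sysname] arp anti-attack source-mac aging-time 300
# The gateway's MAC (assumed value) is excluded so that legitimate ARP bursts from it are never filtered.
[Sysname] arp anti-attack source-mac exclude-mac 000f-e200-0001
# DHCP snooping supplies the dynamic bindings that IP source guard and ARP detection check against.
# (dhcp-snooping is documented in the IP Services reference, not on this page.)
[Sysname] dhcp-snooping
# ARP detection and ND detection are enabled per VLAN; restricted forwarding sends ARP
# packets that pass the checks only to the trusted ports instead of flooding them.
[Sysname] vlan 10
[Sysname-vlan10] arp detection enable
[Sysname-vlan10] arp restricted-forwarding enable
[Sysname-vlan10] ipv6 nd detection enable
[Sysname-vlan10] quit
# In addition to the user validity check, validate the ARP body against the Ethernet header.
[Sysname] arp detection validate src-mac dst-mac ip
# Uplink towards the DHCP server and gateway: trusted for snooping, ARP detection and ND detection.
[Sysname] interface gigabitethernet 1/0/24
[Sysname-GigabitEthernet1/0/24] dhcp-snooping trust
[Sysname-GigabitEthernet1/0/24] arp detection trust
[Sysname-GigabitEthernet1/0/24] ipv6 nd detection trust
[Sysname-GigabitEthernet1/0/24] quit
# Access port with DHCP clients: dynamic IPv4 binding on IP+MAC, capped at 8 entries,
# ARP rate-limited, and ARP replies claiming to be the gateway address are dropped.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip check source ip-address mac-address
[Sysname-GigabitEthernet1/0/1] ip check source max-entries 8
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 100 drop
[Sysname-GigabitEthernet1/0/1] arp filter source 192.168.10.1
[Sysname-GigabitEthernet1/0/1] quit
# Access port with a statically addressed dual-stack host (assumed addresses): static bindings
# replace DHCP/DHCPv6 snooping as the source of truth for IP source guard, ARP and ND detection.
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] user-bind ip-address 192.168.10.30 mac-address 040a-0000-0003 vlan 10
[Sysname-GigabitEthernet1/0/3] user-bind ipv6 ip-address 2001:db8:10::30 mac-address 040a-0000-0003 vlan 10
[Sysname-GigabitEthernet1/0/3] ip check source ip-address mac-address
[Sysname-GigabitEthernet1/0/3] ip check source ipv6 ip-address mac-address
[Sysname-GigabitEthernet1/0/3] arp rate-limit rate 100 drop
[Sysname-GigabitEthernet1/0/3] arp filter source 192.168.10.1
[Sysname-GigabitEthernet1/0/3] quit
# Verify the bindings and watch the drop counters after the change.
[Sysname] display ip check source
[Sysname] display ip check source ipv6
[Sysname] display arp detection statistics
[Sysname] display ipv6 nd detection statistics
```

    Two checks worth doing after applying this: confirm that the uplink really is the only trusted port (an untrusted uplink makes the gateway's own ARP replies fail the user validity check and blackholes the VLAN), and confirm that display ip check source shows an entry for every legitimate host on an untrusted port, because ARP and ND detection discard packets from any host without a binding.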
  • Page 321: Savi Configuration Commands

    SAVI configuration commands ipv6 savi dad-delay Syntax ipv6 savi dad-delay value undo ipv6 savi dad-delay View System view Default level 2: System level Parameters value: Specifies the time in centiseconds to wait for a duplicate address detection (DAD) NA, ranging from 0 to 2147483647.
  • Page 322: Ipv6 Savi Down-Delay

    Description Use the ipv6 savi dad-preparedelay command to set the time to wait for a DAD NS from a DHCPv6 client. Use the undo ipv6 savi dad-preparedelay command to restore the default. By default, the time to wait for a DAD NS from a DHCPv6 client is 100 centiseconds (1 second). This command is used with the DHCPv6 snooping function.
  • Page 323 View System view Default level 2: System level Parameters None Description Use the ipv6 savi strict command to enable the SAVI function. Use the undo ipv6 savi strict command to disable the SAVI function. By default, the SAVI function is disabled. Examples # Enable the SAVI function.
  • Page 324: System-Guard Configuration Commands

    System-guard configuration commands display system-guard Syntax display system-guard [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 325: System-Guard Aging Time

    system-guard aging-time Syntax system-guard aging-time time undo system-guard aging-time View System view Default level 2: System level Parameters aging-time time: Sets an aging timer in seconds for system-guard, in the range of 30 to 600. Description Use the system-guard aging-time command to configure an aging timer for system-guard assigned ACLs and system-guard disabled ports.
  • Page 326: System-Guard Detect-Threshold

    By default, the system-guard control function is disabled on a port. Examples # Enable the system-guard control function on GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] system-guard control system-guard detect-threshold Syntax system-guard detect-threshold threshold-value undo system-guard detect-threshold View System view Default level 2: System level Parameters...
  • Page 327: System-Guard Rate-Limit

    Description Use the system-guard enable command to enable the system-guard function on the port. Use the undo system-guard enable command to disable the system-guard function on the port. By default, system-guard is disabled on a port. Examples # Enable system-guard on port GigabitEthernet 1/0/1. <Sysname>...
  • Page 328: Fips Configuration Commands

    FIPS configuration commands fips mode enable Syntax fips mode enable undo fips mode enable View System view Default level 2: System level Parameters None Description Use the fips mode enable command to enable the FIPS mode. Use the undo fips mode enable command to disable the FIPS mode. By default, the FIPS mode is disabled.
  • Page 329: Fips Self-Test

    Description Use the display fips status command to display the current FIPS mode. Related commands: fips mode enable. Examples # Display the current FIPS mode. <Sysname> display fips status FIPS mode is enabled fips self-test Syntax fips self-test View System view Default level 3: Manage level Parameters...
  • Page 330: Ipsec Configuration Commands

    IPsec configuration commands IPsec configuration commands are available only for the switches in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Syntax ah authentication-algorithm sha1 undo ah authentication-algorithm View IPsec proposal view Default level 2: System level Parameters sha1: Uses SHA1.
  • Page 331: Display Ipsec Policy

    Default level 2: System level Parameters name: IPsec connection name, a case-insensitive string of 1 to 32 characters. Description Use the connection-name command to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use the undo connection-name command to restore the default.
  • Page 332 If you specify the name policy-name option but omit the seq-number argument, the command displays detailed information about the specified IPsec policy group. Related commands: ipsec policy (system view). Examples # Display brief information about all IPsec policies. <Sysname> display ipsec policy brief IPsec-Policy-Name Mode ike-peer name...
  • Page 333 AH string-key: AH authentication hex key: inbound ESP setting: ESP spi: ESP string-key: ESP encryption hex key: ESP authentication hex key: outbound AH setting: AH spi: AH string-key: AH authentication hex key: outbound ESP setting: ESP spi: ESP string-key: ESP encryption hex key: ESP authentication hex key: =========================================== IPsec Policy Group: "policy1"...
  • Page 334: Display Ipsec Proposal

    Field Description tunnel local address Local IP address of the tunnel. tunnel remote address Remote IP address of the tunnel. perfect forward secrecy Whether PFS is enabled. proposal name Proposal referenced by the IPsec policy. policy enable Whether the IPsec policy is enabled. inbound/outbound AH/ESP setting AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
  • Page 335: Display Ipsec Sa

    Table 49 Output description Field Description IPsec proposal name Name of the IPsec proposal encapsulation mode Encapsulation mode used by the IPsec proposal, transport or tunnel transform Security protocol(s) used by the IPsec proposal: AH, ESP, or both. If both protocols are configured, IPsec applies ESP first and then AH.
  • Page 336 -------------------------------------------------------- 10.1.1.1 10.1.1.2 E:AES-192; A:HMAC-SHA1-96 10.1.1.2 10.1.1.1 E:AES-192; A:HMAC-SHA1-96 Table 50 Output description Field Description Src Address Local IP address Dst Address Remote IP address SPI Security parameter index Protocol Security protocol used by IPsec Algorithm Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm.
  • Page 337 [outbound ESP SAs] spi: 801701189 (0x2fc8fd45) proposal: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 max sent sequence-number: 6 udp encapsulation used for nat traversal: N Table 51 Output description Field Description Interface Interface referencing the IPsec policy. path MTU Maximum IP packet length supported by the interface.
  • Page 338: Display Ipsec Session

    Field Description anti-replay check enable Whether IPsec anti-replay checking is enabled. anti-replay window size Size of the anti-replay window. display ipsec session Syntax display ipsec session [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 339: Display Ipsec Statistics

    ------------------------------------------------------------ tunnel-id : 4 session idle duration/total duration (sec) : 7/300 session flow : (3 times matched) Sour Addr : 12.12.12.1 Sour Port: Protocol : 1 Dest Addr : 13.13.13.1 Dest Port: Protocol : 1 # Display information about the session with an IPsec tunnel ID of 5. <Sysname>...
  • Page 340 Parameters tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range 1 to 2000000000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 341: Display Ipsec Tunnel

    Field Description authentication has failed Number of packets dropped due to authentication failure wrong length Number of packets dropped due to wrong packet length replay packet Number of packets replayed packet too long Number of packets dropped due to excessive packet length wrong SA Number of packets dropped due to improper SA display ipsec tunnel...
  • Page 342: Encapsulation-Mode

    ------------------------------------------------ connection id: 5 perfect forward secrecy: SA's SPI: inbound: 12345 (0x3039) [ESP] outbound: 12345 (0x3039) [ESP] tunnel: flow: current Encrypt-card: Table 54 Output description Field Description connection id Connection ID, used to uniquely identify an IPsec tunnel perfect forward secrecy Perfect forward secrecy, indicating which DH group is used for the IKE phase 2 (quick mode) negotiation SA's SPI...
  • Page 343: Esp Authentication-Algorithm

    Examples # Configure IPsec proposal prop2 to encapsulate IP packets in transport mode. <Sysname> system-view [Sysname] ipsec proposal prop2 [Sysname-ipsec-proposal-prop2] encapsulation-mode transport esp authentication-algorithm Syntax esp authentication-algorithm sha1 undo esp authentication-algorithm View IPsec proposal view Default level 2: System level Parameters sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
  • Page 344: Ike-Peer (Ipsec Policy View)

    Default level 2: System level Parameters aes: Uses the Advanced Encryption Standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption. key-length: Key length for the AES algorithm, which can be 128, 192, or 256 and defaults to 128. This argument is for AES only.
  • Page 345: Ipsec Anti-Replay Check

    Examples # Configure a reference to an IKE peer in an IPsec policy. <Sysname> system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1 ipsec anti-replay check Syntax ipsec anti-replay check undo ipsec anti-replay check View System view Default level 2: System level Parameters None...
  • Page 346: Ipsec Decrypt Check

    By default, the size of the anti-replay window is 32. Your configuration affects only IPsec SAs negotiated later. Examples # Set the size of the anti-replay window to 64. <Sysname> system-view [Sysname] ipsec anti-replay window 64 ipsec decrypt check Syntax ipsec decrypt check undo ipsec decrypt check View...
  • Page 347: Ipsec Policy (System View)

    Description Use the ipsec policy command to apply an IPsec policy group to an interface. Use the undo ipsec policy command to remove the application. IPsec policies can be applied only to VLAN interfaces on the switch. Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first.
  • Page 348: Ipsec Proposal

    You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode. IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number.
  • Page 349: Ipsec Sa Global-Duration

    ipsec sa global-duration Syntax ipsec sa global-duration { time-based seconds | traffic-based kilobytes } undo ipsec sa global-duration { time-based | traffic-based } View System view Default level 2: System level Parameters seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800. kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
  • Page 350: Pfs

    View System view Default level 2: System level Parameters seconds: IPsec session idle timeout in seconds, in the range of 60 to 3600. Description Use the ipsec session idle-time command to set the idle timeout for IPsec sessions. Use the undo ipsec session idle-time command to restore the default. By default, the IPsec session idle timeout is 300 seconds.
  • Page 351: Policy Enable

    Related commands: ipsec policy (system view). Examples # Enable and configure PFS for IPsec policy policy1. <Sysname> system-view [Sysname] ipsec policy policy1 200 isakmp [Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group2 policy enable Syntax policy enable undo policy enable View IPsec policy view Default level 2: System level Parameters None...
  • Page 352: Qos Pre-Classify

    View IPsec policy view Default level 2: System level Parameters proposal-name&<1-6>: Name of the IPsec proposal, a string of 1 to 32 characters. &<1-6> means that you can specify the proposal-name argument up to six times. Description Use the proposal command to specify an IPsec proposal for the IPsec policy to reference. Use the undo proposal command to remove an IPsec proposal referenced by the IPsec policy.
  • Page 353: Reset Ipsec Sa

    By default, packet information pre-extraction is disabled. With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec. Related commands: ipsec policy (system view). Examples # Enable packet information pre-extraction.
  • Page 354: Reset Ipsec Session

    Examples # Clear all IPsec SAs. <Sysname> reset ipsec sa # Clear the IPsec SA with a remote IP address of 10.1.1.2. <Sysname> reset ipsec sa remote 10.1.1.2 # Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10. <Sysname>...
  • Page 355: Sa Authentication-Hex

    Description Use the reset ipsec statistics command to clear IPsec packet statistics. Related commands: display ipsec statistics. Examples # Clear IPsec packet statistics. <Sysname> reset ipsec statistics sa authentication-hex Syntax sa authentication-hex { inbound | outbound } { ah | esp } [ cipher | simple ] hex-key undo sa authentication-hex { inbound | outbound } { ah | esp } View IPsec policy view...
  • Page 356: Sa Duration

    <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00 [Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00 sa duration Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } View IPsec policy view Default level...
  • Page 357: Sa Encryption-Hex

    [Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480 sa encryption-hex Syntax sa encryption-hex { inbound | outbound } esp [ cipher | simple ] hex-key undo sa encryption-hex { inbound | outbound } esp View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets.
  • Page 358: Sa Spi

    sa spi Syntax sa spi { inbound | outbound } { ah | esp } spi-number undo sa spi { inbound | outbound } { ah | esp } View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
  • Page 359: Transform

    Parameters acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999. Description Use the security acl command to specify the ACL for the IPsec policy to reference. Use the undo security acl command to remove the configuration. By default, an IPsec policy references no ACL.
  • Page 360: Tunnel Local

    ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Description Use the transform command to specify a security protocol for an IPsec proposal. Use the undo transform command to restore the default. By default, the ESP protocol is used. •...
  • Page 361: Tunnel Remote

    <Sysname> system-view [Sysname] interface loopback 0 [Sysname-LoopBack0] ip address 10.0.0.1 32 [Sysname-LoopBack0] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1 tunnel remote Syntax tunnel remote ip-address undo tunnel remote [ ip-address ] View IPsec policy view Default level 2: System level Parameters ip-address: Remote address for the IPsec tunnel.
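
    The manual-mode IPsec commands on pages 330 to 361 only make sense together, so the following session is an added example written for this summary rather than taken from the manual. It assumes the switch is already in FIPS mode (fips mode enable, page 328), because the page states that the IPsec commands exist only there. The subnets, tunnel endpoints, SPIs and hex keys are placeholders; the acl number and rule commands are documented in the ACL command reference, not on this page. The hex key lengths follow the algorithms chosen here: a 256-bit AES key is 32 bytes (64 hex digits) and an HMAC-SHA1 key is 20 bytes (40 hex digits).

```text
<Sysname> system-view
# Re-check decrypted packets against the policy ACL so a peer cannot push traffic outside the selector.
[Sysname] ipsec decrypt check
# Traffic selector (assumed subnets). acl/rule are from the ACL command reference.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Sysname-acl-adv-3000] quit
# Proposal: ESP only, AES-256 encryption with HMAC-SHA1 integrity, tunnel mode.
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp encryption-algorithm aes 256
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
[Sysname-ipsec-proposal-prop1] encapsulation-mode tunnel
[Sysname-ipsec-proposal-prop1] quit
# Manual policy: no IKE, so the SPIs and keys are entered by hand on both gateways.
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3000
[Sysname-ipsec-policy-manual-policy1-100] proposal prop1
[Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.1.1.1
[Sysname-ipsec-policy-manual-policy1-100] tunnel remote 10.1.1.2
# The inbound SA here is the peer's outbound SA: the peer configures SPI 12345 and these
# inbound keys as its outbound set, and SPI 54321 with these outbound keys as its inbound set.
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound esp 12345
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound esp 54321
# 64 hex digits = 32-byte AES-256 keys (placeholder values, never reuse them).
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
# 40 hex digits = 20-byte HMAC-SHA1 keys (placeholder values).
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound esp 0123456789abcdef0123456789abcdef01234567
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound esp fedcba9876543210fedcba9876543210fedcba98
[Sysname-ipsec-policy-manual-policy1-100] quit
# The page notes that IPsec policies can only be applied to VLAN interfaces on this switch.
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ipsec policy policy1
[Sysname-Vlan-interface100] quit
# Verify: the manual SAs exist as soon as the policy is applied, no negotiation is involved.
[Sysname] display ipsec policy name policy1
[Sysname] display ipsec sa
[Sysname] display ipsec statistics
```

    Because manual SAs never re-key, the traffic-based and time-based lifetimes on page 349 do not apply to them; rotate the keys and SPIs on both gateways on a schedule of your own, and clear the old SAs with reset ipsec sa after the change. Use an IKE-negotiated policy (pages 362 onwards) wherever the peer supports it.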
  • Page 362: Ike Configuration Commands

    IKE configuration commands IKE configuration commands are available only for the switches in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Syntax authentication-algorithm sha undo authentication-algorithm View IKE proposal view Default level 2: System level Parameters sha: Uses HMAC-SHA1.
  • Page 363: Certificate Domain

    rsa-signature: Uses the RSA digital signature method. Description Use the authentication-method command to specify an authentication method for an IKE proposal. Use the undo authentication-method command to restore the default. By default, an IKE proposal uses the pre-shared key authentication method. Related commands: ike proposal and display ike proposal.
  • Page 364: Display Ike Dpd

    View IKE proposal view Default level 2: System level Parameters group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1. group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1. group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1. Description Use the dh command to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
  • Page 365: Display Ike Peer

    Related commands: ike dpd. Examples # Display information about all DPD detectors. <Sysname> display ike dpd --------------------------- IKE dpd: dpd1 references: 1 interval-time: 10 time_out: 5 --------------------------- Table 55 Output description Field Description references Number of IKE peers that use the DPD detector interval-time DPD query triggering interval in seconds time_out...
  • Page 366: Display Ike Proposal

    <Sysname> display ike peer --------------------------- IKE Peer: aaa exchange mode: main on phase 1 peer id type: ip peer ip address: 0.0.0.0 ~ 255.255.255.255 local ip address: peer name: nat traversal: disable dpd: --------------------------- Table 56 Output description Field Description exchange mode IKE negotiation mode in phase 1 pre-shared-key...
  • Page 367: Display Ike Sa

    This command displays the configuration information of all IKE proposals in the descending order of proposal priorities. Related commands: authentication-method, proposal, encryption-algorithm, authentication-algorithm, dh, and sa duration. Examples # Display the settings of all IKE proposals. <Sysname> display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm...
  • Page 368 regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display ike sa command to display information about the current IKE SAs. If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.
  • Page 369 local id type: IPV4_ADDR local id: 4.4.4.4 remote ip: 4.4.4.5 remote id type: IPV4_ADDR remote id: 4.4.4.5 authentication-method: PRE-SHARED-KEY authentication-algorithm: HASH-SHA1 encryption-algorithm: AES-CBC life duration(sec): 86400 remaining key duration(sec): 86379 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO # Display detailed information about the IKE SA with the connection ID of 2. <Sysname>...
  • Page 370: Dpd

    remote ip: 4.4.4.5 remote id type: IPV4_ADDR remote id: 4.4.4.5 authentication-method: PRE-SHARED-KEY authentication-algorithm: HASH-SHA1 encryption-algorithm: AES-CBC life duration(sec): 86400 remaining key duration(sec): 82236 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO Table 59 Output description Field Description connection id Identifier of the ISAKMP SA transmitting entity Entity in the IKE negotiation local ip...
  • Page 371: Encryption-Algorithm

    Default level 2: System level Parameters dpd-name: DPD detector name, a string of 1 to 32 characters. Description Use the dpd command to apply a DPD detector to an IKE peer. Use the undo dpd command to remove the application. By default, no DPD detector is applied to an IKE peer.
  • Page 372: Exchange-Mode

    exchange-mode Syntax exchange-mode main undo exchange-mode View IKE peer view Default level 2: System level Parameters main: Main mode. Description Use the exchange-mode command to select an IKE negotiation mode. Use the undo exchange-mode command to restore the default. By default, main mode is used. Related commands: id-type.
  • Page 373: Ike Dpd

    In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation. Related commands: local-name, ike local-name, remote-name, remote-address, local-address, and exchange-mode. Examples # Use the ID type of name during IKE negotiation. <Sysname>...
  • Page 374: Ike Next-Payload Check Disabled

    Parameters name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters. Description Use the ike local-name command to configure a name for the local security gateway. Use the undo ike local-name command to restore the default. By default, the device name is used as the name of the local security gateway.
  • Page 375: Ike Peer (System View)

    [Sysname] ike next-payload check disabled ike peer (system view) Syntax ike peer peer-name undo ike peer peer-name View System view Default level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters. Description Use the ike peer command to create an IKE peer and enter IKE peer view. Use the undo ike peer command to delete an IKE peer.
  • Page 376: Ike Sa Keepalive-Timer Interval

    Authentication algorithm: HMAC-SHA1; authentication method: pre-shared key; DH group: MODP_1024; SA lifetime: 86400 seconds. Related commands: display ike proposal. Examples # Create IKE proposal 10 and enter IKE proposal view. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] ike sa keepalive-timer interval Syntax...
  • Page 377: Ike Sa Nat-Keepalive-Timer Interval

    View System view Default level 2: System level Parameters seconds: ISAKMP SA keepalive timeout in seconds, in the range 20 to 28800. Description Use the ike sa keepalive-timer timeout command to set the ISAKMP SA keepalive timeout. Use the undo ike sa keepalive-timer timeout command to disable the function. By default, no keepalive packet is sent.
  • Page 378: Interval-Time

    interval-time Syntax interval-time interval-time undo interval-time View IKE DPD view Default level 2: System level Parameters interval-time: Sets DPD interval in seconds, in the range of 1 to 300 seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
  • Page 379: Local-Name

    By default, the primary address of the interface referencing the IPsec policy is used as the local security gateway IP address for IKE negotiation. Use this command if you want to specify a different address for the local security gateway. Examples # Set the IP address of the local security gateway to 1.1.1.1.
  • Page 380: Nat Traversal

    nat traversal Syntax nat traversal undo nat traversal View IKE peer view Default level 2: System level Parameters None Description Use the nat traversal command to enable the NAT traversal function of IKE/IPsec. Use the undo nat traversal command to disable the NAT traversal function of IKE/IPsec. By default, the NAT traversal function is disabled.
  • Page 381: Pre-Shared-Key

    Examples # Set the subnet type of the peer security gateway to multiple. <Sysname> system-view [Sysname] ike peer xhy [Sysname-ike-peer-xhy] peer multi-subnet pre-shared-key Syntax pre-shared-key [ cipher | simple ] key undo pre-shared-key View IKE peer view Default level 2: System level Parameters key: Plaintext pre-shared key to be displayed in cipher text, a case-sensitive string of 8 to 128 characters.
  • Page 382: Remote-Address

    Parameters proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority. Description Use the proposal command to specify the IKE proposals for the IKE peer to reference.
  • Page 383: Remote-Name

    Use the undo remote-address command to remove the configuration. The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with the local-address command or, if the local-address command is not configured, the primary IP address of the interface to which the policy is applied.
  • Page 384: Reset Ike Sa

    Examples # Configure the remote security gateway name as apple for IKE peer peer1. <Sysname> system-view [Sysname] ike peer peer1 [Sysname-ike-peer-peer1] remote-name apple reset ike sa Syntax reset ike sa [ connection-id ] View User view Default level 2: System level Parameters connection-id: Connection ID of the IKE SA to be cleared, in the range 1 to 2000000000.
  • Page 385: Sa Duration

    sa duration Syntax sa duration seconds undo sa duration View IKE proposal view Default level 2: System level Parameters seconds: Specifies the ISAKMP SA lifetime in seconds, in the range 60 to 604800. Description Use the sa duration command to set the ISAKMP SA lifetime for an IKE proposal. Use the undo sa duration command to restore the default.
  • Page 386 Examples # Set the DPD packet retransmission interval to 1 second for dpd2. <Sysname> system-view [Sysname] ike dpd dpd2 [Sysname-ike-dpd-dpd2] time-out 1...
  • Page 387: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 388: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 389 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 390: Index

    Index A B C D E F G H I K L M N O P Q R S T U V aaa nas-id profile,1 access-limit,26 access-limit enable,1 accounting command,2 accounting default,3 authorization portal,15 authorization-attribute (local user view/user group view),27 authorization-attribute user-profile,15 bind-attribute,28...
  • Page 391 display domain,20 display ssh client source,246 display dot1x,91 display ssh server,239 display fips status,317 display ssh server-info,247 display habp,198 display ssh user-information,240 display habp table,199 display ssl client-policy,273 display habp traffic,199 display ssl server-policy,274 display hwtacacs,71 display stop-accounting-buffer,46 display ike dpd,353 display stop-accounting-buffer,74...
  • Page 392 exit,258 ipv6 nd detection enable,307 expiration-date (local user view),32 ipv6 nd detection trust,308 ipv6 nd mac-check enable,305 ipv6 savi dad-delay,310 fips mode enable,317 ipv6 savi dad-preparedelay,310 fips self-test,318 ipv6 savi down-delay,311 fqdn,227 ipv6 savi strict,311 get,259 key (HWTACACS scheme view),76 group,33 key (RADIUS scheme...
  • Page 393 password-control complexity,186 portal server server-detect,156 password-control composition,187 portal server user-sync,158 password-control enable,189 portal web-proxy port,159 password-control expired-user-login,190 port-security authorization ignore,168 password-control history,190 port-security enable,169 password-control length,191 port-security intrusion-mode,169 password-control login idle-time,192 port-security mac-address security,170 password-control login-attempt,192 port-security max-mac-count,171 password-control password update interval,194 port-security ntk-mode,172...
  • Page 394 reset arp detection statistics,302 sftp,264 reset dot1x statistics,112 sftp client ipv6 source,265 reset hwtacacs statistics,81 sftp client source,266 reset ike sa,373 sftp ipv6,267 reset ipsec sa,342 sftp server enable,254 reset ipsec session,343 sftp server idle-timeout,254 reset ipsec statistics,343 ssh client authentication server,248 reset ipv6 nd detection statistics,308...
  • Page 395 timer response-timeout (HWTACACS scheme view),89 user-group,37 timer response-timeout (RADIUS scheme view),69 user-name-format (HWTACACS scheme view),89 transform,348 user-name-format (RADIUS scheme view),69 tunnel local,349 user-profile,179 tunnel remote,350 user-profile enable,179 user-bind,291 version,280 user-bind ipv6,292...