HP Firewalls and UTM Devices
Access Control Command Reference

Part number: 5998-4175
Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ACL configuration commands

The following matrix shows the feature and hardware compatibility:

Hardware                 IPv6 ACL compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   Yes
U200-S                   No

acl
Use acl to create an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL, and enter its view. If the ACL has been created, you directly enter its view.
Use undo acl to delete the specified ACLs.
• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv4 basic, IPv4 advanced, or Ethernet frame header ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
For example, when you use a large ACL for a session-based service, such as NAT or ASPF, you can enable ACL acceleration to avoid session timeouts caused by ACL processing delays. Enable ACL acceleration in an ACL after editing the ACL rules. ACL acceleration always uses ACL criteria that have been set before it is enabled for rule matching. It does not synchronize with any subsequent match criterion changes. ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name takes a case-insensitive string of 1 to 63 characters.
• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 basic and IPv6 advanced ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
Parameters
acl-name: Specifies an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv4 basic ACL flow.
system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
Related commands
acl

description
Use description to configure a description for an ACL.
Use undo description to remove the ACL description.
display acl Use display acl to display configuration and match statistics for IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
rule 5 permit source 2.2.2.2 0
rule 0 permit

Table 1 Command output
Field                        Description
Basic ACL 2000               Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow                   The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules                      The ACL contains three rules.
match-order is auto          The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
This is an IPv4 basic ACL.   Description of the ACL.
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Syntax
display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
acl6-number: Specifies an ACL by its number:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 basic and IPv6 advanced ACLs.
name acl6-name: Specifies an ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters.
Table 3 Command output
Field                        Description
Basic IPv6 ACL 2000          Category and number of the ACL. The following field information is about this IPv6 basic ACL 2000.
named flow                   The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules                      The ACL contains three rules.
match-order is auto          The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
This is an IPv6 basic ACL.   Description of the ACL.
reset acl counter 2001
Related commands
display acl

reset acl ipv6 counter
Use reset acl ipv6 counter to clear statistics for one or all IPv6 basic and IPv6 advanced ACLs.
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
Views
User view
Default command level
2: System level
Parameters
acl6-number: Specifies an ACL by its number:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
Views
Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
Related commands
• acl
• display acl
• step
• time-range

rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Table 4 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters                                        Function                     Description
source { source-address source-wildcard | any }   Specifies a source address   The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.
NOTE:
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

If the protocol argument takes tcp (6) or udp (7), set the parameters shown in Table 5.
Table 5 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters                             Function                                         Description
source-port operator port1 [ port2 ]   Specifies one or more UDP or TCP source ports.
Table 7 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name      ICMP message type   ICMP message code
echo                   8                   0
echo-reply             0                   0
fragmentneed-DFset     3                   4
host-redirect          5                   1
host-tos-redirect      5                   3
host-unreachable       3                   1
information-reply      16                  0
information-request    15                  0
net-redirect           5                   0
net-tos-redirect       5                   2
net-unreachable        3                   0
parameter-problem      12                  0
port-unreachable       3                   3
protocol-unreachable   3                   2
reassembly-timeout     11                  1
source-quench          4                   0
source-route-faile
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the ACL rule has been matched. This option is disabled by default.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.
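The rule behaviours this reference describes (automatic rule-ID assignment from the numbering step, wildcard-mask source matching where an all-zero wildcard means a single host, config match order with the smaller rule ID winning, and the counting keyword) modelled in Python as an added example; this is not device code from HP, and the class names, helper names and sample rules are constructed for illustration.

```python
"""Worked model of IPv4 basic ACL rule handling as described in this reference.

Constructed example written for this page, not HP device code. It implements:
  * source matching with a wildcard mask (all-zero wildcard = one host,
    'any' matches every address)
  * automatic rule-ID assignment: the nearest higher multiple of the numbering
    step above the current highest rule ID, starting from 0
  * config match order (ascending rule ID, first match wins) and the per-rule
    'counting' keyword
Class, function and sample rule names are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _to_int(dotted: str) -> int:
    # The CLI accepts the shorthand "0" for an all-zero wildcard; expand it.
    if dotted == "0":
        dotted = "0.0.0.0"
    return int(ipaddress.IPv4Address(dotted))


def next_rule_id(existing_ids: List[int], step: int = 5) -> int:
    """ID the system would assign to a rule created without an explicit ID.

    Example from the reference: step 5 and highest existing ID 28 gives 30.
    """
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard's set bits form one trailing run (e.g. 0.0.0.255).

    The reference states that ACL acceleration is not available for rules with
    a non-contiguous wildcard such as 0.0.255.0, so a validator needs this check.
    """
    w = _to_int(wildcard)
    return ((w + 1) & w) == 0  # w + 1 is a power of two exactly when w is 0..01..1


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: Optional[Tuple[str, str]]  # (address, wildcard), or None for 'any'
    counting: bool = False             # 'counting' keyword; off by default
    matches: int = 0                   # match statistics, kept only when counting

    def matches_source(self, ip: str) -> bool:
        if self.source is None:        # 'any'
            return True
        addr, wildcard = self.source
        a, w, p = _to_int(addr), _to_int(wildcard), _to_int(ip)
        # A 1 bit in the wildcard means "don't care"; compare only the 0 bits.
        return ((a ^ p) & ~w & 0xFFFFFFFF) == 0


class BasicAcl:
    """IPv4 basic ACL evaluated in config order: the smaller rule ID wins."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: List[Rule] = []

    def add_rule(self, action: str, source: Optional[Tuple[str, str]] = None,
                 counting: bool = False, rule_id: Optional[int] = None) -> Rule:
        if rule_id is None:
            rule_id = next_rule_id([r.rule_id for r in self.rules], self.step)
        rule = Rule(rule_id, action, source, counting)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule

    def evaluate(self, src_ip: str) -> Optional[str]:
        """Action of the first matching rule in ascending ID order, or None."""
        for rule in self.rules:
            if rule.matches_source(src_ip):
                if rule.counting:
                    rule.matches += 1
                return rule.action
        return None


if __name__ == "__main__":
    acl = BasicAcl(2000)
    deny_lan = acl.add_rule("deny", ("10.1.1.0", "0.0.0.255"), counting=True)  # auto ID 0
    acl.add_rule("permit")                                                       # auto ID 5
    acl.add_rule("permit", ("10.1.1.7", "0"), rule_id=28)                        # explicit ID
    late = acl.add_rule("permit", ("2.2.2.2", "0"))                              # auto ID 30
    print(late.rule_id)                         # 30, the reference's own example
    print(acl.evaluate("10.1.1.7"))             # deny: rule 0 shadows rule 28
    print(acl.evaluate("192.0.2.1"))            # permit
    print(deny_lan.matches)                     # 1
    print(wildcard_is_contiguous("0.0.255.0"))  # False: acceleration unavailable
```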
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Parameters   Function                                                                                        Description
counting     Counts the number of times the ACL rule has been matched. This option is disabled by default.   N/A
dscp dscp    Specifies a DSCP preference.                                                                    The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
Table 9 TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters                                  Function                                              Description
source-port operator port1 [ port2 ]        Specifies one or more UDP or TCP source ports.        The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
destination-port operator port1 [ port2 ]   Specifies one or more UDP or TCP destination ports.   The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535.
ICMPv6 message name      ICMPv6 message type   ICMPv6 message code
frag-time-exceeded       3                     1
hop-limit-exceeded       3                     0
host-admin-prohib        1                     1
host-unreachable         1                     3
neighbor-advertisement   136                   0
neighbor-solicitation    135                   0
network-unreachable      1                     0
packet-too-big           2                     0
port-unreachable         1                     4
redirect                 137                   0
router-advertisement     134                   0
router-solicitation      133                   0
unknown-ipv6-opt         4                     2
unknown-next-hdr         4                     1
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be uniqu
system-view
[Sysname] acl ipv6 number 3003
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
• acl ipv6
• display ipv6 acl
• step
• time-range

rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule.
routing [ type routing-type ]: Matches a specific type of routing header or any type of routing header. The routing-type argument takes a value in the range of 0 to 255. If no routing header type is specified, the rule matches any type of routing header. source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IP address. The source-address and source-prefix arguments represent a source IPv6 address and address prefix length in the range of 1 to 128.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies an ACL rule ID, in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Examples
# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.
text: Specifies a remark, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A rule range remark always appears immediately above the specified rule. If the specified rule has not been created yet, the position of the comment in the ACL is as follows:
• If the match order is config, the remark is inserted into the ACL in descending order of rule ID.
• If the match order is auto, the remark is placed at the end of the ACL.
After you create the rule, the remark appears above the rule.
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
rule 26 remark Rules for VIP_end
#
return
Related commands
• display this
• display current-configuration (System Management and Maintenance Command Reference)

step
Use step to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5.
[Sysname-acl6-basic-2000] step 2
Related commands
• display acl
• display acl ipv6
Security zone configuration commands

import interface
Use import interface to add an interface to a security zone.
Use undo import interface to remove an interface from a security zone.
Syntax
import interface interface-type interface-number [ vlan vlan-list ]
undo import interface interface-type interface-number [ vlan vlan-list ]
Default
A security zone contains no interface.
[Sysname-zone-Trust] quit
# Add Layer 2 Ethernet interface GigabitEthernet 0/1 and VLAN 10 to security zone Untrust.
system-view
[Sysname] zone name Untrust
[Sysname-zone-Untrust] import interface gigabitethernet 0/1 vlan 10
[Sysname-zone-Untrust] quit
Related commands
zone

interzone
Use interzone to create an interzone instance and enter interzone instance view.
Use undo interzone to remove an interzone instance.
system-view
[Sysname] interzone source Trust destination Untrust
[Sysname-interzone-Trust-Untrust] firewall aspf enable
# Log in to VD vdtest, create an interzone instance with the source security zone Zoffice and destination zone Zpublic, and enable ASPF for the instance.
Use undo share enable to restore the default.
Syntax
share enable
undo share enable
Default
The share attribute of a security zone is disabled.
Views
Security zone view
Default command level
2: System level
Usage guidelines
A security zone with its share attribute enabled can be used by other VDs' interzone instances as the destination security zone. A security zone with its share attribute disabled can only be used by an interzone instance of its native VD.
zone-id: Specifies the security zone ID. The following matrix shows the value range for the zone-id argument on different firewalls and UTM devices:

Hardware                 Value range
F1000-A-EI/F1000-S-EI    0 to 512
F1000-E                  0 to 1024
F5000                    0 to 1024
Firewall module          0 to 1024
U200-A                   0 to 256
U200-S                   0 to 32

Usage guidelines
When creating a security zone, you must specify a security zone name and a security zone ID that are respectively unique on the VD.
Address resource commands On a virtual device (VD), you can configure different categories of objects, and configure multiple objects for each category. Each object on a VD is uniquely identified by its name. For more information about VDs, see "Configuring VDs." For more information about the switchto vd command, see System Management and Maintenance Configuration Guide. One group object may comprise other group objects, and a member group object may also comprise other group objects.
display object mac
Use display object mac to display MAC address objects.
Syntax
display object mac [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
vd vd-name: Displays the MAC address objects of a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, MAC address objects of the default VD are displayed.
Examples
# Display the MAC address objects of the default VD.
Default command level 1: Monitor level Parameters object-name: Displays a specific object. This argument is a case-insensitive string of 1 to 31 characters. vd vd-name: Displays a specific object on a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, an object by the name on the default VD is displayed. Examples # Display host address object hosttest on the default VD.
Host name: pc3
Host IP address records
Name: hosttest
Status: Out of Use
Host IP addresses: 1.1.1.1, 1.1.1.5
Range IP address records
Name: rangetest
Status: Out of Use
Range IP address: 2.2.2.2-2.2.2.20
Exclude IP addresses: 2.2.2.10
Subnet IP address records
Name: subnettest
Status: Out of Use
Subnet IP address: 3.3.3.3/0.0.0.255
Exclude IP addresses: 3.3.3.1, 3.3.3.255

Table 13 Command output
Field               Description
Host name records   Host address objects that comprise a host name.
Syntax
display object-group { mac | name object-group-name | network | service } [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
mac: Displays MAC address group objects.
name object-group-name: Displays a specific group object. The object-group-name argument is a case-insensitive string of 1 to 31 characters.
network: Displays IP address group objects.
service: Displays service group objects.
vd vd-name: Displays the group objects of a VD.
Field         Description
Description   Description for the object. This field is displayed only when a description is configured for the object.
Objects       Members of the object. This field is displayed only when one or more objects are added to the group object.

host address
Use host address to add a host IP address to a host address object.
Use undo host address to remove a host IP address from a host address object.
Use undo host to restore the default.
Related commands
host name

host name
Use host name to add a host name to a host address object.
Use undo host name to remove a host name from a host address object.
Use undo host to restore the default.
Syntax
host name host-name
undo host [ name ]
Default
A host address object has no host IP address or host name members.
Views
Host address object view
Default command level
2: System level
Parameters
name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.
Use undo mac-address mac-address to remove a MAC address from a MAC address object.
Use undo mac-address to restore the default.
Syntax
mac-address mac-address
undo mac-address [ mac-address ]
Default
A MAC address object has no MAC address members.
Views
MAC address object view
Default command level
2: System level
Parameters
mac-address: Specifies a MAC address, in the format H-H-H, such as 0010-dc28-a4e9.
Usage guidelines
A MAC address object can comprise multiple MAC addresses.
Views MAC address group object view Default command level 2: System level Parameters object-name: Specifies the name of an existing MAC address object or MAC address group object, a case-insensitive string of 1 to 31 characters. Usage guidelines A MAC address group object can comprise multiple MAC address objects and MAC address group objects. To do so, execute the mac-object command multiple times.
Parameters object-name: Specifies the name of an existing IP address object or IP address group object, a case-insensitive string of 1 to 31 characters. Usage guidelines An IP address group object can comprise multiple IP address objects and IP address group objects. To do so, execute the network-object command multiple times. Examples # Add IP address objects objectaddr1 and objectaddr2 to IP address group object groupaddr on the default VD.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object mac objectmac
Related commands
mac-address

object network
Use object network to create an IP address object and enter its view. If the object already exists, you enter its view.
Use undo object network to delete an IP address object.
Syntax
object network { host | range | subnet } name
undo object network { host | range | subnet } name
Default
No IP address object is configured.
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object network host objectaddr
# Create address range object objectaddr on VD virdev.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object network range objectaddr
# Create subnet address object objectaddr on VD virdev.
object-group network
Use object-group network to create an IP address group object and enter IP address group object view. If the object already exists, you enter its view.
Use undo object-group network to delete an IP address group object.
Syntax
object-group network object-group-name
undo object-group network object-group-name
Default
No IP address group object is configured.
Default command level 2: System level Parameters ip-address-start ip-address-end: Specifies a range of IP addresses by specifying a start IP address and an end IP address. The end IP address must be higher than the start IP address. exclude ip-address: Specifies an IP address to be excluded from the IP address range. Usage guidelines An address range object can comprise only one range of IP addresses. If you execute the range command multiple times, the most recent configuration takes effect.
Default command level 2: System level Parameters net-address: Specifies a subnet IP address. wildcard-mask: Specifies the wildcard mask of the subnet IP address. exclude ip-address: Specifies an IP address to be excluded from the subnet IP address. Usage guidelines A subnet address object can comprise only one subnet address. If you execute the subnet command multiple times, the most recent configuration takes effect.
Service resource commands On a virtual device (VD), you can configure different categories of objects, and configure multiple objects for each category. Each object on a VD is uniquely identified by its name. For more information about VDs, see "Configuring VDs." For more information about the switchto vd command, see System Management and Maintenance Configuration Guide. One group object may comprise other group objects, and a member group object may also comprise other group objects.
display object name
Use display object name to display a specific object.
Syntax
display object name object-name [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
object-name: Displays a specific object. This argument is a case-insensitive string of 1 to 31 characters.
vd vd-name: Displays a specific object on a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters.
Protocol: Other
Protocol Number: 2
Name: icmp
Protocol: ICMP
Status: Out of Use
Type: 20
Message Code: 30
Name: tcp
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 100-200

Table 15 Command output
Field         Description
Name          Object name.
Status        Indicates whether the object is referenced:
              • Out of use—Not referenced.
              • In use—Referenced.
Description   Description for the object. This field is displayed only when a description is configured for the object.
Protocol: TCP
Source Port: Any
Destination Port: 179
Name: chargen
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 19
Name: cmd
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 514
Name: daytime
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 13
Name: discard_tcp
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 13
Name: uucp
Protocol: UDP
Status: Out of Use
Source Port: Any
Destination Port: 540
Name: vdo-live
Pr
service: Displays service group objects.
vd vd-name: Displays the group objects of a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, this command displays group objects of the default VD.
Examples
# Display all MAC address group objects on the default VD.
display object-group mac
1 records in total for VD root.
Default
There are some system pre-defined service objects on the device.
Views
VD system view
Default command level
2: System level
Parameters
name: Specifies the object name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The system pre-defined service objects cannot be deleted or changed. To view the system pre-defined service objects, use the display object service default command.
Examples
# Create service object objectsrv on the default VD.
Examples
# Create service group object groupsrv on the default VD.
system-view
[Sysname] object-group service groupsrv
# Create service group object groupsrv on VD virdev.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object-group service groupsrv

service
Use service to add a protocol to a service object.
Use undo service to restore the default.
Examples
# Add TCP to service object objectsrv on the default VD, with any source port number and the destination port number 21.
system-view
[Sysname] object service objectsrv
[Sysname-obj-service-objectsrv] service tcp destination-port 21
# Add ICMP to service object objectecho on VD virdev, with the message type 8 and code 0.
[Sysname-vsys-virdev] object-group service groupsrv
[Sysname-vsys-virdev-obj-grp-service-groupsrv] service-object objectsrv1
[Sysname-vsys-virdev-obj-grp-service-groupsrv] service-object objectsrv2
Time range resource configuration commands

display time-range
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
time-range Use time-range to configure a time range. If you provide an existing time range name, the command adds a statement to the time range. Use undo time-range to delete a time range or a statement in the time range.
Usage guidelines
You can create multiple statements in a time range. Each time statement can take one of the following forms:
• Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
• Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
• Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format.
Interzone policy commands

comment
Use comment to add a comment about an interzone policy rule or edit its comment to make the rule easy to understand.
Use undo comment to delete the interzone policy rule comment.
Syntax
comment text
undo comment
Default
No comment is configured for an interzone policy rule.
Views
Interzone policy rule view
Default command level
2: System level
Parameters
text: Specifies a comment for the interzone policy rule, a case-sensitive string of 1 to 31 characters.
Default No destination IP object is referenced in an interzone policy rule. Views Interzone policy rule view Default command level 2: System level Parameters dest-ip-obj-name: Specifies the name of the destination IP object. This argument is a case-insensitive string of 1 to 31 characters. Examples # Reference destination IP object named ip2 in interzone policy rule 0 for the interzone instance with source zone office and destination zone library.
display interzone-policy
Use display interzone-policy [ ipv6 ] to display the interzone policy configuration.
Syntax
display interzone-policy [ ipv6 ] [ vd vd-name ] [ source sour-zone-name destination dest-zone-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
ipv6: Displays information of interzone policy groups referencing IPv6 advanced ACLs.
Examples # Display information of interzone policy rules and interzone policy groups referencing IPv4 advanced ACLs on the default VD Root.
display interzone-policy accelerate Use display interzone-policy accelerate to display the interzone policy acceleration status.
display interzone-policy accelerate source office destination library
S(Status): UTD -- up to date, OOD -- out of date
A(Accelerate): ACC -- accelerated, UNACC -- unaccelerated
Source-Zone      Destination-Zone      A       S
--------------------------------------------------------------------------
office           library               ACC     OOD

Table 19 Command output
Field              Description
Source-Zone        Name of the source zone.
Destination-Zone   Name of the destination zone.
system-view
[Sysname] interzone source office destination library
[Sysname-interzone-office-library] move rule 5 before 2

move rule acl
Use move rule acl [ ipv6 ] to move an ACL in the interzone policy group.
Syntax
move rule acl [ ipv6 ] acl-number before insert-acl-number
Views
Interzone instance view
Default command level
2: System level
Parameters
acl-number: Specifies the number of the advanced IPv4 or IPv6 ACL to be moved. This argument ranges from 3000 to 3999.
Syntax reset interzone-policy counter [ vd vd-name ] { all | source sour-zone-name destination dest-zone-name } Views User view Default command level 1: Monitor level Parameters vd vd-name: Clears the information of a VD specified by its name, which is a case-insensitive string of 1 to 20 characters excluding question mark (?), less-than sign (<), greater-than sign (>), backward slash (\), quotation mark ("), percentage sign (%), apostrophe ('), ampersand (&), and number sign (#).
permit: Allows matching packets to pass through. content-filter policy-template-name: Specifies a content filtering policy template by its name for a rule. The policy-template-name argument is a case-sensitive string of 1 to 32 characters. logging: Logs matching packets. time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters and must start with an English letter.
Parameters None Usage guidelines You can enable interzone policy acceleration only for an interzone instance which has interzone policy rules.
Parameters acl acl-number: References an IPv4 or IPv6 advanced ACL by its number in the interzone policy. The acl-number argument ranges from 3000 to 3999. If the ipv6 keyword is not specified, an IPv4 advanced ACL is specified. Otherwise, an IPv6 advanced ACL is specified.
Parameters ipv6: Enables an interzone policy referencing IPv6 advanced ACLs. If this keyword is not specified, an interzone policy group referencing IPv4 advanced ACLs is enabled.
Examples # For the interzone instance with source zone office and destination zone library, reference source IP object named ip1, destination IP object named ip2, and service object named http in interzone policy rule 0, and enable the interzone policy rule.
Use undo source-ip to remove a source IP object from an interzone policy rule. Syntax source-ip sour-ip-obj-name undo source-ip sour-ip-obj-name Default No source IP object is referenced in an interzone policy rule. Views Interzone policy rule view Default command level 2: System level Parameters sour-ip-obj-name: Specifies a source IP object by its name. This argument is a case-insensitive string of 1 to 31 characters.
system-view
[Sysname] interzone source office destination library
[Sysname-interzone-office-library] rule permit
[Sysname-interzone-office-library-rule-0] source-mac mac1
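A worked configuration that ties the interzone policy commands above together (an added example, not taken from the HP reference): it builds one logged permit rule for the office-to-library interzone instance from IP and service objects, then inspects the policy and its acceleration status. It assumes IP objects ip1 and ip2 and service object http were created beforehand with the object commands, and assumes `rule enable` as the keyword that enables the rule (this section describes enabling the rule but does not show the keyword).

```text
# Enter the interzone instance from source zone office to destination zone library.
system-view
[Sysname] interzone source office destination library
# Create rule 0 as a permit rule that logs matching packets (rule IDs start at 0).
[Sysname-interzone-office-library] rule permit logging
# Restrict the rule to traffic from IP object ip1 to IP object ip2 for service object http.
# (ip1, ip2 and http are assumed to exist already; they are not created here.)
[Sysname-interzone-office-library-rule-0] source-ip ip1
[Sysname-interzone-office-library-rule-0] destination-ip ip2
[Sysname-interzone-office-library-rule-0] service http
# Enable the rule (assumed keyword; a rule that is not enabled does not filter traffic).
[Sysname-interzone-office-library-rule-0] rule enable
[Sysname-interzone-office-library-rule-0] quit
[Sysname-interzone-office-library] quit
# Verify the rule set of this instance and whether acceleration is up to date (UTD) or out of date (OOD).
[Sysname] display interzone-policy source office destination library
[Sysname] display interzone-policy accelerate source office destination library
```

If the accelerate status shows OOD after rules change, re-run acceleration for the instance before relying on the displayed rule order.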
Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols are as follows: • dns: 60 seconds. • ftp: 3600 seconds. • msn: 3600 seconds.
display application aging-time Use display application aging-time to display the session aging timers for the application layer protocols. Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Syntax display session aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Syntax display session relation-table [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters vd vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be digits, letters and underlines. |: Filters command output by specifying a regular expression.
Field Description Pro Transport layer protocol, TCP, or UDP. TTL Remaining lifetime of the relationship table entry, in seconds. AllowConn Number of sessions allowed by the relationship table entry. Total find Total number of found relationship table entries. display session statistics Use display session statistics to display statistics for the sessions.
Current relation table(s): 50000
Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s
display session statistics history Use display session statistics history to display historical session statistics. Syntax display session statistics history [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters vd vd-name: Specifies a virtual device by its name. The vd-name argument represents the name of a virtual device, a case-insensitive string of 1 to 20 characters.
display session table Use display session table to display information about session table entries.
Initiator:
  Source IP/Port : 192.168.1.18/2048
  Dest IP/Port   : 192.168.1.55/768
  Pro            : ICMP(ICMP(1))
  VPN-Instance/VLAN ID/VLL ID:
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  Pro            : TCP(TCP(6))
  VPN-Instance/VLAN ID/VLL ID:
Total find: 2
# Display detailed information about all session table entries.
display session table verbose
Initiator:
  Source IP/Port : 192.168.1.19/137
  Dest IP/Port   : 192.168.1.
Table 24 Command output
Field Description
Initiator: Initiator's session information.
Responder: Responder's session information.
Pro Transport layer protocol, TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App Application layer protocol, FTP, DNS, MSN or QQ. Unknown indicates protocol type of a non-well-known port.
Session status: • Accelerate. • SYN. • TCP-EST. • FIN.
Views User view Default command level 2: System level Parameters vd vd-name: Clears the session table entries on the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be only digits, letters and underlines. source-ip source-ip: Clears the session table entries with the specified source IP address of the initiator.
Parameters vd vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be digits, letters and underlines. Usage guidelines If no virtual device is specified, the command clears the session statistics for all virtual devices. Examples # Clear all session statistics.
icmp-closed: Specifies the aging timer for the ICMP sessions in the CLOSED state. icmp-open: Specifies the aging timer for the ICMP sessions in the OPEN state. rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state. rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state. syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state. tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state.
[Sysname] session checksum udp
session log bytes-active
Use session log bytes-active to set the byte count threshold for session logging. Use undo session log bytes-active to restore the default. Syntax session log bytes-active bytes-value undo session log bytes-active Default The system does not output session logs based on the byte count threshold.
Examples # Create an interzone instance from security zone Trust to security zone Untrust, and enable interzone session logging.
system-view
[Sysname] interzone source Trust destination Untrust
[Sysname-interzone-Trust-Untrust] session log enable
Related commands interzone (see Access Control Command Reference).
session log packets-active
Use session log packets-active to set the packet count threshold for session logging. Use undo session log packets-active to restore the default.
Default command level 2: System level Parameters time-value: Holdtime threshold, in minutes. It is a multiple of 10 in the range of 10 to 120. Examples # Set the holdtime threshold for session logging to 50 minutes.
system-view
[Sysname] session log time-active 50
session mode hybrid
Use session mode hybrid to configure the hybrid mode for session management. In this mode, session management can process both bidirectional sessions and unidirectional sessions.
Default No persistent session rule is specified. Views System view Default command level 2: System level Parameters acl-number: ACL number, in the range of 2000 to 3999. aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value ranges from 0 to 360 and defaults to 24. A value of 0 means that the persistent sessions are never aged out. Usage guidelines Persistent sessions will not be removed because they are not matched with any packets within the aging time.
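A session-management baseline that combines the commands of this section (an added example, not taken from the HP reference). It assumes that `session aging-time` takes the state keywords listed under the aging-timer parameters (syn, tcp-est, and so on) followed by a value in seconds, and the timer values are constructed placeholders; check the permitted ranges for your software version.

```text
system-view
# Age idle DNS sessions faster than the 60-second default (value is a constructed example).
[Sysname] application aging-time dns 30
# Per-state session aging timers: short for half-open TCP, longer for established TCP
# (command form assumed from the keyword list above; values constructed).
[Sysname] session aging-time syn 30
[Sysname] session aging-time tcp-est 1800
# UDP checksum handling, as shown for the session checksum command earlier in this section.
[Sysname] session checksum udp
# Emit a session log once a session has been active for 50 minutes (multiple of 10, 10 to 120).
[Sysname] session log time-active 50
# Turn session logging on only for the Trust-to-Untrust interzone instance,
# so that outbound sessions are recorded without logging every internal flow.
[Sysname] interzone source Trust destination Untrust
[Sysname-interzone-Trust-Untrust] session log enable
[Sysname-interzone-Trust-Untrust] quit
# Confirm the effective timers, then inspect the live session table and counters.
[Sysname] display application aging-time
[Sysname] display session aging-time
[Sysname] display session table verbose
[Sysname] display session statistics
```

A rising Dropped TCP or Dropped UDP counter in the statistics output, checked over two readings, is the quickest sign that timers or limits are too tight for the traffic mix.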
IP virtual fragment reassembly configuration commands display ip virtual-reassembly Use display ip virtual-reassembly to display fragment information on an interface in the security zone, including fragment interface type, actual number of fragment queues, maximum number of fragment queues, maximum number of packets in each fragment queue, and fragment queue aging time.
[Sysname-zone-trust] ip virtual-reassembly
# Display fragment information for security zone Trust.
display ip virtual-reassembly vd 1 zone trust
Zone trust:
Virtual Fragment Reassembly is enabled.
max-reassemblies number: Specifies the maximum number of concurrent reassemblies. It ranges from 1 to 1024, and the default is 64. timeout seconds: Specifies the timeout interval of a reassembly in seconds (1 to 64). The default value is 3 seconds. Usage guidelines When the maximum number of concurrent reassemblies is reached, the device discards all subsequent fragments (not including fragments that belong to assemblies established before the number is reached) and sends a syslog message.
Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level 2: System level Parameters policy-number: Number of an existing connection limit policy. The value must be 0.
Parameters policy-number: Specifies the number of a connection limit policy. The value must be 0. Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy. Examples # Create a connection limit policy numbered 0 and enter its view.
Table 26 Command output
Field Description
Connection-limit policy Number of the connection limit policy.
refcount 0, 1 limit Number of times that the policy is applied and number of rules in the policy.
limit xxx Rule in the policy. For more information, see the limit command.
Related commands limit
limit
Use limit to configure an IP address-based connection limit policy rule. Within a connection limit policy, the criteria of each rule must be unique.
• ip: Specifies the IP protocol. • tcp: Specifies the TCP protocol. • udp: Specifies the UDP protocol. max-connections max-num: Maximum number of the connections.
# Configure connection limit rule 5 to limit the maximum number of IP connections from vpn1 to vpn2.
Portal configuration commands
Dialer interfaces, virtual-template interfaces, and tunnel interfaces do not support portal authentication. The following matrix shows the feature and hardware compatibility:
Hardware                 Portal compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    No
Firewall module          Yes
U200-A                   Yes
U200-S                   Yes
access-user detect
Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default.
from the portal user when the maximum number of probes is reached, the device logs off the portal user. If the device receives a reply from the portal user before the maximum number of probes is reached, it stops sending probe packets and restarts the probe timer. The device repeats the process to detect whether portal users are online. This function is available only for the direct and re-DHCP portal authentication configured on a Layer 3 interface.
Type : static
Action : permit
Protocol : 0
Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : 23
  MAC : 0000-0000-0000
  Interface : any
  VLAN : 0
Destination:
  IP : 192.168.0.111
  Mask : 255.255.255.255
  Port : any
Rule 1
Inbound interface : GigabitEthernet0/1
Type : static
Action : redirect
Protocol : 6
Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : any
  MAC : 0000-0000-0000
  Interface : any
  VLAN : 0
Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.
Table 27 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound. Type Type of the portal ACL. Action Match action in the portal ACL. Protocol Transport layer protocol number in the portal ACL. Source Source information in the portal ACL. IP Source IP address in the portal ACL. Mask Subnet mask of the source IP address in the portal ACL.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
MSG_CUT_L3IF 0 0 0 MSG_IP_REMOVE 0 0 0 MSG_ALL_REMOVE 1 MSG_IFIPADDR_CHANGE 0 MSG_SOCKET_CHANGE 8 MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Table 28 Command output
Field Description
User state statistics Statistics on portal users.
State-Name Name of a user state.
User-Num Number of users in a specific state.
Message statistics Statistics on messages.
Msg-Name Message type.
Total Total number of messages of a specific type.
Field Description MSG_CUT_BY_USERINDEX Force-user-offline message. MSG_CUT_L3IF Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out. MSG_IP_REMOVE User-with-an-IP-removed message. MSG_ALL_REMOVE All-users-removed message. MSG_IFIPADDR_CHANGE Interface IP address change message. MSG_SOCKET_CHANGE Socket change message. MSG_NOTIFY Notification message. MSG_SETPOLICY Set policy message for assigning security ACL.
Destination: IP : 0.0.0.0 Mask : 0.0.0.0 Port : any Protocol : 6 Table 29 Command output Field Description Rule-Number Number of the portal-free rule. Source Source information in the portal-free rule. IP Source IP address in the portal-free rule. Mask Subnet mask of the source IP address in the portal-free rule. Port Source transport layer port number in the portal-free rule. MAC Source MAC address in the portal-free rule. Interface Source interface in the portal-free rule.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the portal configuration for interface GigabitEthernet 0/1.
Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Default command level 1: Monitor level Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Related commands portal server display portal server statistics Use display portal server statistics to display portal server statistics on a specific interface or all interfaces. Syntax display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces.
REQ_INFO 6 0 0 ACK_INFO 6 0 0 NTF_USERDISCOVER 0 0 0 NTF_USERIPCHANGE 0 0 0 0 0 AFF_NTF_USERIPCHANGE ACK_NTF_LOGOUT 0 1 NTF_HEARTBEAT NTF_USERSYNC ACK_NTF_USERSYNC 0 2 0 0 0 0 0 0 0 0 0 NTF_CHALLENGE 0 0 0 NTF_USER_NOTIFY 0 0 0 AFF_NTF_USER_NOTIFY 0 0 0 NTF_AUTH 0 ACK_NTF_AUTH REQ_QUERY_STATE 0 0 0 ACK_QUERY_STATE 0 0 0 0 0 0 0 0 REQ_MACBINDING_INFO 0 0 0 ACK_MACBINDING_INFO 0 0 0 NTF_USER_LOGON 0 RESERVED33 NTF_USER_LOGOUT 0 0 0 0 0 0 0
Field Description NTF_LOGOUT Forced logout notification message the access device sent to the portal server. REQ_INFO Information request message. ACK_INFO Information acknowledgment message. NTF_USERDISCOVER User discovery notification message the portal server sent to the access device. NTF_USERIPCHANGE User IP change notification message the access device sent to the portal server. AFF_NTF_USERIPCHANGE User IP change success notification message the portal server sent to the access device.
display portal tcp-cheat statistics Use display portal tcp-cheat statistics to display TCP spoofing statistics. Syntax display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field Description Current Opens Number of connections being set up. Packets Received Number of received packets. Packets Sent Number of sent packets. Packets Retransmitted Number of retransmitted packets. Packets Dropped Number of dropped packets. HTTP Packets Sent Number of HTTP packets sent. Connection State Statistics of connections in various states. ESTABLISHED Number of connections in ESTABLISHED state. CLOSE_WAIT Number of connections in CLOSE_WAIT state.
State:ONLINE SubState:NONE ACL:NONE Work-mode:Stand-alone VPN instance:NONE VPN instance:NONE
  MAC              IP          Vlan    Interface
  ---------------------------------------------------------------------
  000d-88f8-0eab   2.2.2.2     0       GigabitEthernet0/1
Index:3
  State:ONLINE SubState:NONE ACL:3000 Work-mode:Primary VPN instance:NONE
  MAC              IP          Vlan    Interface
  ---------------------------------------------------------------------
  000d-88f8-0eac   3.3.3.3     0       GigabitEthernet0/2
Total 2 user(s) matched, 2 listed.
Syntax portal auth-network ipv4-network-address { mask-length | mask } undo portal auth-network { ipv4-network-address | all } Default The portal authentication source IPv4 subnet is 0.0.0.0/0, and users in all subnets must pass portal authentication. Views Interface view Default command level 2: System level Parameters ipv4-network-address: IPv4 address of the authentication source subnet. mask-length: Length of the subnet mask, in the range of 0 to 32. mask: Subnet mask, in dotted decimal notation.
Parameters ipv4-address: Logs off the portal user with the specified IPv4 address. all: Logs off all portal users. interface interface-type interface-number: Logs off all IPv4 portal users on the specified interface. Examples # Log out the portal user whose IP address is 1.1.1.1.
system-view
[Sysname] portal delete-user 1.1.1.1
Related commands display portal user
portal domain
Use portal domain to specify an authentication domain for portal users on an interface.
portal free-rule Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both. Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.
For Layer 2 portal authentication, you can configure only portal-free rules that are from any source address to any or a specific destination address. When such a portal-free rule is configured, users can access the specified address without portal authentication. Examples # Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 0/1 to bypass portal authentication. system-view [Sysname] portal free-rule 15 source ip 10.
You cannot remove an SSL server policy using the undo ssl server-policy command if the policy has been referenced by the HTTPS service. On the device, all the SSL server policies referenced by the HTTPS service must be the same. If an online portal user exists on the device, you cannot remove or change the configured protocol type, or modify the SSL server policies referenced.
Views System view Default command level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system.
Parameters profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command. Usage guidelines If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile.
Use undo portal nas-port-id to restore the default. Syntax portal nas-port-id nas-port-id-value undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level 2: System level Parameters nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters.
Parameters ethernet: Specifies the access port type as Ethernet, which corresponds to code 15. wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless. Examples # Specify the NAS-Port-Type value of GigabitEthernet 0/1 as IEEE 802.11 standard wireless interface.
portal server Use portal server to configure a portal server for Layer 3 portal authentication. Use undo portal server to remove a portal server, restore the default destination port and default URL address, or delete the shared key or the VPN instance configuration.
The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that has been referenced by an interface, you must first remove the portal configuration on the interface by using the undo portal command. For local portal server configuration, the keywords key, port, and url are usually not required and, if configured, do not take effect.
Hardware          Command compatible
F1000-E           No
F5000             No
Firewall module   No
U200-A            Yes
U200-S            Yes
Examples # Configure the welcome banner of the default webpage provided by the local portal server as Welcome to Portal Authentication.
system-view
[Sysname] portal server banner Welcome to Portal Authentication
portal server method
Use portal server method to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.
Examples # Enable Layer 3 portal authentication on interface GigabitEthernet 0/1, referencing portal server pts and setting the authentication mode to direct.
function. Currently, only the IMC portal server supports this function. To implement detection with this method, you also need to configure the portal server heartbeat function on the IMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device. action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server changes.
• Specifying the device to send a server unreachable trap message, send a log message and disable portal authentication to permit unauthenticated portal users, if two consecutive probes fail.
system-view
[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2
portal server user-sync
Use portal server user-sync to configure portal user information synchronization with a specific portal server.
If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used. For redundant user information on the device (information about users that the portal server considers nonexistent), the device deletes the information during the (N+1)th probe interval, where N equals the value of retries configured in the portal server user-sync command.
Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Examples # Clear portal server statistics on interface GigabitEthernet 0/1.
reset portal server statistics interface gigabitethernet 0/1
reset portal tcp-cheat statistics
Use reset portal tcp-cheat statistics to clear TCP spoofing statistics.
AAA configuration commands General AAA configuration commands aaa nas-id profile Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile. Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name Views System view Default command level 2: System level Parameters profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Views ISP domain view Default command level 2: System level Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate. The value ranges from 1 to 2147483646. Usage guidelines System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of online users helps provide reliable system performance. Examples # Set a limit of 500 user connections for ISP domain test.
Examples # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands • accounting default • hwtacacs scheme
accounting default
Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands • local-user • hwtacacs scheme • radius scheme
accounting dvpn
Use accounting dvpn to configure the accounting method for DVPN users. Use undo accounting dvpn to restore the default. Syntax accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting dvpn Default The default accounting method for the ISP domain is used for DVPN users.
[Sysname] domain test
[Sysname-isp-test] accounting dvpn local
# Configure ISP domain test to use RADIUS accounting scheme rd for DVPN users and use local accounting as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting dvpn radius-scheme rd local
Related commands • local-user • accounting default • radius scheme
accounting login
Use accounting login to configure the accounting method for login users through the console port or Telnet.
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands • local-user • accounting default • hwtacacs scheme • radius scheme
accounting optional
Use accounting optional to enable the accounting optional feature. Use undo accounting optional to disable the feature.
Use undo accounting portal to restore the default. Syntax accounting portal { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting portal Default The default accounting method for the ISP domain is used for portal users. Views ISP domain view Default command level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting.
• accounting default • radius scheme accounting ppp Use accounting ppp to configure the accounting method for PPP users. Use undo accounting ppp to restore the default. Syntax accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting ppp Default The default accounting method for the ISP domain is used for PPP users.
radius scheme • accounting ssl-vpn Use accounting ssl-vpn to configure the accounting method for SSL VPN users. Use undo accounting ssl-vpn to restore the default. Syntax accounting ssl-vpn radius-scheme radius-scheme-name undo accounting ssl-vpn Default The default accounting method for the ISP domain is used for SSL VPN users.
authentication default Use authentication default to configure the default authentication method for an ISP domain. Use undo authentication default to restore the default. Syntax authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication default Default The default authentication method of an ISP domain is local.
Syntax authentication dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo authentication dvpn Default The default authentication method for the ISP domain is used for DVPN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
• radius scheme authentication login Use authentication login to configure the authentication method for login users through the console port, Telnet, or FTP. Use undo authentication login to restore the default. Syntax authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication login Default The default authentication method for the ISP domain is used for login users.
authentication portal
Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default.
Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
Default
The default authentication method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authentication.
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme

authentication ppp
Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default.
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme

authentication ssl-vpn
Use authentication ssl-vpn to configure the authentication method for SSL VPN users. Only a RADIUS scheme can be specified. Use undo authentication ssl-vpn to restore the default.
Syntax
authentication ssl-vpn radius-scheme radius-scheme-name
undo authentication ssl-vpn
Default
The default authentication method for the ISP domain is used for SSL VPN users.
Related commands
• authentication default
• radius scheme

authentication super
Use authentication super to configure the authentication method for user privilege level switching. Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
Default
The default authentication method for the ISP domain is used for user privilege level switching authentication.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
Default
The default authorization method for the ISP domain is used for command line authorization.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
Syntax
authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn
Default
The default authorization method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated DVPN user can access the network directly.
Related commands
• local-user
• authorization default
• radius scheme

authorization login
Use authorization login to configure the authorization method for login users through the console port, Telnet, or FTP. Use undo authorization login to restore the default.
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme

authorization portal
Use authorization portal to configure the authorization method for portal users. Use undo authorization portal to restore the default.
Hardware Command compatible
U200-S Yes
Examples
# Configure ISP domain test to use local authorization for portal users.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. Examples # Configure ISP domain test to use local authorization for PPP users.
The following matrix shows the authorization ssl-vpn command and firewalls and UTM devices compatibility:
Hardware Command compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 No
Firewall module No
U200-A Yes
U200-S Yes
Examples
# Configure ISP domain test to use RADIUS authorization scheme rd for SSL VPN users.
Hardware Command compatible
U200-S Yes
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
Default command level
1: Monitor level
Parameters
access-type portal: Specifies portal authentication as the access type. The following matrix shows the access-type portal keyword and firewalls and UTM devices compatibility:
Hardware Keyword compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 No
Firewall module Yes
U200-A Yes
U200-S Yes
domain isp-name: Specifies the user connections of an ISP domain.
interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain. How the device displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login: • If the username does not contain the at sign (@), the device displays the username in the format username@mandatory authentication domain name.
Field Description
Terminate-Action Action to take when the session timeout expires. The action can be:
• Default—Cuts off the user.
• Radius-Request—Re-authenticates the user.
Related commands
cut connection

display domain
Use display domain to display the configuration of ISP domains.
1 Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes :
Default Domain Name: system
Total 2 domain(s).
Table 37 Command output
Field Description
Domain ISP domain name.
State Status of the ISP domain: active or blocked.
Field Description
Authorization attributes Default authorization attributes for the ISP domain.
Related commands
• access-limit enable
• domain
• state

domain
Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system predefined ISP domain named system in the system.
domain default enable Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use undo domain default enable to restore the default. Syntax domain default enable isp-name undo domain default enable Default The default ISP domain is the system predefined ISP domain system.
Default No ISP domain is specified for users with unknown domain names. Views System view Default command level 3: Manage level Parameters isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), or at sign (@).
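The domain selection rules above (the default ISP domain, the mandatory authentication domain on an interface, the username@domain display format, and the isp-name character rules) are modelled in the following Python. It is an added illustration, not firmware code or an HP tool. The system domain name and the forbidden characters come from this reference; splitting a login at the last at sign, and showing a login that already contains an at sign unchanged on a mandatory-domain interface, are assumptions made here because the page does not state them.

```python
from typing import Optional, Tuple

# Predefined ISP domain; it is the default domain until domain default enable changes it.
SYSTEM_DOMAIN = "system"
# Characters an ISP domain name may not contain (isp-name rule from the reference).
ISP_NAME_FORBIDDEN = set('/\\:*?<>"@')


def validate_isp_name(name: str) -> bool:
    """isp-name rule: 1 to 24 characters, none of them slash, backslash, colon,
    asterisk, question mark, <, >, quotation mark or @."""
    return 1 <= len(name) <= 24 and not (set(name) & ISP_NAME_FORBIDDEN)


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a login name into (username, domain part or None).

    The reference only says that a login without '@' carries no domain. Assumption
    made here: since a local-user name itself may not contain '@', the text after
    the last '@' is taken as the domain part."""
    if "@" not in login:
        return login, None
    user, _, domain = login.rpartition("@")
    return user, domain


def resolve_domain(login: str, default_domain: str = SYSTEM_DOMAIN,
                   mandatory_domain: Optional[str] = None) -> str:
    """Return the ISP domain the user is placed in.

    * An interface with a mandatory authentication domain puts every user on it
      into that domain, whatever the login says.
    * Otherwise the domain part of the login wins, and a login without '@' goes to
      the default ISP domain (system unless domain default enable changed it).
    Domain names are case-insensitive on the device, so the result is lower-cased."""
    if mandatory_domain is not None:
        return mandatory_domain.lower()
    _, domain = split_login(login)
    return (domain if domain else default_domain).lower()


def displayed_name(login: str, mandatory_domain: str) -> str:
    """Username shown by display connection for a user on an interface with a
    mandatory authentication domain: a login without '@' is shown as
    username@mandatory-domain. The page does not say how a login that already
    contains '@' is shown; assumption here: it is shown as typed."""
    if "@" not in login:
        return f"{login}@{mandatory_domain}"
    return login
```

The practical consequence of these rules is visible in resolve_domain: a user who types alice@guest on an interface without a mandatory domain lands in whatever domain guest is configured as, so the authentication and authorization methods of that domain, not of the default domain, apply to the login.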
Parameters minute: Idle timeout period, ranging from 1 to 600 minutes. flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240. Usage guidelines With the idle cut function enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and it logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
the address pool used for assigning an IP address to the peer device, use the remote address command in interface view. An IP address pool configured in ISP domain view is used to assign IP addresses to the ISP domain's PPP users who must be authenticated. Configure IP address pools for ISP domains in scenarios where an interface serves a great amount of PPP users but the address resources are inadequate. For example, a GigabitEthernet interface running PPPoE can accommodate up to 4096 users.
[Sysname] aaa nas-id profile aaa [Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2 Related commands aaa nas-id profile self-service-url enable Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server. Use undo self-service-url enable to restore the default. Syntax self-service-url enable url-string undo self-service-url enable Default The self-service server location function is disabled.
Default The user online time uploaded to the server excludes the idle cut time. Views ISP domain view Default command level 2: System level Usage guidelines The device uploads to the server the online user time when a user is logged off. However, the online user time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function or online portal user detection is enabled.
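To make the interaction between idle-cut and session-time concrete, the following Python models one idle-cut check interval and the online time reported at logoff. It is an added example, not device code: the per-user cumulative byte counter and the timestamps are constructed sample data, and the policy that a user removed by idle-cut has exactly one idle timeout interval deducted when exclude-idle-time is in effect is this model's reading of the guideline above.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class OnlineUser:
    name: str
    login_at: int               # seconds on a simulated clock (constructed sample data)
    bytes_total: int = 0        # cumulative traffic counter the device keeps per user
    bytes_at_last_check: int = 0


class IdleCut:
    """One idle-cut policy for a domain: idle-cut minute [ flow ]."""

    def __init__(self, minutes: int, flow: int = 10240):
        if not 1 <= minutes <= 600:
            raise ValueError("idle timeout must be 1 to 600 minutes")
        if not 1 <= flow <= 10240000:
            raise ValueError("minimum traffic must be 1 to 10240000 bytes")
        self.interval = minutes * 60   # seconds between checks
        self.flow = flow               # bytes a user must move per interval to stay online

    def check(self, users: Iterable[OnlineUser]) -> List[str]:
        """Run once per idle timeout interval. Returns the names of users whose
        traffic during the interval was less than the minimum and who are therefore
        logged out. Counters are rebased so the next check sees only new traffic."""
        cut = []
        for u in users:
            moved = u.bytes_total - u.bytes_at_last_check
            u.bytes_at_last_check = u.bytes_total
            if moved < self.flow:
                cut.append(u.name)
        return cut


def reported_online_time(user: OnlineUser, logoff_at: int, idle_interval: int,
                         cut_by_idle: bool, exclude_idle_time: bool = True) -> int:
    """Online time uploaded to the accounting server at logoff.

    A user removed by idle-cut was already idle for one full interval before the
    device noticed; with session-time exclude-idle-time (the default) that interval
    is not charged. A normal logoff reports the full time either way."""
    online = logoff_at - user.login_at
    if cut_by_idle and exclude_idle_time:
        online -= idle_interval
    return max(online, 0)
```

Note what the threshold means in practice: a user who is silent for most of the interval but moves a burst of more than flow bytes right before the check survives it, so idle-cut is a liveness check, not an inactivity detector with sub-interval resolution.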
Usage guidelines
By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected.
Examples
# Place the ISP domain test in the blocked state.
system-view
[Sysname] domain test
[Sysname-isp-test] state block

Local user configuration commands

access-limit
Use access-limit to limit the number of concurrent users of the same local user account. Use undo access-limit to remove the limitation.
authorization-attribute (local user view/user group view) Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to remove authorization attributes and restore the defaults.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist. By default, an FTP or SFTP user can access the root directory of the device. Usage guidelines Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes.
Parameters call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users. subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters. ip ip-address: Specifies the IP address of the user. This option applies to Telnet, SSH, and FTP users.
Hardware Keyword compatible
Firewall module Yes
U200-A No
U200-S No
• ftp: FTP users.
• portal: Portal users. The following matrix shows the portal keyword and firewalls and UTM devices compatibility:
Hardware Keyword compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 No
Firewall module Yes
U200-A Yes
U200-S Yes
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Users logging in through the console or AUX port.
State: Active
ServiceType: telnet/web
Access-limit: Disabled
User-group: system
Current AccessNum: 2
Bind attributes:
Authorization attributes:
User Privilege: 3
Total 1 local user(s) matched.
Table 38 Command output
Field Description
VD Name of the VD to which the local user belongs.
State Status of the local user: active or blocked.
ServiceType Service types that the local user can use, including DVPN, FTP, PPP, portal, SSH, Telnet, terminal, and Web.
Usage guidelines If you do not specify any user group name, the command displays the configuration of all user groups. Examples # Display the configuration of user group abc.
Views Local user view Default command level 3: Manage level Parameters time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
Examples # Assign local user 111 to user group abc. system-view [Sysname] local-user 111 [Sysname-luser-111] group abc group-attribute allow-guest Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group. Use undo group-attribute allow-guest to restore the default.
Views System view Default command level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, all, v, or vd. vd vd-name: Specifies the VD to which the local user belongs.
• terminal: Users logging in through the console or AUX port. Support for AUX logins depends on the device model. For more information, see Getting Started Guide. In FIPS mode, you must specify the terminal type. • web: Web users. Examples # Add a local user named user1. system-view [Sysname] local-user user1 [Sysname-luser-user1] Related commands • display local-user • service-type password (local user view) Use password to configure a password for a local user.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456
# Set a plaintext password 123456 in interactive mode for local user user1.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] password
Password:******
Confirm :******
The interactive form keeps the password off the command line; with the simple form, the password appears in the command exactly as typed.
Related commands
display local-user

service-type
Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port. Support for AUX logins depends on the device model. For more information, see Getting Started Guide. portal: Authorizes the user to use the portal service.
Usage guidelines
By blocking a user, you prevent the user from requesting network services. No other users are affected.
Examples
# Place local user user1 in the blocked state.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user

user-group
Use user-group to create a user group and enter its view. Use undo user-group to remove a user group.
Use undo validity-date to remove the configuration. Syntax validity-date time undo validity-date Default A local user has no validity time and no time validity checking is performed. Views Local user view Default command level 3: Manage level Parameters time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59.
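The time argument shared by expiration-date and validity-date has four spellings and several range rules, which is where hand-typed values go wrong. The following Python parser is an added example rather than the device's own code: it accepts all four forms and enforces the ranges stated above (HH 0 to 23, MM and SS 0 to 59, YYYY 2000 to 2035, MM 1 to 12, DD according to the month). has_expired is a helper added here for the expiration-date case; treating the boundary instant itself as already expired is an assumption the page does not settle.

```python
import re
from datetime import datetime
from typing import Optional

_TIME = r"(?P<h>\d{1,2}):(?P<mi>\d{1,2}):(?P<s>\d{1,2})"
_MDY = r"(?P<m>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4})"
_YMD = r"(?P<y>\d{4})/(?P<m>\d{1,2})/(?P<d>\d{1,2})"
# The four spellings accepted by expiration-date and validity-date.
_FORMS = [re.compile("^" + a + "-" + b + "$")
          for a, b in ((_TIME, _MDY), (_TIME, _YMD), (_MDY, _TIME), (_YMD, _TIME))]


def parse_local_user_time(text: str) -> datetime:
    """Parse HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS or
    YYYY/MM/DD-HH:MM:SS and enforce the documented ranges."""
    for form in _FORMS:
        match = form.match(text)
        if match:
            break
    else:
        raise ValueError(f"unrecognised time format: {text!r}")
    f = {k: int(v) for k, v in match.groupdict().items()}
    if not 2000 <= f["y"] <= 2035:
        raise ValueError(f"year {f['y']} outside 2000-2035")
    if not (0 <= f["h"] <= 23 and 0 <= f["mi"] <= 59 and 0 <= f["s"] <= 59):
        raise ValueError(f"time of day out of range in {text!r}")
    try:   # datetime rejects month 0 or 13 and a day the month does not have
        return datetime(f["y"], f["m"], f["d"], f["h"], f["mi"], f["s"])
    except ValueError as exc:
        raise ValueError(f"invalid date in {text!r}: {exc}") from None


def is_valid_local_user_time(text: str) -> bool:
    """True when the text is an acceptable time argument."""
    try:
        parse_local_user_time(text)
        return True
    except ValueError:
        return False


def has_expired(now: datetime, expiration: Optional[datetime]) -> bool:
    """True once the time set by expiration-date has been reached.
    Assumption: the boundary instant itself counts as expired.
    With no expiration-date configured there is nothing to check."""
    return expiration is not None and now >= expiration
```

Because the device clock is what the comparison runs against, an account expiry is only as trustworthy as the device's time source; a wrong clock silently extends or shortens every account's lifetime.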
undo accounting-on enable Default The accounting-on feature is disabled. Views RADIUS scheme view Default command level 2: System level Parameters seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds. send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default is 50.
Default command level 2: System level Examples # Specify the device to interpret RADIUS attribute 25 as CAR parameters. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute 25 car Related commands • display radius scheme • display connection data-flow-format (RADIUS scheme view) Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default.
display radius scheme Use display radius scheme to display the configuration of RADIUS schemes. Syntax display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters radius-scheme-name: RADIUS scheme name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Encryption Key : N/A VPN instance : N/A Probe username : N/A Probe interval : N/A Second Acct Server: IP: 1.1.2.
Field Description Encryption Key Shared key for secure authentication or accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. VPN instance VPN to which the server belongs. If no VPN instance is specified for the server, this field does not appear. Probe username Username used for server status detection. Probe interval Server status detection interval, in minutes.
Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Auth accept Num = 10
Auth reject Num = 14
EAP auth replying Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 41 Command output
Field Description
state statistic User statistics, by state.
DEAD Number of idle users.
Field Description
RADIUS received messages statistic Statistics for received RADIUS messages.
Normal auth request Counts of normal authentication requests.
Account request Counts of accounting requests.
Account off request Counts of stop-accounting requests.
PKT auth timeout Counts of authentication timeout messages.
PKT acct_timeout Counts of accounting timeout messages.
Realtime Account timer Counts of real-time accounting requests.
PKT response Counts of responses from servers.
F5000 8192 Firewall module 8192 U200-A 1024 U200-S 1024 Related commands radius scheme display stop-accounting-buffer (for RADIUS) Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
stop-accounting attempt. The maximum number of the stop-accounting attempts is defined by the retry stop-accounting command. If all attempts fail, the device discards the request. Examples # Display information about the stop-accounting requests buffered for user abc.
The shared keys specified during the configuration of the RADIUS servers take precedence. The shared keys configured on the device must match those configured on the RADIUS servers. Examples # For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting simple ok # For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
The following matrix shows the ipv6 ipv6-address option and firewalls and UTM devices compatibility:
Hardware Option compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 Yes
Firewall module Yes
U200-A Yes
U200-S No
Usage guidelines
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address.
Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server, which must be a valid global unicast address.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you change the primary accounting server when the device has already sent a start-accounting request to the server, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
Hardware Option compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 Yes
Firewall module Yes
U200-A Yes
U200-S No
port-number: Specifies the service port number of the primary RADIUS authentication/authorization server, a UDP port number ranging from 1 to 65535. The default setting is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS authentication/authorization server.
With the server status detection feature enabled, the device sends an authentication request that carries the specified username to the primary server at the specified interval. If the device receives no response from the server within the time interval specified by the timer response-timeout command, the device sends the authentication request again.
• Stop-accounting requests for online users can no longer be sent out or buffered, so the RADIUS server receives no logoff notification for those users. After a user goes offline, the RADIUS server still keeps the user's record for a certain period of time.
• The buffered accounting packets cannot be sent out and are deleted from the buffer when the configured maximum number of attempts is reached, affecting the precision of user accounting.
vpn-instance vpn-instance-name: Specifies the VPN to which the source IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address. Usage guidelines You can specify up to one public-network source IP address and 15 private-network source IP addresses.
Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] Related commands display radius scheme radius trap Use radius trap to enable the trap function for RADIUS. Use undo radius trap to disable the trap function for RADIUS.
reset radius statistics Use reset radius statistics to clear RADIUS statistics. Syntax reset radius statistics Views User view Default command level 2: System level Examples # Clear RADIUS statistics. reset radius statistics Related commands display radius statistics reset stop-accounting-buffer (for RADIUS) Use reset stop-accounting-buffer to clear buffered stop-accounting requests for which no responses have been received.
# Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006. reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006 Related commands • stop-accounting-buffer enable • display stop-accounting-buffer retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default.
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of real-time accounting attempts. Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of real-time accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of real-time accounting attempts, ranging from 1 to 255.
retry stop-accounting (RADIUS scheme view) Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default. Syntax retry stop-accounting retry-times undo retry stop-accounting Default The maximum number of stop-accounting request transmission attempts is 500.
Use undo secondary accounting to remove the configuration. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo secondary accounting [ ipv4-address | ipv6 ipv6-address ] Default No secondary RADIUS accounting server is specified. Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it. The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
Syntax secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] * undo secondary authentication [ ipv4-address | ipv6 ipv6-address ] Default No secondary RADIUS authentication/authorization server is specified.
interval interval: Specifies the detection interval. The value ranges from 1 to 3600, in minutes. The default setting is 60 minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.
# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text. system-view [Sysname] radius scheme radius2 [Sysname-radius-radius2] secondary authentication 10.110.1.
[Sysname-radius-radius1] security-policy-server 10.110.1.2 server-type (RADIUS scheme view) Use server-type to specify the RADIUS server type. Use undo server-type to restore the default. Syntax server-type { extended | standard } undo server-type Default The supported RADIUS server type is standard.
authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Usage guidelines During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state.
Hardware Option compatible
F1000-A-EI/F1000-S-EI Yes
F1000-E Yes
F5000 Yes
Firewall module Yes
U200-A Yes
U200-S No
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If no IP address is specified, this command changes the status of all configured secondary servers for authentication/authorization or accounting.
Views RADIUS scheme view Default command level 2: System level Usage guidelines Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit.
Usage guidelines The quiet timer controls whether the device changes the status of an unreachable server from active to blocked and how long the device keeps an unreachable server in blocked state. If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible. Be sure to set the server quiet timer properly.
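The server selection, retry, quiet-timer and stop-accounting-buffer rules described for RADIUS schemes are pulled together in the following Python model. It is an added example, not firewall code: the network is replaced by a caller-supplied transport callback and a simulated clock so it runs offline; response-timeout, retry and quiet values are constructor parameters because this excerpt does not state their defaults; and each resend pass over the buffer counts as one stop-accounting attempt, a simplification of the real retransmission behaviour.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A transport returns True when the server answers the request, False on timeout.
Transport = Callable[["RadiusServer", str], bool]


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812
    state: str = "active"        # "active" or "block", the states set by state primary/secondary
    blocked_until: float = 0.0   # simulated clock value at which the quiet period ends


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]    # primary first, then secondaries in configuration order
    response_timeout: float        # timer response-timeout, seconds
    retry: int                     # retry: attempts to one server before it is given up on
    quiet: float                   # quiet timer, seconds; 0 = never mark a server blocked
    stop_acct_retry: int = 500     # retry stop-accounting default from the reference
    buffer_enabled: bool = True    # stop-accounting-buffer enable
    clock: float = 0.0             # simulated time so the model runs offline
    buffer: List[Tuple[str, int]] = field(default_factory=list)  # (request, attempts so far)

    def _release_quiet(self) -> None:
        for s in self.servers:
            if s.state == "block" and s.blocked_until <= self.clock:
                s.state = "active"

    def send(self, request: str, transport: Transport) -> Optional[RadiusServer]:
        """Deliver one request. The primary is tried first if it is active, then the
        secondaries in the order configured. Each server gets `retry` attempts, each
        waiting response_timeout seconds; a server that answers none of them is marked
        blocked for the quiet period, unless the quiet period is 0, in which case it
        stays active and is tried again next time. Returns the answering server, or
        None when every active server failed."""
        self._release_quiet()
        for server in self.servers:
            if server.state != "active":
                continue
            for _ in range(self.retry):
                if transport(server, request):
                    return server
                self.clock += self.response_timeout
            if self.quiet > 0:
                server.state = "block"
                server.blocked_until = self.clock + self.quiet
        return None

    def stop_accounting(self, request: str, transport: Transport) -> bool:
        """Stop-accounting is best effort: a request that gets no response is kept
        for later resends when stop-accounting-buffer enable is set."""
        if self.send(request, transport) is not None:
            return True
        if self.buffer_enabled:
            self.buffer.append((request, 1))
        return False

    def resend_buffered(self, transport: Transport) -> Tuple[int, int]:
        """One resend pass over the buffer; returns (delivered, discarded). A request
        is discarded once its attempts reach retry stop-accounting."""
        delivered = discarded = 0
        keep: List[Tuple[str, int]] = []
        for request, attempts in self.buffer:
            if self.send(request, transport) is not None:
                delivered += 1
            elif attempts + 1 >= self.stop_acct_retry:
                discarded += 1
            else:
                keep.append((request, attempts + 1))
        self.buffer = keep
        return delivered, discarded
```

Setting quiet to 0 reproduces the advice above for a primary that is only temporarily unreachable: it is never marked blocked, so every request first pays the full retry times response-timeout wait on the primary before falling back to a secondary. That delay is the cost the guideline asks you to weigh against always preferring the primary.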
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Examples # Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer response-timeout 5 Related commands retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username.
vpn-instance (RADIUS scheme view) Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Views RADIUS scheme view Default command level 2: System level Parameters vpn-instance-name: Name of the VPN, a case-sensitive string of 1 to 31 characters.
Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet. Usage guidelines The unit for data flows and that for packets must be consistent with those on the HWTACACS server.
Usage guidelines If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes. Examples # Display the configuration of HWTACACS scheme gy. display hwtacacs gy -------------------------------------------------------------------HWTACACS-server template name : gy Primary-authentication-server : 172.31.1.11:49 VPN instance : vpn1 Primary-authorization-server : 172.31.1.11:49 VPN instance : vpn1 Primary-accounting-server : 172.31.1.
Field Description Secondary-authentication-server IP address and port number of the secondary authentication server. Secondary-authorization-server IP address and port number of the secondary authorization server. Secondary-accounting-server IP address and port number of the secondary accounting server. Current-authentication-server IP address and port number of the currently used authentication server.
HWTACACS authen client access response restart number: 0 HWTACACS authen client malformed access response number: 0 HWTACACS authen client round trip time(s): 5 ---[HWTACACS template gy primary authorization]--HWTACACS server open number: 1 HWTACACS server close number: 1 HWTACACS author client request packet number: 1 HWTACACS author client response packet number: 1 HWTACACS author client timeout number: 0 HWTACACS author client packet dropped number: 0 HWTACACS author client unknown type number: 0 HWTACAC
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
command specifies a private-network source IP address. With no VPN specified, the command specifies a public-network source IP address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
# Set the shared key for secure HWTACACS accounting communication to $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== in cipher text for HWTACACS scheme hwt1.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server only affects authorization processes that occur after the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
Views
User view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
Default
No secondary HWTACACS accounting server is specified.
• vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
secondary authorization (HWTACACS scheme view)
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
Syntax
secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
Default
No secondary HWTACACS authorization server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes.
Usage guidelines
When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
Examples
# Set the quiet timer for the primary server to 10 minutes.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there is a large number of users (1000 or more).
Related commands
display hwtacacs
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
vpn-instance-name: Specifies the VPN name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
Password control configuration commands
display password-control
Use display password-control to display password control configuration.
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 45 Command output
Field                 Description
Password control      Whether the password control feature is enabled.
Password aging        Whether password aging is enabled and, if enabled, the aging time.
Password length       Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user. The following matrix shows the keyword ipv6 and firewall and UTM compatibility:
Hardware                  Keywords compatible
F1000-A-EI/F1000-S-EI     Yes
F1000-E                   Yes
F5000                     Yes
Firewall module           Yes
U200-A                    Yes
U200-S                    No
|: Filters command output by specifying a regular expression.
password
Use password to set a password for a local user in interactive mode.
Use undo password to remove the password for a local user.
Views
System view
Default command level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Usage guidelines
For these four functions to take effect, the password control feature must be enabled globally. You must enable a function for its relevant configurations to take effect.
Default
The global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
aging-time: Password aging time in days, in the range of 1 to 365.
Default
A user is notified of pending password expiration during the 7 days before the user's password expires.
Views
System view
Default command level
2: System level
Parameters
alert-time: Number of days before a user's password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
No user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.
Views
System view
Default command level
2: System level
Parameters
same-character: Refuses a password that contains any character repeated consecutively three or more times.
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4. In FIPS mode, type-number must be 4.
type-length type-length: Specifies the minimum number of characters that each type must contain. The value range for the type-length argument is 1 to 63.
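The complexity and composition rules above (same-character, user-name, type-number, type-length, and the FIPS requirement of four types) modeled as a small validator. This is an added example, not HP code or the device's implementation; it assumes the four character types are uppercase letters, lowercase letters, digits and other printable characters, that a type counts toward type-number only when it has at least type-length characters, and that the minimum length comes from password-control length.

```python
"""Model of the password-control complexity and composition checks
(added example, not HP code). Assumptions: the four character types are
uppercase, lowercase, digits and other printable characters, and a type
counts toward type-number only when it has at least type-length chars."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswordPolicy:
    min_length: int = 10          # password-control length
    type_number: int = 1          # password-control composition type-number
    type_length: int = 1          # password-control composition type-length
    same_character: bool = False  # password-control complexity same-character check
    user_name: bool = False       # password-control complexity user-name check
    fips: bool = False            # in FIPS mode type-number must be 4


def char_type_counts(password: str) -> Dict[str, int]:
    """Count characters per type (assumed classes, see module docstring)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def has_triple_repeat(password: str) -> bool:
    """True if any character appears three or more times consecutively."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the violated rules; an empty list means accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("length")
    required_types = 4 if policy.fips else policy.type_number
    qualifying = sum(1 for n in char_type_counts(password).values()
                     if n >= policy.type_length)
    if qualifying < required_types:
        violations.append("composition")
    if policy.same_character and has_triple_repeat(password):
        violations.append("same-character")
    # user-name check: refuse the username or its reverse as a substring
    if policy.user_name and (username in password or username[::-1] in password):
        violations.append("user-name")
    return violations


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=9, type_number=4, type_length=1,
                            same_character=True, user_name=True)
    for pw in ("Str0ng!Pass", "aaa1B!xxxxx", "nimda7Q!zz", "short"):
        print(pw, "->", check_password(pw, "admin", strict) or "accepted")
```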
Default command level
2: System level
Usage guidelines
The password control functions take effect only after the password control feature is enabled globally.
Examples
# Enable the password control feature globally.
system-view
[Sysname] password-control enable
Related commands
display password-control
password-control expired-user-login
Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Default command level
2: System level
Parameters
max-record-num: Maximum number of history password records for each user. The value range is 2 to 15.
Examples
# Set the maximum number of history password records for each user to 10.
A minimum password length setting with a smaller application range has a higher priority. That is, the system prefers the setting for a local user. If there is no setting for the local user, the system uses the setting for the user group. If there is no setting for the user group, the system uses the global setting.
Examples
# Set the global minimum password length to 9 characters.
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
Use undo password-control login-attempt to restore the default.
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.1 Login failed times: 4 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes if the user fails to log in after two attempts.
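The login-attempt behaviour shown above, modeled as a blacklist state machine that supports both the permanent lock (Lock flag: lock, cleared only by reset password-control blacklist) and the timed lock of the 3-minute example, with output rendered in the shape of display password-control blacklist. This is an added example, not HP code; clearing an entry on a successful login or on expiry of a timed lock is this model's simplification, not something the page states.

```python
"""Model of password-control login-attempt handling (added example, not
HP code). After max_attempts consecutive failures the user gets a
blacklist entry: with lock_minutes=None the lock flag is 'lock' until an
administrator clears the blacklist; otherwise the lock expires after
lock_minutes. Clearing on success or expiry is this model's assumption."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BlacklistEntry:
    ip: str
    failed: int = 0
    lock_flag: str = "unlock"              # 'unlock', 'lock' or 'lock-time'
    locked_until: Optional[float] = None   # epoch seconds, timed locks only


class LoginAttemptControl:
    def __init__(self, max_attempts: int = 3, lock_minutes: Optional[int] = None):
        self.max_attempts = max_attempts
        self.lock_minutes = lock_minutes
        self.blacklist: Dict[str, BlacklistEntry] = {}

    def is_locked(self, user: str, now: float) -> bool:
        """True if the user is currently refused logins."""
        entry = self.blacklist.get(user)
        if entry is None:
            return False
        if entry.lock_flag == "lock":
            return True
        if entry.lock_flag == "lock-time":
            if now < entry.locked_until:
                return True
            del self.blacklist[user]   # timed lock expired (model assumption)
        return False

    def login(self, user: str, ip: str, credentials_ok: bool, now: float) -> bool:
        """Record one login attempt and return whether it is admitted."""
        if self.is_locked(user, now):
            return False
        if credentials_ok:
            self.blacklist.pop(user, None)   # model assumption: success clears
            return True
        entry = self.blacklist.setdefault(user, BlacklistEntry(ip=ip))
        entry.failed += 1
        if entry.failed >= self.max_attempts:
            if self.lock_minutes is None:
                entry.lock_flag = "lock"
            else:
                entry.lock_flag = "lock-time"
                entry.locked_until = now + self.lock_minutes * 60
        return False

    def reset_blacklist(self, user: Optional[str] = None) -> None:
        """Counterpart of reset password-control blacklist [ user-name name ]."""
        if user is None:
            self.blacklist.clear()
        else:
            self.blacklist.pop(user, None)

    def display_blacklist(self) -> str:
        """Render entries in the shape of display password-control blacklist."""
        lines = [f"Username: {u} IP: {e.ip} Login failed times: {e.failed} "
                 f"Lock flag: {e.lock_flag}" for u, e in self.blacklist.items()]
        n = len(lines)
        lines.append(f"Total {n} blacklist item(s) matched. {n} listed.")
        return "\n".join(lines)
```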
Usage guidelines
This function does not take effect when a user is prompted to change the password at first login or after the password has aged out.
Examples
# Set the minimum password update interval to 36 hours.
system-view
[Sysname] password-control password update interval 36
Related commands
display password-control
password-control super aging
Use password-control super aging to set the aging time for super passwords.
undo password-control super composition
Default
The composition policy of super passwords is the same as the global password composition policy.
Views
System view
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4.
Usage guidelines
The setting for super passwords, if present, overrides that for all passwords.
Examples
# Set the minimum length for super passwords to 10 characters.
system-view
[Sysname] password-control super length 10
Related commands
password-control length
reset password-control blacklist
Use reset password-control blacklist to remove all or one user from the password control blacklist.
super: Deletes the history records of the super password specified by the level level option, or the history records of all super passwords.
level level: Specifies a user level, in the range of 1 to 3.
Usage guidelines
With no arguments or keywords specified, this command deletes the history password records of all local users. With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords.
FIPS configuration commands
Feature and hardware compatibility
Hardware                  FIPS compatible
F1000-A-EI/F1000-S-EI     Yes
F1000-E                   Yes
F5000                     Yes
Firewall module           Yes
U200-A                    No
U200-S                    No
display fips status
Syntax
display fips status
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display fips status command to display FIPS state.
Related commands: fips mode enable.
Examples
# Display FIPS state.
Default level
2: System level
Parameters
None
Description
Use the fips mode enable command to enable FIPS mode.
Use the undo fips mode enable command to disable FIPS mode.
By default, FIPS mode is disabled.
FIPS mode complies with FIPS 140-2.
To use FIPS mode:
• Delete all MD5-based digital certificates.
• Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
• Enable FIPS mode.
• Enable the password control function.
fips self-test
Syntax
fips self-test
View
System view
Default level
3: Manage level
Parameters
None
Description
Use the fips self-test command to trigger a self-test on the password algorithms.
To verify whether the password algorithm modules operate normally, use this command to trigger a self-test on the password algorithms. The triggered self-test is the same as the automatic self-test performed when the device starts up. If the self-test fails, the device automatically reboots.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.