HP High-End Firewalls Access Control Command Reference
Part number: 5998-2638
Software version: F1000-E/Firewall module: R3166; F5000-A5: R3206
Document version: 6PW101-20120706
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
ACL configuration commands ... 1
acl ... 1
acl accelerate ...
portal nas-id ... 50
portal nas-id-profile ... 51
portal nas-ip ...
attribute 25 car ... 92
data-flow-format (RADIUS scheme view) ... 93
display radius scheme ... 94
display radius statistics
Related information ... 137
Documents ... 137
Websites
ACL configuration commands

acl

Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }

View
System view

Default level
2: System level

Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name for the IPv4 ACL for easy identification.
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
acl copy

Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View
System view

Default level
2: System level

Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source IPv4 ACL that already exists by its name.
Default level
2: System level

Parameters
acl-name: Specifies the name of an existing IPv4 ACL, which is a case-insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the acl name command to enter the view of an IPv4 ACL that has a name.
Related commands: acl.

Examples
# Enter the view of IPv4 ACL flow.
View
Any view

Default level
1: Monitor level

Parameters
acl-number: Specifies an IPv4 ACL by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Field / Description
rule 0 permit
    Content of rule 0
5 times matched
    There have been five matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule.
rule 10 comment This rule is used in VPN rd.
    The description of ACL rule 10 is "This rule is used in VPN rd."
Field / Description
Accelerate
    Whether ACL acceleration is enabled:
    • ACC—Enabled
    • UNACC—Disabled
Status
    Whether ACL acceleration is using up-to-date criteria for rule matching:
    • UTD—The ACL criteria are up to date and have not changed since ACL acceleration was enabled.
    • OOD—The ACL criteria are out of date. This state is displayed if you have modified the ACL after ACL acceleration was enabled. ACL acceleration still matches packets against the old criteria.
rule (Ethernet frame header ACL view)

Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
undo rule rule-id

View
Ethernet frame header ACL view

Default level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.

Examples
# Create a rule in ACL 4000 to permit ARP packets and deny RARP packets.
Table 3 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters / Function / Description
source { sour-addr sour-wildcard | any }
    Function: Specifies a source address
    Description: The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.
Parameters / Function / Description
fragment
    Function: Applies the rule to only non-first fragments
    Description: Without this keyword, the rule applies to all fragments and non-fragments.
time-range time-range-name
    Function: Specifies a time range for the rule
    Description: The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
Parameters / Function / Description
Parameters specific to TCP.
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
    Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG
    Description: The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).
ICMP message name / ICMP message type / ICMP message code
timestamp-reply / 14 / 0
timestamp-request / 13 / 0
ttl-exceeded / 11 / 0

Description
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule.
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap

rule (IPv4 basic ACL view)

Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View
IPv4 basic ACL view

Default level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.

Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.
View
IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level
2: System level

Parameters
step-value: ACL rule numbering step, which ranges from 1 to 20.

Description
Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.
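To make the IPv4 basic ACL semantics documented above concrete (wildcard masks where an all-zero wildcard means one host and any means every address, the fragment keyword, automatic rule numbering by the step value, and rejection of a rule whose statement duplicates another rule), here is an added Python model of an ACL; it is example code written for this page, not HP firewall code. The next auto-assigned ID after an explicitly numbered rule, and the closing deny source any rule in the sample, are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AclRule:
    rule_id: int
    action: str            # "permit" or "deny"
    src_addr: int          # 0 when the source is "any"
    src_wildcard: int      # 0xFFFFFFFF when the source is "any"
    fragment_only: bool    # "fragment": rule applies only to non-first fragments

    def statement(self):
        # The permit/deny statement that must be unique within an ACL.
        return (self.action, self.src_addr, self.src_wildcard, self.fragment_only)

    def matches(self, src_ip: str, non_first_fragment: bool) -> bool:
        if self.fragment_only and not non_first_fragment:
            return False
        # Wildcard bit 1 = "don't care", 0 = "must match"; an all-zero
        # wildcard therefore requires the exact host address.
        ip = int(ipaddress.IPv4Address(src_ip))
        care = ~self.src_wildcard & 0xFFFFFFFF
        return ((ip ^ self.src_addr) & care) == 0


@dataclass
class BasicAcl:
    number: int                # 2000 to 2999 for IPv4 basic ACLs
    step: int = 5              # default rule numbering step (range 1 to 20)
    rules: List[AclRule] = field(default_factory=list)

    _RULE_RE = re.compile(
        r"rule(?:\s+(\d+))?\s+(permit|deny)"
        r"(?:\s+source\s+(?:(any)|(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)))?"
        r"(\s+fragment)?")

    def __post_init__(self):
        if not 2000 <= self.number <= 2999:
            raise ValueError("IPv4 basic ACL numbers are 2000 to 2999")
        if not 1 <= self.step <= 20:
            raise ValueError("step ranges from 1 to 20")

    def _next_id(self) -> int:
        # Unnumbered rules get 0, step, 2*step, ...; after an explicitly
        # numbered rule we ASSUME the next multiple of step above the highest ID.
        if not self.rules:
            return 0
        top = max(r.rule_id for r in self.rules)
        return (top // self.step + 1) * self.step

    def add_rule(self, line: str) -> AclRule:
        m = self._RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, action, _any_kw, addr, wc, frag = m.groups()
        rule_id = int(rid) if rid is not None else self._next_id()
        if rule_id > 65534:
            raise ValueError("rule IDs range from 0 to 65534")
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        if addr is None:   # "source any" or no source keyword: every address
            src, wild = 0, 0xFFFFFFFF
        else:
            src = int(ipaddress.IPv4Address(addr))
            wild = int(ipaddress.IPv4Address(wc))
        new = AclRule(rule_id, action, src, wild, frag is not None)
        for r in self.rules:
            if r.statement() == new.statement():
                raise ValueError(f"same statement as rule {r.rule_id}; creation fails")
        self.rules.append(new)
        return new

    def evaluate(self, src_ip: str, non_first_fragment: bool = False) -> Optional[str]:
        # match-order config: rules are tried in configuration order, first hit wins.
        for r in self.rules:
            if r.matches(src_ip, non_first_fragment):
                return f"{r.action} (rule {r.rule_id})"
        return None   # no rule matched; the calling feature applies its own default


def build_sample_acl() -> BasicAcl:
    # Constructed sample: the page's ACL 2000 example, completed with an
    # assumed fragment rule and an assumed closing "deny source any".
    acl = BasicAcl(2000)
    for line in [
        "rule permit source 10.0.0.0 0.255.255.255",
        "rule permit source 172.17.0.0 0.0.255.255",
        "rule permit source 192.168.1.0 0.0.0.255",
        "rule 30 deny source any fragment",
        "rule deny source any",
    ]:
        acl.add_rule(line)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for ip in ("10.1.2.3", "192.168.2.1", "8.8.8.8"):
        print(ip, "->", acl.evaluate(ip), "| non-first fragment:",
              acl.evaluate(ip, non_first_fragment=True))
```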
Time range resource commands

display time-range

Syntax
display time-range { time-range-name | all }

View
Any view

Default level
1: Monitor level

Parameters
time-range-name: Specifies a time range name, which is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.

Description
Use the display time-range command to display the configuration and status of the specified time range or all time ranges.
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View
System view

Default level
2: System level

Parameters
time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic statement.
For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
The active period of a time range is calculated as follows:
1. Combining all periodic statements
2. Combining all absolute statements
3.
Session management commands

application aging-time

Syntax
application aging-time { dns | ftp | msn | qq } time-value
undo application aging-time [ dns | ftp | msn | qq ]

View
System view

Default level
2: System level

Parameters
dns: Specifies the aging time for DNS sessions.
ftp: Specifies the aging time for FTP sessions.
msn: Specifies the aging time for MSN sessions.
qq: Specifies the aging time for QQ sessions.
display session relation-table

Syntax
display session relation-table [ vd-name vd-name ]

View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description
Use the display session relation-table command to display relationship table entries.
Field / Description
AllowConn
    Number of sessions allowed by the relationship table entry
Total find
    Total number of found relationship table entries

display session statistics

Syntax
display session statistics [ vd-name vd-name ]

View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device.
Received UDP: Received ICMP: Received RAWIP: 0 packet(s) 0 byte(s) TCP: 0 packet(s) 0 byte(s) Dropped UDP: 0 packet(s) 0 byte(s) Dropped ICMP: 0 packet(s) 0 byte(s) Dropped RAWIP: 0 packet(s) 0 byte(s) Dropped 86810494849 packet(s) 4340524910260 byte(s) 307232 packet(s) 17206268 byte(s)

Table 9 Output description
Field / Description
Current session(s)
    Total number of sessions
Current TCP session(s)
    Number of TCP sessions
Half-Open
    Number of TCP sessions in the half-open stat
View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the sessions of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
source-ip source-ip: Displays the sessions with the specified source IP address.
destination-ip destination-ip: Displays sessions with the specified destination IP address.
Root Zone(in): Management Zone(out): Local
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port : 192.168.1.55/23
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.1.55/23
  Dest IP/Port : 192.168.1.
Field / Description
Zone(in)
    Security zone (in)
Zone(out)
    Security zone (out)
Received packet(s)(Init)
    Counts of packets and bytes from the initiator to the responder
Received packet(s)(Reply)
    Counts of packets and bytes from the responder to the initiator
Total find
    Total number of sessions currently found

reset session

Syntax
reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ de
reset session source-ip 10.10.10.10

reset session statistics

Syntax
reset session statistics [ vd-name vd-name ]

View
User view

Default level
2: System level

Parameters
vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description
Use the reset session statistics command to clear session statistics.
tcp-est: Specifies the aging time for the TCP sessions in the ESTABLISHED state.
udp-open: Specifies the aging time for the UDP sessions in the OPEN state.
udp-ready: Specifies the aging time for the UDP sessions in the READY state.
time-value: Aging time, in seconds, in the range 5 to 100000.

Description
Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state. Use the undo session aging-time command to restore the default.
Description
Use the session checksum command to enable checksum verification for protocol packets. Use the undo session checksum command to disable checksum verification. By default, checksum verification is disabled.

Examples
# Enable checksum verification for UDP packets.
Connection limit configuration commands

connection-limit apply policy

Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number

View
System view

Default level
2: System level

Parameters
policy-number: Number of the existing connection limit policy, which can only be 0.

Description
Use the connection-limit apply policy command to apply a connection limit policy. The connection limit policy to be applied must contain at least one limit rule.
all: Specifies all connection limit policies.

Description
Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view. Use the undo connection-limit policy command to delete a specified or all connection limit policies. By default, no connection limit policy is created. A connection limit policy contains a set of rules that are defined to limit the number of connections of a specified user.
There are 2 policies:
Connection-limit policy 0, refcount 1, 2 limits
  limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared
  limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared
Connection-limit policy 1, refcount 0, 1 limit
  limit 4500 source 2.2.0.0 16 amount dns 200
# Display information about all connection limit policies.
display connection-limit policy all
There are 1 policies:
Connection-limit policy 0, refcount 0, 1 limit
  limit 0 source ip 3.3.3.
destination-vpn dst-vpn-name: Specifies a destination VPN by its instance name, a case-sensitive string of 1 to 31 characters. Absence of the keyword and argument combination indicates the public network.
protocol: Specifies connections of a protocol.
• dns: Specifies connections of the DNS protocol.
• http: Specifies connections of the HTTP protocol.
• ip: Specifies connections of the IP protocol.
• tcp: Specifies connections of the TCP protocol.
• udp: Specifies connections of the UDP protocol.
# Configure connection limit rule 5 to limit IP connections from vpn1 to vpn2 with the upper connection limit of 200.
Portal configuration commands

display portal acl

Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number

View
Any view

Default level
1: Monitor level

Parameters
all: Displays all portal access control lists (ACLs), including dynamic ones and static ones.
dynamic: Displays dynamic portal ACLs, namely, ACLs generated after a user passes portal authentication.
static: Displays static portal ACLs, namely, ACLs generated by related configurations.
Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  MAC : 0000-0000-0000
  Interface : any
  VLAN : 2
  Protocol : 6
Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.0
Rule 2
  Inbound interface : GigabitEthernet0/0
  Type : dynamic
  Action : permit
Source:
  IP : 2.2.2.2
  Mask : 255.255.255.255
  MAC : 000d-88f8-0eab
  Interface : GigabitEthernet0/1
  VLAN : 0
  Protocol : 0
Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.
Field / Description
IP
    Destination IP address in the portal ACL
Mask
    Subnet mask of the destination IP address in the portal ACL
Author ACL
    Authorization ACL of portal ACL. It is displayed only when the Type field has a value of dynamic.
Number
    Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL.
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_LEAVING_ACK 0 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_TMR_REQAUTH 1 0 0
MSG_TMR_AUTHEN 0 0 0
MSG_TMR_AUTHOR 0 0 0
MSG_TMR_LOGIN 0 0 0
MSG_TMR_LOGOUT 0 0 0
MSG_TMR_LEAVING 0 0 0
MSG_TMR_NEWIP 0 0 0
MSG_TMR_USERIPCHANGE 0 0 0
MSG_PORT_REMOVE 0 0 0
MSG_VLAN_REMOVE 0 0 0
MSG_IF_REMOVE
Field / Description
WAIT_LOGOUT_ACK
    Number of users in wait_logout_ack state
WAIT_LEAVING_ACK
    Number of users in wait_leaving_ack state
Message statistics
    Statistics on messages
Msg-Name
    Message type
Total
    Total number of messages
Err
    Number of erroneous messages
Discard
    Number of discarded messages
MSG_AUTHEN_ACK
    Authentication acknowledgment message
MSG_AUTHOR_ACK
    Authorization acknowledgment message
MSG_LOGIN_ACK
    Accounting acknowledgment message
MSG_LOGOUT_ACK
    Accounting-stop acknow
Field / Description
MSG_SETPOLICY_RESULT
    Set policy response message

display portal free-rule

Syntax
display portal free-rule [ rule-number ]

View
Any view

Default level
1: Monitor level

Parameters
rule-number: Number of a portal-free rule. The value ranges from 0 to 15.

Description
Use the display portal free-rule command to display information about a specified portal-free rule or all portal-free rules.
Related commands: portal free-rule.

Examples
# Display information about portal-free rule 1.
Field / Description
Destination
    Destination information in the portal-free rule
IP
    Destination IP address in the portal-free rule
Mask
    Subnet mask of the destination IP address in the portal-free rule

display portal interface

Syntax
display portal interface interface-type interface-number

View
Any view

Default level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.
Field / Description
address
    IP address of the portal authentication subnet
mask
    Subnet mask of the IP address of the portal authentication subnet

display portal server

Syntax
display portal server [ server-name ]

View
Any view

Default level
1: Monitor level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

Description
Use the display portal server command to display information about a specified portal server or all portal servers.
display portal server statistics

Syntax
display portal server statistics { all | interface interface-type interface-number }

View
Any view

Default level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display portal server statistics command to display portal server statistics on a specified interface or all interfaces.
Field / Description
Pkt-Name
    Packet type
Total
    Total number of packets
Discard
    Number of discarded packets
Checkerr
    Number of erroneous packets
REQ_CHALLENGE
    Challenge request message the portal server sends to the access device
ACK_CHALLENGE
    Challenge acknowledgment message the access device sends to the portal server
REQ_AUTH
    Authentication request message the portal server sends to the access device
ACK_AUTH
    Authentication acknowledgment message the access device sends to the portal server
Description
Use the display portal tcp-cheat statistics command to display TCP spoofing statistics.

Examples
# Display TCP spoofing statistics.
display portal user

Syntax
display portal user { all | interface interface-type interface-number }

View
Any view

Default level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display portal user command to display information about portal users on a specified interface or all interfaces.

Examples
# Display information about portal users on all interfaces.
Field / Description
Work-mode
    Working mode of the portal user, which can be:
    • Primary
    • Secondary
    • Stand-alone
MAC
    MAC address of the portal user
IP
    IP address of the portal user
Vlan
    VLAN to which the portal user belongs
Interface
    Interface to which the portal user is attached
Total 2 user(s) matched, 2 listed
    Total number of portal users

portal auth-network

Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }

View
Interface view

Def
portal delete-user

Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }

View
System view

Default level
2: System level

Parameters
ip-address: IP address of a user.
all: Logs out all users.
interface interface-type interface-number: Logs out all users on the specified interface.

Description
Use the portal delete-user command to log out users.
Related commands: display portal user.

Examples
# Log out user 1.1.1.1.
system-view
[Sysname] portal delete-user 1.
Examples
# On GigabitEthernet 0/0, configure the authentication domain as my-domain.
Examples
# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 0/0 to bypass portal authentication.
system-view
[Sysname] portal free-rule 15 source ip 10.10.10.
Parameters
nas-identifier: NAS ID for the interface, a case-sensitive string of 1 to 16 characters. This value will be used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on through the interface.

Description
Use the portal nas-id command to specify a NAS ID for an interface. Use the undo portal nas-id command to restore the default.
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-id-profile aaa

portal nas-ip

Syntax
portal nas-ip ip-address
undo portal nas-ip

View
Interface view

Default level
2: System level

Parameters
ip-address: Source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
key-string: Shared key for communication with the portal server, a case-sensitive string of 1 to 16 characters.
port-id: Destination port number used when the firewall sends a message to the portal server unsolicitedly, in the range 1 to 65534. The default is 50100.
url-string: Uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server.
layer3: Layer 3 authentication.
redhcp: Re-DHCP authentication.

Description
Use the portal server command to enable portal authentication on an interface, and specify the portal server to be referenced and the authentication mode. Use the undo portal command to disable portal authentication on an interface. By default, portal authentication is disabled on an interface. The portal server to be referenced must exist.
View
User view

Default level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the reset portal server statistics command to clear portal server statistics on a specified interface or all interfaces.

Examples
# Clear portal server statistics on interface GigabitEthernet 0/0.
AAA configuration commands

General AAA configuration commands

aaa nas-id profile

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

View
System view

Default level
2: System level

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Description
Use the aaa nas-id profile command to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate. The valid range is from 1 to 2147483646.

Description
Use the access-limit enable command to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users will be accepted. Use the undo access-limit enable command to restore the default. By default, there is no limit to the number of online users in an ISP domain.
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

accounting default

Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
undo accounting login

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
Parameters
None

Description
Use the accounting optional command to enable the accounting optional feature. Use the undo accounting optional command to disable the feature. By default, the feature is disabled. After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or the communication with the current accounting server fails.
Related commands: local-user, accounting default, and radius scheme.

Examples
# Configure ISP domain test to use local accounting for portal users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
authentication login

Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
View
ISP domain view

Default level
2: System level

Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description
Use the authentication portal command to configure the authentication method for portal users. Use the undo authentication portal command to restore the default.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description
Use the authentication ppp command to configure the authentication method for PPP users. Use the undo authentication ppp command to restore the default. By default, the default authentication method for the ISP domain is used for PPP users.
The specified HWTACACS scheme must have been configured. With command line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user.
Related commands: local-user, authorization default, and hwtacacs scheme.

Examples
# Configure ISP domain test to use local command line authorization.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, hwtacacs scheme and radius scheme.

Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
authorization ppp

Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange.
undo authorization-attribute user-profile

View
ISP domain view

Default level
3: Manage level

Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters.

Description
Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain. Use the undo authorization-attribute user-profile command to restore the default. By default, an ISP domain has no default authorization user profile.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters.
Priority=Disable Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Table 20 Output description
Index: The index number of the user connection.
Username: Username of the connection, in the format username@domain.
MAC: MAC address of the user.
IP: IPv4 address of the user.
Access: User access type.
ACL Group: Authorization ACL group. Disable means no authorization ACL group is assigned.
Accounting method : Required Default authentication scheme : local Default authorization scheme : local Default accounting scheme : local Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes : 1 Domain : test State : Active Access-limit : Disabled Accounting method : Required Default authentication scheme : local Default authorization scheme : local Default accounting scheme : local Domain User Template: Idle-cut : Disabled Self-service : Disabled Authoriza
Idle-cut: Indicates whether the idle cut function is enabled. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period.
Self-service: Indicates whether the self service function is enabled.
[Sysname] domain test [Sysname-isp-test] domain default enable Syntax domain default enable isp-name undo domain default enable View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Description Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
Parameters minute: Idle timeout period, in the range 1 to 120 minutes. flow: Minimum traffic during the idle timeout period, which is in the range 1 to 10240000 bytes and defaults to 10240. Description Use the idle-cut enable command to enable the idle cut function and set the relevant parameters.
You can also configure an address pool for PPP users in system view. An IP address pool configured in system view is used to assign IP addresses to PPP users who do not need to be authenticated. To specify the address pool used for assigning an IP address to the peer device, use the remote address command in interface view. An IP address pool configured in ISP domain view is used to assign IP addresses to the ISP domain’s PPP users who must be authenticated.
self-service-url enable Syntax self-service-url enable url-string undo self-service-url enable View ISP domain view Default level 2: System level Parameters url-string: URL of the self-service server, a string of 1 to 64 characters. It must start with http:// and contain no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
block: Places the ISP domain in the blocked state to prevent users in the ISP domain from requesting network services. Description Use the state command to set the status of an ISP domain. Use the undo state command to restore the default. By default, an ISP domain is in the active state. Blocking an ISP domain prevents offline users of the domain from requesting network services. Online users are not affected. Examples # Place ISP domain test in the blocked state.
authorization-attribute (local user view/user group view) Syntax authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } * undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | vlan | work-directory } * View Local user view, user group view Default level 3: Manage level Parameters acl acl-number: Specifies the authorization ACL.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
mac mac-address: Specifies the MAC address of the user in the format H-H-H. This keyword and argument combination is applicable to only LAN users. vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094. This keyword and argument combination is applicable to only LAN users. Description Use the bind-attribute command to configure binding attributes for a local user. Use the undo bind-attribute command to remove binding attributes of a local user.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name. Description Use the display local-user command to display configuration and statistics information about local users. If you do not specify any parameter, the command displays information about all local users. Related commands: local-user. Examples # Display information about all local users.
display user-group Syntax display user-group [ group-name ] View Any view Default level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the display user-group command to display configuration information about one or all user groups. If you do not specify any user group name, the command displays information about all user groups. Related commands: user-group. Examples # Display configuration information about user group abc.
and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 is equivalent to 02:02:00-2008/02/02. Description Use the expiration-date command to set the expiration time of a local user. Use the undo expiration-date command to remove the configuration. By default, a local user has no expiration time and no time validity checking is performed.
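The leading-zero rule and the month-dependent day range above are easy to get wrong in a provisioning script. The following is an added example, not code from the HP manual or the firewall itself: a small parser for the HH:MM:SS-YYYY/MM/DD value that accepts omitted leading zeros, insists that midnight be written out as 00:00:00, rejects days that do not exist in the given month, and decides whether a user is still within its validity period. The full numeric ranges of each field are not reproduced on this page, so only calendar validity is enforced, and treating the expiration instant itself as already expired is an assumption.

```python
"""Added example (not from the HP manual): parse, validate and normalize the
expiration-date value of a local user, and check it against a point in time."""
import re
from datetime import datetime
from typing import Optional

# One or two digits per field, four for the year. Field ranges beyond what the
# calendar allows are not on this page, so they are not enforced here.
_EXP_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})-(\d{4})/(\d{1,2})/(\d{1,2})$")


def parse_expiration_date(text: str) -> datetime:
    """Return the expiration time, or raise ValueError for a malformed value."""
    m = _EXP_RE.match(text)
    if not m:
        raise ValueError(f"bad expiration-date format: {text!r}")
    hh, mi, ss, yyyy, mo, dd = (int(g) for g in m.groups())
    time_part = text.split("-", 1)[0]
    # Leading zeros may be dropped, except that midnight must be spelled 00:00:00.
    if (hh, mi, ss) == (0, 0, 0) and time_part != "00:00:00":
        raise ValueError("midnight must be written as 00:00:00")
    # datetime() rejects hour > 23, minute/second > 59 and a day that does not
    # exist in the month (for example 2009/2/29 or 2008/2/30).
    return datetime(yyyy, mo, dd, hh, mi, ss)


def is_valid_expiration_date(text: str) -> bool:
    """True when the value would be accepted by the parser above."""
    try:
        parse_expiration_date(text)
        return True
    except ValueError:
        return False


def normalize_expiration_date(text: str) -> str:
    """Canonical spelling with every leading zero restored."""
    return parse_expiration_date(text).strftime("%H:%M:%S-%Y/%m/%d")


def user_is_within_validity(expiration: Optional[str], now_iso: str) -> bool:
    """A user without expiration-date is never time-checked; otherwise the
    user is valid strictly before the expiration time (assumption: the page
    does not say how the boundary instant is treated). now_iso is an ISO 8601
    timestamp such as '2008-02-02T02:01:59'."""
    if expiration is None:
        return True
    return datetime.fromisoformat(now_iso) < parse_expiration_date(expiration)
```

When importing user lists from a spreadsheet, run every value through normalize_expiration_date before generating the expiration-date commands so that the configuration shows the fully padded form and invalid dates are caught before they reach the device.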
local-user Syntax local-user user-name undo local-user { user-name | all [ service-type { ftp | portal | ppp | ssh | telnet | terminal } ] } View System view Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
Default level 2: System level Parameters auto: Displays the password of a local user in the mode that is specified for the user by using the password command. cipher-force: Displays the passwords of all local users in cipher text. Description Use the local-user password-display-mode command to set the password display mode for all local users. Use the undo local-user password-display-mode command to restore the default. By default, the password display mode is auto.
Description Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text. Use the undo password command to delete the password of a local user. When the password control feature is enabled globally (by using the password-control enable command), local user passwords are subject to the restrictions of the password control feature, such as the length and complexity requirements, and are not displayed.
Parameters ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. ssh: Authorizes the user to use the SSH service. Support for this keyword depends on the device model. telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX Asyn port. portal: Authorizes the user to use the Portal service. ppp: Authorizes the user to use the PPP service.
Examples # Place local user user1 in the blocked state. system-view [Sysname] local-user user1 [Sysname-luser-user1] state block user-group Syntax user-group group-name undo user-group group-name View System view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the user-group command to create a user group and enter its view. Use the undo user-group command to remove a user group.
View RADIUS scheme view Default level 2: System level Parameters seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds. send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default is 50. Description Use the accounting-on enable command to configure the accounting-on feature.
Description Use the attribute 25 car command to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use the undo attribute 25 car command to restore the default. By default, RADIUS attribute 25 is not interpreted as CAR parameters. Related commands: display radius scheme and display connection. Examples # Interpret RADIUS attribute 25 as CAR parameters.
display radius scheme Syntax display radius scheme [ radius-scheme-name ] View Any view Default level 2: System level Parameters radius-scheme-name: RADIUS scheme name. Description Use the display radius scheme command to display the configuration information of RADIUS schemes. If you do not specify any RADIUS scheme, the command displays the configuration information of all RADIUS schemes. Related commands: radius scheme. Examples # Display the configuration information of all RADIUS schemes.
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
-----------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 23 Output description
SchemeName: Name of the RADIUS scheme.
Index: Index number of the RADIUS scheme.
Type: Type of the RADIUS server, extended or standard.
Primary Auth Server: Information about the primary authentication server.
Packet unit: Unit for packets sent to the RADIUS server.
NAS-IP address: Source IP address for RADIUS packets to be sent.
Attribute 25: Interprets RADIUS attribute 25 as the CAR parameters.
display radius statistics Syntax display radius statistics View Any view Default level 2: System level Parameters None Description Use the display radius statistics command to display statistics about RADIUS packets. Related commands: radius scheme.
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006 Realtime Account timer Num = 0 Err = 0 Succ = 0 PKT response Num = 23 Err = 0 Succ = 23 Accounting on response Num = 0 Err = 0 Succ = 0 Session ctrl pkt Num = 0 Err = 0 Succ = 0 Normal author request Num = 0 Err = 0 Succ = 0 Set policy result Num = 0 Err = 0 Succ = 0 RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14 EAP auth replying Num = 0 Account success Num = 4 Account failure Num = 3 Server c
Total: Total number of packets retransmitted.
RADIUS received packets statistic: Statistics for packets received by the RADIUS module.
Code: Packet type.
Num: Total number of packets.
Err: Number of packets that the device failed to process.
Succ: Number of messages that the device successfully processed.
Running statistic: Statistics for RADIUS messages received and sent by the RADIUS module.
RADIUS received messages statistic: Statistics for received RADIUS messages.
Normal auth reques
Discarded No-response-acct-stop packet for buffer overflow: Number of stop-accounting packets that were buffered but then discarded due to full memory.
display stop-accounting-buffer (for RADIUS) Syntax display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } View Any view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that
Total 2 record(s) Matched key (RADIUS scheme view) Syntax key { accounting | authentication } key undo key { accounting | authentication } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the shared key for authenticating RADIUS accounting packets. authentication: Sets the shared key for authenticating RADIUS authentication/authorization packets.
View RADIUS scheme view Default level 2: System level Parameters ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source IP address for outgoing RADIUS packets. Use the undo nas-ip command to restore the default.
Default level 2: System level Parameters ip-address: IPv4 address of the primary accounting server. port-number: Service port number of the primary accounting server, a UDP port number in the range 1 to 65535. The default is 1813. Description Use the primary accounting command to specify the primary RADIUS accounting server. Use the undo primary accounting command to remove the configuration. By default, no primary RADIUS accounting server is specified.
Parameters ip-address: IPv4 address of the primary authentication/authorization server. port-number: Service port number of the primary authentication/authorization server, a UDP port number in the range 1 to 65535. The default is 1812. Description Use the primary authentication command to specify the primary RADIUS authentication/authorization server. Use the undo primary authentication command to remove the configuration. By default, no primary RADIUS authentication/authorization server is specified.
Use the undo radius client command to disable the RADIUS listening port of a RADIUS client. By default, the RADIUS listening port is enabled. When the listening port of the RADIUS client is disabled: • Stop-accounting requests of online users can no longer be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still keeps the user's record for a certain period of time.
NOTE: The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Related commands: nas-ip. Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. system-view [Sysname] radius nas-ip 129.10.10.
View System view Default level 2: System level Parameters accounting-server-down: Sends traps when the reachability of the accounting server changes. authentication-server-down: Sends traps when the reachability of the authentication server changes. Description Use the radius trap command to enable the trap function for RADIUS. Use the undo radius trap command to disable the trap function for RADIUS. By default, the trap function is disabled for RADIUS.
reset stop-accounting-buffer (for RADIUS) Syntax reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } View User view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
Parameters retry-times: Maximum number of RADIUS packet transmission attempts, in the range 1 to 20. Description Use the retry command to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use the undo retry command to restore the default. By default, the maximum number of RADIUS packet transmission attempts is 3. Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
NOTE: The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets.
NOTE: The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command).
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails. If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server will time out, and the device will look for a server in the active state from the primary server on.
Use the undo secondary authentication command to remove a secondary RADIUS authentication/authorization server. By default, no secondary RADIUS authentication/authorization server is specified. You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly.
Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Description Use the security-policy-server command to specify a security policy server for a RADIUS scheme. Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme. By default, no security policy server is specified for a RADIUS scheme. You can specify up to eight security policy servers for a RADIUS scheme.
[Sysname-radius-radius1] server-type standard state primary Syntax state primary { accounting | authentication } { active | block } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state.
Default level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Description Use the state secondary command to set the status of a secondary RADIUS server.
Use the undo stop-accounting-buffer enable command to disable the buffering function. By default, the device buffers stop-accounting requests to which no responses are received. Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers.
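Because an unanswered stop-accounting request keeps a user billed as online, it helps to see how buffering, the retry stop-accounting limit and the buffer-overflow counter interact. The following is an added example, not code from the HP manual or the device firmware: a simplified model of the stop-accounting buffer in which a request that gets no response is buffered and retransmitted until it is acknowledged or reaches the maximum number of attempts, a full buffer drops the request (the "Discarded No-response-acct-stop packet for buffer overflow" counter of display radius statistics), and reset stop-accounting-buffer clears entries by scheme or by user. The buffer capacity, the way attempts are counted and the transmit callback are assumptions of this model.

```python
"""Added example (not from the HP manual): a model of the NAS stop-accounting
buffer and its retransmission/discard behaviour."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class StopAccountingRequest:
    scheme: str        # RADIUS scheme whose accounting server is the target
    session_id: str
    user_name: str     # username@domain as shown by display connection
    attempts: int = 0  # transmissions so far, including the first one


Transmit = Callable[[StopAccountingRequest], bool]  # True when the server answers


@dataclass
class StopAccountingBuffer:
    capacity: int      # assumed bound on unanswered requests the NAS keeps
    max_attempts: int  # the retry stop-accounting value of the scheme
    pending: List[StopAccountingRequest] = field(default_factory=list)
    discarded_overflow: int = 0  # dropped because the buffer was full
    given_up: int = 0            # dropped after max_attempts without a response

    def send(self, req: StopAccountingRequest, transmit: Transmit) -> bool:
        """First transmission; buffer the request if the server does not answer."""
        req.attempts += 1
        if transmit(req):
            return True
        if len(self.pending) >= self.capacity:
            self.discarded_overflow += 1   # this user stays 'online' on the server
        else:
            self.pending.append(req)
        return False

    def retransmit(self, transmit: Transmit) -> int:
        """One retransmission round for every buffered request.
        Returns the number of requests the server acknowledged."""
        acked = 0
        still_pending: List[StopAccountingRequest] = []
        for req in self.pending:
            req.attempts += 1
            if transmit(req):
                acked += 1
            elif req.attempts >= self.max_attempts:
                self.given_up += 1
            else:
                still_pending.append(req)
        self.pending = still_pending
        return acked

    def reset(self, scheme: Optional[str] = None,
              user_name: Optional[str] = None) -> int:
        """Model of reset stop-accounting-buffer: clear by radius-scheme or by
        user-name (at least one selector, as the command syntax requires).
        Returns how many buffered requests were removed."""
        if scheme is None and user_name is None:
            raise ValueError("specify a radius-scheme or a user-name")
        keep = [r for r in self.pending
                if not ((scheme is None or r.scheme == scheme)
                        and (user_name is None or r.user_name == user_name))]
        removed = len(self.pending) - len(keep)
        self.pending = keep
        return removed
```

The two counters are the ones worth alarming on: a rising discarded_overflow or given_up count means users are being charged for sessions the accounting server never saw end, which is exactly why the text says the NAS must make its best effort to deliver every stop-accounting request.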
Related commands: display radius scheme. Examples # Set the quiet timer for the servers to 10 minutes. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 timer realtime-accounting (RADIUS scheme view) Syntax timer realtime-accounting minutes undo timer realtime-accounting View RADIUS scheme view Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60.
system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer realtime-accounting 51 timer response-timeout (RADIUS scheme view) Syntax timer response-timeout seconds undo timer response-timeout View RADIUS scheme view Default level 2: System level Parameters seconds: RADIUS server response timeout period in seconds, in the range 1 to 10. Description Use the timer response-timeout command to set the RADIUS server response timeout timer.
Parameters keep-original: Sends the username to the RADIUS server as it is input. with-domain: Includes the ISP domain name in the username sent to the RADIUS server. without-domain: Excludes the ISP domain name from the username sent to the RADIUS server. Description Use the user-name-format command to specify the format of the username to be sent to a RADIUS server. By default, the ISP domain name is included in the username.
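The three user-name-format options only make sense together with the rule, given under domain default enable, that a username carrying no domain belongs to the default ISP domain. The following is an added example, not code from the HP manual or the firewall: it resolves a login name to a local username plus ISP domain, applies the length limits stated for those two names, and then produces the username a RADIUS server would receive under each user-name-format setting. The "@" separator follows the username@domain form shown in the display connection output; the specific login names and domain names are constructed.

```python
"""Added example (not from the HP manual): ISP domain resolution and the
user-name-format rewrite applied to the name sent to the RADIUS server."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AaaIdentity:
    user: str    # local part: 1 to 55 characters, never contains the domain
    domain: str  # ISP domain name: 1 to 24 characters, case-insensitive


def resolve_identity(login_name: str, default_domain: str) -> AaaIdentity:
    """Split 'user@domain'; a name with no '@' falls into default_domain
    (the domain configured with domain default enable)."""
    if "@" in login_name:
        user, _, domain = login_name.rpartition("@")
    else:
        user, domain = login_name, default_domain
    if not 1 <= len(user) <= 55:
        raise ValueError("username must be 1 to 55 characters without the domain name")
    if not 1 <= len(domain) <= 24:
        raise ValueError("ISP domain name must be 1 to 24 characters")
    return AaaIdentity(user, domain)


def username_for_server(login_name: str, default_domain: str, fmt: str) -> str:
    """Apply the scheme's user-name-format to the name sent to the server."""
    ident = resolve_identity(login_name, default_domain)
    if fmt == "keep-original":
        return login_name                         # exactly as the user typed it
    if fmt == "with-domain":
        return f"{ident.user}@{ident.domain}"     # default domain is made explicit
    if fmt == "without-domain":
        return ident.user
    raise ValueError(f"unknown user-name-format: {fmt!r}")


def same_identity(a: AaaIdentity, b: AaaIdentity) -> bool:
    """Usernames are case-sensitive, ISP domain names are not."""
    return a.user == b.user and a.domain.lower() == b.domain.lower()
```

Note the difference between keep-original and with-domain for a user who logs in as plain "alice": the former sends "alice", the latter sends "alice@test", so the RADIUS server's user database must match whichever form the scheme is configured to send.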
Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet. Description Use the data-flow-format command to set the traffic statistics unit for data flows or packets. Use the undo data-flow-format command to restore the default.
HWTACACS-server template name : 1 Primary-authentication-server : 0.0.0.0:0 Primary-authorization-server : 0.0.0.0:0 Primary-accounting-server : 0.0.0.0:0 Secondary-authentication-server : 0.0.0.0:0 Secondary-authorization-server : 0.0.0.0:0 Secondary-accounting-server : 0.0.0.0:0 Current-authentication-server : 0.0.0.0:0 Current-authorization-server : 0.0.0.0:0 Current-accounting-server : 0.0.0.0:0 Nas-IP address : 0.0.0.
Data traffic-unit: Unit for data flows.
Packet traffic-unit: Unit for data packets.
# Display the statistics for the servers specified in HWTACACS scheme gy.
HWTACACS account client request packet number: 0 HWTACACS account client response packet number: 0 HWTACACS account client unknown type number: 0 HWTACACS account client timeout number: 0 HWTACACS account client packet dropped number: 0 HWTACACS account client request command level number: 0 HWTACACS account client request connection number: 0 HWTACACS account client request EXEC number: 0 HWTACACS account client request network number: 0 HWTACACS account client request system event number: 0 HWTACACS accou
Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the hwtacacs nas-ip command to specify a source IP address for outgoing HWTACACS packets. Use the undo hwtacacs nas-ip command to remove the configuration. By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed. Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
nas-ip (HWTACACS scheme view) Syntax nas-ip ip-address undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source address for outgoing HWTACACS packets. Use the undo nas-ip command to restore the default.
View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server, in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the primary accounting command to specify the primary HWTACACS accounting server. Use the undo primary accounting command to remove the configuration.
port-number: Service port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49. Description Use the primary authentication command to specify the primary HWTACACS authentication server. Use the undo primary authentication command to remove the configuration. By default, no primary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If you configure the command repeatedly, only the last configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation. Related commands: display hwtacacs. Examples # Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters. Description Use the reset stop-accounting-buffer command to clear buffered stop-accounting requests that get no responses. Related commands: stop-accounting-buffer enable and display stop-accounting-buffer.
View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the secondary HWTACACS accounting server, in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the secondary accounting command to specify the secondary HWTACACS accounting server. Use the undo secondary accounting command to remove the configuration.
port-number: Service port number of the secondary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49. Description Use the secondary authentication command to specify the secondary HWTACACS authentication server. Use the undo secondary authentication command to remove the configuration. By default, no secondary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If you configure the command repeatedly, only the last configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation. Related commands: display hwtacacs. Examples # Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
timer quiet (HWTACACS scheme view) Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view Default level 2: System level Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255. Description Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state. Use the undo timer quiet command to restore the default.
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command sets the interval. The appropriate real-time accounting interval depends on the performance of the NAS and the HWTACACS server. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
[Sysname-hwtacacs-hwt1] timer response-timeout 30 user-name-format (HWTACACS scheme view) Syntax user-name-format { keep-original | with-domain | without-domain } View HWTACACS scheme view Default level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is input. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall chassis or a firewall module.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.