HP High-End Firewalls Access Control Command Reference

Part number: 5998-2658
Software version:
• F1000-A-EI&F1000-S-EI: R3721
• F5000: F3210
• F1000-E: F3171
• Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information

© Copyright 2012 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents

ACL configuration commands 1
  acl 1
  acl accelerate
  display portal server statistics 54
  display portal tcp-cheat statistics 56
  display portal user 57
  portal auth-network
  self-service-url enable 100
  state (ISP domain view) 101
Local user configuration commands 102
  access-limit
  hwtacacs nas-ip 152
  hwtacacs scheme 153
  key (HWTACACS scheme view) 154
  nas-ip (HWTACACS scheme view
Index 190
ACL configuration commands

acl

Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }

View
System view

Default level
2: System level

Parameters
number acl-number: Specifies the number of an access control list (ACL):
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name to the ACL for easy identification.
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
acl copy

Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View
System view

Default level
2: System level

Parameters
source-acl-number: Specifies a source ACL that already exists by its number:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source ACL that already exists by its name.
Default level
2: System level

Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the IPv6 ACL for easy identification. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.
Default level
2: System level

Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl6-number: Assigns a unique number to the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL.
Examples
# Enter the view of IPv6 ACL flow.
system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]

acl name

Syntax
acl name acl-name

View
System view

Default level
2: System level

Parameters
acl-name: Specifies the name of an existing IPv4 basic, IPv4 advanced, or Ethernet frame header ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter.
By default, an ACL has no ACL description.
Related commands: display acl and display acl ipv6.

Examples
# Configure a description for IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.
Examples
# Display the configuration and match statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
display acl all
Basic ACL 2000, named flow, 3 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (2 times matched)
 rule 10 permit vpn-instance mk
Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit vpn-instance rd
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 2.2.2.
• 2000 to 2999 for IPv4 basic ACL
• 3000 to 3999 for IPv4 advanced ACL
all: Displays ACL acceleration status information for all IPv4 ACLs.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
View
Any view

Default level
1: Monitor level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
|: Filters command output by specifying a regular expression.
Field: Description
5 times matched: There have been five matches for the rule. The statistic counts only IPv6 ACL matches performed by software. This field is not displayed when no packets have matched the rule.

display time-range

Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters.
Field: Description
Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time

reset acl counter

Syntax
reset acl counter { acl-number | all | name acl-name }

View
User view

Default level
2: System level

Parameters
acl-number: Specifies an ACL by its number:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 basic, IPv4 ad
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Description
Use reset acl ipv6 counter to clear statistics for the specified IPv6 ACL or all IPv6 basic and IPv6 advanced ACLs.
Related commands: display acl ipv6.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames.
View
IPv4 advanced ACL view

Default level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
Parameters: reflective
Function: Specifies that the rule be reflective
Description: A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.

Parameters: vpn-instance vpn-instance-name
Function: Applies the rule to packets in a VPN instance

Parameters: fragment
Function: Applies the rule to only non-first fragments
Description: Without this keyword, the rule applies to all fragments and non-fragments.
Parameters specific to TCP.

Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG
Description: The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). Whether the TCP flags in a rule are ORed.

Parameters: established
Function: Specifies the flags for indicating the established status of a TCP connection
ICMP message name (ICMP message type, ICMP message code):
timestamp-reply: type 14, code 0
timestamp-request: type 13, code 0
ttl-exceeded: type 11, code 0

Description
Use rule to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
rule (IPv4 basic ACL view)

Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

View
IPv4 basic ACL view

Default level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.

Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.
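The two mechanisms behind the rule command above, automatic rule-ID assignment from the numbering step and source matching with a wildcard mask, are easy to get wrong when an ACL is reviewed by hand. The following Python model is an added example, not code from the HP manual or the firewall: it implements the step rule as the reference states it (nearest higher multiple of the step above the current highest ID, 0 for the first rule), evaluates rules in config order (ascending rule ID), counts matches the way display acl reports them, and builds the ACL 2000 from the example above with an assumed final deny rule for everything else, as the example's description implies. The match-order auto behaviour is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _addr(dotted: str) -> int:
    """Dotted-quad IPv4 string to integer (the CLI shorthand "0" means 0.0.0.0)."""
    if dotted == "0":
        return 0
    return int(ipaddress.IPv4Address(dotted))


def next_rule_id(existing_ids, step: int) -> int:
    """Automatic rule ID: the nearest higher multiple of the step above the
    current highest rule ID, starting from 0 for an empty ACL."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


@dataclass
class BasicRule:
    rule_id: int
    action: str                   # "permit" or "deny"
    source: Optional[int] = None  # None models the "any" keyword
    wildcard: int = 0             # wildcard bits set to 1 are "don't care"
    hits: int = 0                 # match counter, like "(2 times matched)"

    def matches(self, ip: int) -> bool:
        if self.source is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.source & care)


class BasicAcl:
    """IPv4 basic ACL evaluated in config order (ascending rule ID)."""

    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("IPv4 basic ACLs are numbered 2000 to 2999")
        self.number = number
        self.step = step
        self.rules: Dict[int, BasicRule] = {}

    def rule(self, action: str, source: Optional[str] = None,
             wildcard: str = "0", rule_id: Optional[int] = None) -> int:
        """Create a rule, or edit it in place if rule_id already exists."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = next_rule_id(self.rules.keys(), self.step)
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        src = None if source is None else _addr(source)
        self.rules[rule_id] = BasicRule(rule_id, action, src, _addr(wildcard))
        return rule_id

    def undo_rule(self, rule_id: int) -> None:
        del self.rules[rule_id]

    def match(self, src_ip: str) -> Optional[Tuple[str, int]]:
        """First matching rule wins. None means no rule matched; what then
        happens is decided by the feature that references the ACL."""
        ip = _addr(src_ip)
        for rule_id in sorted(self.rules):
            r = self.rules[rule_id]
            if r.matches(ip):
                r.hits += 1
                return r.action, rule_id
        return None

    def reset_counters(self) -> None:
        for r in self.rules.values():
            r.hits = 0


def build_example_acl() -> BasicAcl:
    """Constructed ACL 2000 following the manual's example: permit the three
    listed segments, then (assumed final rule) deny everything else."""
    acl = BasicAcl(2000)
    acl.rule("permit", "10.0.0.0", "0.255.255.255")
    acl.rule("permit", "172.17.0.0", "0.0.255.255")
    acl.rule("permit", "192.168.1.0", "0.0.0.255")
    acl.rule("deny")
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for ip in ("10.1.2.3", "172.18.0.1", "192.168.1.77", "192.168.2.1"):
        print(ip, acl.match(ip))
```

Note that 172.18.0.1 is denied although it is a private address: the wildcard 0.0.255.255 fixes the second octet, so only 172.17.0.0/16 is permitted, exactly as the rule states.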
Table 9 Match criteria and other rule information for IPv6 advanced ACL rules

Parameters: source { source source-prefix | source/source-prefix | any }
Function: Specifies a source IPv6 address
Description: The source and source-prefix arguments represent an IPv6 source address, and prefix length that ranges from 1 to 128. The any keyword represents any IPv6 source address.

The dest and dest-prefix arguments represent a destination IPv6 address, and prefix length that ranges from 1 to 128.
Table 10 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters: source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports
Description: The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
ICMPv6 message name (ICMPv6 message type, ICMPv6 message code):
frag-time-exceeded: type 3, code 1
hop-limit-exceeded: type 3, code 0
host-admin-prohib: type 1, code 1
host-unreachable: type 1, code 3
neighbor-advertisement: type 136, code 0
neighbor-solicitation: type 135, code 0
network-unreachable: type 1, code 0
packet-too-big: type 2, code 0
port-unreachable: type 1, code 4
redirect: type 137, code 0
router-advertisement: type 134, code 0
router-solicitation: type 133, code 0
unknown-ipv6-opt: type 4, code 2
unknown-next-hdr: type 4, code 1

Description
Use rule to create or edit an IPv6 advanced ACL rule.
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
system-view
[Sysname] acl ipv6 number 3002
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description
Use rule to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.
By default, an IPv4 ACL rule has no rule description.
Related commands: display acl and display acl ipv6.

Examples
# Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 0/1.
# Create a rule in IPv6 basic ACL 2000 and configure a description for this rule.
system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
Time Range Resource commands

display time-range

Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
|: Filters command output by specifying a regular expression.
Table 13 Command output
Field: Description
Current time: Current system time
Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.
Description
Use time-range to configure a time range.
Use undo time-range to delete a time range or a statement in the time range.
By default, no time range exists.
You can create multiple statements in a time range. Each time statement can take one of the following forms:
• Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
• Absolute statement in the from time1 date1 to time2 date2 format.
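A time range referenced by an ACL rule silently turns that rule on and off, so it is worth being able to predict the active/inactive status that display time-range reports for a given clock time. The Python below is an added example, not HP code: it models the two statement forms named above (periodic start-time to end-time on weekdays, and absolute from time1 date1 to time2 date2). The day tokens (mon ... sun) and the combination rule (periodic statements ORed, absolute statements ORed, and when both kinds exist the range is active only while both groups are) are assumptions of this example, since the page does not spell either out.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Set

# Day tokens are an assumption of this example; the manual names only the
# "start-time to end-time days" form, not the spelling of the day list.
DAY_TOKENS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


@dataclass
class PeriodicStatement:
    """start-time to end-time days: recurs on the listed days of the week."""
    start: time
    end: time
    days: Set[int]

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class AbsoluteStatement:
    """from time1 date1 to time2 date2: one non-recurring window."""
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[PeriodicStatement] = field(default_factory=list)
    absolute: List[AbsoluteStatement] = field(default_factory=list)

    def __post_init__(self) -> None:
        # 1 to 32 characters, starting with an English letter (as the manual states).
        if not (1 <= len(self.name) <= 32 and self.name[0].isascii()
                and self.name[0].isalpha()):
            raise ValueError("invalid time range name: " + repr(self.name))

    def add_periodic(self, start: str, end: str, days: str) -> None:
        """start/end as HH:MM, days as space-separated tokens, e.g. 'mon tue'."""
        self.periodic.append(PeriodicStatement(
            time.fromisoformat(start), time.fromisoformat(end),
            {DAY_TOKENS[d] for d in days.split()}))

    def add_absolute(self, start: str, end: str) -> None:
        """start/end as ISO 8601 timestamps, e.g. '2012-01-01T00:00'."""
        self.absolute.append(AbsoluteStatement(
            datetime.fromisoformat(start), datetime.fromisoformat(end)))

    def status(self, now: datetime) -> str:
        """Return "active" or "inactive" as display time-range would.
        Combination rule (assumed): periodic statements are ORed, absolute
        statements are ORed, and with both kinds present both groups must hold."""
        if not self.periodic and not self.absolute:
            return "inactive"
        p_ok = (not self.periodic) or any(s.active(now) for s in self.periodic)
        a_ok = (not self.absolute) or any(s.active(now) for s in self.absolute)
        return "active" if p_ok and a_ok else "inactive"

    def status_at(self, iso_timestamp: str) -> str:
        """Convenience wrapper taking an ISO 8601 timestamp string."""
        return self.status(datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    work = TimeRange("work")
    work.add_periodic("08:00", "18:00", "mon tue wed thu fri")
    work.add_absolute("2012-01-01T00:00", "2012-12-31T23:59")
    for ts in ("2012-07-19T10:00", "2012-07-21T10:00", "2013-07-18T10:00"):
        print(ts, work.status_at(ts))
```

The empty time range case is deliberate: a range with no statements is reported inactive, so a rule that references a just-created, still empty time range never matches until a statement is added.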
Session management commands

application aging-time

Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]

View
System view

Default level
2: System level

Parameters
dns: Specifies the aging time for DNS sessions.
ftp: Specifies the aging time for FTP sessions.
msn: Specifies the aging time for MSN sessions.
qq: Specifies the aging time for QQ sessions.
sip: Specifies the aging time for SIP sessions.
Parameters
vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field: Description
Total find: Total number of found relationship table entries

display session statistics

Syntax
display session statistics [ vd-name vd-name ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device.
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
Table 15 Command output
Fiel
display session table

Syntax
display session table [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the sessions of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Total find: 2
# Display detailed information about all sessions.
display session table verbose
Initiator:
  Source IP/Port : 192.168.1.19/137
  Dest IP/Port : 192.168.1.255/137
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.1.255/137
  Dest IP/Port : 192.168.1.
Field: Description
State: Session status. Possible values are:
• Accelerate
• SYN
• TCP-EST
• FIN
• UDP-OPEN
• UDP-READY
• ICMP-OPEN
• ICMP-CLOSED
• RAWIP-OPEN
• RAWIP-READY
Start Time: Session establishment time
TTL: Remaining lifetime of the session, in seconds.
source-port source-port: Specifies the sessions with the specified source port of the initiator.
destination-port destination-port: Specifies the sessions with the specified destination port of the initiator.
vpn-instance vpn-instance-name: Specifies the sessions of the specified VPN. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

Description
Use reset session to clear sessions. With no virtual device specified, the command clears sessions of all virtual devices.
View
System view

Default level
2: System level

Parameters
accelerate: Specifies the aging time for the sessions in the accelerate queue.
fin: Specifies the aging time for the TCP sessions in the FIN_WAIT state.
icmp-closed: Specifies the aging time for the ICMP sessions in the CLOSED state.
icmp-open: Specifies the aging time for the ICMP sessions in the OPEN state.
rawip-open: Specifies the aging time for the sessions in the RAWIP_OPEN state.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.

Description
Use session checksum to enable checksum verification for protocol packets.
Use undo session checksum to disable checksum verification.
By default, checksum verification is disabled.

Examples
# Enable checksum verification for UDP packets.
Connection limit configuration commands

connection-limit apply policy

Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number

View
System view

Default level
2: System level

Parameters
policy-number: Number of an existing connection limit policy. The value can only be 0.

Description
Use connection-limit apply policy to apply a connection limit policy. The connection limit policy to be applied must contain at least one limit rule.
all: Specifies all connection limit policies.

Description
Use connection-limit policy to create a connection limit policy and enter connection limit policy view.
Use undo connection-limit policy to delete a specified or all connection limit policies.
A connection limit policy contains a set of rules for limiting the number of connections of a specified user. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
Table 17 Command output
Field: Description
Connection-limit policy: Number of the connection limit policy
refcount 1, 2 limits: Number of times that the policy is applied and number of rules in the policy.
limit: Rule in the policy. For more information, see the limit command.
per-source: Limits connections by source IP address.
per-source-destination: Limits connections by source-destination IP address pair.

Description
Use limit to configure an IP address-based connection limit policy rule. Within a connection limit policy, the criteria of each rule must be unique.
Use undo limit to remove a connection limit policy rule.
The connection limit rules become invalid when the VPN with which the rules are associated is removed.
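The lifecycle and keying rules of a connection limit policy given on these pages (a policy needs at least one limit rule before it can be applied, rules are frozen once the policy is applied, each rule's criteria must be unique, and rules count connections either per source address or per source-destination pair) are modelled in the added Python example below. It is not HP code; the max_connections threshold on each rule stands in for the limit command's actual threshold arguments, which are not on these pages, and treating the keying mode as the rule's uniqueness criterion is a simplification of "criteria must be unique".

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LimitRule:
    """One rule of a connection limit policy. mode follows the manual's
    per-source / per-source-destination keywords; max_connections is an
    assumed parameter standing in for the rule's limit threshold."""
    mode: str
    max_connections: int

    def key(self, src_ip: str, dst_ip: str) -> Tuple[str, ...]:
        if self.mode == "per-source":
            return (self.mode, src_ip)
        if self.mode == "per-source-destination":
            return (self.mode, src_ip, dst_ip)
        raise ValueError("unknown limit mode: " + self.mode)


class ConnectionLimitPolicy:
    """Models connection-limit policy 0: rules are added in policy view,
    then the policy is applied, after which its rules cannot change."""

    def __init__(self, number: int = 0):
        self.number = number
        self.rules: List[LimitRule] = []
        self.applied = False
        self.counts: Counter = Counter()   # live connections per rule key

    def limit(self, rule: LimitRule) -> None:
        if self.applied:
            raise RuntimeError("cannot change rules while the policy is applied")
        # Criteria of each rule must be unique; here the criterion is the mode.
        if any(r.mode == rule.mode for r in self.rules):
            raise ValueError("duplicate limit criteria: " + rule.mode)
        self.rules.append(rule)

    def apply(self) -> None:
        if not self.rules:
            raise RuntimeError("policy must contain at least one limit rule")
        self.applied = True

    def open_session(self, src_ip: str, dst_ip: str) -> bool:
        """Admit a new session only if every rule's threshold still has room;
        all rule counters are updated together so they never drift apart."""
        if not self.applied:
            return True   # an unapplied policy limits nothing
        keys = [r.key(src_ip, dst_ip) for r in self.rules]
        for r, k in zip(self.rules, keys):
            if self.counts[k] >= r.max_connections:
                return False
        for k in keys:
            self.counts[k] += 1
        return True

    def close_session(self, src_ip: str, dst_ip: str) -> None:
        """Release one session so aged-out connections free their quota."""
        for r in self.rules:
            k = r.key(src_ip, dst_ip)
            if self.counts[k] > 0:
                self.counts[k] -= 1


if __name__ == "__main__":
    policy = ConnectionLimitPolicy()
    policy.limit(LimitRule("per-source", 3))
    policy.limit(LimitRule("per-source-destination", 2))
    policy.apply()
    # Constructed sample traffic: one client fanning out to several servers.
    for dst in ("2.2.2.2", "2.2.2.2", "2.2.2.2", "3.3.3.3", "4.4.4.4"):
        print("1.1.1.1 ->", dst, policy.open_session("1.1.1.1", dst))
```

The per-source-destination rule trips first for the third session to the same server, while the per-source rule caps the client's total fan-out; releasing a session returns quota under both keys at once.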
Portal configuration commands

The following matrix shows the feature and firewall compatibility:
Feature: Portal
F1000-A-EI/S-EI: Yes
F1000-E: No
F5000: No
Firewall module: No

access-user detect

Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect

View
Interface view

Default level
2: System level

Parameters
type arp: Uses ARP requests as probe packets.
display portal acl

Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
all: Displays all portal access control lists (ACLs), including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs, that is, ACLs generated dynamically after a user passes portal authentication.
    Mask : 255.255.255.255
Rule 1
  Inbound interface : GigabitEthernet0/1
  Type : static
  Action : redirect
  Source:
    IP : 0.0.0.0
    Mask : 0.0.0.0
    MAC : 0000-0000-0000
    Interface : any
    VLAN : 2
    Protocol : 6
  Destination:
    IP : 0.0.0.0
    Mask : 0.0.0.0
Rule 2
  Inbound interface : GigabitEthernet0/1
  Type : dynamic
  Action : permit
  Source:
    IP : 2.2.2.2
    Mask : 255.255.255.255
    MAC : 000d-88f8-0eab
    Interface : any
    VLAN : 0
    Protocol : 0
  Destination:
    IP : 0.0.0.0
    Mask : 0.0.0.
Field: Description
Interface: Source interface in the portal ACL
VLAN: Source VLAN in the portal ACL
Protocol: Protocol type in the portal ACL
Destination: Destination information in the portal ACL
IP: Destination IP address in the portal ACL
Mask: Subnet mask of the destination IP address in the portal ACL
Author ACL: Authorization ACL information. It is displayed only when the value of the Type field is dynamic.
Number: Authorization ACL number assigned by the RADIUS server.
DISCOVERED 0
WAIT_AUTHEN_ACK 0
WAIT_AUTHOR_ACK 0
WAIT_LOGIN_ACK 0
WAIT_ACL_ACK 0
WAIT_NEW_IP 0
WAIT_USERIPCHANGE_ACK 0
ONLINE 1
WAIT_LOGOUT_ACK 0
WAIT_LEAVING_ACK 0
Message statistics:
Msg-Name Total Err Discard
MSG_AUTHEN_ACK 3 0 0
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_LEAVING_ACK 0 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_PORT_R
Field: Description
Total: Total number of messages of a specific type
Err: Number of erroneous messages of a specific type
Discard: Number of discarded messages of a specific type
MSG_AUTHEN_ACK: Authentication acknowledgment message
MSG_AUTHOR_ACK: Authorization acknowledgment message
MSG_LOGIN_ACK: Accounting acknowledgment message
MSG_LOGOUT_ACK: Accounting-stop acknowledgment message
MSG_LEAVING_ACK: Leaving acknowledgment message
MSG_CUT_REQ: Cut request message
MSG_AUTH_REQ: Authentication r
View
Any view

Default level
1: Monitor level

Parameters
rule-number: Specifies the number of a portal-free rule. The portal rule number ranges from 0 to 15.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Field: Description
Mask: Subnet mask of the destination IP address in the portal-free rule

display portal interface

Syntax
display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field: Description
Authentication type: Authentication mode enabled on the interface
Authentication domain: Mandatory authentication domain of the interface
Authentication network: Information of the portal authentication source subnet
address: IP address of the portal authentication subnet
mask: Subnet mask of the IP address of the portal authentication subnet

display portal server

Syntax
display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Defa
Field: Description
aaa: Name of the portal server
IP: IP address of the portal server
Port: Listening port on the portal server
Key: Shared key for exchanges between the access device and portal server. Not configured will be displayed if no key is configured.
URL: Address the packets are to be redirected to. Not configured will be displayed if no address is configured.
Current status of the portal server.
Examples
# Display portal server statistics on GigabitEthernet 0/1.
Field: Description
REQ_INFO: Information request message
ACK_INFO: Information acknowledgment message
NTF_USERDISCOVER: User discovery notification message the portal server sends to the access device
NTF_USERIPCHANGE: User IP change notification message the access device sends to the portal server
AFF_NTF_USERIPCHANGE: User IP change success notification message the portal server sends to the access device
ACK_NTF_LOGOUT: Forced logout acknowledgment message from the portal server
NTF_USERSYNC: Use
HTTP Packets Sent: 0
Connection State:
  SYN_RECVD: 0
  ESTABLISHED: 0
  CLOSE_WAIT: 0
  LAST_ACK: 0
  FIN_WAIT_1: 0
  FIN_WAIT_2: 0
  CLOSING: 0
Table 24 Command output
Field: Description
TCP Cheat Statistic: TCP spoofing statistics
Total Opens: Total number of opened connections
Resets Connections: Number of connections reset through RST packets
Current Opens: Number of connections being set up
Packets Received: Number of received packets
Packets Sent: Number of sent packets
Packets Retransmitted: Number of ret
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Field: Description
Vlan: VLAN to which the portal user belongs
Interface: Interface to which the portal user is attached
Total 2 user(s) matched, 2 listed: Total number of portal users

portal auth-network

Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }

View
Interface view

Default level
2: System level

Parameters
network-address: IP address of the authentication source subnet.
portal delete-user

Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }

View
System view

Default level
2: System level

Parameters
ip-address: Logs off the user with the specified IP address.
all: Logs off all users.
interface interface-type interface-number: Logs off all users on the specified interface.

Description
Use portal delete-user to log off users.
Related commands: display portal user.

Examples
# Log out the user whose IP address is 1.1.1.1.
Examples
# Configure the authentication domain to be used for portal users on GigabitEthernet 0/1 as my-domain.
A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
Related commands: display portal free-rule.

Examples
# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 0/1 to bypass portal authentication.
system-view
[Sysname] portal free-rule 15 source ip 10.10.10.
Default level
2: System level

Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command.

Description
Use portal nas-id-profile to specify a NAS ID profile for the interface.
Use undo portal nas-id-profile to cancel the configuration.
By default, an interface is not specified with any NAS ID profile.
[Sysname-GigabitEthernet0/1] portal nas-ip 2.2.2.2

portal nas-port-type

Syntax
portal nas-port-type { ethernet | wireless }
undo portal nas-port-type

View
Interface view

Default level
2: System level

Parameters
ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19.
Description
Use portal redirect-url to specify the auto redirection URL for authenticated portal users.
Use undo portal redirect-url to restore the default.
By default, an authenticated user is redirected to the URL the user typed in the address bar before portal authentication.
With Layer 3 portal authentication, this feature requires the cooperation of the IMC server, and the IMC must support the page auto-redirection function.

Examples
# Configure the firewall to redirect a portal user to http://www.
If the specified portal server exists and no user is on the interfaces referencing the portal server, the undo portal server server-name command removes the specified portal server; if the port or url keyword is also provided, the command restores the destination port number or URL address to the default. The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface.
[Sysname-GigabitEthernet0/1] portal server pts method direct

portal server server-detect

Syntax
portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
undo portal server server-name server-detect

View
System view

Default level
2: System level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must have existed.
• trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.
interval interval: Interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.
retry retries: Maximum number of probe attempts.
undo portal server server-name user-sync

View
System view

Default level
2: System level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must have existed.
user-sync: Enables the portal user synchronization function.
interval interval: Specifies the interval at which the firewall checks the user synchronization packets. The interval argument ranges from 60 to 3600 and defaults to 300, in seconds.
[Sysname] portal server pts user-sync interval 600 retry 2 reset portal connection statistics Syntax reset portal connection statistics { all | interface interface-type interface-number } View User view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use reset portal connection statistics to clear portal connection statistics on a specific interface or all interfaces.
View User view Default level 1: Monitor level Parameters None Description Use reset portal tcp-cheat statistics to clear TCP spoofing statistics. Examples # Clear TCP spoofing statistics.
AAA configuration commands
The following matrix shows the feature and firewall compatibility:
Feature   F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
FIPS      No                No        No      Yes
General AAA configuration commands
aaa nas-id profile
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
View
System view
Default level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Default level 2: System level Parameters max-user-number: Maximum number of users that the ISP domain can accommodate, in the range of 1 to 2147483646. Description Use access-limit enable to enable limitation of the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default. By default, there is no limit to the number of users in an ISP domain.
Examples # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
accounting dvpn Syntax accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting dvpn View ISP domain view Default level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use accounting dvpn to configure the accounting method for DVPN users.
undo accounting login View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Parameters None Description Use accounting optional to enable the accounting optional feature. Use undo accounting optional to disable the feature. By default, the feature is disabled. After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when the communication with the current accounting server fails.
Related commands: local-user, accounting default, and radius scheme. Examples # Configure ISP domain test to use local accounting for portal users. system-view [Sysname] domain test [Sysname-isp-test] accounting portal local # Configure ISP domain test to use RADIUS scheme rd for accounting of portal users and use local accounting as the backup.
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authentication default to configure the default authentication method for an ISP domain.
Description Use authentication dvpn to configure the authentication method for DVPN users. Use undo authentication dvpn to restore the default. By default, the default authentication method for the ISP domain is used for DVPN users. The specified RADIUS scheme must have been configured. Related commands: local-user, authentication default, and radius scheme.
Description Use authentication login to configure the authentication method for login users through the console port, Telnet, or FTP. Use undo authentication login to restore the default. By default, the default authentication method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured. Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.
system-view [Sysname] domain test [Sysname-isp-test] authentication portal local # Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
authentication ssl-vpn Syntax authentication ssl-vpn radius-scheme radius-scheme-name undo authentication ssl-vpn View ISP domain view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authentication ssl-vpn to configure the authentication RADIUS method for SSL VPN users. Use undo authentication ssl-vpn to restore the default.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authentication super to configure the authentication method for user privilege level switching. Use undo authentication super to restore the default.
The specified HWTACACS scheme must have been configured. With command line authorization configured, a user who has logged in to the firewall can execute only the commands with a level lower than or equal to that of the local user. Related commands: local-user, authorization default, and hwtacacs scheme. Examples # Configure ISP domain test to use local command line authorization.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. Related commands: local-user, hwtacacs scheme, and radius scheme. Examples # Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
[Sysname] domain test [Sysname-isp-test] authorization dvpn local # Configure ISP domain test to use RADIUS authorization scheme rd for DVPN users and use local authorization as the backup.
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup. system-view [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local authorization portal Syntax authorization portal { local | none | radius-scheme radius-scheme-name [ local ] } undo authorization portal View ISP domain view Default level 2: System level Parameters local: Performs local authorization.
[Sysname] domain test [Sysname-isp-test] authorization portal radius-scheme rd local authorization ppp Syntax authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authorization ppp View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization.
authorization ssl-vpn Syntax authorization ssl-vpn radius-scheme radius-scheme-name undo authorization ssl-vpn View ISP domain view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authorization ssl-vpn to configure the authorization method for SSL VPN users. Use undo authorization ssl-vpn to restore the default.
Parameters profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. Description Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain. Use undo authorization-attribute user-profile to restore the default. By default, an ISP domain has no default authorization user profile.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain. vlan vlan-id: Specifies the user connections of a VLAN. The vlan-id argument ranges from 1 to 4094. Description Use cut connection to tear down the specified user connections forcibly.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain. vlan vlan-id: Specifies the user connections of a VLAN. The vlan-id argument ranges from 1 to 4094. |: Filters command output by specifying a regular expression.
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Table 26 Command output
Field       Description
Username    Username of the connection, in the format username@domain.
IP          IPv4 address of the user.
IPv6        IPv6 address of the user.
Access      User access type.
ACL Group   Authorization ACL group.
Examples
# Display the configuration of all ISP domains.
display domain
0 Domain : system
  State : Active
  Access-limit : Disabled
  Accounting method : Required
  Default authentication scheme : local
  Default authorization scheme : local
  Default accounting scheme : local
  Domain User Template:
  Idle-cut : Disabled
  Self-service : Disabled
  Authorization attributes :
Default Domain Name: system
Total 1 domain(s).
Table 27 Command output
Field    Description
Domain   ISP domain name.
Field Description Authorization attributes Default authorization attributes for the ISP domain. User-profile Default authorization user profile. domain Syntax domain isp-name undo domain isp-name View System view Default level 3: Manage level Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Description Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use undo domain default enable to restore the default. By default, the default ISP domain is the system predefined ISP domain system. There can be only one default ISP domain.
timeout period, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic. Use undo idle-cut enable to restore the default. By default, the function is disabled. You can also set the idle timeout period on the server to make the server log out users whose traffic during the idle timeout period is less than 10240 bytes, but your setting on the server takes effect only when you disable the idle cut function on the firewall.
is required. To address the issue, configure address pools for ISP domains and assign addresses from them to the PPP users by domain. Related commands: ip pool and remote address. Examples # Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10. system-view [Sysname] domain test [Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.
View ISP domain view Default level 2: System level Parameters url-string: URL of the self-service server, a string of 1 to 64 characters. It must start with http:// and contain no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation. Description Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server. Use undo self-service-url enable to restore the default.
By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected. Examples # Place ISP domain test in the blocked state.
undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | user-role | vlan | work-directory } * View Local user view, user group view Default level 3: Manage level Parameters acl acl-number: Specifies the authorization ACL. The ACL ranges from 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL. callback-number callback-number: Specifies the authorized PPP callback number.
Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes. Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. Examples # Configure the bound IP of local user abc as 3.3.3.3. system-view [Sysname] local-user abc [Sysname-luser-abc] bind-attribute ip 3.3.3.
The following matrix shows the keyword and firewall compatibility:
Keyword   F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
dvpn      No                Yes       Yes     Yes
Description
Use display local-user to display the configuration and statistics of local users. If you do not specify any parameter, the command displays information about all local users. Related commands: local-user. Examples # Display information about all local users.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
expiration-date (local user view) Syntax expiration-date time undo expiration-date View Local user view Default level 3: Manage level Parameters time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59.
Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use group to assign a local user to a user group. Use undo group to restore the default. By default, a local user belongs to the system default user group system. Examples # Assign local user 111 to user group abc.
undo local-user { user-name | all [ service-type { dvpn | ftp | portal | ppp | ssh | telnet | terminal | web } ] } View System view Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.
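As an added example (not the firewall's own validation code), the following checks apply the naming rules stated for local-user above and for domain earlier, and split a login name into user and domain the way cut connection and display connection describe; the default domain name system is assumed from the domain default enable description.

```python
"""Checks for the naming rules this reference states for local user names
(local-user) and ISP domain names (domain), plus the username@domain split
that cut connection / display connection describe. Added example, not the
firewall's own code."""

# Characters the domain command rejects: / \ : * ? < > @
DOMAIN_FORBIDDEN = frozenset('/\\:*?<>@')
# Characters the local-user command rejects: the same set plus the vertical bar
USER_FORBIDDEN = frozenset('/\\|:*?<>@')
# Names refused because undo local-user accepts the all keyword
RESERVED_USER_NAMES = frozenset({"a", "al", "all"})
DOMAIN_MAX_LEN = 24   # domain isp-name
USER_MAX_LEN = 55     # local-user user-name (without the domain part)
LOGIN_MAX_LEN = 80    # username[@domain] as accepted by cut connection


def check_isp_domain_name(name: str) -> list:
    """Return the rule violations for an ISP domain name (empty list = valid)."""
    problems = []
    if not 1 <= len(name) <= DOMAIN_MAX_LEN:
        problems.append(f"length {len(name)} outside 1..{DOMAIN_MAX_LEN}")
    bad = sorted(set(name) & DOMAIN_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def check_local_user_name(name: str) -> list:
    """Return the rule violations for a local user name (empty list = valid).
    The name is the part without a domain, so '@' is forbidden outright."""
    problems = []
    if not 1 <= len(name) <= USER_MAX_LEN:
        problems.append(f"length {len(name)} outside 1..{USER_MAX_LEN}")
    bad = sorted(set(name) & USER_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if name in RESERVED_USER_NAMES:  # user names are case-sensitive: exact match
        problems.append(f"reserved name: {name}")
    return problems


def split_login_name(login: str, default_domain: str = "system") -> tuple:
    """Split a username entered at login into (user, domain).

    A name without '@' is placed in the default ISP domain (the predefined
    domain 'system' unless domain default enable changed it; assumption here).
    Domain names are case-insensitive, so the domain is returned lower-cased.
    Raises ValueError when either piece breaks the rules above."""
    if not 1 <= len(login) <= LOGIN_MAX_LEN:
        raise ValueError(f"login name length outside 1..{LOGIN_MAX_LEN}")
    user, sep, domain = login.partition("@")
    if not sep:
        domain = default_domain
    for problem in check_local_user_name(user) + check_isp_domain_name(domain):
        raise ValueError(problem)
    return user, domain.lower()
```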
undo local-user password-display-mode View System view Default level 2: System level Parameters auto: Displays the password of a local user in the mode that is specified for the user by using the password command. cipher-force: Displays the passwords of all local users in cipher text. Description Use local-user password-display-mode to set the password display mode for all local users. Use undo local-user password-display-mode to restore the default. By default, the password display mode is auto.
must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc. A password in cipher text must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!. Description Use password to configure a password for a local user and specify whether to display the password in cipher text or plain text. Use undo password to delete the password of a local user.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
web: Authorizes the user to use the Web service.
The following matrix shows the keyword and firewall compatibility:
Keyword   F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
dvpn      No                Yes       Yes     Yes
Description
Use service-type to specify the service types that a user can use.
Examples # Place local user user1 in the blocked state. system-view [Sysname] local-user user1 [Sysname-luser-user1] state block user-group Syntax user-group group-name undo user-group group-name View System view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use user-group to create a user group and enter its view. Use undo user-group to remove a user group.
Default level 3: Manage level Parameters time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted.
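Both expiration-date and validity-date take the same four time layouts and value ranges described above. The following parser is an added example (not code from this reference or from HP); it enforces those rules and, under the assumption that validity-date marks the start and expiration-date the end of the account's usable period, reports whether an account is usable at a given time.

```python
"""Parser for the time argument of expiration-date and validity-date.

Added example; not code from the HP command reference. It accepts the four
documented layouts (HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD,
MM/DD/YYYY-HH:MM:SS, YYYY/MM/DD-HH:MM:SS), enforces the stated ranges, and
reads "leading zeros can be omitted" permissively: any 1- or 2-digit field,
with the year always 4 digits.
"""
import calendar
import re
from datetime import datetime

_TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})$")
_DATE_MDY_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$")  # MM/DD/YYYY
_DATE_YMD_RE = re.compile(r"^(\d{4})/(\d{1,2})/(\d{1,2})$")  # YYYY/MM/DD

YEAR_MIN, YEAR_MAX = 2000, 2035  # documented YYYY range


def _parse_time(text: str) -> tuple:
    """HH:MM:SS with HH 0-23 and MM, SS 0-59."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"malformed time part: {text!r}")
    hh, mm, ss = (int(x) for x in m.groups())
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time field out of range: {text!r}")
    return hh, mm, ss


def _parse_date(text: str) -> tuple:
    """MM/DD/YYYY or YYYY/MM/DD; the position of the 4-digit year tells them apart."""
    m = _DATE_MDY_RE.match(text)
    if m:
        mon, day, year = (int(x) for x in m.groups())
    else:
        m = _DATE_YMD_RE.match(text)
        if not m:
            raise ValueError(f"malformed date part: {text!r}")
        year, mon, day = (int(x) for x in m.groups())
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year out of range: {year}")
    if not 1 <= mon <= 12:
        raise ValueError(f"month out of range: {mon}")
    # DD depends on the month (and on leap years for February)
    if not 1 <= day <= calendar.monthrange(year, mon)[1]:
        raise ValueError(f"day out of range for {year}/{mon}: {day}")
    return year, mon, day


def parse_local_user_time(value: str) -> datetime:
    """Parse one expiration-date / validity-date argument into a datetime."""
    first, sep, second = value.partition("-")
    if not sep or "-" in second:
        raise ValueError(f"expected exactly one '-' separator: {value!r}")
    # The time part is the one with ':'; the date part is the one with '/'.
    if ":" in first and "/" in second:
        time_part, date_part = first, second
    elif "/" in first and ":" in second:
        date_part, time_part = first, second
    else:
        raise ValueError(f"cannot identify time and date parts: {value!r}")
    hh, mm, ss = _parse_time(time_part)
    year, mon, day = _parse_date(date_part)
    return datetime(year, mon, day, hh, mm, ss)


def is_valid_local_user_time(value: str) -> bool:
    """True when the argument would be accepted under the documented rules."""
    try:
        parse_local_user_time(value)
        return True
    except ValueError:
        return False


def local_user_usable_at(now: str, validity: str = None,
                         expiration: str = None) -> bool:
    """Assumed semantics (not spelled out on this page): the account is usable
    from the validity-date onwards and stops being usable at the
    expiration-date. A missing argument imposes no bound. All three values use
    the same time format."""
    now_dt = parse_local_user_time(now)
    if validity is not None and now_dt < parse_local_user_time(validity):
        return False
    if expiration is not None and now_dt >= parse_local_user_time(expiration):
        return False
    return True
```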
send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default setting is 50. Description Use accounting-on enable to configure the accounting-on feature. This feature enables the firewall to automatically send an accounting-on message to the RADIUS accounting server after rebooting, so that the server logs out online users. Use undo accounting-on enable to disable the accounting-on feature. By default, the accounting-on feature is disabled.
system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute 25 car data-flow-format (RADIUS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } View RADIUS scheme view Default level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte
Parameters radius-scheme-name: RADIUS scheme name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
-----------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 30 Command output
Field        Description
SchemeName   Name of the RADIUS scheme.
Field                                                Description
Retransmission times of realtime-accounting packet   Maximum number of accounting attempts.
Retransmission times of stop-accounting packet       Maximum number of stop-accounting attempts.
Quiet-interval(min)                                  Quiet interval for the primary server.
Username format                                      Format of the usernames to be sent to the RADIUS server.
Data flow unit                                       Unit for data flows sent to the RADIUS server.
Packet unit                                          Unit for packets sent to the RADIUS server.
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
auth request Num = 24 Err = 0 Succ = 24
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0
Field                                Description
RLTWait                              Number of users waiting for real-time accounting.
AcctStop                             Number of users in the state of accounting waiting stopped.
OnLine                               Number of online users.
Stop                                 Number of users in the state of stop.
Received and Sent packets statistic  Statistics for packets received and sent by the RADIUS module.
Sent PKT total                       Number of packets sent.
Received PKT total                   Number of packets received.
Resend Times                         Number of transmission attempts.
Resend total                         Number of packets retransmitted.
Total
Field                          Description
RecError_MSG_sum               Number of received packets in error.
SndMSG_Fail_sum                Number of packets that failed to be sent out.
Timer_Err                      Number of packets for indicating timer startup failures.
Alloc_Mem_Err                  Number of packets for indicating memory allocation failures.
State Mismatch                 Number of packets for indicating mismatching status.
Other_Error                    Number of packets for indicating other types of errors.
No-response-acct-stop packet   Number of times that no response was received for stop-account
Description Use display stop-accounting-buffer to display information about the stop-accounting requests buffered in the firewall. NOTE: If the firewall sends a stop-accounting request to a RADIUS server but receives no response, it retransmits it up to a certain number of times (defined by the retry command). If the firewall still receives no response, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt.
In FIPS mode, the key must be a ciphertext string of at least 8 characters that must contain uppercase letters, lowercase letters, digits, and special characters. Description Use key to set the shared key for RADIUS authentication/authorization or accounting packets. Use undo key to restore the default. By default, no shared key is configured. The shared keys specified during the configuration of the RADIUS servers, if any, take precedence.
undo nas-ip View RADIUS scheme view Default level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the firewall and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the firewall and must be a unicast address that is neither a loopback address nor a link-local address.
undo primary accounting View RADIUS scheme view Default level 2: System level Parameters ipv4-address: IPv4 address of the primary accounting server. ipv6 ipv6-address: IPv6 address of the primary accounting server. port-number: Service port number of the primary accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813. key [ cipher | simple ] key: Specifies the shared key (case-sensitive) for exchanging accounting packets with the primary RADIUS accounting server.
If you remove an accounting server being used by users, the firewall no longer sends real-time accounting requests and stop-accounting requests for the users, and does not buffer the stop-accounting requests. NOTE: • The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command. • The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
• With neither the cipher keyword nor the simple keyword specified, the key must be a plaintext string of 1 to 64 characters, and the key is displayed in cipher text. • In FIPS mode, the key must be a ciphertext string of at least 8 characters that must contain uppercase letters, lowercase letters, digits, and special characters, and is encrypted and decrypted with the 3DES algorithm.
Default level 2: System level Parameters None Description Use radius client enable to enable the RADIUS listening port of a RADIUS client. Use undo radius client to disable the RADIUS listening port of a RADIUS client. By default, the RADIUS listening port is enabled. When the listening port of the RADIUS client is disabled: • Stop-accounting requests of online users can no longer be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users.
Description Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to remove the configuration. By default, the source IP address of an outgoing RADIUS packet is the IP address of the outbound interface. You can specify up to one public-network source IP address and 15 private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address.
Related commands: display radius scheme. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
reset radius statistics Syntax reset radius statistics View User view Default level 2: System level Parameters None Description Use reset radius statistics to clear RADIUS statistics. Related commands: display radius statistics. Examples # Clear RADIUS statistics.
Examples # Clear the stop-accounting requests buffered for user user0001@test. reset stop-accounting-buffer user-name user0001@test # Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006.
View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of accounting attempts, in the range of 1 to 255. Description Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default. By default, the maximum number of accounting attempts is 5. A RADIUS server usually checks whether a user is online by using a timeout timer.
Default level 2: System level Parameters retry-times: Maximum number of stop-accounting attempts, in the range of 10 to 65535. Description Use retry stop-accounting to set the maximum number of stop-accounting attempts. Use undo retry stop-accounting to restore the default. By default, the maximum number of stop-accounting attempts is 500. The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
key [ cipher | simple ] key: Specifies the shared key (case-sensitive) for exchanging accounting packets with the secondary RADIUS accounting server. Follow these guidelines: • This shared key must be the same as that configured on the RADIUS server. • With the cipher keyword specified, the key must be a ciphertext string of 12, 24, 32, 44, 64, 76, 88, or 96 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!, and the key is displayed in cipher text.
Examples # For RADIUS scheme radius1, set the IP address of the secondary accounting server to 10.110.1.1, the UDP port to 1813, and the shared key to the ciphertext string IT8Q4sHnitM=, and specify to display the key in cipher text. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key cipher IT8Q4sHnitM= # For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.
• In FIPS mode, the key must be a ciphertext string of at least 8 characters that must contain uppercase letters, lowercase letters, digits, and special characters, and is encrypted with the 3DES algorithm. vpn-instance vpn-instance-name: Specifies the VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Default level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Description Use security-policy-server to specify a security policy server for a RADIUS scheme. Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Description Use server-type to configure the RADIUS server type. Use undo server-type to restore the default. By default, the supported RADIUS server type is standard. Examples # Configure the RADIUS server type of RADIUS scheme radius1 as standard.
state secondary Syntax state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
View RADIUS scheme view Default level 2: System level Parameters None Description Use stop-accounting-buffer enable to enable the firewall to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function. By default, the firewall buffers stop-accounting requests to which no responses are received. Stop-accounting requests affect the charge to users.
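The stop-accounting handling described under display stop-accounting-buffer, retry stop-accounting and stop-accounting-buffer enable, as an added example that is not the firewall's implementation: a constructed response pattern stands in for the RADIUS server, and each attempt is assumed to be one send plus retry retransmissions (the page names the retry command but not that exact split).

```python
"""Model of how a NAS handles one stop-accounting request under the behaviour
this reference describes: transmit, retransmit up to the retry count, and if
still unanswered, buffer the request and try again, up to the retry
stop-accounting count. Added example, not the firewall's code; the RADIUS
server is replaced by a constructed response pattern."""
from dataclasses import dataclass


@dataclass
class StopAccountingPolicy:
    retry: int                        # retransmissions per attempt (retry command)
    retry_stop_accounting: int = 500  # attempts (retry stop-accounting default)
    buffer_enabled: bool = True       # stop-accounting-buffer enable (default on)


@dataclass
class DeliveryResult:
    delivered: bool
    attempts: int        # stop-accounting attempts made
    transmissions: int   # packets actually sent
    buffered: bool       # whether the request ever entered the buffer


def deliver_stop_accounting(policy: StopAccountingPolicy,
                            server_answers_on) -> DeliveryResult:
    """server_answers_on(n) -> bool says whether the (simulated) server answers
    the n-th packet, counted from 1 across all attempts.

    Assumption: one attempt is the initial send plus `retry` retransmissions."""
    transmissions = 0
    buffered = False
    for attempt in range(1, policy.retry_stop_accounting + 1):
        for _ in range(1 + policy.retry):
            transmissions += 1
            if server_answers_on(transmissions):
                return DeliveryResult(True, attempt, transmissions, buffered)
        # The attempt failed. Without the buffer the request is simply lost;
        # with it, the request is kept and the next attempt is made.
        if not policy.buffer_enabled:
            return DeliveryResult(False, attempt, transmissions, False)
        buffered = True
    # Every buffered attempt went unanswered; the request is dropped.
    return DeliveryResult(False, policy.retry_stop_accounting,
                          transmissions, buffered)


def worst_case_packets(policy: StopAccountingPolicy) -> int:
    """Packets a single never-answered stop-accounting request can generate;
    with the documented default of 500 attempts this is 500 * (1 + retry)."""
    attempts = policy.retry_stop_accounting if policy.buffer_enabled else 1
    return attempts * (1 + policy.retry)
```

The retry stop-accounting argument is documented as 10 to 65535; smaller values are used below only to keep the simulated traces short.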
Description Use timer quiet to set the quiet timer for the servers, that is, the duration during which the servers stay blocked before resuming the active state. Use undo timer quiet to restore the default. By default, the server quiet period is 5 minutes. You can use the command to adjust the duration during which a server must stay quiet, and control whether the firewall changes the status of an unreachable server.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Examples # Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer response-timeout 5 user-name-format (RADIUS scheme view) Syntax user-name-format { keep-original | with-domain | without-domain } View RADIUS scheme view Default level 2: System level Parameters keep-original: Sends the username to the RADIUS server as it is entered.
vpn-instance (RADIUS scheme view)
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
RADIUS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of the VPN, a case-sensitive string of 1 to 31 characters.
Description
Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration.
The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
The unit for data flows and that for packets must be consistent with those on the HWTACACS server.
Related commands: hwtacacs scheme.
Examples
# Display the configuration of HWTACACS scheme gy.
display hwtacacs gy
-------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49 VPN instance : vpn1
Primary-authorization-server : 172.31.1.11:49 VPN instance : vpn1
Primary-accounting-server : 172.31.1.11:49 VPN instance : vpn1
Secondary-authentication-server : 0.0.0.
Field  Description
Secondary-authorization-server  IP address and port number of the secondary authorization server.
Secondary-accounting-server  IP address and port number of the secondary accounting server.
Current-authentication-server  IP address and port number of the currently used authentication server.
Current-authorization-server  IP address and port number of the currently used authorization server.
Current-accounting-server  IP address and port number of the currently used accounting server.
HWTACACS authen client round trip time(s): 5
---[HWTACACS template gy primary authorization]--
HWTACACS server open number: 1
HWTACACS server close number: 1
HWTACACS author client request packet number: 1
HWTACACS author client response packet number: 1
HWTACACS author client timeout number: 0
HWTACACS author client packet dropped number: 0
HWTACACS author client unknown type number: 0
HWTACACS author client request EXEC number: 1
HWTACACS author client request PPP number: 0
HWTACACS author client request V
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Syntax
key { accounting | authentication | authorization } [ cipher | simple ] key
undo key { accounting | authentication | authorization }
View
HWTACACS scheme view
Default level
2: System level
Parameters
accounting: Sets the shared key for HWTACACS accounting packets.
authentication: Sets the shared key for HWTACACS authentication packets.
authorization: Sets the shared key for HWTACACS authorization packets.
key: Shared key, case-sensitive.
return
# Set the shared key for HWTACACS accounting packets to plain text hello for HWTACACS scheme hwt1 and specify to display the key in cipher text.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
[Sysname-hwtacacs-hwt1] display this
#
hwtacacs scheme hwt1
 key accounting cipher IT8Q4sHnitM=
#
return
# Set the shared key for HWTACACS accounting packets to cipher text KWk+qJsfs9M= for HWTACACS scheme hwt1 and specify to display the key in cipher text.
Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
If you configure the command repeatedly, only the last configuration takes effect.
NOTE:
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes.
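The two passages above describe a check that is easy to get wrong operationally: the server identifies the NAS solely by the source IP address of the packet, and the scheme-view nas-ip overrides the system-view hwtacacs nas-ip. The following Python model is an added example, not code from the firewall or from HP; it assumes the outbound interface address is used when neither nas-ip is configured, and the sample addresses and scheme names (hwt1, hwt2, hwt3, 10.1.1.1) are constructed. It audits which schemes would have their packets silently dropped by a server that manages a given set of NAS addresses.

```python
import ipaddress


def effective_nas_ip(scheme_nas_ip, system_nas_ip, outbound_ip):
    """Source address stamped on a scheme's HWTACACS packets.

    Precedence follows the NOTE above: the scheme-view nas-ip wins over the
    system-view hwtacacs nas-ip. Assumption: when neither is configured the
    address of the outbound interface is used.
    """
    for candidate in (scheme_nas_ip, system_nas_ip, outbound_ip):
        if candidate:
            return str(ipaddress.ip_address(candidate))
    raise ValueError("no source address available for HWTACACS packets")


class HwtacacsServerModel:
    """Server side: a NAS is identified purely by source IP address."""

    def __init__(self, managed_nas_ips):
        self.managed = {str(ipaddress.ip_address(a)) for a in managed_nas_ips}
        self.processed = []
        self.dropped = []

    def receive(self, source_ip, packet):
        """Return True if the packet is processed, False if silently dropped."""
        if source_ip in self.managed:
            self.processed.append((source_ip, packet))
            return True
        self.dropped.append((source_ip, packet))
        return False


def audit_schemes(schemes, system_nas_ip, outbound_ip, server):
    """Map each scheme whose packets the server would drop to its source IP.

    schemes: mapping of scheme name -> scheme-view nas-ip (None if unset).
    """
    mismatches = {}
    for name, scheme_ip in schemes.items():
        src = effective_nas_ip(scheme_ip, system_nas_ip, outbound_ip)
        if not server.receive(src, f"authen-start from scheme {name}"):
            mismatches[name] = src
    return mismatches


if __name__ == "__main__":
    # Constructed sample: the server manages only 10.1.1.1; hwt2 overrides the
    # system-level nas-ip with an address the server does not know.
    server = HwtacacsServerModel(["10.1.1.1"])
    schemes = {"hwt1": "10.1.1.1", "hwt2": "10.1.1.5", "hwt3": None}
    print(audit_schemes(schemes, "10.1.1.1", "192.0.2.10", server))
```

The audit returns only hwt2: its scheme-level nas-ip takes precedence and does not match any managed NAS, so the server drops its packets without any error reaching the firewall.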
If you configure the command repeatedly, only the last configuration takes effect. You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server affects only accounting processes that occur after the remove operation. NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
If you configure the command repeatedly, only the last configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server affects only authentication processes that occur after the remove operation. NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
If you configure the command repeatedly, only the last configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation. NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
View
User view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
Description
Use reset stop-accounting-buffer to clear buffered stop-accounting requests that get no responses.
Related commands: stop-accounting-buffer enable and display stop-accounting-buffer.
secondary accounting (HWTACACS scheme view)
Syntax
secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS accounting server, in dotted decimal notation. The default setting is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
secondary authentication (HWTACACS scheme view)
Syntax
secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authentication server, in dotted decimal notation. The default setting is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
secondary authorization
Syntax
secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authorization server, in dotted decimal notation. The default setting is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Default level
2: System level
Parameters
None
Description
Use stop-accounting-buffer enable to enable the firewall to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function.
By default, the firewall buffers stop-accounting requests to which no responses are received.
Stop-accounting requests affect the charge to users.
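The stop-accounting-buffer enable description (for both the RADIUS and the HWTACACS scheme view) and the reset stop-accounting-buffer command describe one mechanism: an unanswered stop-accounting request is kept and retransmitted rather than discarded, because a lost stop request leaves the user being charged. The Python model below is an added example, not firewall code. It assumes a per-request retransmission limit (standing in for the retry stop-accounting setting, whose value here is an assumption) and uses a constructed server that drops the first few deliveries, so the difference between buffering enabled and disabled is visible.

```python
class StopAccountingBuffer:
    """Buffering of stop-accounting requests that receive no response.

    send() hands a request to the transport; a transport returning False
    models the server response timeout. retry_pending() retransmits every
    buffered request once, dropping those that exhausted max_retries.
    reset() models "reset stop-accounting-buffer".
    """

    def __init__(self, transport, enabled=True, max_retries=100):
        self.transport = transport        # callable(request) -> bool (answered?)
        self.enabled = enabled            # stop-accounting-buffer enable / undo
        self.max_retries = max_retries    # assumption: retransmission limit
        self.pending = {}                 # request -> delivery attempts so far
        self.delivered = []
        self.lost = []                    # never acknowledged: charging keeps running

    def send(self, request):
        if self.transport(request):
            self.delivered.append(request)
            return True
        if self.enabled:
            self.pending[request] = 1
        else:
            self.lost.append(request)     # no buffering: the request is gone
        return False

    def retry_pending(self):
        """One retransmission round over everything still buffered."""
        for request in list(self.pending):
            if self.transport(request):
                self.delivered.append(request)
                del self.pending[request]
            elif self.pending[request] >= self.max_retries:
                self.lost.append(request)
                del self.pending[request]
            else:
                self.pending[request] += 1

    def display(self):
        """What display stop-accounting-buffer would show: request -> attempts."""
        return dict(self.pending)

    def reset(self):
        self.pending.clear()


class FlakyServer:
    """Constructed accounting server that fails the first `failures` deliveries."""

    def __init__(self, failures):
        self.failures = failures

    def __call__(self, request):
        if self.failures > 0:
            self.failures -= 1
            return False
        return True


if __name__ == "__main__":
    buf = StopAccountingBuffer(FlakyServer(2))
    buf.send("stop-acct user1")
    print("buffered:", buf.display())
    buf.retry_pending()
    buf.retry_pending()
    print("delivered:", buf.delivered, "lost:", buf.lost)
```

With buffering disabled the same unanswered request goes straight to the lost list, which is the charging impact the description warns about; reset() discards everything pending and should be read as a deliberate decision to give those records up.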
By default, the primary server quiet period is 5 minutes.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
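The timer quiet descriptions (RADIUS and HWTACACS) and the state secondary command above together define how the firewall chooses between a primary and a secondary server: an unreachable server is blocked, the next server in preference order is used, and the blocked server resumes the active state once the quiet period elapses. The Python model below is an added example, not HP code. It assumes that a server blocked manually with state ... block stays blocked until set active again (the quiet timer is described only for unreachable servers), and the timestamps and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed reference time; at(n) is n minutes after it.
T0 = datetime(2012, 7, 19, 12, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


class AaaServer:
    def __init__(self, address):
        self.address = address
        self.state = "active"    # "active" or "block"
        self.blocked_at = None   # set only when blocked for being unreachable
        self.manual = False      # True when set by "state ... block"


class ServerSelector:
    """Primary/secondary selection driven by the quiet timer."""

    def __init__(self, primary, secondary, quiet_minutes=5):
        self.servers = [primary, secondary]            # preference order
        self.quiet = timedelta(minutes=quiet_minutes)  # timer quiet (default 5)

    def mark_unreachable(self, server, now):
        """No response within the timeout: block it for the quiet period."""
        server.state, server.blocked_at, server.manual = "block", now, False

    def set_state(self, server, state):
        """state primary/secondary ... { active | block }.

        Assumption: a manual block is not released by the quiet timer.
        """
        server.state = state
        server.blocked_at = None
        server.manual = state == "block"

    def refresh(self, now):
        """Return servers whose quiet period has elapsed to the active state."""
        for s in self.servers:
            if s.state == "block" and not s.manual and now - s.blocked_at >= self.quiet:
                s.state, s.blocked_at = "active", None

    def select(self, now):
        """Server for the next request, or None when every server is blocked."""
        self.refresh(now)
        for s in self.servers:
            if s.state == "active":
                return s
        return None


if __name__ == "__main__":
    primary, secondary = AaaServer("10.1.1.1"), AaaServer("10.1.1.2")
    sel = ServerSelector(primary, secondary)
    sel.mark_unreachable(primary, at(0))
    for m in (0, 4, 5):
        chosen = sel.select(at(m))
        print(f"t+{m}min ->", chosen.address if chosen else None)
```

Note that select() can return None: when both servers are blocked the firewall has nowhere to send the request, so a quiet timer long enough to ride out a transient outage but short enough to retry the primary promptly is the balance the command controls.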
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
timer response-timeout (HWTACACS scheme view)
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Default level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Description
Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default.
By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the firewall to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the firewall must remove the domain name.
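The user-name-format command appears above for both the RADIUS scheme view (keep-original, with-domain, without-domain) and, here, the HWTACACS scheme view. The Python functions below are an added example, not firmware code, modelling how the firewall derives the ISP domain from a username of the form userid@isp-name and what each mode sends to the server. Two assumptions are labelled in the code: the domain is the text after the last "@", and with-domain appends a default domain (here the constructed name "system") when the user entered none.

```python
# Assumption: stands in for the device's default ISP domain, applied when a
# username is entered without "@isp-name".
DEFAULT_DOMAIN = "system"


def split_username(entered):
    """Split "userid@isp-name" into (userid, isp_name).

    isp_name is None when no "@" was entered. Assumption: the ISP domain is
    the text after the last "@".
    """
    if "@" not in entered:
        return entered, None
    userid, _, isp = entered.rpartition("@")
    return userid, isp


def resolve_domain(entered, default_domain=DEFAULT_DOMAIN):
    """ISP domain the firewall uses to pick the AAA scheme for this user."""
    _, isp = split_username(entered)
    return isp if isp else default_domain


def format_for_server(entered, mode, default_domain=DEFAULT_DOMAIN):
    """Username actually sent to the RADIUS/HWTACACS server under each mode."""
    userid, isp = split_username(entered)
    if mode == "keep-original":
        return entered
    if mode == "without-domain":
        # For servers that cannot recognize a username with an ISP domain.
        return userid
    if mode == "with-domain":
        # Assumption: a username entered without a domain is sent with the
        # default domain appended.
        return f"{userid}@{isp if isp else default_domain}"
    raise ValueError(f"unknown user-name-format mode: {mode}")


if __name__ == "__main__":
    for name in ("alice@corp", "bob"):
        domain = resolve_domain(name)
        for mode in ("keep-original", "with-domain", "without-domain"):
            print(f"{name:12} domain={domain:7} {mode:15} -> {format_for_server(name, mode)}")
```

The point the table of modes does not make explicit is that domain selection on the firewall and the name the server sees are independent: without-domain still routes the user through the corp scheme, it only strips the suffix on the wire.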
Password control configuration commands
IMPORTANT:
The FIPS mode is available only for the firewall modules. For more information about FIPS, see "Configuring FIPS."
display password-control
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
super: Displays the password control information of the super passwords.
 Minimum password update time: 24 hours
 User account idle-time: 90 days
 Login with aged password: 3 times in 30 days
 Password complexity: Disabled (username checking)
                      Disabled (repeated characters checking)
# Display the password control configuration information for super passwords.
View
Any view
Default level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ipv4-address: IPv4 address of a user.
ipv6-address: IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
undo password
View
Local user view
Default level
2: System level
Parameters
None
Description
Use password to set a password for a local user in interactive mode. Use undo password to remove the password for a local user.
length: Enables the minimum password length restriction function.
Description
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function. Use undo password-control { aging | composition | history | length } enable to disable the specified function.
By default, the four password control functions are all enabled.
Description
Use password-control aging to set the password aging time. Use undo password-control aging to restore the default.
By default, the global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
By default, a user is warned of pending password expiration 7 days before the user's password expires. Examples # Configure the firewall to warn a user about pending password expiration 10 days before the user's password expires.
Description Use password-control complexity to configure the password complexity checking policy. Unqualified passwords will be refused. Use the undo password-control complexity check command to remove a password complexity checking item. By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively. Related commands: display password-control.
Examples
# Specify that all passwords must each contain at least 3 types of characters and each type must contain at least 5 characters.
system-view
[Sysname] password-control composition type-number 3 type-length 5
# Specify that passwords in user group test must contain at least 3 types of characters and each type must contain at least 5 characters.
View
System view
Default level
2: System level
Parameters
delay: Maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Maximum number of times a user can log in after the password expires, in the range of 0 to 10. 0 means that a user cannot log in after the password expires.
password-control length
Syntax
password-control length length
undo password-control length
View
System view, user group view, local user view
Default level
2: System level
Parameters
length: Minimum password length in characters, in the range of 8 to 32.
Description
Use password-control length to set the minimum password length. Use undo password-control length to restore the default.
View
System view
Default level
2: System level
Parameters
idle-time: Maximum account idle time, in the range of 0 to 365, in days. 0 means no restriction for account idle time.
Description
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid. Use undo password-control login idle-time to restore the default.
By default, the maximum account idle time is 90 days.
Related commands: display password-control.
By default, the maximum number of consecutive failed login attempts is three and a user failing to log in after the specified number of attempts must wait for one minute before trying again.
• If prohibited permanently, a user can log in only after you remove the user from the blacklist.
• If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes the user from the blacklist.
Default level
2: System level
Parameters
interval: Minimum password update interval, in the range of 0 to 168, in hours. 0 means no requirements for password update interval.
Description
Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords. Use undo password-control password update interval to restore the default.
By default, the minimum password update interval is 24 hours.
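The aging, alert-before-expire, expired-user-login, login idle-time and password update interval commands above are steps of one lifecycle: a password ages out after the aging time, the user is warned some days beforehand, a limited number of logins with the expired password are tolerated inside a delay window, an account unused for the idle time becomes invalid, and a fresh password cannot be changed again before the update interval. The Python model below is an added example, not HP code, with the defaults the page states (90 days, 7 days, 3 times in 30 days, 90 days, 24 hours); the reference time and accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference time for the examples.
NOW = datetime(2012, 7, 19, 12, 0)


@dataclass
class Policy:
    """Password-control settings with the defaults stated on this page."""
    aging_days: int = 90             # password-control aging
    alert_days: int = 7              # password-control alert-before-expire
    expired_login_delay: int = 30    # password-control expired-user-login delay
    expired_login_times: int = 3     # password-control expired-user-login times
    idle_days: int = 90              # password-control login idle-time
    update_interval_hours: int = 24  # password-control password update interval


@dataclass
class Account:
    name: str
    password_set: datetime
    last_login: datetime
    expired_logins: int = 0   # logins already made with the expired password


def make_account(name, password_age_days, last_login_days_ago):
    """Constructed account whose ages are given relative to NOW."""
    return Account(name, NOW - timedelta(days=password_age_days),
                   NOW - timedelta(days=last_login_days_ago))


def evaluate_login(account, policy, now):
    """Decide (allowed, reason) for a login at `now`; updates the account."""
    if now - account.last_login > timedelta(days=policy.idle_days):
        return False, "account invalid: idle longer than the idle-time"
    expires_at = account.password_set + timedelta(days=policy.aging_days)
    if now < expires_at:
        account.last_login = now
        remaining = expires_at - now
        if remaining <= timedelta(days=policy.alert_days):
            return True, f"warn: password expires in {remaining.days} days"
        return True, "ok"
    # Password has aged out: the expired-user-login window decides.
    within_delay = now <= expires_at + timedelta(days=policy.expired_login_delay)
    if within_delay and account.expired_logins < policy.expired_login_times:
        account.expired_logins += 1
        account.last_login = now
        left = policy.expired_login_times - account.expired_logins
        return True, f"expired password accepted, {left} logins left"
    return False, "password expired"


def can_change_password(account, policy, now):
    """Minimum password update interval check."""
    return now - account.password_set >= timedelta(hours=policy.update_interval_hours)


if __name__ == "__main__":
    policy = Policy()
    for acct in (make_account("warn", 85, 1), make_account("grace", 95, 1),
                 make_account("idle", 10, 100), make_account("late", 130, 1)):
        print(acct.name, "->", evaluate_login(acct, policy, NOW))
    print("fresh change allowed:", can_change_password(make_account("fresh", 1 / 24, 0), policy, NOW))
```

Setting expired_login_times to 0 closes the grace window entirely, which is the behaviour the times parameter documents; the delay alone never grants a login.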
password-control super composition
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
View
System view
Default level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain, in the range of 1 to 4. In FIPS mode, the type-number argument must be 4.
Description
Use password-control super length to set the minimum length for super passwords. Use undo password-control super length to restore the default.
By default, the minimum super password length is 10 characters.
The setting for super passwords, if present, overrides that for all passwords.
Related commands: password-control length.
Examples
# Set the minimum length for super passwords to 10 characters.
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters.
super: Deletes the history records of the super password specified by the level level combination or the history records of all super passwords.
level level: Specifies a user level, in the range of 1 to 3.
Description
Use reset password-control history-record to delete history password records.
FIPS configuration commands
FIPS configuration commands are available only for firewall modules.
display fips status
Syntax
display fips status
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use display fips status to display FIPS state.
Related commands: fips mode enable.
Examples
# Display FIPS state.
The FIPS mode complies with FIPS 140-2. In CC evaluation, a device in FIPS mode means that the device operates in compliance with the CC evaluation standards.
Related commands: display fips status.
Examples
# Enable FIPS mode.
system-view
[Sysname] fips mode enable
fips self-test
Syntax
fips self-test
View
System view
Default level
3: Manage level
Parameters
None
Description
Use fips self-test to trigger a self-test on the password algorithms.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention  Description
Boldface  Bold text represents commands and keywords that you enter literally as shown.
Italic  Italic text represents arguments that you replace with actual values.
[ ]  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.