HP Unified Wired-WLAN Products
Security Command Reference
HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module
Part number: 5998-4797
Software version: 3507P22 (HP 830 PoE+ Switch Series), 2607P22 (HP 850 Appliance), 2607P22 (HP 870 Appliance), 2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
AAA configuration commands ..... 1
General AAA configuration commands ..... 1
aaa nas-id profile ..... 1
access-limi
display user-group ..... 46
expiration-date (local user view) ..... 47
group ..... 48
group-at
primary authentication (HWTACACS scheme view) ..... 101
primary authorization ..... 102
reset hwtacacs statistics ..... 103
reset stop-accounting-buffer (for HWTACACS)
mac-authentication trigger after-portal ..... 153
mac-authentication user-name-format ..... 154
reset mac-authentication statistics ..... 156
Portal configuration commands
port-security enable ..... 211
port-security intrusion-mode ..... 212
port-security max-mac-count
ca identifier ..... 257
certificate request entity ..... 257
certificate request from ..... 258
certific
display ssh server-info ..... 295
exit ..... 296
get
arp anti-attack source-mac threshold ..... 335
display arp anti-attack source-mac ..... 335
ARP packet source MAC consistency check configuration commands ..... 336
arp anti-attack valid-ack enable
transform ..... 379
transform-set ..... 380
tunnel local
ASPF configuration commands ..... 421
aspf-policy ..... 421
display aspf all ..... 422
displ
user-isolation vlan permit-mac ..... 465
Source IP address verification commands ..... 466
display wlan client source binding ..... 466
ip verify source
AAA configuration commands
General AAA configuration commands

aaa nas-id profile
Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Views
ISP domain view
Default command level
2: System level
Parameters
max-user-number: Maximum number of online users that the ISP domain will accept, in the range of 1 to 2147483646.
Usage guidelines
Because system resources can be limited, and user connections might compete for network resources, setting a limit for online users helps provide reliable system performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
• accounting default
• hwtacacs scheme

accounting default
Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.

Related commands
• local-user
• hwtacacs scheme
• radius scheme

accounting lan-access
Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.

accounting login
Use accounting login to configure the accounting method for login users through the console port, AUX port, or Telnet.
Use undo accounting login to restore the default.
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
Default
The default accounting method for the ISP domain is used for login users.

accounting optional
Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.
Syntax
accounting optional
undo accounting optional
Default
The feature is disabled.
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for portal users.

none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for PPP users.

• IP addresses of full 0s.
• IP addresses of full 1s.
• D-class IP addresses.
• E-class IP addresses.
• Loopback IP addresses.
Usage guidelines
In a MAC-BAC network, the NAS-IP-Address attribute (attribute number 4) in a RADIUS Access-Request packet must take the IP address of the master AC.
This command does not change the source IP address of a RADIUS Access-Request packet.
Examples
# Configure the NAS-IP-Address attribute (attribute number 4) as 192.168.0.2 for RADIUS Access-Request packets.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured.

Examples
# Configure ISP domain test to use local authentication for LAN users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.

Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.

Usage guidelines
The specified LDAP or RADIUS scheme must have been configured.
Only PAP is supported for LDAP authentication of portal users.
Examples
# Configure ISP domain test to use local authentication for portal users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for PPP users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.

Usage guidelines
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
authorization command
Use authorization command to configure the command-line authorization method.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
Default
The default authorization method for the ISP domain is used for command-line authorization.
authorization default
Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
Default
The default authorization method for an ISP domain is local.
• radius scheme
• ldap scheme

authorization lan-access
Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.
Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
Default
The default authorization method for the ISP domain is used for LAN users.

authorization login
Use authorization login to configure the authorization method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authorization login to restore the default.
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
Default
The default authorization method for the ISP domain is used for login users.

Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme
• ldap scheme

authorization portal
Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.
Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
Default
The default authorization method for the ISP domain is used for portal users.

Related commands
• local-user
• authorization default
• radius scheme

authorization ppp
Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.
Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp
Default
The default authorization method for the ISP domain is used for PPP users.

system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local
Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme

authorization-attribute user-profile
Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain.
Use undo authorization-attribute user-profile to restore the default.
Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }
Views
System view
Default command level
2: System level
Parameters
access-type: Specifies the user connections for the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.

Related commands
• display connection
• service-type

display connection
Use display connection to display information about AAA user connections.

Usage guidelines
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.

Start=2013-07-16 10:53:03 ,Current=2013-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
# Display information about AAA user connections with an index of 1. The authentication response packet contains the username test1, which is used for accounting.
display connection ucibindex 1
Index=1 , Username=test@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.
Related commands
cut connection

display domain
Use display domain to display the configuration of ISP domains.
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius:test, local
Lan-access authorization scheme : hwtacacs:hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Command output
Field | Description
Domain | ISP domain name.
Self-service | Indicates whether the self-service function is enabled. With the self-service function enabled, users can launch a browser and enter the self-service URL in the address bar to access the self-service pages and perform self-service operations.
Authorization attributes | Default authorization attributes for the ISP domain.
User-profile | Default authorization user profile.
Related commands
• state
• display domain

domain default enable
Use domain default enable to specify the default ISP domain. Users without a domain name included in their usernames are considered to be in the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system predefined ISP domain system.

Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified for users with unknown domain names.

Default command level
2: System level
Parameters
profile-name: Name of the EAP profile, a case-insensitive string of 1 to 16 characters.
Usage guidelines
An EAP profile is a collection of local EAP authentication settings, including the authentication method to be used and, for some authentication methods, the SSL server policy to be referenced.
Examples
# Create an EAP profile, and enter its view.

In a portal stateful failover situation, set the idle cut interval to be greater than 5 minutes to make sure online users' data can be backed up.
Examples
# Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.
system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024
Related commands
domain

ip pool
Use ip pool to configure an address pool for assigning addresses to PPP users.

local-server authentication eap-profile
Use local-server authentication eap-profile to specify the EAP profile for the local authentication server to use.
Use undo local-server authentication eap-profile to remove the configuration.
Syntax
local-server authentication eap-profile profile-name
undo local-server authentication eap-profile
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of an existing EAP profile, a case-insensitive string of 1 to 16 characters.

tls: Specifies the TLS authentication method.
ttls: Specifies the TTLS authentication method.
Usage guidelines
You can specify more than one EAP authentication method for an EAP profile. The most recent authentication method configuration has the lowest priority.
The peap-gtc and peap-mschapv2 keywords cannot be simultaneously configured for an EAP profile.
The local server first negotiates the EAP authentication method with the EAP client when this command is used for EAP authentication of an EAP client.
Parameters
device-id: Specifies the device ID for the device. In stateful failover mode, it must be 1 or 2.
Usage guidelines
Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
In stateful failover mode, a device is uniquely identified from the other device by its device ID.
Configuring or changing the device ID of a device logs off all online users of the device.

[Sysname] ldap scheme test
[Sysname-ldap-test] quit
[Sysname] eap-profile aprf2
[Sysname-eap-prof-aprf2] user-credentials ldap-scheme test local

nas-id bind vlan
Use nas-id bind vlan to bind a NAS ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS ID-VLAN binding exists.

undo self-service-url enable
Default
The self-service server location function is disabled.
Views
ISP domain view
Default command level
2: System level
Parameters
url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and does not contain a question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
Usage guidelines
With the self-service function, users can manage and control their accounts and passwords.

Examples
# Configure the device to include the idle cut time in the user online time uploaded to the server for ISP domain test.
system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
idle-cut enable

ssl-server-policy
Use ssl-server-policy to specify an SSL server policy for the EAP authentication.
Use undo ssl-server-policy to remove the configuration.

undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Default command level
2: System level
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
Blocking an ISP domain disables the domain's offline users from requesting network services. The online users are not affected.
Usage guidelines
This command takes effect only when local accounting is used for the user account.
This limit has no effect on FTP users because accounting is not available for FTP users.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.

user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. It can contain letters, digits, and underscores (_), and must start with a letter. After a user passes authentication and gets online, the device uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide.
user-role: Specifies the role for the local user.

Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
Default
No binding attribute is configured for a local user.

Syntax
display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specified type of service.

Access-limit: Enabled
Max AccessNum: 300
User-group: system
Current AccessNum: 0
Bind attributes:
IP address: 1.2.3.
Related commands
local-user

display user-group
Use display user-group to display the configuration of user groups.
Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
group-name: Specifies a user group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression.

Table 4 Command output
Field | Description
Idle-cut | Idle timeout interval, in minutes.
Work Directory | Directory that FTP/SFTP users in the group can access.
Level | Level of the local users in the group.
ACL Number | Authorization ACL for the local users in the group.
VLAN ID | Authorized VLAN for the local users in the group.
User-Profile | User profile for local user authorization.
Callback-number | Authorized PPP callback number for the local users in the group.

for local authentication and passes the authentication, the access device checks whether the current system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user.
Examples
# Set the expiration time of user abc to 12:10:20 on May 31, 2013.

Default
The guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.
Views
User group view
Default command level
3: Manage level
Usage guidelines
The guest attribute is set for the system predefined user group system and you cannot remove the attribute for the user group.
Examples
# Set the guest attribute for user group test.

• ppp: PPP users. Support for this keyword depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
• ssh: SSH users.
• telnet: Telnet users. This keyword is not supported in FIPS mode.
• terminal: Users logging in through the console or AUX port. In FIPS mode, you must specify this keyword.
• web: Web users.
Examples
# Add a local user named user1.
When the password control feature is enabled globally (by using the password-control enable command), local user passwords are subject to the restrictions of the password control feature (for example, on length and complexity) and are not displayed. At the same time, you cannot use the password hash cipher command to configure passwords.
The password command is not supported in FIPS mode. You must use the password control feature to configure passwords for local users.
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users such as 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service. This keyword is not supported in FIPS mode.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port. In FIPS mode, you must specify this keyword.
portal: Authorizes the user to use the Portal service.

[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user

user-group
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
Syntax
user-group group-name
undo user-group group-name
Views
System view
Default command level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.

Default
A local user has no validity time and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where the value range for HH is 0 to 23, and those for MM and SS are 0 to 59.
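The validity-time and expiration-time check described for local users (the device permits access only when the current time lies between the two bounds, and skips the check for a bound that is not set) as an added example, not code from the HP manual or the device firmware. It accepts the four time layouts listed above; treating the bounds as inclusive is an assumption, since the manual does not say.

```python
from datetime import datetime

# The four layouts the validity-time / expiration-time parameters accept.
TIME_FORMATS = (
    "%H:%M:%S-%m/%d/%Y",
    "%H:%M:%S-%Y/%m/%d",
    "%m/%d/%Y-%H:%M:%S",
    "%Y/%m/%d-%H:%M:%S",
)


def parse_time(text):
    """Parse a time written in any of the four accepted layouts; reject anything else."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unsupported time format: %r" % (text,))


def access_permitted(now, validity_time=None, expiration_date=None):
    """Decide whether a local user may get online at `now` (a string in one of the
    accepted layouts). A bound that is None is not checked, matching the default
    of "no validity time, no time validity checking". Bounds are inclusive
    (assumption; the manual does not state the boundary behaviour)."""
    current = parse_time(now)
    if validity_time is not None and current < parse_time(validity_time):
        return False  # account not yet valid
    if expiration_date is not None and current > parse_time(expiration_date):
        return False  # account expired
    return True


if __name__ == "__main__":
    # Constructed check against the manual's example expiration time of
    # 12:10:20 on May 31, 2013, one second before and one second after it.
    expiry = "12:10:20-05/31/2013"
    print(access_permitted("2013/05/31-12:10:19", expiration_date=expiry))  # True
    print(access_permitted("2013/05/31-12:10:21", expiration_date=expiry))  # False
```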
Views
RADIUS scheme view
Default command level
2: System level
Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default is 3 seconds.
send-times: Maximum number of accounting-on packet transmission attempts, in the range of 1 to 255. The default is 50.

Examples
# Specify the device to interpret RADIUS attribute 25 as CAR parameters.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
• display radius scheme
• display connection

data-flow-format (RADIUS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.

display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
radius-scheme-name: RADIUS scheme name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Encryption Key : N/A
Probe username : N/A
Probe interval : N/A
Second Acct Server:
IP: 1.1.2.

Field | Description
Probe username | Username used for server status detection.
Probe interval | Server status detection interval, in minutes.
Auth Server Encryption Key | Shared key for secure authentication communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A.
Acct Server Encryption Key | Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 6 Command output
Field | Description
state statistic | User statistics, by state. The value range depends on the device model.
RADIUS received messages statistic | Statistics for received RADIUS messages.
Auth request | Counts of authentication requests.
Account request | Counts of accounting requests.
Account off request | Counts of stop-accounting requests.
PKT auth timeout | Counts of authentication timeout messages.
PKT acct_timeout | Counts of accounting timeout messages.
Realtime Account timer | Counts of real-time accounting requests.
PKT response | Counts of responses from servers.

display stop-accounting-buffer (for RADIUS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.

Related commands
• reset stop-accounting-buffer
• stop-accounting-buffer enable
• user-name-format
• retry
• retry stop-accounting

eap offload
Use eap offload to enable the EAP offload feature.
Use undo eap offload to disable the EAP offload feature.
Syntax
eap offload method peap-mschapv2
undo eap offload method peap-mschapv2
Default
The EAP offload feature is disabled, and the device forwards received EAP authentication requests in pass-through mode, rather than performing offload operations.
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plain text shared key.
key: Specifies the shared key string.
[Sysname-radius-radius1] key authentication cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
Related commands
display radius scheme
nas-backup-ip
Use nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets in a stateful failover situation.
Use undo nas-backup-ip to restore the default.
Syntax
nas-backup-ip ip-address
undo nas-backup-ip
Default
A RADIUS scheme is configured with no backup source IP address for outgoing RADIUS packets.
On the backup device, you must set the source IP address and backup source IP address for outgoing RADIUS packets to 3.3.3.3 and 2.2.2.2, respectively.
Related commands
• nas-ip
• radius nas-ip
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to restore the default.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
radius nas-ip
primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to remove the configuration.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication/authorization server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo primary authentication
Default
No primary RADIUS authentication/authorization server is specified.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Default
The RADIUS client service is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When the RADIUS client service is disabled, the following events occur:
• No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still has the user's record during a certain period of time.
radius nas-backup-ip
Use radius nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets.
Use undo radius nas-backup-ip to restore the default.
Syntax
radius nas-backup-ip ip-address
undo radius nas-backup-ip
Default
A device is configured with no backup source IP address for outgoing RADIUS packets.
Views
System view
Default command level
2: System level
Parameters
ip-address: Backup source IP address for outgoing RADIUS packets.
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to remove the configuration.
Syntax
radius nas-ip { ipv4-address | ipv6 ipv6-address }
undo radius nas-ip { ipv4-address | ipv6 ipv6-address }
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Default command level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
authentication-error-threshold: Sends traps when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the number of failed request transmission attempts to the total number of transmission attempts. The value range is 1 to 100, and the default is 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Views
User view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
Parameters
retry-times: Maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets.
command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the device receives no response within 3 seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the attempt a failure, buffers the request, and makes another attempt. If 20 consecutive attempts fail, the device discards the request.
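The retransmit, buffer and discard sequence described above, as an added example that is not code from the HP reference: a Python model of the NAS side, using the 3-second timeout, 5 transmission attempts and 20 buffered attempts given in the text as defaults. The `responds` callback is a constructed stand-in for the accounting server, and the model assumes that `retry` counts every transmission of an attempt, including the first.

```python
"""Model of the RADIUS stop-accounting retransmission behaviour (added example).

Parameter names follow the commands in the reference: response_timeout
(timer response-timeout), retry (retry) and retry_stop_accounting
(retry stop-accounting). `responds(n)` is a constructed server stand-in that
returns True when the n-th transmission overall is answered.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class StopAcctOutcome:
    delivered: bool          # a response was received
    attempts: int            # attempts made; each attempt is up to `retry` transmissions
    transmissions: int       # packets put on the wire in total
    waited_seconds: int      # time spent waiting on response timeouts
    discarded: bool          # dropped after retry_stop_accounting consecutive failed attempts
    log: List[str] = field(default_factory=list)


def send_stop_accounting(responds: Callable[[int], bool],
                         response_timeout: int = 3,
                         retry: int = 5,
                         retry_stop_accounting: int = 20) -> StopAcctOutcome:
    """Deliver one stop-accounting request the way the text describes.

    An attempt transmits the request up to `retry` times (assumption: the
    first transmission counts), waiting `response_timeout` seconds each time.
    An attempt with no response is a failure: the request is buffered and
    another attempt is made. After `retry_stop_accounting` consecutive failed
    attempts the request is discarded.
    """
    transmissions = 0
    waited = 0
    log: List[str] = []
    for attempt in range(1, retry_stop_accounting + 1):
        for tx in range(1, retry + 1):
            transmissions += 1
            if responds(transmissions):
                log.append(f"attempt {attempt}: response after transmission {tx}")
                return StopAcctOutcome(True, attempt, transmissions, waited, False, log)
            waited += response_timeout   # no answer within the timeout: retransmit
        log.append(f"attempt {attempt}: {retry} transmissions unanswered, request buffered")
    log.append(f"{retry_stop_accounting} consecutive attempts failed, request discarded")
    return StopAcctOutcome(False, retry_stop_accounting, transmissions, waited, True, log)


def worst_case_seconds(response_timeout: int = 3, retry: int = 5,
                       retry_stop_accounting: int = 20) -> int:
    """Longest the NAS keeps one stop-accounting request before discarding it."""
    return response_timeout * retry * retry_stop_accounting


if __name__ == "__main__":
    # Constructed scenario: the server answers nothing for the first 12
    # transmissions (say, it is restarting) and then answers.
    down_then_up = send_stop_accounting(lambda n: n > 12)
    for line in down_then_up.log:
        print(line)
    print("delivered:", down_then_up.delivered, "after", down_then_up.waited_seconds, "s")
    never = send_stop_accounting(lambda n: False)
    print("unreachable server: discarded =", never.discarded,
          "after", never.waited_seconds, "s; worst case", worst_case_seconds(), "s")
```

With the defaults from the text, an unreachable accounting server costs the NAS 100 transmissions and 300 seconds of waiting per stop-accounting request before it is discarded, which is the window in which the "No-response-acct-stop packet" counter grows.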
• simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
probe: Enables the device to detect the status of the secondary RADIUS accounting server.
Examples
# For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello
# For RADIUS scheme radius2, set the IP address of the secondary accounting server to 10.110.1.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS authentication/authorization server.
• cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.
• simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
When the server status detection function is enabled, the quiet timer specified by the timer quiet command does not take effect.
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.
all: Specifies all security policy servers.
Usage guidelines
You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
server-type (RADIUS scheme view)
Use server-type to specify the RADIUS server type.
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Default command level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Default command level
2: System level
Usage guidelines
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet.
If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible. Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device has to repeatedly try to communicate with an unreachable server that is in active state.
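The server-state behaviour described here and under primary authentication (first active server from the primary on, blocked state for the quiet period, quiet period 0 to keep using the primary), as an added example that is not the device's code. It assumes that a quiet period of 0 simply leaves an unreachable server in active state, that an administratively set state carries no timer, and it uses plain seconds for time.

```python
"""Model of RADIUS server state selection and the quiet timer (added example).

A scheme holds the primary server followed by its secondaries. The device uses
the first server in active state; a server that failed to respond is put in
blocked state for quiet_minutes and returns to active when the timer expires.
Assumptions: quiet period 0 never blocks a server, and the administrative
'state ... { active | block }' setting has no timer.
"""
from dataclasses import dataclass
from typing import List, Optional

ACTIVE = "active"   # normal operation state
BLOCK = "block"     # out-of-service state


@dataclass
class RadiusServer:
    address: str
    state: str = ACTIVE
    blocked_until: Optional[float] = None  # set only for quiet-timer blocks


class RadiusScheme:
    def __init__(self, name: str, primary: str, secondaries: List[str],
                 quiet_minutes: int = 5):
        self.name = name
        self.quiet_minutes = quiet_minutes
        # Order matters: the primary first, then secondaries in configuration order.
        self.servers = [RadiusServer(primary)] + [RadiusServer(s) for s in secondaries]

    def _find(self, address: str) -> RadiusServer:
        for srv in self.servers:
            if srv.address == address:
                return srv
        raise KeyError(f"{address} is not a server of scheme {self.name}")

    def _expire_quiet_timers(self, now: float) -> None:
        # A quiet-timer block ends when its timer runs out; admin blocks stay.
        for srv in self.servers:
            if srv.state == BLOCK and srv.blocked_until is not None and now >= srv.blocked_until:
                srv.state, srv.blocked_until = ACTIVE, None

    def select(self, now: float) -> Optional[RadiusServer]:
        """First server in active state, looked for from the primary on (None if all blocked)."""
        self._expire_quiet_timers(now)
        return next((srv for srv in self.servers if srv.state == ACTIVE), None)

    def report_unreachable(self, address: str, now: float) -> None:
        """Called after a request to `address` got no response within the retry limit."""
        if self.quiet_minutes == 0:
            return  # quiet period 0: the server stays active and is retried next time
        srv = self._find(address)
        srv.state = BLOCK
        srv.blocked_until = now + self.quiet_minutes * 60

    def set_state(self, address: str, state: str) -> None:
        """Administrative 'state primary/secondary ... { active | block }', no timer."""
        if state not in (ACTIVE, BLOCK):
            raise ValueError(f"unknown state: {state}")
        srv = self._find(address)
        srv.state, srv.blocked_until = state, None


if __name__ == "__main__":
    scheme = RadiusScheme("radius1", "10.110.1.1", ["10.110.1.2"], quiet_minutes=5)
    print("t=0   ->", scheme.select(0).address)       # primary
    scheme.report_unreachable("10.110.1.1", now=0)
    print("t=1   ->", scheme.select(1).address)       # secondary while the primary is quiet
    print("t=300 ->", scheme.select(300).address)     # primary again after 5 minutes
```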
Table 7 Recommended real-time accounting intervals
Number of users   Real-time accounting interval (in minutes)
1 to 99           3
100 to 499        6
500 to 999        12
1000 or more      15 or longer
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Related commands
radius scheme
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
|: Filters command output by specifying a regular expression.
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 8 Command output
Field                           Description
HWTACACS-server template name   Name of the HWTACACS scheme.
Primary-authentication-server   IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields.
HWTACACS authen client packet dropped number: 4
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 5
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure numbe
HWTACACS account client round trip time(s): 0
Related commands
hwtacacs scheme
display stop-accounting-buffer (for HWTACACS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers. For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
Usage guidelines The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server only affects accounting processes that occur after the remove operation.
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
Related commands
display hwtacacs
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization ip-address [ port-number ]
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Default command level
1: Monitor level
Parameters
accounting: Specifies the HWTACACS accounting statistics.
all: Specifies all HWTACACS statistics.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
• display stop-accounting-buffer
retry stop-accounting (HWTACACS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts.
Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 100.
Default command level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS accounting server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
port-number: Service port number of the secondary HWTACACS authentication server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server only affects authorization processes that occur after the remove operation.
Examples
# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the primary server.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period, in the range of 1 to 255, in minutes.
Default command level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
If the HWTACACS scheme is used for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Examples
# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
LDAP configuration commands
authentication-server
Use authentication-server to specify an LDAP authentication server.
authorization-server
Use authorization-server to specify an LDAP authorization server.
Use undo authorization-server to cancel the specified LDAP authorization server.
Syntax
authorization-server ip-address [ port-number ]
undo authorization-server
Default
No LDAP authorization server is specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the LDAP authorization server.
Parameters
scheme-name: LDAP scheme name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Table 9 Command output
Field                    Description
Scheme name              LDAP scheme name.
Index                    LDAP scheme index.
Authentication IP/Port   IP address/port number of the authentication server. If no authentication server is specified, the IP address is 0.0.0.0 and the port number is the default.
Authorization IP/Port    IP address/port number of the authorization server. If no authorization server is specified, the IP address is 0.0.0.0 and the port number is the default.
undo group-parameters { group-name-attribute | group-object-class | member-name-attribute | search-base-dn | search-scope }
Default
The search base DN is not specified, the group name attribute is cn, the search scope is all-level, the customized group object class is not specified, and the customized member name attribute is not specified.
Use undo ldap scheme to remove an LDAP scheme.
Syntax
ldap scheme ldap-scheme-name
undo ldap scheme ldap-scheme-name
Default
No LDAP scheme is created.
Views
System view
Default command level
3: Manage level
Parameters
ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
LDAP protocol configurations are made in LDAP schemes.
Default command level
2: System level
Parameters
dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The administrator DN specified on the device must be consistent with that configured on the LDAP server. If you change the administrator DN, the change takes effect only for LDAP authentication and authorization performed after the change.
Examples
# Specify the administrator DN as uid=test, ou=people, o=example, c=city.
For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.
Examples
# Configure the administrator password to abcdefg in plain text.
system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] login-password simple abcdefg
# Configure the administrator password to /tbw94rb4yDN1Ez5vkK1pw== in ciphertext.
[Sysname-ldap-ldap1] protocol-version v2
Related commands
display ldap scheme
server-timeout
Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for the LDAP server's replies during authentication or authorization.
Use undo server-timeout to restore the default.
Syntax
server-timeout time-interval
undo server-timeout
Default
The LDAP server timeout period is 10 seconds.
Default
The LDAP server type is Microsoft.
Views
LDAP scheme view
Default command level
2: System level
Parameters
ibm: Specifies the LDAP server manufacturer as IBM.
microsoft: Specifies the LDAP server manufacturer as Microsoft.
sun: Specifies the LDAP server manufacturer as Sun.
Usage guidelines
The LDAP server type specified on the device must be consistent with that specified on the server.
Parameters
search-base-dn base-dn: Specifies the base DN for user search. The base-dn argument represents a DN value, a case-insensitive string of 1 to 255 characters.
search-scope { all-level | single-level }: Specifies the user search scope. The all-level keyword means that the search goes through all sub-directories of the base DN, and the single-level keyword means that the search goes through only the next lower level of sub-directories of the base DN.
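How search-base-dn and search-scope narrow a user search, as an added example that is not from the HP reference: the directory entries are constructed, DNs are compared RDN by RDN and case-insensitively (matching the case-insensitive base-dn string), and the example assumes that the base DN entry itself is never a user match and that RDN values contain no escaped commas.

```python
"""LDAP base DN and search scope matching (added example, constructed directory).

in_scope() decides whether an entry lies under the base DN within the scope;
find_user() applies it to a constructed directory the way a user search with
search-base-dn and search-scope would.
"""
from typing import List

ALL_LEVEL = "all-level"        # every level below the base DN
SINGLE_LEVEL = "single-level"  # only the next lower level


def split_dn(dn: str) -> List[str]:
    """'uid=Bob, ou=people, o=example' -> ['uid=bob', 'ou=people', 'o=example']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies under base_dn within the given search scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False                    # not below the base DN at all
    depth = len(entry) - len(base)      # 1 = direct child of the base DN
    if scope == SINGLE_LEVEL:
        return depth == 1
    if scope == ALL_LEVEL:
        return True
    raise ValueError(f"unknown search scope: {scope}")


def find_user(directory: List[str], base_dn: str, scope: str, username: str) -> List[str]:
    """DNs whose leading RDN is uid=<username> and which fall inside the search scope."""
    wanted = f"uid={username}".lower()
    return [dn for dn in directory
            if in_scope(dn, base_dn, scope) and split_dn(dn)[0] == wanted]


# Constructed directory; ou=people,o=example,c=city mirrors the administrator DN
# used in the examples of this chapter.
DIRECTORY = [
    "uid=alice,ou=people,o=example,c=city",
    "uid=bob,ou=eng,ou=people,o=example,c=city",
    "uid=carol,o=example,c=city",
    "uid=alice,ou=staff,o=other,c=city",
]

if __name__ == "__main__":
    base = "ou=people, o=example, c=city"
    print(find_user(DIRECTORY, base, SINGLE_LEVEL, "bob"))   # bob is two levels down
    print(find_user(DIRECTORY, base, ALL_LEVEL, "bob"))      # found under ou=eng
    print(find_user(DIRECTORY, base, ALL_LEVEL, "alice"))    # the o=other alice is out of scope
```

A too-wide base DN with all-level scope is what lets a same-named account in another branch (the second "alice" above) be returned; the base DN and scope together define which accounts the device will even consider.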
802.1X commands
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
interface interface-list: Specifies a port list, which can contain multiple ports.
Supp Timeout Reauth Period 30 s, Server Timeout 3600 s
The maximal retransmitting times 2
The maximum 802.1X user resource number is 20480 per slot
Total current used 802.1X resource number is 1
Ten-GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Handshake secure is disabled
802.
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 20480
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
WLAN-ESS1 is link-up
802.
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.
Field                                              Description
The maximum 802.1X user resource number per slot   Maximum number of concurrent 802.1X users on the device. The value depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
Total current used 802.1X resource number          Total number of online 802.1X users.
Ten-GigabitEthernet1/0/1 is link-up                Status of the port. In this example, Ten-GigabitEthernet 1/0/1 is up.
802.1X protocol is disabled                        Whether 802.
Field                       Description
Authenticated user          User that has passed 802.1X authentication.
Controlled User(s) amount   Number of authenticated users on the port.
Related commands
• reset dot1x statistics
• dot1x retry
• dot1x max-user
• dot1x port-control
• dot1x port-method
• dot1x timer
display dot1x synchronization
Use display dot1x synchronization to display stateful failover information for 802.1X sessions.
Usage guidelines
The system typically sends multiple 802.1X stateful failover messages in one packet to the failover peer. As a result, the sum of stateful failover messages sent and received on each interface might be greater than the total number of stateful failover packets sent and received by the device.
Examples
# Display stateful failover information for all 802.1X sessions.
WLAN-ESS0 : Not Configured
WLAN-ESS1 : Configured
WLAN-ESS2 : Ready
WLAN-ESS3 : Local running
WLAN-DBSS3:1 : Local running
WLAN-ESS4 : Both running
WLAN-DBSS4:1 : Both running
# Display the 802.1X stateful failover state of WLAN-DBSS 3:1.
display dot1x synchronization status interface WLAN-DBSS3:1
WLAN-DBSS3:1 : Local running
Table 12 Command output
Field            Description
Not Configured   802.1X stateful failover (port-security synchronization) is not enabled on the interface.
Backup Message Statistics on interface WLAN-DBSS1:2
Msg-Name          SendTotal   RcvTotal
MSG_USR_BACKUP    0           0
MSG_USR_DETELE    0           0
MSG_REQ_BATCH     0           0
MSG_USR_UPDATE    0           0
MSG_USR_COMPARE   0           0
MSG_NTF_STATUS    0           0
MSG_REQ_USER      0           0
MSG_DEL_ACK       0           0
# Display 802.1X stateful failover message statistics for interface WLAN-DBSS 1:1.
Field       Description
SendTotal   Number of messages sent on the interface by message type.
RcvTotal    Number of messages received on the interface by message type.
Related commands
• port-security synchronization enable
• reset dot1x synchronization statistics
dot1x accounting-delay
Use dot1x accounting-delay to enable accounting delay for 802.1X users on an interface.
Use undo dot1x accounting-delay to restore the default.
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] dot1x accounting-delay logoff time 15
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
Local authentication supports PAP, CHAP, and EAP. If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] dot1x auth-fail vlan 3
Related commands
dot1x port-method
dot1x domain-delimiter
Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device. You can use any character in the configured set as the domain name delimiter for 802.1X authentication users.
Use undo dot1x domain-delimiter to restore the default.
access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.
Syntax
In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In Layer 2 interface view, WLAN-ESS interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan
Default
No 802.1X guest VLAN is configured on a port.
system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] dot1x guest-vlan 3
Related commands
• dot1x port-method
• dot1x multicast-trigger
• mac-vlan enable and display mac-vlan (Layer 2—LAN Switching Command Reference)
dot1x handshake
Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online.
Use undo dot1x handshake to disable the function.
undo dot1x handshake secure
Default
The function is disabled.
Views
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default command level
2: System level
Usage guidelines
The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled.
To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output from the display connection command without any parameters displays domain names entered by users at login. For more information about the display connection command or the cut connection command, see "AAA configuration commands."
Examples
# Configure the mandatory authentication domain my-domain for 802.1X users on WLAN-ESS 1.
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range and default value vary with devices. For more information, see About the Command References for HP Unified Wired-WLAN Products.
interface interface-list: Specifies a port list, which can contain multiple ports.
Usage guidelines
You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.
Examples
# Enable the multicast trigger function on interface WLAN-ESS 1.
system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] dot1x multicast-trigger
Related commands
display dot1x
dot1x port-control
Use dot1x port-control to set the authorization state for the specified or all ports.
Use undo dot1x port-control to restore the default.
and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.
Usage guidelines
In system view, if no interface is specified, the command applies to all ports.
Examples
# Set the authorization state of port WLAN-ESS 1 to unauthorized-force.
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges for this argument. The start port number must be smaller than the end number and the two ports must be the same type.
dot1x re-authenticate Use dot1x re-authenticate to enable the periodic online user re-authentication function. Use undo dot1x re-authenticate to disable the function. Syntax dot1x re-authenticate undo dot1x re-authenticate Default The periodic online user re-authentication function is disabled. Views Layer 2 Ethernet interface view, WLAN-ESS interface view Default command level 2: System level Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.
Default command level 2: System level Parameters max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range of 1 to 10.
reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to 7200. server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300. supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120. tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.
Syntax dot1x unicast-trigger undo dot1x unicast-trigger Default The unicast trigger function is disabled. Views Layer 2 Ethernet interface view Default command level 2: System level Usage guidelines The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Usage guidelines If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are specified, the command clears all 802.1X statistics. Examples # Clear 802.1X statistics on port WLAN-ESS 1. reset dot1x statistics interface wlan-ess 1 Related commands display dot1x reset dot1x synchronization statistics Use reset dot1x synchronization statistics to clear 802.1X stateful failover packet statistics.
MAC authentication configuration commands

display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including global settings, port-specific settings, and MAC authentication and online user statistics.

 Current user number amounts to 0
 Current domain: not configured, use default domain
 Silent Mac User info:
   MAC Addr            From Port            Port Index
Ten-GigabitEthernet1/0/1 is link-up
 MAC address authentication is enabled
 Authenticate success: 0, failed: 0
 Max number of on-line users is 128
 Current online user number is 0
   MAC Addr            Authenticate state            AuthIndex
…

Table 14 Command output
Field                                    Description
MAC address authentication is enabled    Whether MAC authentication is enabled.

Field                                    Description
Ten-GigabitEthernet1/0/1 is link-up      Status of the link on port Ten-GigabitEthernet 1/0/1. In this example, the link is up.
MAC address authentication is enabled    Whether MAC authentication is enabled on port Ten-GigabitEthernet 1/0/1.
Authenticate success: 0, failed: 0       MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
Max number of on-line users              Maximum number of concurrent online users allowed on the port.

Default command level
2: System level

Parameters
interface interface-list: Specifies an Ethernet port list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type, and the end port number must be greater than the start port number.

Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain a forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).

Usage guidelines
The global authentication domain applies to all MAC authentication enabled ports. A port-specific authentication domain applies only to that port.

Usage guidelines
To use the MAC authentication guest VLAN function on a port, you must enable MAC-based VLAN on the port, in addition to enabling MAC authentication both globally and on the port.
To delete a VLAN that has been set as a MAC authentication guest VLAN, remove the guest VLAN configuration first.

Examples
# Configure VLAN 5 as the MAC authentication guest VLAN on port WLAN-ESS 1.

Use undo mac-authentication timer to restore the default settings.

Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }

Default
The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

Views
WLAN-ESS interface view

Default command level
2: System level

Usage guidelines
The portal-before-MAC feature triggers MAC authentication only for portal-authenticated users. The AC allows only these users to pass MAC authentication and assigns them to VLANs that perform local forwarding on an AP. For more information about local forwarding, see WLAN Configuration Guide.

Default command level
2: System level

Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account, a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies.
password: Specifies the password for the shared user account:
  cipher: Sets a ciphertext password.
  simple: Sets a plaintext password.
  password: Specifies the password. This argument is case sensitive.

Related commands
display mac-authentication

reset mac-authentication statistics
Use reset mac-authentication statistics to clear MAC authentication statistics.
Portal configuration commands

access-user detect
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.

Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect

Default
The portal user detection function is not configured on an interface.

Views
Interface view

Default command level
2: System level

Parameters
type arp: Uses ARP requests as probe packets.

display portal acl
Use display portal acl to display the ACLs on a specific interface.

Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
all: Displays all portal ACLs, including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal authentication.

   Port : any
 Rule 1
  Inbound interface : all
  Type : dynamic
  Action : permit
  Protocol : 0
  Source:
   IP : 8.8.8.8
   Mask : 255.255.255.255
   MAC : 0015-e9a6-7cfe
   Interface : any
   VLAN : 2
  Destination:
   IP : 0.0.0.0
   Mask : 0.0.0.0
  Author ACL:
   Number : 3001
 Rule 2
  Inbound interface : all
  Type : static
  Action : permit
  Protocol : 0
  Source:
   IP : 0.0.0.0
   Mask : 0.0.0.0
   MAC : 0000-0000-0000
   Interface : any
   VLAN : 2
   SSID : abcd
   Spot : MSM460
  Destination:
   IP : 0.0.0.0
   Mask : 0.0.0.

   VLAN : 2
  Destination:
   IP : 0.0.0.0
   Mask : 0.0.0.0
   Port : 80
 Rule 4
  Inbound interface : all
  Type : static
  Action : deny
  Protocol : 0
  Source:
   IP : 0.0.0.0
   Mask : 0.0.0.0
   Port : any
   MAC : 0000-0000-0000
   Interface : any
   VLAN : 2
  Destination:
   IP : 0.0.0.0
   Mask : 0.0.0.

   Interface : any
   VLAN : 2
   Protocol : 6
  Destination:
   IP : ::
   Prefix length : 0
   Port : 80
 Rule 2
  Inbound interface : any
  Type : static
  Action : deny
  Source:
   IP : ::
   Prefix length : 0
   MAC : 0000-0000-0000
   Interface : any
   VLAN : 2
   Protocol : 0
  Destination:
   IP : ::
   Prefix length : 0
   Port : any

Table 15 Command output
Field                Description
Rule                 Sequence number of the portal ACL, numbered from 0 in ascending order.
Inbound interface    Interface to which the portal ACL is bound.

Field                Description
IP                   Destination IP address in the portal ACL.
Port                 Destination transport layer port number in the portal ACL.
Mask                 Subnet mask of the destination IP address in the portal ACL.
Prefix length        Destination IPv6 address prefix in the portal ACL.
Author ACL           Authorization ACL information. It is displayed only when the value of the Type field is dynamic.
Number               Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL.
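When the portal ACL table on a busy interface is long, reviewing it by eye is error-prone. The following parser is an added example (it is not code from the HP reference or the device). It turns the "name : value" lines of display portal acl into structured rules, then answers two audit questions: which authenticated users currently hold dynamic rules (and which RADIUS authorization ACL each received), and which destination ports the static permit rules open before authentication. The sample output is constructed from the field names documented above; the exact indentation on a real device may differ, so the parser keys only on the "Rule N" headers and "name : value" lines.

```python
"""Parse `display portal acl` output into structured rules.

Added example, not code from the HP reference. The sample output below
is constructed from the field names the reference documents (Rule,
Inbound interface, Type, Action, Protocol, Source/Destination IP, Mask,
MAC, Interface, VLAN, Port, Author ACL Number).
"""
import re

# Constructed sample: one dynamic rule created for an authenticated user
# (with a RADIUS-assigned authorization ACL), one static permit rule for
# TCP port 80, and the static catch-all deny rule.
SAMPLE_OUTPUT = """\
Rule 1
 Inbound interface : all
 Type : dynamic
 Action : permit
 Protocol : 0
 Source:
  IP : 8.8.8.8
  Mask : 255.255.255.255
  MAC : 0015-e9a6-7cfe
  Interface : any
  VLAN : 2
 Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.0
 Author ACL:
  Number : 3001
Rule 2
 Inbound interface : all
 Type : static
 Action : permit
 Protocol : 0
 Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  MAC : 0000-0000-0000
  Interface : any
  VLAN : 2
 Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : 80
Rule 4
 Inbound interface : all
 Type : static
 Action : deny
 Protocol : 0
 Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : any
  MAC : 0000-0000-0000
  Interface : any
  VLAN : 2
 Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.0
"""

RULE_RE = re.compile(r"^\s*Rule\s+(\d+)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
# A "Name:" line with no value opens one of these sub-blocks.
SECTIONS = {"source": "source", "destination": "destination", "author acl": "author_acl"}


def parse_portal_acl(text):
    """Return a list of rule dicts; field names are lower-cased."""
    rules, current, section = [], None, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"rule": int(m.group(1)), "source": {},
                       "destination": {}, "author_acl": {}}
            rules.append(current)
            section = None
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value == "" and name in SECTIONS:
            section = SECTIONS[name]
            continue
        (current[section] if section else current)[name] = value
    return rules


def dynamic_user_entries(rules):
    """Map each authenticated user's MAC to (source IP, authorization ACL number)."""
    entries = {}
    for r in rules:
        if r.get("type") == "dynamic":
            entries[r["source"].get("mac")] = (r["source"].get("ip"),
                                               r["author_acl"].get("number", "None"))
    return entries


def static_permit_ports(rules):
    """Destination ports reachable without authentication (static permit rules)."""
    return sorted(r["destination"]["port"] for r in rules
                  if r.get("type") == "static" and r.get("action") == "permit"
                  and "port" in r["destination"])


if __name__ == "__main__":
    parsed = parse_portal_acl(SAMPLE_OUTPUT)
    print(dynamic_user_entries(parsed))   # {'0015-e9a6-7cfe': ('8.8.8.8', '3001')}
    print(static_permit_ports(parsed))    # ['80']
```

Feed the function the captured text of display portal acl all interface ... and compare dynamic_user_entries against the expected user population; a dynamic rule whose Number is None means the RADIUS server assigned no authorization ACL to that user, which is worth a look when per-user ACLs are the intended control.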
   WAIT_AUTHOR_ACK           0
   WAIT_LOGIN_ACK            0
   WAIT_ACL_ACK              0
   WAIT_NEW_IP               0
   WAIT_USERIPCHANGE_ACK     0
   ONLINE                    1
   WAIT_LOGOUT_ACK           0
   WAIT_LEAVING_ACK          0
 Message statistics:
   Msg-Name                Total     Err       Discard
   MSG_AUTHEN_ACK          3         0         0
   MSG_CONTINUE_ACK        0         0         0
   MSG_AUTHOR_ACK          3         0         0
   MSG_LOGIN_ACK           3         0         0
   MSG_LOGOUT_ACK          2         0         0
   MSG_LEAVING_ACK         0         0         0
   MSG_CUT_REQ             0         0         0
   MSG_AUTH_REQ            3         0         0
   MSG_LOGIN_REQ           3         0         0
   MSG_LOGOUT_REQ          2         0         0
   MSG_LEAVING_REQ         0         0         0
   MSG_ARPPKT              0         0         0
   MSG_PORT_REMOVE         0         0

Field               Description
Total               Total number of messages of a specific type.
Err                 Number of erroneous messages of a specific type.
Discard             Number of discarded messages of a specific type.
MSG_AUTHEN_ACK      Authentication acknowledgment message.
MSG_CONTINUE_ACK    Authentication interaction message.
MSG_AUTHOR_ACK      Authorization acknowledgment message.
MSG_LOGIN_ACK       Accounting acknowledgment message.
MSG_LOGOUT_ACK      Accounting-stop acknowledgment message.
MSG_LEAVING_ACK     Leaving acknowledgment message.

display portal free-rule
Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.

Syntax
display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
rule-number: Specifies the number of a portal-free rule. The value range varies with devices. For more information, see About the Command References for HP Unified Wired-WLAN Products.

Field            Description
Mask             Subnet mask of the source IP address in the portal-free rule.
Prefix length    Source IPv6 address prefix in the portal-free rule.
Port             Source transport layer port number in the portal-free rule.
MAC              Source MAC address in the portal-free rule.
SSID             Source SSID in the portal-free rule.
Spot             AP name.
Interface        Source interface in the portal-free rule.
Vlan             Source VLAN in the portal-free rule.
Destination      Destination information in the portal-free rule.
Examples
# Display the portal configuration for interface VLAN-interface 2.
display portal interface vlan-interface 2
 Portal configuration of Vlan-interface2
 IPv4:
  Status: Portal running
  Portal server: servername
  Portal backup-group: 1
  Authentication type: Layer3
  Authentication domain: my-domain
  Authentication network:
   Source IP: 1.1.1.1    Mask : 255.255.0.

display portal local-server
Use display portal local-server to display configuration information about the local portal server, including the supported protocol type, the referenced SSL server policy, and the SSID binding information.

Syntax
display portal local-server [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression.

display portal server
Use display portal server to display information about a specific portal server or all portal servers.

Syntax
display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression.

Field          Description
Server Type    Type of the portal server. IMC represents the HP IMC portal server.
Status         Current status of the portal server. Possible values include:
               • N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.
               • Up—The portal server is referenced on an interface, the portal server detection function is enabled, and the portal server is reachable.

display portal server statistics interface vlan-interface 3
---------------Interface: Vlan-interface3---------------------
 Invalid packets: 0
 Pkt-Name                Total     Discard   Checkerr
 REQ_CHALLENGE           3         0         0
 ACK_CHALLENGE           3         0         0
 REQ_AUTH                3         0         0
 ACK_AUTH                3         0         0
 REQ_LOGOUT              1         0         0
 ACK_LOGOUT              1         0         0
 AFF_ACK_AUTH            3         0         0
 NTF_LOGOUT              1         0         0
 REQ_INFO                6         0         0
 ACK_INFO                6         0         0
 NTF_USERDISCOVER        0         0         0
 NTF_USERIPCHANGE 0 0 0 0 0 AFF_NTF_USERIPCHANGE ACK_NTF_LOGOUT 0 1 NTF_HEARTBEAT

Field            Description
ACK_CHALLENGE    Challenge acknowledgment message the access device sent to the portal server.
REQ_AUTH         Authentication request message the portal server sent to the access device.
ACK_AUTH         Authentication acknowledgment message the access device sent to the portal server.
REQ_LOGOUT       Logout request message the portal server sent to the access device.
ACK_LOGOUT       Logout acknowledgment message the access device sent to the portal server.

Field                       Description
NTF_USER_LOGON              User login notification message the access device sent to the MAC binding server.
RESERVED33                  Reserved.
NTF_USER_LOGOUT             User logoff notification message the access device sent to the MAC binding server.
RESERVED35                  Reserved.
PT_TYPE_REQ_USER_OFFLINE    Forced user offline request the MAC binding server sent to the access device.

display portal tcp-cheat statistics
Use display portal tcp-cheat statistics to display TCP spoofing statistics.

  CLOSE_WAIT: 0
  LAST_ACK: 0
  FIN_WAIT_1: 0
  FIN_WAIT_2: 0
  CLOSING: 0

Table 22 Command output
Field                    Description
TCP Cheat Statistic      TCP spoofing statistics.
Total Opens              Total number of opened connections.
Resets Connections       Number of connections reset through RST packets.
Current Opens            Number of connections being set up.
Packets Received         Number of received packets.
Packets Sent             Number of sent packets.
Packets Retransmitted    Number of retransmitted packets.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
portal auth-network
Use portal auth-network to configure a portal authentication source subnet on an interface.
Use undo portal auth-network to remove a specific portal authentication source subnet or all portal authentication subnets.

Syntax
portal auth-network { ipv4-network-address { mask-length | mask } | ipv6 ipv6-network-address prefix-length }
undo portal auth-network { ipv4-network-address | all | ipv6 ipv6-network-address }

Default
The portal authentication source IPv4 subnet is 0.0.0.

portal backup-group
Use portal backup-group to specify the portal group to which the interface belongs.
Use undo portal backup-group to restore the default.

Syntax
portal backup-group group-id
undo portal backup-group

Default
A portal service backup interface does not belong to any portal group.

Views
Interface view

Default command level
2: System level

Parameters
group-id: Specifies a portal group by its ID, in the range of 1 to 256.

Use undo portal control-mode to restore the default.

Syntax
portal control-mode { mac | ip-mac }
undo portal control-mode

Default
The IP+MAC control mode is used.

Views
Interface view

Default command level
2: System level

Parameters
mac: Specifies the MAC control mode. In this mode, the device allows a packet to pass the interface if the MAC address of the packet is the same as that of a portal authenticated user.
ip-mac: Specifies the IP+MAC control mode.

Views
System view

Default command level
2: System level

Parameters
ipv4-address: Logs off the portal user with the specified IPv4 address.
all: Logs off all portal users.
interface interface-type interface-number: Logs off all IPv4 and IPv6 portal users on the specified interface.
ipv6 ipv6-address: Logs off the portal user with the specified IPv6 address.

Examples
# Log out the portal user whose IP address is 1.1.1.1.
system-view
[Sysname] portal delete-user 1.1.1.

Examples
# Configure the authentication domain for IPv4 portal users on VLAN-interface 100 as my-domain.
system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal domain my-domain

Related commands
display portal interface

portal forbidden-rule
Use portal forbidden-rule to configure a portal-forbidden rule and specify the forbidden resource to access.
Use undo portal forbidden-rule to remove a portal-forbidden rule or all portal-forbidden rules.

system-view
[Sysname] portal forbidden-rule 13 destination tcp 80
# Configure a portal-forbidden rule, denying any packet whose destination IP address is 2.2.2.2/32.
system-view
[Sysname] portal forbidden-rule 14 destination ip 2.2.2.2 mask 32

portal free-rule
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.
Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.

all: Specifies all portal-free rules.

Usage guidelines
If you specify both a source IPv4 address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.
If you specify both a source IPv6 address and a source MAC address in a portal-free rule, the IPv6 address must be a host address with a 128-bit prefix. Otherwise, the specified MAC address does not take effect.
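The usage guideline above describes a silent failure: a portal-free rule that names a source MAC together with a non-host source subnet keeps the subnet match but drops the MAC match, so the rule is broader than its author intended. The following checker is an added example (not the device's own code) that flags that condition, for IPv4 masks given either as a prefix length or in dotted form and for IPv6 prefixes. A rule is modelled as a dict with the keys number, source_ip, source_mask and source_mac; those names and the sample rule set are constructed for this example.

```python
"""Check portal-free rules for the source IP/MAC pitfall the reference describes.

Added example, not the device's own code. Rule dict keys (number,
source_ip, source_mask, source_mac) are this example's own naming; MAC
addresses use the H-H-H format the device prints.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def prefix_length(ip, mask):
    """Normalise a prefix length (int) or dotted IPv4 mask (str) to an int."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False).prefixlen


def check_free_rule(rule):
    """Return a list of findings for one portal-free rule (empty means OK)."""
    findings = []
    num = rule["number"]
    ip, mask, mac = rule.get("source_ip"), rule.get("source_mask"), rule.get("source_mac")

    if mac is not None and not MAC_RE.match(mac.lower()):
        findings.append(f"rule {num}: source MAC {mac!r} is not in H-H-H hexadecimal format")

    if ip is None:
        return findings
    try:
        addr = ipaddress.ip_address(ip)
        plen = prefix_length(ip, mask) if mask is not None else None
    except ValueError as exc:
        findings.append(f"rule {num}: invalid source address or mask ({exc})")
        return findings

    # Per the reference: the MAC takes effect only when the source IP is a
    # host address (32-bit mask for IPv4, 128-bit prefix for IPv6).
    host_len = 32 if addr.version == 4 else 128
    if mac is not None and plen != host_len:
        findings.append(
            f"rule {num}: source MAC {mac} is silently ignored because {ip}/{plen} "
            f"is not a host address (a /{host_len} mask or prefix is required)")
    return findings


def check_free_rules(rules):
    """Findings for a whole rule set, keyed by rule number."""
    return {r["number"]: check_free_rule(r) for r in rules}


# Constructed sample rule set.
SAMPLE_RULES = [
    {"number": 1, "source_ip": "10.1.1.5", "source_mask": 32, "source_mac": "0015-e9a6-7cfe"},
    {"number": 2, "source_ip": "10.1.1.0", "source_mask": "255.255.255.0", "source_mac": "0015-e9a6-7cfe"},
    {"number": 3, "source_ip": "2001:db8::1", "source_mask": 64, "source_mac": "0015-e9a6-7cfe"},
    {"number": 4, "source_ip": "10.1.1.0", "source_mask": 24, "source_mac": None},
]

if __name__ == "__main__":
    for num, found in check_free_rules(SAMPLE_RULES).items():
        print(num, found or "ok")
```

Rules 1 and 4 pass; rule 2 (a /24 with a MAC) and rule 3 (a /64 with a MAC) are reported, because on the device both would match on the subnet alone.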
Syntax
portal host-check dhcp-snooping
undo portal host-check dhcp-snooping

Default
By default, the device performs host identity check through ARP entries.

Views
System view

Default command level
2: System level

Examples
# Enable host identity check through DHCP snooping entries.

If you specify HTTP in this command, the redirection URL for HTTP packets is in the format http://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTP. If you specify HTTPS in this command, the redirection URL for HTTP packets is in the format https://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTPS.

Default command level
2: System level

Parameters
ssid ssidname&<1-10>: Specifies the SSIDs to be bound. The ssidname argument indicates the identifier of an SSID service template, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, numerals, and spaces, but cannot include spaces at the beginning or end of the string and cannot be f, fi, fil, or file. &<1-10> indicates that you can specify one to ten SSIDs.
file filename: Specifies the file to be bound.

Default command level
2: System level

Examples
# Enable logging for portal packets.
system-view
[Sysname] portal log packet

portal mac-trigger enable
Use portal mac-trigger enable to enable MAC-based quick portal authentication (also referred to as MAC-triggered authentication) on an interface.
Use undo portal mac-trigger enable to restore the default.
• Use portal server to specify the MAC binding server's IP address as the portal server's IP address, and specify any name for the portal server. You do not need to specify other parameters in the portal server command.

Examples
# Enable MAC-triggered authentication on VLAN-interface 1, specify the traffic inspection interval as 300 seconds, and specify the traffic threshold as 10240 bytes.

Syntax
portal mac-trigger server ip ip-address [ port port-number ]
undo portal mac-trigger server

Default
No MAC binding server is specified.

Views
System view

Default command level
2: System level

Parameters
ip ip-address: Specifies the IPv4 address of a MAC binding server.
port port-number: Specifies the UDP port number that the MAC binding server uses to listen to the MAC binding requests from the access device. The value range for the port-number argument is 1 to 65534, and the default is 50100.

Parameters
max-number: Specifies the maximum number of online portal users allowed in the system. The value range and default value vary with the device model.

Usage guidelines
If the maximum number of portal users specified in the command is less than the number of current online portal users, the command is executed successfully and does not affect the online portal users, but the system does not allow new portal users to log in until the number drops below the limit.

portal nas-id-profile
Use portal nas-id-profile to specify a NAS ID profile for the interface.
Use undo portal nas-id-profile to cancel the configuration.

Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile

Default
An interface is not specified with any NAS ID profile.

Views
Interface view

Default command level
2: System level

Parameters
profile-name: Specifies the name of the profile that defines the binding relationship between VLANs and NAS IDs.

Default
No source IP address is specified for outgoing portal packets on an interface, and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets.

Views
Interface view

Default command level
2: System level

Parameters
ipv4-address: Specifies a source IPv4 address for outgoing portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Usage guidelines
If the device uses a RADIUS server for authentication, authorization, and accounting of portal users, then when a portal user logs on from an interface, the device sends a RADIUS request that carries the NAS-Port-ID attribute to the RADIUS server.

Examples
# Specify the NAS-Port-ID value of VLAN-interface 2 as ap1.

Syntax
portal redirect-url url-string [ wait-time period ]
undo portal redirect-url

Default
An authenticated portal user is redirected to the URL that the user entered in the address bar before portal authentication.

Views
System view

Default command level
2: System level

Parameters
url-string: Specifies the autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.

Parameters
server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.
ip ipv4-address: Specifies the IPv4 address of the portal server. If you specify the local portal server, the IP address specified must be that of a Layer 3 interface on the device and must be reachable from the portal clients. In portal stateful failover environments, however, HP recommends specifying the virtual IP address of the VRRP group to which the downlink belongs.

system-view
[Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.111/portal

Related commands
display portal server

portal server banner
Use portal server banner to configure the welcome banner of the default webpage provided by the local portal server.
Use undo portal server banner to restore the default.

Syntax
portal server banner banner-string
undo portal server banner

Default
No webpage welcome banner is configured.

Default
Layer 3 portal authentication is disabled on an interface.

Views
Interface view

Default command level
2: System level

Parameters
server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters.
method: Specifies the authentication mode to be used.
  direct: Specifies direct authentication.
  layer3: Specifies cross-subnet authentication.
  redhcp: Specifies re-DHCP authentication.

Usage guidelines
The specified portal server must exist.

portal server server-detect
Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
Use undo portal server server-detect to cancel the detection of the specified portal server.

• permit-all: Specifies the action as disabling portal authentication—enabling portal authentication bypass. When the device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, allowing all portal users on this interface to access network resources.
portal server user-sync
Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packet received from the specified portal server, so that the online user information on the device and the portal server stays consistent.

Examples
# Configure the device to synchronize portal user information with portal server pts:
• Setting the synchronization probe interval to 600 seconds.
• Specifying that the device logs off users whose information is absent from the user synchronization packets sent by the server in two consecutive probe intervals.

4. Uses the global NAS ID configured by using the portal nas-id command.
After the previous operations, if no NAS ID is found, the redirection URL does not carry the NAS ID.

Examples
# Configure carrying the NAS ID parameter in the redirection URL, with the parameter name wlannasid.
system-view
[Sysname] portal url-param include nas-id param-name wlannasid
After the previous configuration, if the NAS ID is test, the redirection URL the device sent to the client 10.1.2.

Examples
# Add Web proxy server port number 8080 on the device, so that users using a Web proxy server with that port number can be redirected to the portal authentication page.
system-view
[Sysname] portal web-proxy port 8080

portal wlan ssid
Use portal wlan ssid to associate an SSID and AP name with a portal server and authentication domain.

Related commands
• domain
• portal free-rule
• portal server
• nas-id, nas-port-id, and service-template (WLAN Command Reference)

portal wlan ssid-switch
Use portal wlan ssid-switch logoff to enable forced logoff for users who switch SSIDs.
Use undo portal wlan ssid-switch logoff to restore the default.

Syntax
portal wlan ssid-switch logoff
undo portal wlan ssid-switch logoff

Default
Wireless portal users are not logged off after switching SSIDs.

Examples
# Clear portal connection statistics on interface VLAN-interface 2.
reset portal connection statistics interface vlan-interface 2

reset portal server statistics
Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.

Syntax
reset portal server statistics { all | interface interface-type interface-number }

Views
User view

Default command level
1: Monitor level

Parameters
all: Specifies all interfaces.

undo web-redirect

Default
This function is not configured on an interface.

Views
Interface view

Default command level
2: System level

Parameters
url-string: Specifies the URL address to which a Web access request is to be redirected.
interval interval: Specifies the redirection interval in the range of 60 to 86400 seconds. The default is 86400 seconds.

Usage guidelines
You cannot configure both the portal function and the mandatory webpage pushing function on an interface.
Port security configuration commands

display port-security
Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.

 Ten-GigabitEthernet1/0/2 is link-up
 WLAN-ESS1 is link-down
   Port mode is userLoginWithOUI
   NeedToKnow mode is disabled
   Intrusion Protection mode is NoAction
   Max MAC address number is not configured
   Stored MAC address number is 0
   Authorization is permitted
   Synchronization is disabled

Table 24 Command output
Field                      Description
Equipment port-security    Whether port security is enabled.
Trap                       Whether the trap function is enabled.

Field                        Description
Stored MAC address number    Number of MAC addresses stored.
Authorization                Whether the authorization information from the server is ignored:
                             • permitted—Authorization information from the RADIUS server takes effect.
                             • ignored—Authorization information from the RADIUS server does not take effect.
Synchronization              Stateful failover status for port security. Port security supports only 802.1X stateful failover.

Usage guidelines
With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Examples
# Display information about all blocked MAC addresses.
display port-security mac-address block
 MAC ADDR           From Port      VLAN ID
 000f-e280-d70c     WLAN-ESS0      1
--- 1 mac address(es) found ---

Table 25 Command output
Field       Description
MAC ADDR    Blocked MAC address.
From Port   Port that received frames whose source address is the blocked MAC address.

Usage guidelines
If the interface interface-type interface-number parameters are not provided, the command displays information about PSK users on all ports.

Examples
# Display information about PSK users on all ports.
display port-security preshared-key user
 Index   Mac-Address        VlanID   Interface
 ----------------------------------------------------
 0       000a-eba2-7f9d     1        WLAN-DBSS1:0
 1       000a-eba2-7f9d     2        WLAN-DBSS1:1
# Display information about PSK users on the specified WLAN-DBSS port.

Examples
# Configure port WLAN-ESS 1 to ignore the authorization information from the authentication server.
system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] port-security authorization ignore

Related commands
display port-security

port-security enable
Use port-security enable to enable port security.
Use undo port-security enable to disable port security.

Syntax
port-security enable
undo port-security enable

Default
Port security is enabled.

port-security intrusion-mode
Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the predefined actions when intrusion protection is triggered on the port.
Use undo port-security intrusion-mode to restore the default.

Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode

Default
Intrusion protection is disabled.

Syntax
port-security max-mac-count count-value
undo port-security max-mac-count

Default
Port security has no limit on the number of MAC addresses on a port.

Views
Layer 2 Ethernet interface view, WLAN-ESS interface view, WLAN-MESH interface view

Default command level
2: System level

Parameters
count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value range is 1 to 1024.

Usage guidelines
In any other mode that enables 802.

Views
System view, interface view

Default command level
3: Manage level

Parameters
profile-name: Specifies the name of a profile that defines NAS ID-VLAN bindings. The profile name is a case-insensitive string of 1 to 16 characters. To create a profile, use the aaa nas-id profile command (see "AAA configuration commands").

Usage guidelines
You can specify only one NAS ID profile for port security, in either system view or interface view.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Usage guidelines
The need to know (NTK) feature checks the destination MAC addresses in outbound frames so that frames are sent only to devices that have passed authentication, preventing unauthorized devices from intercepting network traffic.
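To make the NTK forwarding decision concrete, the following model is an added example, not the device's own code. It decides, for each NTK mode, whether an outbound frame leaves the port, given the set of destination MACs that have passed authentication. The two modes listed above are modelled as described; ntk-withbroadcasts (broadcast frames plus authenticated unicast, without multicast) is the third keyword of the same command on these platforms and is included for completeness, and "disabled" stands for NTK being off. The frame list and the authenticated-MAC set are constructed for the example.

```python
"""Model of the need-to-know (NTK) outbound check described above.

Added example, not the device's own code. MAC addresses use the H-H-H
notation the device prints. The frame types follow the reference: the
low bit of the first octet marks a group (multicast) address, and
ffff-ffff-ffff is broadcast.
"""

BROADCAST = "ffff-ffff-ffff"
MODES = ("disabled", "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def is_multicast(mac):
    """True for group addresses: the low bit of the first octet is set."""
    return int(mac[:2], 16) & 0x01 == 1


def ntk_forwards(mode, dst_mac, authenticated_macs):
    """Decide whether a frame to dst_mac is sent out of the port under an NTK mode.

    authenticated_macs: MAC addresses of users who have passed authentication.
    """
    if mode not in MODES:
        raise ValueError(f"unknown NTK mode {mode!r}")
    dst = dst_mac.lower()
    if mode == "disabled":          # NTK off: every frame is forwarded
        return True
    if dst == BROADCAST:            # broadcast: allowed unless ntkonly
        return mode != "ntkonly"
    if is_multicast(dst):           # multicast: only ntk-withmulticasts
        return mode == "ntk-withmulticasts"
    # unicast: only to a destination that passed authentication
    return dst in {m.lower() for m in authenticated_macs}


def filter_frames(mode, frames, authenticated_macs):
    """Return the (dst_mac, hint) pairs that would actually be transmitted."""
    return [f for f in frames if ntk_forwards(mode, f[0], authenticated_macs)]


# Constructed sample: one authenticated user and one station that
# associated but never passed authentication.
AUTHENTICATED = {"000f-e280-d70c"}
SAMPLE_FRAMES = [
    ("000f-e280-d70c", "unicast to authenticated user"),
    ("000a-eba2-7f9d", "unicast to unauthenticated station"),
    ("0100-5e00-0001", "IPv4 all-hosts multicast"),
    ("ffff-ffff-ffff", "ARP broadcast"),
]

if __name__ == "__main__":
    for mode in MODES:
        sent = [hint for _, hint in filter_frames(mode, SAMPLE_FRAMES, AUTHENTICATED)]
        print(f"{mode:20s} {sent}")
```

The unicast frame addressed to the unauthenticated station is dropped in every NTK mode, which is the property the feature exists to provide; the modes differ only in how much broadcast and multicast traffic an unauthenticated station can still observe.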
Examples
# Configure an OUI value of 000d2a, setting the index to 4.
system-view
[Sysname] port-security oui 000d-2a10-0033 index 4
Related commands
display port-security

port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.

Keyword | Security mode | Description
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
psk | presharedKey | In this mode, a user must use a pre-configured static key, also called "the PSK," to negotiate with the device and can access the port only after the negotiation succeeds.
Usage guidelines
To change the security mode of a port enabled with port security, you must set the port to noRestrictions mode first. When the port has online users, you cannot change the port security mode. When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.

Default command level
2: System level
Parameters
pass-phrase: Enters a PSK in the form of a character string.
raw-key: Enters a PSK in the form of a hexadecimal number.
cipher: Sets a ciphertext PSK.
simple: Sets a plaintext PSK.
key: Specifies the PSK. This argument is case sensitive. If simple is specified, it must be a non-hexadecimal string of 8 to 63 characters or a 64-character hexadecimal string. If cipher is specified, it must be a ciphertext string of 8 to 117 characters.

Default command level
2: System level
Usage guidelines
If port security stateful failover is enabled on the WLAN-ESS interfaces with the same interface number on two devices that back up each other, the 802.1X client information on the local WLAN-ESS interface is synchronized to the peer WLAN-ESS interface in real time. The WLAN-DBSS interface created by the WLAN-ESS interface automatically copies the port security stateful failover configuration of the WLAN-ESS interface.
[Sysname-WLAN-ESS1] port-security intrusion-mode disableport-temporarily
Related commands
display port-security

port-security trap
Use port-security trap to enable port security traps.
Use undo port-security trap to disable port security traps.

Usage guidelines
You can enable certain port security traps for monitoring user behaviors.
Examples
# Enable MAC address learning traps.
system-view
[Sysname] port-security trap addresslearned
Related commands
display port-security

port-security tx-key-type 11key
Use port-security tx-key-type 11key to enable key negotiation of the 11key type.
Use undo port-security tx-key-type to disable key negotiation of the 11key type.

User profile configuration commands

display user-profile
Use display user-profile to display information about all existing user profiles.
Syntax
display user-profile [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
user-profile profile-name enable
undo user-profile profile-name enable
Default
A created user profile is disabled.
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can contain only English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
Usage guidelines
Only enabled user profiles can be applied to authenticated users.

Parameters
profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can contain only English letters, digits, and underscores, and it must start with an English letter. A user profile name must be globally unique.
Examples
# Create user profile a123.
system-view
[Sysname] user-profile a123
[Sysname-user-profile-a123]
# Enter the user profile view of a123.

Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display password-control
Use display password-control to display the password control configuration.
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 29 Command output
Field | Description
Password control | Whether the password control feature is enabled.

Views
Any view
Default command level
2: System level
Parameters
user-name name: Specifies a user by name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.

Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password include the following types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 31.
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....

password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use undo password-control { aging | composition | history | length } enable to disable the specified function.

# Enable the password composition restriction function.
[Sysname] password-control composition enable
# Enable the password aging function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.

Examples
# Globally set the passwords to expire after 80 days.
system-view
[Sysname] password-control aging 80
# Set the passwords for user group test to expire after 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password for local user abc to expire after 100 days.

password-control authentication-timeout
Use password-control authentication-timeout to set the user authentication timeout time.
Use undo password-control authentication-timeout to restore the default.
Syntax
password-control authentication-timeout authentication-timeout
undo password-control authentication-timeout
Default
The default is 60 seconds.
Usage guidelines
You can enable both username checking and repeated character checking. After password complexity checking is enabled, passwords that do not comply with the complexity policy are refused.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

• The policy in local user view applies only to the local user.
A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.
• If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
• If no policy is configured for the user group, the system uses the global policy.
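The complexity checks and the composition-policy scope rules described above, modelled in Python as an added example (not HP code). The special-character set and the "three identical characters in a row" rule for repeated-character checking are assumptions; the manual defers the character table to Table 31 and does not spell out the repetition rule.

```python
"""Password policy checks modelled on the password-control commands above.

This is an added example, not HP code. It models three things the manual
describes: the composition policy (number of character types and characters
per type), complexity checking (username checking and repeated-character
checking), and scope resolution (local user view, then user group, then global).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed special-character set; the manual defers the exact list to Table 31.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass(frozen=True)
class CompositionPolicy:
    types: int      # minimum number of character types the password must contain
    per_type: int   # minimum number of characters of each required type


def resolve_policy(local: Optional[CompositionPolicy],
                   group: Optional[CompositionPolicy],
                   global_policy: CompositionPolicy) -> CompositionPolicy:
    """Smaller scope has higher priority: local user view, then user group, then global."""
    if local is not None:
        return local
    if group is not None:
        return group
    return global_policy


def character_type_counts(password: str) -> Optional[dict]:
    """Count characters per type; return None if a character is outside the four valid types."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
        else:
            return None
    return counts


def check_composition(password: str, policy: CompositionPolicy) -> List[str]:
    """Require at least policy.types types, each with at least policy.per_type characters."""
    counts = character_type_counts(password)
    if counts is None:
        return ["invalid character: only letters, digits and special characters are allowed"]
    satisfied = sum(1 for c in counts.values() if c >= policy.per_type)
    if satisfied < policy.types:
        return [f"composition: need {policy.types} type(s) with at least "
                f"{policy.per_type} character(s) each, found {satisfied}"]
    return []


def check_complexity(password: str, username: str,
                     username_checking: bool = True,
                     repeated_checking: bool = True) -> List[str]:
    """Username checking refuses a password containing the username or its reverse.
    Repeated-character checking is modelled (assumption) as refusing any character
    that appears three or more times in a row."""
    problems = []
    if username_checking and (username in password or username[::-1] in password):
        problems.append("complexity: password contains the username or its reverse")
    if repeated_checking and re.search(r"(.)\1\1", password):
        problems.append("complexity: a character is repeated three or more times consecutively")
    return problems


def validate_password(password: str, username: str,
                      policy: CompositionPolicy, min_length: int) -> List[str]:
    """Return the list of policy violations (empty means the password is accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length: {len(password)} characters, minimum is {min_length}")
    problems += check_composition(password, policy)
    problems += check_complexity(password, username)
    return problems


if __name__ == "__main__":
    # Constructed sample: group policy wins because no local-user policy is set.
    policy = resolve_policy(None, CompositionPolicy(2, 1), CompositionPolicy(1, 1))
    for candidate in ("Abcdef1!", "tsetXyz12!!!", "Str0ngPass#2014"):
        print(candidate, validate_password(candidate, "test", policy, 10))
```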
Usage guidelines
A specific password control function takes effect only after the password control feature is enabled globally.
Examples
# Enable the password control feature globally.
system-view
[Sysname] password-control enable
Related commands
display password-control

password-control expired-user-login
Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Default command level
2: System level
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.
Examples
# Set the maximum number of history password records for each user to 10.

• The setting in local user view applies only to the local user.
A minimum password length setting with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.
• If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.

Examples
# Set the maximum account idle time to 30 days.
system-view
[Sysname] password-control login idle-time 30
Related commands
display password-control

password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Examples
# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.
system-view
[Sysname] password-control login-attempt 4 exceed lock
# Use the user account test to log in to the device, and enter an incorrect password four times.
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.

Default
The minimum password update interval is 24 hours.
Views
System view
Default command level
2: System level
Parameters
interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirement for the password update interval.
Usage guidelines
This function is not effective on a user who is prompted to change the password at the first login or after the password expires.
Examples
# Set the minimum password update interval to 36 hours.

Examples
# Set the super passwords to expire after 10 days.
system-view
[Sysname] password-control super aging 10
Related commands
password-control aging

password-control super composition
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
password-control super length
Use password-control super length to set the minimum length for super passwords.
Use undo password-control super length to restore the default.
Syntax
password-control super length length
undo password-control super length
Default
The minimum super password length is the same as the global setting.
Views
System view
Default command level
2: System level
Parameters
length: Specifies the minimum length for super passwords in characters.

user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 80 characters.
Examples
# Delete the user named test from the password control blacklist.
Public key configuration commands

display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Syntax
display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
dsa: Specifies a DSA key pair.
rsa: Specifies an RSA key pair.
|: Filters command output by specifying a regular expression.

Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
Table 32 Command output
Field | Description
Time of Key pair created | Date and time when the local asymmetric key pair was created.
Key name | Key name:
• HOST_KEY—Host public key.
• SERVER_KEY—Server public key.
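The Key code field above is a DER-encoded SubjectPublicKeyInfo. The following added example (not HP code) parses that exact key code with a minimal DER reader, recovers the RSA modulus and exponent, and reports the key size so an auditor can spot key pairs created with a modulus below a chosen minimum; the 2048-bit threshold is an assumed policy value, not a setting from the manual.

```python
"""Parse the DER RSA public key that display public-key local public prints
as its Key code field, and flag key sizes below a defender's minimum.

Added example, not HP code. The key code below is copied from the command
output in the manual (its three printed lines joined). Only the DER subset
needed for an rsaEncryption SubjectPublicKeyInfo is implemented; no external
library is required.
"""
from typing import Tuple

RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

# Key code from the display output above, with the three printed lines joined.
KEY_CODE_FROM_MANUAL = (
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75"
    "1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02X}), got tag 0x{tag:02X}")


def parse_rsa_spki(hex_key_code: str) -> Tuple[int, int]:
    """Return (modulus, public exponent) from a hex SubjectPublicKeyInfo for rsaEncryption."""
    buf = bytes.fromhex("".join(hex_key_code.split()))   # tolerate wrapped display output
    tag, spki, end = read_tlv(buf, 0)
    expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    if end != len(buf):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    tag, alg, pos = read_tlv(spki, 0)
    expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    expect(tag, 0x06, "algorithm OID")
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)
    expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bitstr[0] != 0:                      # first octet of a BIT STRING = unused bit count
        raise ValueError("unexpected unused bits in subjectPublicKey")
    tag, rsa, _ = read_tlv(bitstr[1:], 0)
    expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, pos = read_tlv(rsa, 0)
    expect(tag, 0x02, "modulus INTEGER")
    tag, e_bytes, _ = read_tlv(rsa, pos)
    expect(tag, 0x02, "publicExponent INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def assess_rsa_key(hex_key_code: str, min_bits: int = 2048) -> dict:
    """Summarise the key and list findings: short modulus, even modulus, bad exponent."""
    n, e = parse_rsa_spki(hex_key_code)
    bits = n.bit_length()
    findings = []
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit minimum")
    if n % 2 == 0:
        findings.append("modulus is even, which is not a valid RSA modulus")
    if e < 3 or e % 2 == 0:
        findings.append(f"public exponent {e} is not a valid odd exponent")
    return {"bits": bits, "exponent": e, "acceptable": not findings, "findings": findings}


if __name__ == "__main__":
    print(assess_rsa_key(KEY_CODE_FROM_MANUAL))
```

The key shown in the manual's own output is a 768-bit RSA key with exponent 65537; the assessment marks it as below a 2048-bit minimum, and the same check applies to the 1024-bit default modulus that public-key local create offers.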
Usage guidelines
If you do not specify the brief keyword or the name publickey-name option, the command displays detailed information about all locally saved peer public keys. You can use the public-key peer command or the public-key peer import sshkey command to get a local copy of a peer public key.
Examples
# Display detailed information about the peer host public key named idrsa.

peer-public-key end
Use peer-public-key end to return from public key view to system view.
Syntax
peer-public-key end
Views
Public key view
Default command level
2: System level
Related commands
public-key peer
Examples
# Exit public key view.
system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]

public-key-code begin
Use public-key-code begin to enter public key code view.

[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
Related commands
• public-key peer
• public-key-code end

public-key-code end
Use public-key-code end to return from public key code view to public key view and to save the configured public key.
public-key local create
Use public-key local create to create local asymmetric key pairs. The created local key pairs are automatically saved, and can survive a reboot.
Syntax
public-key local create { dsa | rsa }
Default
No asymmetric key pair exists.
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies a DSA key pair.
rsa: Specifies an RSA key pair.

It will take a few minutes. Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Related commands
• public-key local destroy
• display public-key local public

public-key local destroy
Use public-key local destroy to destroy the local asymmetric key pairs.
Syntax
public-key local destroy { dsa | rsa }
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies a DSA key pair.

Default command level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for saving the local host public key. For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the local DSA host public key depends on the presence of the filename argument. SSH2.0 and OpenSSH are different public key formats.
public-key local export rsa
Use public-key local export rsa without the filename argument to display the host public key of the local RSA key pairs in a specific key format.
Use public-key local export rsa with the filename argument to export the host public key of the local RSA key pairs to a specific file.

t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
Related commands
• public-key local create
• public-key local destroy

public-key peer
Use public-key peer to specify a name for the peer public key and enter public key view.
Use undo public-key peer to remove the public key.

public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file that saves the peer host public key.

PKI configuration commands

attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name, and alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string abc.
system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string abc.

Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Specifies an entity for certificate request by the entity name, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.

system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca

certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.

certificate request polling
Use certificate request polling to specify the certificate request polling interval and attempt limit.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling is executed every 20 minutes for up to 50 times.

Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution.
Examples
# Specify the URL of the server for certificate request.
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code. For example, CN represents China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Specifies the country code for the entity, a case-insensitive string of two characters.

Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.

Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
display pki certificate local domain 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer: emailAddress=myca@aabbcc.

Field | Description
Issuer | Issuer of the certificate.
Validity | Validity period of the certificate.
Subject | Entity holding the certificate.
Subject Public Key Info | Public key information of the entity.
X509v3 extensions | Extensions of the X.509 (version 3) certificate.
X509v3 CRL Distribution Points | Distribution points of X.509 (version 3) CRLs.

Table 37 Command output
Field | Description
access-control-policy | Name of the certificate access control policy.
rule number | Number of the access control rule.

display pki certificate attribute-group
Use display pki certificate attribute-group to display information about one or all certificate attribute groups.

Field | Description
abc | Value of attribute 1.
issuer-name | Name of the certificate issuer.
fqdn | FQDN of the entity.
nctn | Not-contain operation.
app | Value of attribute 2.

display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2013 GMT
CRL entry extensions:…
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2013 GMT
CRL entry extensions:…
Table 39 Command output
Field | Description
Version | Version of the CRL.
Signature Algorithm | Signature algorithm used by the CRLs.
Issuer | CA issuing the CRLs.
Last Update | Last update time.
Next Update | Next update time.
CRL extensions | Extensions of the CRL.
Parameters
name-str: Specifies the FQDN for an entity, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com

ip (PKI entity view)
Use ip to configure the IP address of an entity.

Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies an LDAP server by its IP address, in dotted decimal format.
port-number: Specifies the port number of the LDAP server, in the range of 1 to 65535. The default is 389.
version-number: Specifies the LDAP version number, either 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.

organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Specifies the organization name, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples
# Configure the name of the organization unit to which an entity belongs as group1.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1

pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate access control policy and enter its view.
Use undo pki certificate access-control-policy to remove one or all certificate access control policies.
Default command level
2: System level
Parameters
group-name: Specifies a name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.

Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a name for the PKI domain, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]

pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.

pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
der: Specifies the DER certificate format.

Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, such as phone, disk, or email.
domain-name: Specifies the name of the PKI domain used for certificate request.
Examples
# Retrieve the CA certificate from the certificate issuing server.
system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain

pki retrieval-crl domain
Use pki retrieval-crl domain to retrieve the latest CRLs from the server for CRL distribution.

local: Verifies the local certificate.
domain-name: Specifies the name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.

[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.

Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: Specifies the state or province name, a case-insensitive string of 1 to 31 characters. Commas cannot be included.
Examples
# Specify the state where an entity resides.
SSH configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

SSH server configuration commands

display ssh server
Use the display ssh server command on an SSH server to display the SSH server status or sessions.

Table 40 Command output
Field | Description
SSH Server | Whether the SSH server function is enabled.
SSH version | SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout | Authentication timeout timer.
SSH server key generating interval | SSH server key pair update interval.
SSH Authentication retries | Maximum number of SSH authentication attempts.
SFTP Server | Whether the Secure FTP (SFTP) server function is enabled.

display ssh user-information
Use the display ssh user-information command on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.

Field | Description
Service-type | Service type: SFTP, Stelnet, SCP, or all. If all authentication methods are supported, this field displays all.
Related commands
ssh user

sftp server enable
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be promptly released.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.

Examples
# Set the maximum number of SSH connection authentication attempts to 4.
system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server

ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.

undo ssh server compatible-ssh1x
Default
The SSH server supports SSH1 clients.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only on the clients at next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server

ssh server enable
Use ssh server enable to enable the SSH server function.

Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0. The system does not update the RSA server key pair.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24.

Default command level
3: Manage level
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type for an SSH user:
• all: Specifies Stelnet, SFTP, and SCP.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user.
• password: Specifies password authentication.
If you use the ssh user command to specify a public key or PKI domain for a user multiple times, the most recent configuration takes effect. You can change parameters for an SSH user that has logged in, but your changes take effect only on the user at next login. If an SFTP or SCP user has been assigned a public key or PKI domain, it is necessary to set a working folder for the user.
cd Use cd to change the working path on an SFTP server. Syntax cd [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters remote-path: Specifies the name of a path on the server. If this argument is not specified, this command displays the current working path. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system. Examples # Change the working path to new1.
Syntax delete remote-file&<1-10> Views SFTP client view Default command level 3: Manage level Parameters remote-file&<1-10>: Specifies the names of files on the server. &<1-10> means that you can provide up to 10 file names, which are separated by spaces. Usage guidelines This command functions as the remove command. Examples # Delete the file temp.c from the server. sftp-client> delete temp.c The following files will be deleted: /temp.
Examples # Display detailed information about the files and subdirectories under the current working directory in a list.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.
Syntax display ssh client source [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines This command is also available on an SFTP client. When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client. Examples # Display the mappings between SSH servers and their host public keys on the client.
get Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Default command level 3: Manage level Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Name for the local file. If this argument is not specified, the file will be saved locally with the same name as that on the SFTP server. Examples # Download file temp1.c and save it as temp.c locally. sftp-client> get temp1.c temp.
ls Use ls to display file and folder information under a directory. Syntax ls [ -a | -l ] [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters -a: Displays the file names and folder names under a directory. -l: Displays in a list form detailed information of the files and folders under a directory. remote-path: Specifies the name of the directory to be queried.
Examples # Create a directory named test on the SFTP server. sftp-client> mkdir test New directory created put Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Default command level 3: Manage level Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file will be saved remotely with the same name as the local one.
Syntax quit Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server. sftp-client> quit Bye Connection closed. remove Use remove to delete files from a remote server. Syntax remove remote-file&<1-10> Views SFTP client view Default command level 3: Manage level Parameters remote-file&<1-10>: Specifies the names of files on an SFTP server.
rename Use rename to change the name of the specified file or directory on an SFTP server. Syntax rename oldname newname Views SFTP client view Default command level 3: Manage level Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies a new name for the file or directory. Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp-client> rename temp1.c temp2.
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode: scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ desti
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
sftp server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * Views User view Default command level 3: Manage level Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters. port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
Usage guidelines When the client's authentication method is publickey, the client must obtain the local private key that produces the digital signature. In non-FIPS mode, publickey authentication can use either the RSA or the DSA algorithm, so you must specify the algorithm with the identity-key keyword; this is how the client selects the correct local private key.
ipv6 ipv6-address: Specifies a source IPv6 address. Usage guidelines HP recommends that you specify a loopback interface or dialer interface as the source interface for SFTP packets for the following purposes: • Ensuring the communication between SFTP client and the SFTP server. • Improving the manageability of SFTP clients in the authentication service. Examples # Specify the source IPv6 address of SFTP packets as 2:2::2:2.
Related commands display sftp client source sftp ipv6 Use sftp ipv6 to establish a connection to an IPv6 SFTP server and enter SFTP client view.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
undo ssh client authentication server server assign publickey Default The name of the server's host public key is not specified. When the client logs into a server, it uses the IP address or host name of the server as the public key name. Views System view Default command level 2: System level Parameters server: Specifies a server by IP address or host name, a string of 1 to 80 characters. assign publickey keyname: Specifies the name of the server's host public key, a string of 1 to 64 characters.
Usage guidelines When a client not configured with the server's host public key accesses the server for the first time, one of the following conditions exists: • If first-time authentication is disabled, the client refuses to access the server. To enable the client to access the server, you must complete the following tasks in advance: a. Configure the server's host public key locally. b. Specify the public key name for authentication.
Examples # Specify the source IPv6 address as 2:2::2:2 for SSH packets. system-view [Sysname] ssh client ipv6 source ipv6 2:2::2:2 Related commands display ssh client source ssh client source Use ssh client source to specify the source IPv4 address or source interface of SSH packets. Use undo ssh client source to remove the configuration.
Syntax In non-FIPS mode: ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher { aes128 |
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Views User view Default command level 0: Visit level Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters. port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22. identity-key: Specifies the public key algorithm for the client, either dsa or rsa. • dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode. • rsa: Specifies the public key algorithm rsa.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm                                In non-FIPS mode     In FIPS mode
Public key algorithm                               dsa                  rsa
Preferred client-to-server encryption algorithm    aes128               aes128
Preferred client-to-server HMAC algorithm          sha1-96              sha1-96
Preferred key exchange algorithm                   dh-group-exchange    dh-group14
Preferred server-to-client encryption algorithm    aes128               aes128
Preferred server-to-client HMAC algorithm          sha1-96              sha1-96
Examples # Log in to Stelnet
SSL configuration commands
ciphersuite
Use ciphersuite to specify the cipher suites for an SSL server policy to support.
Syntax
In non-FIPS mode:
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
In FIPS mode:
ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *
Default An SSL server policy supports all cipher suites.
[Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha Related commands display ssl server-policy client-verify enable Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication. Use undo client-verify enable to restore the default. Syntax client-verify enable undo client-verify enable Default The SSL server does not require certificate-based SSL client authentication.
Syntax client-verify weaken undo client-verify weaken Default SSL client weak authentication is disabled. Views SSL server policy view Default command level 2: System level Usage guidelines The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication. If the SSL server requires certificate-based client authentication and SSL client weak authentication is enabled, whether the client is authenticated is left to the client.
Views SSL server policy view Default command level 2: System level Examples # Set the SSL connection close mode to wait. system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] close-mode wait Related commands display ssl server-policy display ssl client-policy Use display ssl client-policy to view information about one or all SSL client policies.
Table 44 Command output
Field                Description
SSL Client Policy    SSL client policy name.
SSL Version          Version of the protocol used by the SSL client policy: SSL 3.0 or TLS 1.0.
PKI Domain           PKI domain of the SSL client policy.
Prefer Ciphersuite   Preferred cipher suite of the SSL client policy.
Server-verify        Whether server authentication is enabled for the SSL client policy.
display ssl server-policy
Use display ssl server-policy to view information about one or all SSL server policies.
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
Client-verify weaken: disabled
Table 45 Command output
Field               Description
SSL Server Policy   SSL server policy name.
PKI Domain          PKI domain used by the SSL server policy. If no PKI domain is specified for the SSL server policy, nothing is displayed for this field, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server.
Usage guidelines If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process. Examples # Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.
• display ssl client-policy prefer-cipher Use prefer-cipher to specify the preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default.
Related commands display ssl client-policy server-verify enable Use server-verify enable to enable certificate-based SSL server authentication so that the SSL client authenticates the server by the server’s certificate during the SSL handshake process. Use undo server-verify enable to disable certificate-based SSL server authentication. When certificate-based SSL server authentication is disabled, it is assumed that the SSL server is valid.
Parameters cachesize size: Specifies the maximum number of cached sessions. The range is 100 to 1000. timeout time: Specifies the caching timeout time in seconds. The range is 1800 to 72000. Usage guidelines It is a complicated process to use the SSL handshake protocol to negotiate session parameters and establish sessions. To simplify the process, SSL allows reusing negotiated session parameters to establish sessions. This feature requires that the SSL server maintain information about existing sessions.
Related commands display ssl client-policy ssl server-policy Use ssl server-policy to create an SSL server policy and enter its view. Use undo ssl server-policy to delete a specified SSL server policy or all SSL server policies.
undo version Default The SSL protocol version for an SSL client policy is TLS 1.0. Views SSL client policy view Default command level 2: System level Parameters ssl3.0: Specifies SSL 3.0. tls1.0: Specifies TLS 1.0. Examples # Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0. system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] version ssl3.
TCP attack protection configuration commands display tcp status Use display tcp status to display the status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
tcp syn-cookie enable Use tcp syn-cookie enable to enable the SYN Cookie feature to protect the device against SYN Flood attacks. Use undo tcp syn-cookie enable to disable the SYN Cookie feature. Syntax tcp syn-cookie enable undo tcp syn-cookie enable Default The SYN Cookie feature is enabled. Views System view Default command level 2: System level Examples # Enable the SYN Cookie feature.
ARP attack protection configuration commands IP flood protection configuration commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable the function. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP blackhole routing is enabled. Views System view Default command level 2: System level Examples # Enable ARP blackhole routing.
Examples # Enable the ARP source suppression function. system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in 5 seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP. Use undo arp source-suppression limit to restore the default value, which is 10.
Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Default command level 2: System level Parameters disable: Disables ARP packet rate limit. rate pps: Specifies the ARP packet rate in pps, in the range of 5 to 3072. drop: Discards the exceeded packets. Examples # Specify the ARP packet rate as 50 pps on interface WLAN-ESS 0, and specify the interface to discard exceeded packets.
Examples # Enable the source MAC-based ARP attack detection and specify the filter handling method. system-view [Sysname] arp anti-attack source-mac filter arp anti-attack source-mac aging-time Use arp anti-attack source-mac aging-time to configure the aging time for source MAC addresses based ARP attack detection entries. Use undo arp anti-attack source-mac aging-time to restore the default.
Parameters mac-address&<1-10>: Specifies the MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-10> indicates the number of MAC addresses that you can exclude. Usage guidelines If you do not specify any MAC address in the undo arp anti-attack source-mac exclude-mac command, this command removes all excluded MAC addresses. Examples # Exclude a MAC address from source MAC-based ARP attack detection.
Syntax display arp anti-attack source-mac [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters interface interface-type interface-number: Displays ARP attack entries detected on the interface. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Views System view Default command level 2: System level Usage guidelines After you execute the arp anti-attack valid-check enable command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message. Examples # Enable ARP packet source MAC address consistency check.
Authorized ARP configuration commands NOTE: This feature is supported only on VLAN interfaces. arp authorized enable Use arp authorized enable to enable authorized ARP on an interface. Use undo arp authorized enable to restore the default. Syntax arp authorized enable undo arp authorized enable Default Authorized ARP is not enabled on the interface. Views VLAN interface view Default command level 2: System level Examples # Enable authorized ARP on VLAN-interface 2.
Default command level 2: System level Parameters id-number: Specifies the sequence number of the user validity check rule, in the range of 0 to 511. The smaller the value, the higher the priority. deny: Denies the matching ARP packets. permit: Permits the matching ARP packets. ip { any | ip-address [ ip-address-mask ] }: Specifies the sender IP address range. • any: Matches any sender IP address. • ip-address: Matches a sender IP address.
Views VLAN view Default command level 2: System level Examples # Enable ARP detection for VLAN 2. system-view [Sysname] vlan 2 [Sysname-Vlan2] arp detection enable arp detection trust Use arp detection trust to configure the port as an ARP trusted port. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust Default The port is an ARP untrusted port.
Views System view Default command level 2: System level Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded. ip: Checks the sender and target IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
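The three validity checks described above (source MAC consistency, target MAC of responses, and sender/target IP sanity), applied to constructed ARP frames as an added example in Python; this is not HP's implementation, and the frame builder, sample MAC/IP values and check names are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

# Frame layouts used by this example (constructed, not the device's parser)
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6


def mac(text):
    """'000a-0a0a-0a0a' (the H-H-H form the device uses) or 'aa:bb:...' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip(text):
    return IPv4Address(text).packed


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP frame from raw-byte fields (sample input only)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def _invalid_ip(raw):
    """all-zero, all-one or multicast addresses are invalid per the ip check."""
    return raw == b"\x00" * 4 or raw == b"\xff" * 4 or IPv4Address(raw).is_multicast


def arp_validity_check(frame, checks=("src-mac", "dst-mac", "ip")):
    """Return the list of checks the frame fails; an empty list means the frame passes."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return ["truncated"]
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return ["not-arp"]
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    reasons = []
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC
    if "src-mac" in checks and sha != eth_src:
        reasons.append("src-mac")
    # dst-mac: for responses only, the target MAC must be neither all-zero nor all-one
    # and must match the Ethernet destination MAC
    if "dst-mac" in checks and op == ARP_REPLY and (
            tha in (ZERO_MAC, BCAST_MAC) or tha != eth_dst):
        reasons.append("dst-mac")
    # ip: sender and target IP addresses must not be all-zero, all-one or multicast
    if "ip" in checks and (_invalid_ip(spa) or _invalid_ip(tpa)):
        reasons.append("ip")
    return reasons


# Constructed sample traffic: hosts A and B on 192.168.1.0/24, a third station C
A_MAC, B_MAC, C_MAC = mac("000a-0a0a-0a0a"), mac("000b-0b0b-0b0b"), mac("000c-0c0c-0c0c")
A_IP, B_IP = ip("192.168.1.1"), ip("192.168.1.2")

SAMPLE_FRAMES = {
    "normal request":   build_arp_frame(BCAST_MAC, A_MAC, ARP_REQUEST, A_MAC, A_IP, ZERO_MAC, B_IP),
    "normal reply":     build_arp_frame(A_MAC, B_MAC, ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP),
    # Ethernet source is C but the ARP body claims to be B
    "spoofed sender":   build_arp_frame(A_MAC, C_MAC, ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP),
    # reply addressed to A whose ARP target MAC is all-one
    "bad target mac":   build_arp_frame(A_MAC, B_MAC, ARP_REPLY, B_MAC, B_IP, BCAST_MAC, A_IP),
    # request for a multicast address
    "multicast target": build_arp_frame(BCAST_MAC, A_MAC, ARP_REQUEST, A_MAC, A_IP, ZERO_MAC,
                                        ip("224.0.0.1")),
}


def run_checks(frames=SAMPLE_FRAMES, checks=("src-mac", "dst-mac", "ip")):
    """Apply the selected checks to every sample frame; returns {name: failed checks}."""
    return {name: arp_validity_check(frame, checks) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, failed in run_checks().items():
        print(f"{name:18s} -> {'pass' if not failed else 'drop (' + ', '.join(failed) + ')'}")
```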
display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
reset arp detection statistics ARP gateway protection configuration commands arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled.
Default No ARP filtering entry is configured. Views Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view Default command level 2: System level Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address. Usage guidelines You can configure up to eight ARP filtering entries on a port. You cannot configure both arp filter source and arp filter binding commands on a port.
IPsec configuration commands All HP wireless products support IPsec between ACs and APs. Only HP 830 series PoE+ unified wired-WLAN switches support IPsec between ACs. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol. Use undo ah authentication-algorithm to restore the default. Syntax ah authentication-algorithm { md5 | sha1 } * undo ah authentication-algorithm Default In FIPS mode, AH uses SHA-1 for authentication.
connection-name Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters name: Specifies an IPsec connection name, a case-insensitive string of 1 to 32 characters.
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays detailed information about all IPsec policies.
-----------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
acl version: IPv4
mode: isakmp
------------------------------------
security data flow : 3000
selector mode: standard
ike-peer name: per
transform-set name: prop1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
Table 50 Command output
Field                Description
security data flow   ACL referenced by the IPsec policy.
Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all IPsec policy templates. name: Displays detailed information about a specific IPsec policy template or IPsec policy template group. template-name: Specifies the name of the IPsec policy template, a string of 1 to 15 characters. seq-number: Specifies the sequence number of the IPsec policy template, in the range of 1 to 65535. |: Filters command output by specifying a regular expression.
--------------------------------
Policy template name: "test"
sequence number: 1
--------------------------------
security data flow :
ACL's Version: acl4
ike-peer name: per
transform-set name: testprop
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Table 52 Command output
Field                Description
security data flow   ACL referenced by the IPsec policy template.
ACL's Version        ACL version. Only IPv4 ACL is supported.
standby: Displays detailed information about the standby IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
IPsec policy name: "r2"
sequence number: 1
acl version: ACL4
mode: isakmp
----------------------------
connection id: 3
encapsulation mode: tunnel
tunnel:
local address: 2.2.2.2
remote address: 1.1.1.2
flow:
sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.1.0/255.255.255.
Field            Description
local address    Local IP address of the IPsec tunnel.
remote address   Remote IP address of the IPsec tunnel.
flow             Data flow.
sour addr        Source IP address of the data flow.
dest addr        Destination IP address of the data flow.
port             Port number.
protocol         Protocol type.
inbound          Information of the inbound SA.
spi              Security parameter index.
transform-set    Security protocol and algorithms used by the IPsec transform set.
sa duration      Lifetime of the IPsec SA.
Default command level 1: Monitor level Parameters tunnel-id integer: Specifies an IPsec tunnel by its ID in the range of 1 to 2000000000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
wrong SA: 0
Table 55 Command output
Field                                   Description
Connection ID                           ID of the tunnel.
input/output security packets           Counts of inbound and outbound IPsec protected packets.
input/output security bytes             Counts of inbound and outbound IPsec protected bytes.
input/output dropped security packets   Counts of inbound and outbound IPsec protected packets that are discarded by the device.
dropped security packet detail          Detailed information about inbound/outbound packets that get dropped.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets.
Views Any view Default command level 1: Monitor level Parameters active: Displays information about the active IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products. standby: Displays information about the standby IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model.
outbound : 675720232 (0x2846ac28) [ESP]
tunnel :
local address: 44.44.44.44
remote address : 44.44.44.45
flow : as defined in acl 3001
Table 57 Command output
Field           Description
connection id   Connection ID, used to uniquely identify an IPsec Tunnel.
status          Whether the tunnel is in active or standby state. This field is displayed only when IPsec stateful failover is enabled. Support for IPsec stateful failover depends on the device model.
Examples # Configure IPsec transform set tran1 to use the transport encapsulation mode. system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] encapsulation-mode transport Related commands ipsec transform-set esp authentication-algorithm Use esp authentication-algorithm to specify authentication algorithms for ESP. Use undo esp authentication-algorithm to restore the default.
esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to restore the default. Syntax esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } * undo esp encryption-algorithm Default In FIPS mode, ESP uses AES-128 for encryption. In non-FIPS mode, ESP uses DES for encryption.
Use undo ike-peer to remove the reference. Syntax ike-peer peer-name undo ike-peer peer-name Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters peer-name: Specifies the IKE peer name, a string of 1 to 32 characters. Examples # Configure a reference to an IKE peer in an IPsec policy.
Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The size of the anti-replay window is 32. Views System view Default command level 2: System level Parameters width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024. Usage guidelines Your configuration takes effect only on IPsec SAs negotiated later. Examples # Set the size of the anti-replay window to 64.
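An added Python model of the anti-replay window whose width this command sets (32 to 1024), written for this reference and not HP's code; it assumes the standard ESP sliding-window method (RFC 4303) and shows why the example's widening from 32 to 64 lets a badly delayed but legitimate packet through that the default window would discard. One window is kept per inbound SA, which is why a new width applies only to SAs negotiated afterwards.

```python
VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)   # the widths the command accepts


class AntiReplayWindow:
    """Sliding anti-replay window for one inbound IPsec SA (example model, assumed RFC 4303 style)."""

    def __init__(self, width=32):
        if width not in VALID_WIDTHS:
            raise ValueError(f"window width must be one of {VALID_WIDTHS}")
        self.width = width
        self.mask = (1 << width) - 1
        self.top = 0        # highest sequence number accepted so far (ESP numbering starts at 1)
        self.bitmap = 0     # bit i set => sequence number (top - i) has already been received
        self.counters = {"accepted": 0, "replayed": 0, "too-old": 0, "invalid": 0}

    def check(self, seq):
        """Verdict for one received sequence number; the window is updated on accept."""
        if seq <= 0:
            verdict = "invalid"
        elif seq > self.top:
            # new high-water mark: slide the window right by the gap and mark seq as seen
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.width else 1
            self.top = seq
            verdict = "accepted"
        else:
            offset = self.top - seq
            if offset >= self.width:
                verdict = "too-old"      # left of the window: late delivery and replay look alike
            elif (self.bitmap >> offset) & 1:
                verdict = "replayed"     # inside the window but already seen
            else:
                self.bitmap |= 1 << offset
                verdict = "accepted"     # inside the window and unseen: late but legitimate
        self.counters[verdict] += 1
        return verdict


def replay_trace(width, sequence_numbers):
    """Run a stream of sequence numbers through a fresh SA window and return the verdicts."""
    window = AntiReplayWindow(width)
    return [window.check(s) for s in sequence_numbers]


if __name__ == "__main__":
    # constructed stream: packets 1..40 in order except that 5 was delayed,
    # then a replay of 40, then the delayed packet 5 finally arriving
    stream = [s for s in range(1, 41) if s != 5] + [40, 5]
    for width in (32, 64):
        print(f"width {width}: replay of 40 -> {replay_trace(width, stream)[-2]}, "
              f"late packet 5 -> {replay_trace(width, stream)[-1]}")
```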
system-view [Sysname] ipsec invalid-spi-recovery enable ipsec policy (interface view) Use ipsec policy to apply an IPsec policy group to an interface. Use undo ipsec policy to remove the application. Syntax ipsec policy policy-name undo ipsec policy [ policy-name ] Views VLAN interface view Default command level 2: System level Parameters policy-name: Specifies the name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.
undo ipsec policy policy-name [ seq-number ] Default No IPsec policy exists. Views System view Default command level 2: System level Parameters policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included. seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Sets up SAs through IKE negotiation. Usage guidelines When creating an IPsec policy, you must specify the generation mode.
Views System view Default command level 2: System level Parameters policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included. seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535. isakmp template template-name: Name of the IPsec policy template to be referenced. Usage guidelines In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Parameters template-name: Specifies the name for the IPsec policy template, a case-insensitive string of 1 to 41 characters. No hyphen (-) can be included. seq-number: Specifies the sequence number for the IPsec policy template, in the range of 1 to 65535. Usage guidelines Using the undo command without the seq-number argument deletes an IPsec policy template group. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.
You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it has existed for the specified time period or has processed the specified volume of traffic. The SA lifetime applies only to IKE negotiated SAs. It does not take effect on manually configured SAs. Examples # Set the time-based global SA lifetime to 7200 seconds (2 hours).
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Default command level
2: System level
Parameters
transform-set-name: Specifies the name of an IPsec transform set, a case-insensitive string of 1 to 32 characters.
Examples
# Create an IPsec transform set named tran1 and enter its view.
Examples
# Enable the IPsec policy with the name policy1 and sequence number 100.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] policy enable
Related commands
• ipsec policy (system view)
• ipsec policy-template

reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared. If you do not specify any parameter, the command clears all IPsec SAs. If you specify neither active nor standby, the command clears both active and standby IPsec SAs. When you clear the active IPsec SAs on the active device, the active device automatically notifies the standby device to clear the standby IPsec SAs.
sa authentication-hex
Use sa authentication-hex to configure an authentication key for an SA.
Use undo sa authentication-hex to remove the configuration.
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } [ cipher string-key | simple hex-key ]
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
ipsec policy (system view)

sa duration
Use sa duration to set an SA lifetime for the IPsec policy.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy equals the current global SA lifetime.
• ipsec policy (system view)

sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]
undo sa encryption-hex { inbound | outbound } esp
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple abcdefabcdef1234
Related commands
ipsec policy (system view)

sa spi
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for an SA.
sa string-key
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
Related commands
ipsec policy (system view)

security acl
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
Syntax
security acl acl-number [ aggregation | per-host ]
undo security acl
Default
An IPsec policy references no ACL.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.
Examples
# Configure IPsec policy policy2 to reference ACL 3002, and set the data flow protection mode to aggregation.
system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.
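The selection rules the reference states (inside a policy group the policy with the smaller sequence number wins; a policy references only the ACL last specified; ACL rules use wildcard masks such as 0.0.0.255) as an added Python model that is not part of the HP reference or its software. Policy names, ACL numbers and addresses are constructed sample values, and treating only a permit match as selecting a policy (any other result moves on to the next policy) is an assumption of this model, not a statement from the reference.

```python
"""Added example: which IPsec policy of a policy group protects a given flow.

Models what the reference states about policy priority and ACL reference:
  * policies in a group are tried in ascending sequence-number order;
  * a policy references exactly one ACL, the last one specified;
  * an advanced ACL rule 'permit ip source A wc destination B wc' uses
    Comware-style wildcard masks (a 1 bit in the wildcard means "don't care").
Assumption of the model: a flow is handled by the first policy whose ACL
permits it; a deny or no match just moves on to the next policy.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wildcard_match(src_ip, self.src, self.src_wc)
                and wildcard_match(dst_ip, self.dst, self.dst_wc))


@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """First matching rule in rule-id order decides; None if no rule matches."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src_ip, dst_ip):
                return rule.action
        return None


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    acl: Optional[Acl] = None

    def security_acl(self, acl: Acl) -> None:
        # Like 'security acl': a later reference replaces the earlier one.
        self.acl = acl


class PolicyGroup:
    """All policies sharing one name form a group (what 'ipsec policy' on an
    interface applies)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policies = {}          # seq-number -> IpsecPolicy

    def ipsec_policy(self, seq: int) -> IpsecPolicy:
        return self.policies.setdefault(seq, IpsecPolicy(self.name, seq))

    def classify(self, src_ip: str, dst_ip: str) -> Optional[Tuple[int, int]]:
        """(sequence number, ACL number) of the policy protecting the flow,
        or None when no policy in the group permits it."""
        for seq in sorted(self.policies):        # smaller seq = higher priority
            pol = self.policies[seq]
            if pol.acl is not None and pol.acl.lookup(src_ip, dst_ip) == "permit":
                return seq, pol.acl.number
        return None


def build_sample_group() -> PolicyGroup:
    """Constructed sample: ACL 3002 mirrors the reference's example rules;
    ACL 3001 is a more specific host-to-host rule in a higher-priority policy."""
    acl3002 = Acl(3002, [
        AclRule(0, "permit", "10.1.2.1", "0.0.0.255", "10.1.2.2", "0.0.0.255"),
        AclRule(1, "permit", "10.1.3.1", "0.0.0.255", "10.1.3.2", "0.0.0.255"),
    ])
    acl3001 = Acl(3001, [
        AclRule(0, "permit", "10.1.2.1", "0.0.0.0", "10.1.2.2", "0.0.0.0"),
    ])
    group = PolicyGroup("policy2")
    group.ipsec_policy(100).security_acl(acl3002)
    group.ipsec_policy(10).security_acl(acl3001)
    return group


if __name__ == "__main__":
    g = build_sample_group()
    for flow in [("10.1.2.1", "10.1.2.2"), ("10.1.2.5", "10.1.2.9"),
                 ("10.1.3.7", "10.1.3.8"), ("192.168.1.1", "10.1.2.2")]:
        print(flow, "->", g.classify(*flow))
```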
in the range of 0 to 1000. If you set the argument to 0, inbound anti-replay window synchronization is disabled.
outbound-number: Interval at which the device, when functioning as the active device, synchronizes the outbound anti-replay sequence number to the standby device. It is expressed in the number of sent packets and in the range of 1000 to 100000.
Usage guidelines
In an IPsec stateful failover scenario, the active device regularly synchronizes anti-replay information to the standby device.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Usage guidelines
The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.
If the security protocol is ESP, the default encryption algorithm is DES, and the default authentication algorithm is MD5. If the security protocol is AH, the default authentication algorithm is MD5.
Examples
# Configure IPsec policy policy1 to reference IPsec transform set tran1.
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] quit
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] transform-set tran1
Related commands
• ipsec transform-set
• ipsec policy (system view)

tunnel local
Use tunnel local to configure the local address of an IPsec tunnel.
Use undo tunnel local to remove the configuration.
tunnel remote
Use tunnel remote to configure the remote address of an IPsec tunnel.
Use undo tunnel remote to remove the configuration.
Syntax
tunnel remote ip-address
undo tunnel remote [ ip-address ]
Default
No remote address is configured for the IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ip-address: Remote address for the IPsec tunnel.
Usage guidelines
This command applies to only manual IPsec policies.
IKE configuration commands

authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
Default
An IKE proposal uses the SHA1 authentication algorithm.
Views
IKE proposal view
Default command level
2: System level
Parameters
md5: Uses HMAC-MD5.
sha: Uses HMAC-SHA1.
Usage guidelines
In FIPS mode, MD5 is not supported.
Default
An IKE proposal uses the pre-shared key authentication method.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
• pki domain

dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
Group1, the 768-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Default command level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
Parameters
dpd-name: Specifies the DPD name, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
• dh
• sa duration

display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
active: Displays the summary of active IKE SAs and IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model.
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Display summary information about IKE SAs and IPsec SAs in an IPsec stateful failover scenario.
display ike sa
total phase-1 SAs: 1
connection-id   peer           flag     phase   doi     status
-------------------------------------------------------------------
1               202.38.0.2     RD|ST    1       IPSEC   ACTIVE
2               202.38.0.
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 86379
exchange-mode: MAIN
diffie-hellman group: GROUP1
# Display detailed information about the IKE SA with the connection ID of 2.
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82236
exchange-mode: MAIN
diffie-hellman group: GROUP1
Table 62 Command output
Field                 Description
connection id         Identifier of the ISAKMP SA.
transmitting entity   Entity in the IKE negotiation.
status                Stateful failover status of the SA, active or standby.
Use undo dpd to remove the application.
Syntax
dpd dpd-name
undo dpd
Default
No DPD detector is applied to an IKE peer.
Views
IKE peer view
Default command level
2: System level
Parameters
dpd-name: Specifies the DPD detector name, a string of 1 to 32 characters.
Examples
# Apply dpd1 to IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1

encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption. In FIPS mode, DES-CBC is not supported.
Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
Related commands
• ike proposal
• display ike proposal

exchange-mode
Use exchange-mode to select an IKE negotiation mode.
id-type
Use id-type to select the type of the ID for IKE negotiation.
Use undo id-type to restore the default.
Syntax
id-type { ip | name | user-fqdn }
undo id-type
Default
The ID type is IP address.
Views
IKE peer view
Default command level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
Use undo ike dpd to remove a DPD detector.
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
Views
System view
Default command level
2: System level
Parameters
dpd-name: Specifies the name for the DPD detector, a string of 1 to 32 characters.
Usage guidelines
DPD irregularly detects dead IKE peers. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2.
Views
System view
Default command level
2: System level
Parameters
name: Specifies the name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Examples
# Disable Next payload field checking for the last payload of an IKE message.
system-view
[Sysname] ike next-payload check disabled

ike peer (system view)
Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.
Syntax
ike peer peer-name
undo ike peer peer-name
Views
System view
Default command level
2: System level
Parameters
peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.
Usage guidelines
The system provides a default IKE proposal, which has the lowest priority and uses the settings as shown in Table 63:
Table 63 Default values in non-FIPS mode and FIPS mode
Default parameter          Default value in non-FIPS mode   Default value in FIPS mode
Encryption algorithm       DES-CBC                          AES_CBC_128
Authentication algorithm   HMAC-SHA1                        SHA
Authentication method      Pre-shared key                   Pre-shared key
DH group                   MODP_768                         MODP_1024
SA lifetime                86400 seconds                    86400 seconds
Examples
# Create IKE propos
Examples
# Set the keepalive interval to 200 seconds.
system-view
[Sysname] ike sa keepalive-timer interval 200
Related commands
ike sa keepalive-timer timeout

ike sa keepalive-timer timeout
Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
Default
No keepalive packet is sent.
Default
The NAT keepalive interval is 20 seconds.
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Examples
# Set the NAT keepalive interval to 5 seconds.
system-view
[Sysname] ike sa nat-keepalive-timer interval 5

interval-time
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
Syntax
local { multi-subnet | single-subnet }
undo local
Default
The subnet is a single one.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
Syntax
local-name name
undo local-name
Default
The device name is used as the name of the local security gateway.
Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.
Syntax
nat traversal
undo nat traversal
Default
The NAT traversal function is disabled.
Views
IKE peer view
Default command level
2: System level
Examples
# Enable the NAT traversal function for IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] nat traversal

peer
Use peer to set the subnet type of the peer security gateway for IKE negotiation.
Use undo peer to restore the default.
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key [ [ cipher | simple ] key ]
undo pre-shared-key
Views
IKE peer view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key.
key: Specifies the key string. This argument is case sensitive.
undo proposal [ proposal-number ]
Default
An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
Views
IKE peer view
Default command level
2: System level
Parameters
proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times.
Parameters
hostname: Specifies the host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.
dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name.
Views
IKE peer view
Default command level
2: System level
Parameters
name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator.
Usage guidelines
If you do not specify any parameter, the command clears all ISAKMP SAs.
When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.
If you specify neither active nor standby, the command clears both active and standby IKE SAs.
4               201.31.0.9     RD|ST    2       IPSEC   STANDBY
Related commands
display ike sa

sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The ISAKMP SA lifetime is 86400 seconds.
Views
IKE proposal view
Default command level
2: System level
Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range of 60 to 604800.
Views
IKE DPD view
Default command level
2: System level
Parameters
time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60.
Usage guidelines
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
ALG configuration commands

alg
Use alg to enable ALG for a protocol.
Use undo alg to disable ALG for a protocol.
Syntax
alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
Default
The ALG feature is enabled for all protocols.
Views
System view
Default command level
2: System level
Parameters
all: Enables ALG for all protocols.
dns: Enables ALG for DNS.
system-view
[Sysname] undo alg dns
Firewall configuration commands

Packet-filter firewall configuration commands

display firewall ipv6 statistics
Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.
Syntax
display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.
Table 64 Command output
Field                            Description
Interface                        Interface configured with the IPv6 packet filtering function.
In-bound Policy                  IPv6 ACL configured in the inbound direction of the interface.
Out-bound Policy                 IPv6 ACL configured in the outbound direction of the interface.
acl6                             IPv6 ACL number.
0 packets, 0 bytes, 0% permitted Counts for packets permitted by IPv6 ACL rules: the number of packets and bytes, and the percentage of the permitted to the total.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display all packet filtering statistics of the firewall.
Use undo firewall enable to disable the IPv4 firewall function.
Syntax
firewall enable
undo firewall enable
Default
The IPv4 firewall function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the IPv4 firewall function.
system-view
[Sysname] firewall enable

firewall ipv6 default
Use firewall ipv6 default to specify the default firewall filtering action of the IPv6 firewall.
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
Default
The IPv6 firewall function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the IPv6 firewall function.
system-view
[Sysname] firewall ipv6 enable

firewall packet-filter (interface view)
Use firewall packet-filter to apply an IPv4 ACL to an interface to filter packets.
Use undo firewall packet-filter to cancel the configuration.
system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] firewall packet-filter 2001 outbound

firewall packet-filter (user-profile view)
Use firewall packet-filter to apply an IPv4 ACL to a user profile to filter packets.
Use undo firewall packet-filter to cancel the configuration.
Syntax
firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo firewall packet-filter ipv6 [ { acl6-number | name acl6-name } ] { inbound | outbound }
Default
IPv6 packets are not filtered on the interface.
Views
Interface view
Default command level
2: System level
Parameters
acl6-number: Specifies a basic IPv6 ACL number in the range of 2000 to 2999, or an advanced IPv6 ACL number in the range of 3000 to 3999.
Examples
# Clear the packet filtering statistics on VLAN-interface 100 of the IPv6 firewall.
reset firewall ipv6 statistics interface Vlan-interface 100
Related commands
display firewall ipv6 statistics

reset firewall-statistics
Use reset firewall-statistics to clear packet filtering statistics of the IPv4 firewall.
Parameters
aspf-policy-number: ASPF policy number, in the range of 1 to 99.
Usage guidelines
A defined ASPF policy can be applied through its policy number.
Examples
# Create an ASPF policy and enter the corresponding ASPF policy view.
system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1]

display aspf all
Use display aspf all to view the information of all the ASPF policies and sessions.
Table 65 Command output
Field                          Description
[ASPF Policy Configuration]    ASPF policy configuration information.
Policy Number                  ASPF policy number.
icmp-error drop                Drop ICMP error messages.
tcp syn-check                  Drop any non-SYN packet that is the first packet over a TCP connection.
undo icmp-error drop           Do not drop ICMP error messages.
undo tcp syn-check             Do not drop a non-SYN packet that is the first packet over a TCP connection.
[Interface Configuration]      ASPF policy application information of interface.
Table 66 Command output
Field            Description
InboundPolicy    Inbound ASPF policy.
OutboundPolicy   Outbound ASPF policy.

display aspf policy
Use display aspf policy to view the information of an ASPF policy.
Syntax
display aspf policy aspf-policy-number [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
aspf-policy-number: ASPF policy number, in the range of 1 to 99.
|: Filters command output by specifying a regular expression.
Field                Description
undo tcp syn-check   Do not drop a non-SYN packet that is the first packet over a TCP connection.

display port-mapping
Use display port-mapping to view port mapping information.
Syntax
display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
application-name: Name of the application to be used for port mapping.
Table 68 Command output
Field     Description
SERVICE   Application layer protocol that is mapped to a port.
PORT      Number of the port for the application layer protocol.
ACL       Number of the ACL specifying the host range.
TYPE      Port mapping type, system predefined or user customized.
Related commands
port-mapping

firewall aspf (interface)
Use firewall aspf to apply an ASPF policy to the interface.
Use undo firewall aspf to remove an ASPF policy from the interface.
undo firewall aspf aspf-policy-number { inbound | outbound }
Default
No ASPF policy is applied to a user profile.
Views
User profile view
Default command level
2: System level
Parameters
aspf-policy-number: Number of the ASPF policy, in the range of 1 to 99.
inbound: Applies the ASPF policy to inbound packets.
outbound: Applies the ASPF policy to outbound packets.
system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] icmp-error drop
Related commands
aspf-policy

port-mapping
Use port-mapping to map a port to an application layer protocol.
Use undo port-mapping to remove a port mapping entry.
Syntax
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]
Default
There is no mapping between the port and the application layer.
undo tcp syn-check
Default
A non-SYN packet that is the first packet over a TCP connection is not dropped.
Views
ASPF policy view
Default command level
2: System level
Examples
# Configure ASPF policy 1 to drop any non-SYN packet which is the first packet over a TCP connection.
Session management commands

application aging-time
Use application aging-time to set the aging timer for the sessions of an application layer protocol.
Use undo application aging-time to restore the default.
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
Default
The default session aging times for the application layer protocols are as follows:
• DNS: 60 seconds.
• FTP: 3600 seconds.
• MSN: 3600 seconds.
display application aging-time
Use display application aging-time to display the session aging timers for the application layer protocols.
Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Syntax
display session relation-table [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
display session statistics
Use display session statistics to display statistics for the sessions.
Syntax
display session statistics [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Dropped UDP: 0 packet(s) 0 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
Table 72 Command output
Field                     Description
Current session(s)        Total number of sessions.
Current TCP session(s)    Number of TCP sessions.
Half-Open                 Number of TCP sessions in the half-open state.
Half-Close                Number of TCP sessions in the half-close state.
Current UDP session(s)    Number of UDP sessions.
Current ICMP session(s)   Number of ICMP sessions.
Parameters
source-ip source-ip: Displays the session table entries with the specified source IP address.
destination-ip destination-ip: Displays the session table entries with the specified destination IP address.
protocol-type { icmp | raw-ip | tcp | udp }: Displays the session table entries for the specified protocol, including ICMP, RawIP, TCP, and UDP.
source-port source-port: Displays the session table entries with the specified source port. The source-port argument is in the range of 0 to 65535.
Responder:
  Source IP/Port : 192.168.1.255/137
  Dest IP/Port   : 192.168.1.19/137
  VLAN ID/VLL ID:
Pro: UDP(17)  App: NBT-name
Start time: 2013-03-17 10:39:43  State: UDP-OPEN  TTL: 2s
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.1.55/23
  Dest IP/Port   : 192.168.1.
Field                       Description
State                       Session status. Possible values are:
                            • Accelerate.
                            • SYN.
                            • TCP-EST.
                            • FIN.
                            • UDP-OPEN.
                            • UDP-READY.
                            • ICMP-OPEN.
                            • ICMP-CLOSED.
                            • RAWIP-OPEN.
                            • RAWIP-READY.
Start Time                  Session establishment time.
TTL                         Remaining lifetime of the session, in seconds.
Received packet(s)(Init)    Counts of packets and bytes from the initiator to the responder.
Received packet(s)(Reply)   Counts of packets and bytes from the responder to the initiator.
Total find                  Total number of found sessions.
Examples
# Clear all session table entries.
reset session
# Clear all sessions with the source IP address as 10.10.10.10 of the initiator.
reset session source-ip 10.10.10.10

reset session statistics
Use reset session statistics to clear session statistics.
Syntax
reset session statistics
Views
User view
Default command level
2: System level
Examples
# Clear all session statistics.
• UDP READY state: 60 seconds.
Views
System view
Default command level
2: System level
Parameters
accelerate: Specifies the aging timer for the sessions in the accelerate queue.
fin: Specifies the aging timer for the TCP sessions in the FIN_WAIT state.
icmp-closed: Specifies the aging timer for the ICMP sessions in the CLOSED state.
icmp-open: Specifies the aging timer for the ICMP sessions in the OPEN state.
rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state.
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Examples
# Enable checksum verification for UDP packets.
system-view
[Sysname] session checksum udp

session log bytes-active
Use session log bytes-active to set the byte-based threshold for traffic-based logging.
Views
Interface view
Default command level
2: System level
Parameters
acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
Usage guidelines
If you do not specify an ACL, this command enables session logging for all sessions on the interface.
If neither the inbound nor the outbound keyword is specified, session logging is enabled in both directions.
Examples
# Configure the device to output session logs on a per-10-mega-packet basis.
system-view
[Sysname] session log packets-active 10

session log time-active
Use session log time-active to configure time-based session logging.
Use undo session log time-active to restore the default.
Syntax
session log time-active time-value
undo session log time-active
Default
The device does not output session logs.
Default command level
2: System level
Usage guidelines
In a bidirectional session, packets in both directions pass through the device. In a unidirectional session, packets pass through the device in one direction only; packets in the opposite direction do not pass through it.
Examples
# Set the hybrid mode for session management.
system-view
[Sysname] session mode unidirection

session persist acl
Use session persist acl to specify persistent sessions.
Related commands
reset session
Web filtering configuration commands

display firewall http activex-blocking
Use display firewall http activex-blocking to display information about ActiveX blocking.
Syntax
display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all ActiveX blocking suffix keywords.
item keywords: Specifies a blocking suffix keyword.
SN   Match-Times   Keywords
---------------------------------------------
1    5             .OCX
2    0             .vbs
Table 74 Command output
Field         Description
SN            Serial number.
Match-Times   Number of times that a suffix keyword is matched.
Keywords      ActiveX blocking suffix keyword.
# Display detailed ActiveX blocking information.
display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
Examples
# Display brief information about Java blocking.
display firewall http java-blocking
Java blocking is enabled.
# Display Java blocking information for a specific suffix keyword.
display firewall http java-blocking item .class
The HTTP request packet including ".class" had been matched for 10 times.
# Display Java blocking information for all suffix keywords.
item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underscore (_), and the wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For the meanings and usage guidelines of the wildcards, see the description of the firewall http url-filter host url-address command.
verbose: Specifies detailed information.
Table 77 Command output
Field                       Description
Default method              Default URL address filtering action, which can be permit or deny.
The support for IP address  Support for website IP addresses, permit or deny.

display firewall http url-filter parameter
Use display firewall http url-filter parameter to display information about URL parameter filtering.
display firewall http url-filter parameter all
SN   Match-Times   Keywords
---------------------------------------------
1    0             ^select$
2    0             ^insert$
3    0             ^update$
4    0             ^delete$
5    0             ^drop$
6    0             --
7    0             '
8    0             ^exec$
9    10            %27
10   0             qqqqq
Table 78 Command output
Field         Description
SN            Serial number.
Match-Times   Number of times that the keyword has been matched.
Keywords      URL parameter filtering keyword.
# Display detailed information about URL parameter filtering.
Usage guidelines
After the command takes effect, all Web requests containing any suffix keyword in the ActiveX blocking suffix list are processed according to the ACL.
You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect.
You can specify a non-existent ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify ACL 2003 as the ACL for ActiveX blocking.
Syntax
firewall http activex-blocking suffix keywords
undo firewall http activex-blocking suffix keywords
Views
System view
Default command level
2: System level
Parameters
keywords: Specifies the blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of 5 ActiveX blocking suffix keywords. You cannot add or remove the default suffix keyword ".
You can specify multiple ACLs for Java blocking, but only the last one takes effect.
You can specify a non-existent ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify ACL 2002 as the ACL for Java blocking.
Views
System view
Default command level
2: System level
Parameters
keywords: Specifies the blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of five Java blocking suffix keywords. You cannot remove the default blocking suffix keywords .class and .jar.
Examples
# Add .js to the Java blocking suffix list.
Examples
# Configure URL address filtering to permit Web requests whose website IP addresses are permitted by ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.0
[Sysname-acl-basic-2000] quit
[Sysname] firewall http url-filter host acl 2000
Related commands
display firewall http url-filter host

firewall http url-filter host default
Use firewall http url-filter host default to specify the default action for URL address filtering.
Default
The URL address filtering function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the URL address filtering function.
system-view
[Sysname] firewall http url-filter host enable
Related commands
display firewall http url-filter host

firewall http url-filter host ip-address
Use firewall http url-filter host ip-address to enable or disable support for IP addresses in URL address filtering.
firewall http url-filter host url-address
Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action.
Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries.
Syntax
firewall http url-filter host url-address { deny | permit } url-address
undo firewall http url-filter host url-address [ url-address ]
Views
System view
Default command level
2: System level
Parameters
deny: Denies matched URL addresses.
• If an asterisk (*) is present at the beginning of a filtering entry, the entry must take the form *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com.
• A filtering entry consisting only of numerals is invalid. To filter a website address like www.123.com, define a filtering entry such as ^123$, www.123.com, or 123.com, not 123. In other words, exact matching is recommended for numeric website addresses.
Wildcard: $
Meaning: Matches parameters ending with the keyword.
Usage guidelines: It can be present once, at the end of a filtering entry.

Wildcard: &
Meaning: Stands for one valid character.
Usage guidelines: It can be present multiple times at any position of a filtering entry, consecutively or not, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($).
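The entry rules above for firewall http url-filter host url-address, and the suffix-keyword rules given earlier for firewall http activex-blocking suffix and firewall http java-blocking suffix, are easy to get wrong when building a configuration offline. As an added example (not code from the HP reference), the Python validator below checks candidate entries against those rules before they are pushed to a device. Assumptions: the allowed character set is the one the page lists for the keywords argument of display firewall http url-filter parameter and is taken to apply to URL address entries as well; the caret (^) row of the wildcard table is not on this page, so no rule beyond the character set is enforced for it.

```python
import re

# Character set the page lists for a filtering keyword: 0-9, a-z, A-Z,
# dot, hyphen, underscore and the wildcards ^ $ & *; 1 to 80 characters.
# Assumption: the same set applies to URL address filtering entries.
_ENTRY_CHARS = re.compile(r"[0-9A-Za-z._\-^$&*]{1,80}")

# Suffix keyword for ActiveX/Java blocking: a leading dot followed only
# by digits or English letters, 1 to 9 characters in total.
_SUFFIX = re.compile(r"\.[0-9A-Za-z]{0,8}")


def validate_suffix_keyword(keyword: str) -> tuple[bool, str]:
    """Return (ok, reason) for an ActiveX or Java blocking suffix keyword."""
    if not 1 <= len(keyword) <= 9:
        return False, "length must be 1 to 9 characters"
    if not _SUFFIX.fullmatch(keyword):
        return False, "must start with a dot followed only by digits or letters"
    return True, "ok"


def validate_url_filter_entry(entry: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL address filtering entry."""
    if not _ENTRY_CHARS.fullmatch(entry):
        return False, "1 to 80 characters from 0-9 a-z A-Z . - _ ^ $ & * only"
    # "$" may appear once, and only at the end of the entry.
    if "$" in entry and (entry.count("$") > 1 or not entry.endswith("$")):
        return False, "$ may appear once, at the end of the entry"
    # A leading "*" must take the form *.xxx, e.g. *.com.
    if entry.startswith("*") and not re.match(r"\*\.[0-9A-Za-z]", entry):
        return False, "a leading * must be written as *.keyword (e.g. *.com)"
    # "&" may appear anywhere, but never next to "*"; at the start it must
    # follow "^" and at the end it must precede "$".
    for i, ch in enumerate(entry):
        if ch != "&":
            continue
        if i == 0:
            return False, "a leading & must be preceded by ^"
        if i == len(entry) - 1:
            return False, "a trailing & must be followed by $"
        if entry[i - 1] == "*" or entry[i + 1] == "*":
            return False, "& cannot be used next to *"
    # An entry made up only of numerals is invalid; anchor it (^123$) or
    # give the full host name (www.123.com) instead.
    if entry.isdigit():
        return False, "numerals only; use ^123$, www.123.com or 123.com instead"
    return True, "ok"


def main() -> None:
    # Constructed sample entries, including the page's own examples.
    for e in ["*.webfilter.com", "^123$", "www.123.com", "123",
              "*com", "^&abc", "abc&*", "a$b$"]:
        print(f"{e:16} {validate_url_filter_entry(e)}")
    for k in [".OCX", ".vbs", ".js", "ocx", ".a-b", ".toolongsuffix"]:
        print(f"{k:16} {validate_suffix_keyword(k)}")


if __name__ == "__main__":
    main()
```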
Default command level
2: System level
Examples
# Enable the URL parameter filtering function.
system-view
[Sysname] firewall http url-filter parameter enable
Related commands
display firewall http url-filter parameter

reset firewall http
Use reset firewall http to clear Web filtering statistics.
User isolation commands

display user-isolation statistics
Use display user-isolation statistics to display user isolation statistics for the specified VLAN or all VLANs.
Syntax
display user-isolation statistics [ vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If no VLAN ID is specified, this command displays user isolation statistics for all VLANs.
reset user-isolation statistics
Use reset user-isolation statistics to clear user isolation statistics for the specified VLAN or all VLANs.
Syntax
reset user-isolation statistics [ vlan vlan-id ]
Views
User view
Default command level
1: Monitor level
Parameters
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If no VLAN ID is specified, this command clears user isolation statistics for all VLANs.
Examples
# Clear user isolation statistics for VLAN 1.
Use undo user-isolation permit broadcast to prevent broadcast and multicast packets sent by a wired user from reaching a wireless user in the same VLAN.
Syntax
user-isolation permit broadcast
undo user-isolation permit broadcast
Default
Broadcast and multicast packets sent by a wired user are permitted to reach a wireless user in the same VLAN.
user-isolation vlan permit-mac
Use user-isolation vlan permit-mac to add permitted MAC addresses for the specified VLANs.
Use undo user-isolation vlan permit-mac to delete the specified or all permitted MAC addresses for the specified VLANs.
Syntax
user-isolation vlan vlan-list permit-mac mac-list
undo user-isolation vlan vlan-list permit-mac { mac-list | all }
Default
No permitted MAC addresses are specified.
Source IP address verification commands

display wlan client source binding
Use display wlan client source binding to display IPv4/IPv6 binding entries.
Syntax
display wlan client { ip | ipv6 } source binding [ mac-address mac-address ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
ip: Displays IPv4 binding entries.
ipv6: Displays IPv6 binding entries.
mac-address mac-address: Displays the binding entries of a MAC address.
MAC Address      APID/RID   Type     Binding IP Address
------------------------------------------------------------
001d-0f31-87dd   1/2        N/A      N/A
001c-f08f-f7f1   10/2       DHCPv6   2001::1
001c-70cd-65a1   1/1        DHCPv6   2001::2
                            ND       2001::
------------------------------------------------------------
Table 82 Output description
Field                    Description
Total Number of Clients  Total number of binding entries, which is consistent with the number of online clients.
MAC Address              MAC address of the binding entry.
Views
Service template view
Default command level
2: System level
Examples
# Enable source IP address verification for IPv4 clients.
system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] ip verify source
Related commands
display wlan client source binding

ipv6 verify source
Use ipv6 verify source to enable source IP address verification for IPv6 clients.
Use undo ipv6 verify source to restore the default.
FIPS configuration commands

display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Default command level
1: Monitor level
Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled
Related commands
fips mode enable

fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password for logging in to the device in FIPS mode. The password must be at least 10 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs with a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
Default command level
3: Manage level
Usage guidelines
To check whether the cryptographic modules operate correctly, use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.
Protocol packet rate limit configuration commands

anti-attack enable
Use anti-attack enable to enable protocol packet rate limit.
Use undo anti-attack enable to disable protocol packet rate limit.
Default
Protocol packet rate limit is disabled.
Syntax
anti-attack enable
undo anti-attack enable
Views
System view
Default command level
2: System level
Examples
# Enable protocol packet rate limit.
Parameters
all: Specifies all protocols.
protocol: Specifies a protocol by its type, a string of 1 to 31 characters.
Examples
# Enable per-protocol bandwidth limit for ARP frames.
system-view
[Sysname] anti-attack protocol arp enable

anti-attack protocol threshold
Use anti-attack protocol threshold to configure the threshold for per-protocol bandwidth limit.
Use undo anti-attack protocol threshold to restore the default.
Views
System view
Default command level
2: System level
Parameters
protocol: Specifies a protocol by its name, a string of 1 to 31 characters.
flow-limit-rate: Specifies the per-flow bandwidth limit threshold in the range of 0 to 102400 pps. Packets that exceed the maximum bandwidth are discarded.
Examples
# Set the per-flow bandwidth limit threshold for ARP frames to 50 pps.
Anti-attack statistics
--------------------------------------------------------------------------------
Protocol   Priority   Limit(pps)   Rate(pps)   Passed   Dropped
--------------------------------------------------------------------------------
default    2          256          0           3        0
udp        2          2048         0           0        0
tcp        2          1024         0           0        0
dot1x      1          1024         0           0        0
dhcp       2          1800         0           0        0
igmp       2          1024         0           0        0
ntp        2          256          0           0        0
arp        1          900          0           1        0
snmp       0          1024         0           0        0
telnet     0          1024         0           0        0
icmp       0          1024         0           4        0
lwapp      1
Field        Description
Limit(pps)   Rate limit value. This field displays the default value if you have not configured one.
Rate(pps)    Current rate of the protocol packets.
Passed       Number of passed packets.
Dropped      Number of dropped packets.
# Display rate limit information for ICMP packets.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.