R211x-HP Flexfabric 11900 Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA commands
- General AAA commands
- aaa session-limit
- accounting command
- accounting default
- accounting lan-access
- accounting login
- authentication default
- authentication lan-access
- authentication login
- authentication super
- authorization command
- authorization default
- authorization lan-access
- authorization login
- authorization-attribute (ISP domain view)
- display domain
- domain
- domain default enable
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius nas-ip
- radius session-control enable
- radius scheme
- reset radius statistics
- retry
- retry realtime-accounting
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- snmp-agent trap enable radius
- state primary
- state secondary
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs scheme
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- LDAP commands
- General AAA commands
- 802.1X commands
- MAC authentication commands
- Port security commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address security
- port-security mac-move permit
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- Password control commands
- display password-control
- display password-control blacklist
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control super aging
- password-control super composition
- password-control super length
- password-control update-interval
- reset password-control blacklist
- reset password-control history-record
- Public key management commands
- IPsec commands
- ah authentication-algorithm
- description
- display ipsec { ipv6-policy | policy }
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-profile
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec apply
- ipsec decrypt-check enable
- ipsec logging packet enable
- ipsec df-bit
- ipsec global-df-bit
- ipsec { ipv6-policy | policy }
- ipsec { ipv6-policy | policy } local-address
- ipsec sa global-duration
- ipsec sa idle-time
- ipsec transform-set
- local-address
- pfs
- protocol
- qos pre-classify
- remote-address
- reset ipsec sa
- reset ipsec statistics
- sa duration
- sa hex-key authentication
- sa hex-key encryption
- sa idle-time
- sa spi
- sa string-key
- security acl
- snmp-agent trap enable ipsec
- transform-set
- IKE commands
- authentication-algorithm
- authentication-method
- dh
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- ike dpd
- ike identity
- ike invalid-spi-recovery enable
- ike keepalive interval
- ike keepalive timeout
- ike keychain
- ike limit
- ike nat-keepalive
- ike profile
- ike proposal
- inside-vpn
- keychain
- local-identity
- match local address (IKE keychain view)
- match local address (IKE profile view)
- match remote
- pre-shared-key
- priority (IKE keychain view)
- priority (IKE profile view)
- proposal
- reset ike sa
- reset ike statistics
- sa duration
- snmp-agent trap enable ike
- SSH commands
- SSH server commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server acl
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server dscp
- ssh server enable
- ssh server ipv6 acl
- ssh server ipv6 dscp
- ssh server rekey-interval
- ssh user
- SSH client commands
- SSH server commands
- IP source guard commands
- ARP attack protection commands
- Unresolvable IP attack protection commands
- ARP packet rate limit commands
- Source MAC-based ARP attack detection commands
- ARP packet source MAC consistency check commands
- ARP active acknowledgement commands
- Authorized ARP commands
- ARP detection commands
- ARP automatic scanning and fixed ARP commands
- ARP gateway protection commands
- ARP filtering commands
- uRPF commands
- Crypto engine commands
- FIPS commands
- Support and other resources
- Index
107
mdc-admin
Parameters
handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for
the handshake-period-value argument is 5 to 1024.
quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the
quiet-period-value argument is 10 to 120.
reauth-period reauth-period-value: Sets the periodic re-authentication timer in seconds. The value range
for the reauth-period-value argument is 60 to 7200.
server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the
server-timeout-value argument is 100 to 300.
supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the
supp-timeout-value argument is 1 to 120.
tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the
tx-period-value argument is 10 to 120.
Usage guidelines
In most cases, the default settings are sufficient. You can edit the timers depending on your network
conditions:
• In a low-speed network, increase the client timeout timer.
• In a vulnerable network, set the quiet timer to a high value.
• In a high-performance network with quick authentication response, set the quiet timer to a low
value.
• In a network with authentication servers of different performance, adjust the server timeout timer.
The network device uses the following 802.1X timers:
• Handshake timer (handshake-period)—Sets the interval at which the access device sends client
handshake requests to check the online status of a client that has passed authentication. If the
device receives no response after sending the maximum number of handshake requests, it considers
that the client has logged off.
• Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait
the time period before it can process the authentication attempts from the client.
• Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device
periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication
on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication
timer applies to the users that have been online only after the old timer expires.
• Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS
Access-Request packet to the authentication server. If no response is received when this timer
expires, the access device retransmits the request to the server.
• Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5
Challenge packet to a client. If no response is received when this timer expires, the access device
retransmits the request to the client.
• Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity
packet to a client in response to an authentication request. If the device receives no response before
this timer expires, it retransmits the request. The timer also sets the interval at which the network
device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request
authentication.