R211x-HP Flexfabric 11900 Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA commands
- General AAA commands
- aaa session-limit
- accounting command
- accounting default
- accounting lan-access
- accounting login
- authentication default
- authentication lan-access
- authentication login
- authentication super
- authorization command
- authorization default
- authorization lan-access
- authorization login
- authorization-attribute (ISP domain view)
- display domain
- domain
- domain default enable
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius nas-ip
- radius session-control enable
- radius scheme
- reset radius statistics
- retry
- retry realtime-accounting
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- snmp-agent trap enable radius
- state primary
- state secondary
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs scheme
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- LDAP commands
- General AAA commands
- 802.1X commands
- MAC authentication commands
- Port security commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address security
- port-security mac-move permit
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- Password control commands
- display password-control
- display password-control blacklist
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control super aging
- password-control super composition
- password-control super length
- password-control update-interval
- reset password-control blacklist
- reset password-control history-record
- Public key management commands
- IPsec commands
- ah authentication-algorithm
- description
- display ipsec { ipv6-policy | policy }
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-profile
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec apply
- ipsec decrypt-check enable
- ipsec logging packet enable
- ipsec df-bit
- ipsec global-df-bit
- ipsec { ipv6-policy | policy }
- ipsec { ipv6-policy | policy } local-address
- ipsec sa global-duration
- ipsec sa idle-time
- ipsec transform-set
- local-address
- pfs
- protocol
- qos pre-classify
- remote-address
- reset ipsec sa
- reset ipsec statistics
- sa duration
- sa hex-key authentication
- sa hex-key encryption
- sa idle-time
- sa spi
- sa string-key
- security acl
- snmp-agent trap enable ipsec
- transform-set
- IKE commands
- authentication-algorithm
- authentication-method
- dh
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- ike dpd
- ike identity
- ike invalid-spi-recovery enable
- ike keepalive interval
- ike keepalive timeout
- ike keychain
- ike limit
- ike nat-keepalive
- ike profile
- ike proposal
- inside-vpn
- keychain
- local-identity
- match local address (IKE keychain view)
- match local address (IKE profile view)
- match remote
- pre-shared-key
- priority (IKE keychain view)
- priority (IKE profile view)
- proposal
- reset ike sa
- reset ike statistics
- sa duration
- snmp-agent trap enable ike
- SSH commands
- SSH server commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server acl
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server dscp
- ssh server enable
- ssh server ipv6 acl
- ssh server ipv6 dscp
- ssh server rekey-interval
- ssh user
- SSH client commands
- SSH server commands
- IP source guard commands
- ARP attack protection commands
- Unresolvable IP attack protection commands
- ARP packet rate limit commands
- Source MAC-based ARP attack detection commands
- ARP packet source MAC consistency check commands
- ARP active acknowledgement commands
- Authorized ARP commands
- ARP detection commands
- ARP automatic scanning and fixed ARP commands
- ARP gateway protection commands
- ARP filtering commands
- uRPF commands
- Crypto engine commands
- FIPS commands
- Support and other resources
- Index
153
IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Blacklist items matched: 1.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes
if the user fails to log in after two attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user fails to log in after two attempts, you can find it in the password control blacklist, with its
status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 2 Lock flag: lock
Blacklist items matched: 1.
After 3 minutes, the user is removed from the password control blacklist and can log in again.
Related commands
• display local-user
• display password-control
• display password-control blacklist
• display user-group
• reset password-control blacklist
password-control super aging
Use password-control super aging to set the expiration time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the super password expiration time in days in the range of 1 to 365.