HP FlexFabric 5930 Switch Series
Security Command Reference
Part number: 5998-4628
Software version: Release 2406 & Release 2407P01
Document version: 6W101-20140404

Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt; page numbers omitted)
AAA commands
  General AAA commands
    aaa session-limit
  timer quiet (RADIUS scheme view)
  timer realtime-accounting (RADIUS scheme view)
  timer response-timeout (RADIUS scheme view)
  user-name-format (RADIUS scheme view)
  public-key peer import sshkey
PKI commands
  attribute
  ca ide
  ssh server compatible-ssh1x enable
  ssh server dscp
  ssh server enable
  ssh server ipv6 acl
  display ipv6 source binding static
  ip source binding (interface view)
  ip source binding (system view)
  ip verify source
AAA commands

General AAA commands

aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
aaa session-limit { ftp | ssh | telnet } max-sessions
undo aaa session-limit { ftp | ssh | telnet }
Default
The maximum number of concurrent users is 16 for each user type.

Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Default
The default accounting method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Use undo authentication default to restore the default.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.

authentication login
Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
Default
The default authentication method of the ISP domain is used for login users.

Related commands
• authentication default
• hwtacacs scheme
• local-user
• radius scheme

authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.

Examples
# Configure ISP domain test to use HWTACACS scheme tac for user role authentication.
system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• authentication default
• hwtacacs scheme
• radius scheme

authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
resource control policy. If a command is permitted by command authorization but denied by the access authorization rules, this command cannot be executed. You can specify one command authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, non-login users can access the network, FTP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role.

Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute idle-cut minute [ flow ]
undo authorization-attribute idle-cut
Default
No authorization attribute is configured for users in the ISP domain, and the idle cut function is disabled.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
idle-cut minute: Sets the idle timeout period in minutes. The value range for the minute argument is 1 to 600.

Predefined user roles
network-admin
network-operator
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
If no ISP domain is specified, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.

Field                          Description
Access-Count                   Number of online users.
Default authentication scheme  Default authentication method.
Default authorization scheme   Default authorization method.
Default accounting scheme      Default accounting method.
Login authentication scheme    Authentication method for login users.
Login authorization scheme     Authorization method for login users.
Login accounting scheme        Accounting method for login users.
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain a slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The system has a predefined ISP domain named system. You can modify but not remove its configuration.

To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create an ISP domain named test, and configure it as the default ISP domain.
system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
• display domain
• domain

state (ISP domain view)
Use state to set the status of an ISP domain.

Local user commands

access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users. FTP, SFTP, or SCP users are authorized access to the root directory of the device, but they do not have the access permission. The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view, user group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies the authorization ACL.

Related commands
• display local-user
• display user-group

display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class manage: Specifies the device management users.

Bind Attributes:
Authorization Attributes:
  Work Directory: flash:
  User Role List: network-admin
Password control configurations:
  Password aging: Enabled (3 days)
Table 2 Command output
Field               Description
State               Status of the local user: active or blocked.
Service Type        Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
Access limit        Whether the concurrent login limit is enabled.
Max access number   Maximum number of concurrent logins using the local user name.

display user-group
Use display user-group to display the user group configuration.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If no user group name is specified, the command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.

Field                  Description
Password length        This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition   This field appears only when password composition checking is enabled. It also displays the following information in parentheses:
                       • Minimum number of character types that the password must contain.
                       • Minimum number of characters from each type in the password.
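The password length and composition controls shown in the table above are easy to misread, so here is an added Python example (not from the HP manual, and not the switch's own implementation) that applies both checks to constructed candidate passwords. It assumes four character types (uppercase, lowercase, digit, special), that a type only counts toward the type minimum once it contributes at least the per-type minimum, and a policy of length 10, 4 types, 2 characters per type; all of these values are constructed for the example.

```python
import string

# Character types as assumed for this example: uppercase letters,
# lowercase letters, digits, and special (punctuation) characters.
CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def composition_counts(password):
    """Count the characters of each type in the password."""
    counts = {name: 0 for name in CHAR_TYPES}
    for ch in password:
        for name, members in CHAR_TYPES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def check_password(password, min_length, min_types, min_per_type):
    """Return (ok, reasons) for a password against the three controls.

    min_length   - password length control (minimum length)
    min_types    - minimum number of character types the password must contain
    min_per_type - minimum number of characters from each type (assumption:
                   a type only counts once it reaches this number)
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"length {len(password)} is below the minimum of {min_length}")
    counts = composition_counts(password)
    satisfied = [name for name, n in counts.items() if n >= min_per_type]
    if len(satisfied) < min_types:
        reasons.append(
            f"{len(satisfied)} character type(s) have at least {min_per_type} "
            f"character(s); {min_types} are required"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample passwords checked against a constructed policy:
    # length 10, 4 character types, 2 characters of each type.
    for candidate in ("Abc12345", "Abcdef12345!", "ABcdef123!!"):
        ok, why = check_password(candidate, 10, 4, 2)
        print(candidate, "ok" if ok else "rejected: " + "; ".join(why))
```

The second candidate shows the case that trips people up: it contains all four types, but uppercase and special each appear only once, so under a per-type minimum of 2 only two types count and the password is rejected.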
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class manage ]
undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }
Default
No local user exists.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.

Syntax
password [ { cipher | hash | simple } password ]
undo password
Default
No password is configured for a local user, and a local user can pass authentication after entering the correct username and passing attribute checks.
Views
Local user view
Predefined user roles
network-admin
Parameters
cipher: Sets a ciphertext password.
hash: Sets a hashed password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.

service-type
Use service-type to specify the service types that a local user can use.
Use undo service-type to delete service types configured for a local user.
Syntax
service-type { ftp | { ssh | telnet | terminal } * }
undo service-type { ftp | { ssh | telnet | terminal } * }
Default
A local user is authorized with no service and cannot use any service.
Views
Local user view
Predefined user roles
network-admin
Parameters
ftp: Authorizes the user to use the FTP service.

Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
This command only applies to the local user. It affects no other users.
Examples
# Place the device management user user1 in blocked state.

The system has a predefined user group named system. You can modify but not remove its configuration.
Examples
# Create a user group named abc and enter its view.
system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group

RADIUS commands

accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to restore the default.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme

data-flow-format (RADIUS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.

Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If no RADIUS scheme is specified, the command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.

  VPN                                 : Not configured
  User Name Format                    : with-domain
------------------------------------------------------------------
Table 4 Command output
Field                Description
Index                Index number of the RADIUS scheme.
Primary Auth Server  Information about the primary authentication server.
Primary Acct Server  Information about the primary accounting server.
Second Auth Server   Information about the secondary authentication server.
Second Acct Server   Information about the secondary accounting server.

display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS packet statistics.
display radius statistics
                              Auth.      Acct.      SessCtrl.

Field                    Description
Account Stop             Number of stop-accounting packets.
Terminate Request        Number of packets for logging off users forcibly.
Set Policy               Number of packets for updating user authorization information.
Packet With Response     Number of packets for which responses were received.
Packet Without Response  Number of packets for which no responses were received.
Access Rejects           Number of Access-Reject packets.
Dropped Packet           Number of discarded packets.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme

nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
If no source IP address is specified for outgoing RADIUS packets, a physical port failure can prevent packets returned from the server from reaching the device. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
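Why the shared key on the device must match the one on the server: the server signs every reply with it, and a NAS discards replies whose signature does not verify, which then looks like a server that never answers. The following Python example, added here and not taken from the manual or from HP's implementation, builds a RADIUS request and reply with constructed attributes and performs the NAS-side check from RFC 2865 (Response Authenticator = MD5 over Code, ID, Length, Request Authenticator, Attributes and the shared key). The key value "ok" is the manual's own example key; the addresses and attributes are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes used below (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_request(identifier, attrs, authenticator=None):
    """Build an Access-Request with a (random) 16-byte Request Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def build_response(code, request, attrs, secret):
    """Build the server's reply to `request` the way a RADIUS server does:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier = request[1]
    request_auth = request[4:20]
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """NAS-side check of a reply: the identifier must match the outstanding
    request and the Response Authenticator must verify under the shared key.
    A reply that fails this check is treated as if no reply had arrived."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"ok"                            # the plaintext key from the manual's example
    req = build_request(7, [(1, b"alice")])   # attribute type 1 = User-Name (constructed)
    acc = build_response(ACCESS_ACCEPT, req, [], secret)
    print("same key on both sides :", verify_response(acc, req, secret))
    print("key mismatch           :", verify_response(acc, req, b"not-ok"))
```

The mismatch case is what a wrong key command produces in practice: the server does answer, but the device cannot verify the answer, so the request times out exactly as if the server were unreachable, and the retry and quiet timers described later in this chapter take over.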
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.

Related commands
• display radius scheme
• key (RADIUS scheme view)
• secondary authentication (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)

radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.

Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip (RADIUS scheme view)

radius scheme
Use radius scheme to create a RADIUS scheme and enter its view.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.

undo radius session-control enable
Default
The session-control feature is disabled and UDP port 1812 is closed.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
Examples
# Enable the session-control feature.

Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If it does not receive a real-time accounting request for a user from the NAS within the timeout period, it considers that a line or device failure has occurred, and stops accounting for the user.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive. The key is a string of 1 to 117 characters.

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813
Related commands
• display radius scheme
• key (RADIUS scheme view)
• primary accounting (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication server.
Use undo secondary authentication to remove a secondary RADIUS authentication server.
You can configure up to 16 secondary RADIUS authentication servers for a RADIUS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication server configured earlier has a higher priority) and tries to communicate with it. Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.
Default
No security policy server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the security policy server.
ipv6 ipv6-address: Specifies the IPv6 address of the security policy server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.

Parameters
accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.
authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts.

Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state.

port-number: Service port number of a secondary RADIUS server, a UDP port number in the range of 1 to 65535. The default port number of a secondary accounting server is 1813, and that of a secondary authentication server is 1812.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
active: Specifies the active state, the normal operation state.

Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures, because the device will continue to attempt to communicate with an unreachable server that is in active state.
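The retry count, response timeout, active/blocked server state and quiet timer described in the last few commands interact, and the easiest way to see the interaction is to simulate it. The following Python model is an added example (not from the manual and not HP's implementation); it assumes the behaviour the text describes: servers are tried in order (primary, then secondaries in configured order), an unanswered request is retransmitted up to retry-times attempts, a server that never answers is placed in blocked state for the quiet period, and blocked servers are skipped without waiting until the quiet timer expires. The addresses, which servers answer, and the timer values (response timeout 5 s, quiet 10 min) are constructed; only the retry default of 3 comes from the manual.

```python
from dataclasses import dataclass


@dataclass
class Server:
    """One RADIUS server entry of a scheme (constructed addresses)."""
    address: str
    state: str = "active"        # "active" or "block", as display radius scheme shows it
    blocked_until: float = 0.0   # simulated time at which the quiet timer expires


@dataclass
class Scheme:
    primary: Server
    secondaries: list            # configured order; earlier entries have priority
    retry_times: int = 3         # retry: maximum transmission attempts (manual default 3)
    response_timeout: int = 3    # timer response-timeout, seconds (assumed value)
    quiet_minutes: int = 5       # timer quiet, minutes (assumed value)


class Nas:
    """Simulated device: walks the scheme's servers for one request."""

    def __init__(self, scheme, reachable):
        self.scheme = scheme
        self.reachable = set(reachable)   # constructed: addresses that answer
        self.now = 0.0                    # simulated clock, seconds
        self.log = []

    def send_request(self):
        """Return the address that answered, or None if every server failed."""
        for server in [self.scheme.primary] + list(self.scheme.secondaries):
            if server.state == "block":
                if self.now < server.blocked_until:
                    self.log.append(f"t={self.now:.0f} skip {server.address} (quiet timer)")
                    continue
                server.state = "active"    # quiet timer expired: try this server again
            for attempt in range(1, self.scheme.retry_times + 1):
                self.log.append(f"t={self.now:.0f} send to {server.address} attempt {attempt}")
                if server.address in self.reachable:
                    return server.address
                # No reply within the response timeout: retransmit.
                self.now += self.scheme.response_timeout
            # Every attempt failed: the server enters blocked state for the quiet period.
            server.state = "block"
            server.blocked_until = self.now + self.scheme.quiet_minutes * 60
            self.log.append(f"t={self.now:.0f} block {server.address}")
        return None


def build_demo():
    """Constructed scheme: a primary and two secondaries, only the last reachable."""
    scheme = Scheme(
        primary=Server("10.0.0.1"),
        secondaries=[Server("10.0.0.2"), Server("10.0.0.3")],
        retry_times=3, response_timeout=5, quiet_minutes=10,
    )
    return Nas(scheme, reachable={"10.0.0.3"})


if __name__ == "__main__":
    nas = build_demo()
    print("first request answered by", nas.send_request(), "after", nas.now, "s")
    print("second request answered by", nas.send_request(), "at t =", nas.now)
    print("\n".join(nas.log))
```

The first request pays the full price, retry-times × response-timeout for each dead server (30 s here), before the third server answers; the second request is answered immediately because the two blocked servers are skipped. Shortening the quiet timer makes every request after it expires pay that price again, which is the failure mode the usage guidelines warn about.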
Table 6 Recommended real-time accounting intervals
Number of users   Real-time accounting interval
1 to 99           3 minutes
100 to 499        6 minutes
500 to 999        12 minutes
1000 or more      15 minutes or longer
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

[Sysname-radius-radius1] timer response-timeout 5
Related commands
• display radius scheme
• retry

user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the username.

vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN for a RADIUS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The RADIUS scheme belongs to the public network.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Examples
# Display the configuration of all HWTACACS schemes.
display hwtacacs scheme
Total 1 TACACS schemes
------------------------------------------------------------------
HWTACACS Scheme Name : hwtac
  Index : 0
  Primary Auth Server:
    IP : 2.2.2.2    Port: 49    State: Active
    VPN Instance: 2
    Single-connection: Enabled
  Primary Author Server:
    IP : 2.2.2.
Field              Description
Single-connection  Single connection status:
                   • Enabled—Establish only one TCP connection for all users to communicate with the server.
                   • Disabled—Establish a TCP connection for each user to communicate with the server.
State              Status of the HWTACACS server: active or blocked.
VPN Instance       MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.

You can configure up to 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter its view.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme

key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.

system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.

If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip

primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
No primary HWTACACS authorization server is specified.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS accounting server is specified.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive. The key is a string of 1 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive. The key is a string of 1 to 255 characters.
single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users.

secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
If you use the undo secondary authorization command without specifying any parameter, the command removes all secondary authorization servers. Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Set the server quiet timer to 10 minutes.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views HWTACACS scheme view Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server. Usage guidelines A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
Parameters vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified. Examples # Specify VPN test for HWTACACS scheme hwt1.
Password control commands display password-control Use display password-control to display password control configuration. Syntax display password-control [ super ] Views Any view Predefined user roles network-admin network-operator Parameters super: Displays the password control information for the super passwords. Without this keyword, the command displays the global password control configuration. Examples # Display the global password control configuration.
Table 9 Command output
Field: Description
Password control: Whether the password control feature is enabled.
Password aging: Whether password expiration is enabled and, if enabled, the expiration time.
Password length: Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Password composition: Whether the password composition restriction function is enabled and, if enabled, the settings.
ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines To enable a specific password control function, first enable the global password control feature.
Default A password expires after 90 days. The password expiration time for a user group equals the global setting, and the password expiration time for a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days. Views System view Predefined user roles network-admin Parameters alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character repeated consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Views
System view, user group view, local user view
Predefined user roles
network-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4. The following character types are available:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 11.
A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user. If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs. If no policy is configured for the user group, the system uses the global policy.
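The following script is an added example, not HP code from this reference: it re-implements the password-control rules described above (minimum length, composition type-number and type-length, the same-character and user-name complexity checks, the four-distinct-characters rule for a first password, and history records) together with the scope precedence of local user view over user group view over global view, so an operator can pre-check a candidate password offline before setting it on the device. The special-character set (Table 11 is not reproduced here) and the exact meaning of type-length are assumptions and are marked as such in the code.

```python
"""Offline checks mirroring the password-control rules in this reference.
Added example, not HP code; the device enforces these rules itself."""
import string

# Assumption: Table 11 (special characters) is not reproduced here, so ASCII
# punctuation stands in for it.
SPECIAL = set(string.punctuation)


def char_type_counts(password):
    """Count characters per class: uppercase, lowercase, digit, special."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch in SPECIAL:
            counts["special"] += 1
    return counts


def has_triple_run(password):
    """same-character rule: a character repeated consecutively three or more times."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= 3:
            return True
    return False


def resolve_policy(global_policy, group_policy=None, user_policy=None):
    """Smaller scope wins: local user view over user group view over global view.
    Each scope overrides only the keys it sets; unset keys fall back to the wider scope."""
    policy = dict(global_policy)
    for scope in (group_policy, user_policy):
        if scope:
            policy.update(scope)
    return policy


def check_password(password, username, policy, history=(), first_password=False):
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    violations = []
    if len(password) < policy["length"]:
        violations.append("length")
    counts = char_type_counts(password)
    # Assumption: type-length is the minimum count a character type needs before it
    # counts toward type-number; with type-length 1 this is simply "types present".
    qualifying = sum(1 for n in counts.values() if n >= policy["type_length"])
    if qualifying < policy["type_number"]:
        violations.append("composition")
    if policy.get("same_character") and has_triple_run(password):
        violations.append("same-character")
    if policy.get("user_name") and (username in password or username[::-1] in password):
        violations.append("user-name")
    # First password for a device management user: at least four different characters.
    if first_password and len(set(password)) < 4:
        violations.append("first-password-distinct-chars")
    # history: reject reuse of the last max-record-num passwords (default 4).
    if password in list(history)[-policy.get("history", 4):]:
        violations.append("history")
    return violations


# Global policy with the defaults quoted in this reference (length 10, history 4)
# and both complexity checks enabled.
GLOBAL_POLICY = {"length": 10, "type_number": 1, "type_length": 1,
                 "same_character": True, "user_name": True, "history": 4}

if __name__ == "__main__":
    print(check_password("aaabc", "test", GLOBAL_POLICY))        # ['length', 'same-character']
    print(check_password("abc123", "123", GLOBAL_POLICY))        # ['length', 'user-name']
    strict = resolve_policy(GLOBAL_POLICY, {"length": 12}, {"type_number": 4})
    print(check_password("Sw1tch#Config42", "operator", strict))  # []
```

The two rejected examples are the ones quoted under the same-character and user-name keywords above; the accepted one satisfies a local-user policy that raises type-number to 4 on top of a user-group policy that raises length to 12.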
Usage guidelines A specific password control function takes effect only after the global password control feature is enabled. After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. However, the configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.
Related commands display password-control password-control history Use password-control history to set the maximum number of history password records for each user. Use undo password-control history to restore the default. Syntax password-control history max-record-num undo password-control history Default The maximum number of history password records for each user is 4.
Syntax password-control length length undo password-control length Default The global minimum password length is 10 characters. The minimum password length for a user group equals the global setting, and the minimum password length for a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters length: Specifies the minimum password length in characters.
• password-control length enable password-control login idle-time Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device. Use undo password-control login idle-time to restore the default.
• A user failing to log in after the specified number of attempts must wait for 1 minute before trying again. The login-attempt settings for a user group equal the global settings. The login-attempt settings for a local user equal those for the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters login-times: Specifies the maximum number of consecutive failed login attempts. The value range is 2 to 10.
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the user fails to log in after four attempts.
system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user fails to log in after four attempts, you can find it in the password control blacklist, with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.
Views System view Predefined user roles network-admin Parameters aging-time: Specifies the super password expiration time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. system-view [Sysname] password-control super aging 10 Related commands • display password-control • password-control aging password-control super composition Use password-control super composition to configure the composition policy for super passwords.
[Sysname] password-control super composition type-number 4 type-length 5 Related commands • display password-control • password-control composition password-control super length Use password-control super length to set the minimum length for super passwords. Use undo password-control super length to restore the default. Syntax password-control super length length undo password-control super length Default The minimum super password length is 10 characters.
Views System view Predefined user roles network-admin Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval. Usage guidelines The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires. Examples # Set the minimum password update interval to 36 hours.
reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role name ] | user-name name ] Views User view Predefined user roles network-admin Parameters super: Deletes the history records of a specified super password or all super passwords. role role name: Specifies a user role, in the range of 1 to 63.
Public key management commands display public-key local public Use display public-key local public to display local public keys. Syntax display public-key local { dsa | ecdsa | rsa } public [ name key-name ] Views Any view Predefined user roles network-admin network-operator Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies the name of a local asymmetric key pair.
Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A0
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys.
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF
Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.
Type    Modulus    Name
--------------------------
RSA     1024       idrsa
DSA     1024       10.1.1.1
Table 14 Command output
Field: Description
Type: Key type: RSA, DSA or ECDSA.
Modulus: Key modulus length in bits.
Name: Name of the peer public key.
Related commands
• public-key peer
• public-key peer import sshkey
peer-public-key end
Use peer-public-key end to exit public key view to system view and save the configured peer public key.
[Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key peer • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default No local asymmetric key pair exists. Views System view Predefined user roles network-admin Parameters dsa: Creates a DSA key pair.
The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair. The key pairs are automatically saved and can survive system reboots.
...+.................+..........+...+....+.......+.....+............+.........+. ........................+........+..........+..............+.....+...+.......... ..............+.........+..........+...........+........+....+.................. .....+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the default name. system-view [Sysname] public-key local create ecdsa Generating Keys... Create the key pair successfully.
public-key local destroy Use public-key local destroy to destroy local key pairs. Syntax public-key local destroy { dsa | ecdsa | rsa } [ name key-name ] Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
# Destroy the local ECDSA key pair ecdsa1. system-view [Sysname] public-key local destroy ecdsa name ecdsa1 Confirm to destroy the key pair? [Y/N]:y Related commands public-key local create public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. Examples # Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub. system-view [Sysname] public-key local export dsa openssh key.pub # Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
[Sysname] public-key local export dsa name dsa1 openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98 qGmtaboNkK0YEAkRdp
Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey and its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0 and OpenSSH are different public key formats.
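The following script is an added example, not HP code from this reference. It decodes the hex Key code that display public-key local rsa public prints (the first RSA key in the output earlier in this chapter, a DER-encoded SubjectPublicKeyInfo) into its modulus and exponent, which is what the Modulus column of display public-key peer brief summarizes, and then re-encodes the same key in the single-line OpenSSH format that public-key local export rsa openssh writes, with a parser for the reverse direction so a file received from a peer can be checked before public-key peer import sshkey is run. The key code is copied from the page; the comment string is an assumption.

```python
"""Decode a display public-key RSA key code and convert it to/from OpenSSH format.
Added example, not HP code."""
import base64
import struct

# RSA key code copied from the display public-key local rsa public output above.
KEY_CODE_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442"
    "762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64"
    "DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E"
    "9D85C13413996ECD093B0203010001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_key_code(hex_code):
    """Parse a SubjectPublicKeyInfo key code; return (modulus n, public exponent e)."""
    buf = bytes.fromhex("".join(hex_code.split()))   # tolerate the wrapped display output
    tag, spki, _ = _der_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("key code is not a DER SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)                   # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key (DSA/ECDSA key codes differ)")
    tag, bitstr, _ = _der_tlv(spki, pos)              # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _der_tlv(bitstr, 1)               # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsa_pub, 0)            # INTEGER modulus
    _, e_bytes, _ = _der_tlv(rsa_pub, pos)            # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:            # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def to_openssh(n, e, comment="rsa-key"):
    """Encode as the OpenSSH public key line: 'ssh-rsa <base64(type, e, n)> comment'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def from_openssh(line):
    """Parse an OpenSSH ssh-rsa line back into (n, e); rejects a type mismatch."""
    key_type, b64 = line.split()[:2]
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


if __name__ == "__main__":
    n, e = parse_rsa_key_code(KEY_CODE_HEX)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    line = to_openssh(n, e)
    print(line)
    assert from_openssh(line) == (n, e)
```

The key shown in this chapter decodes to a 768-bit modulus with exponent 65537; checking the decoded bit length before importing a peer key is a cheap way to catch a key pair that is far shorter than current practice.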
q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key Related commands • public-key local create • public-key peer import sshkey public-key peer Use public-key peer to specify a name for a peer public key and enter public key view. Use undo public-key peer to delete a peer public key. Syntax public-key peer keyname undo public-key peer keyname Default The local device has no peer public key.
public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
PKI commands attribute Use attribute to configure an attribute rule for certificate issuer name, subject name, or alternative subject name. Use undo attribute to remove an attribute rule. Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value undo attribute id Default No attribute rule exists.
Different combinations of attribute fields and operation keywords make different matching criteria, as listed in Table 17.
Table 17 Combinations of attribute fields and operation keywords
Operation: DN / FQDN/IP
ctn: DN: The DN contains the specified attribute value. FQDN/IP: Any FQDN or IP address contains the specified attribute value.
nctn: DN: The DN does not contain the specified attribute value. FQDN/IP: All FQDNs and IP addresses do not contain the specified attribute value.
Default No trusted CA is specified. Views PKI domain view Predefined user roles network-admin Parameters name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name is contained in SCEP messages and typically ignored by the CA server. The CA server does not use the trusted CA name unless the server has two CAs configured with the same registration server.
You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect. Examples # Specify the PKI entity for certificate request as en1. system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request entity en1 Related commands pki entity certificate request from Use certificate request from to specify the authority for accepting certificate requests.
Syntax certificate request mode { auto [ password { cipher | simple } password ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin Parameters auto: Specifies the certificate request mode as auto. password: Specifies a password for certificate revocation. cipher: Sets a ciphertext password for certificate revocation. simple: Sets a plaintext password for certificate revocation.
certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts for querying certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
Syntax certificate request url url-string [ vpn-instance vpn-instance-name ] undo certificate request url Default The URL of the registration server is not specified. Views PKI domain view Predefined user roles network-admin Parameters url-string: Specifies the URL of the registration server for certificate request, a case-sensitive string of 1 to 511 characters.
Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Set test as the common name of the PKI entity en.
Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin Usage guidelines A CRL is a file issued by a CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters in the format of ldap://server_location or http://server_location, where server_location can be an IP address or a domain name. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the CRL repository belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.
Parameters policy-name: Specifies the name of a certificate access control policy, a case-insensitive string of 1 to 31 characters. Usage guidelines If no policy name is specified, this command displays information about all certificate access control policies. Examples # Display information about the certificate access control policy mypolicy.
Predefined user roles network-admin network-operator Parameters group-name: Specifies the name of a certificate attribute group, a case-insensitive string of 1 to 31 characters. Usage guidelines If no certificate attribute group is specified, this command displays information about all certificate attribute groups. Examples # Display information about the certificate attribute group mygroup.
Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d: 84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f: 52:db:7b:cd:5d:2b:66:5a:fb Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98: 3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:
Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30 X509v3 Authority Key Identifier: keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F X509v3 Subject Alternative Name: email:abc@ccc.
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a specific peer certificate in the PKI domain aaa.
Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands • pki domain • pki retrieve-certificate display pki cert
Status: Pending Key usage: General Remain polling attempts: 10 Next polling attempt after : 1191 seconds Certificate Request Transaction 2 Domain name: domain2 Status: Pending Key usage: Signature Remain polling attempts: 10 Next polling attempt after : 188 seconds Table 20 Command output Field Description Certificate Request Transaction number Certificate request transaction number, starting from 1. Status Certificate request status, including only the pending status.
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe ('). Usage guidelines Use this command to check whether a certificate has been revoked. Examples # Display information about the locally saved CRLs.
Field: Description
Last Update: Last CRL update time.
Next Update: Next CRL update time.
X509v3 Authority Key Identifier: X509v3 ID of the CA that issues the CRL.
keyid: Key ID. One CA might have multiple key pairs. This field identifies the key pair used to sign the CRL.
Signature Algorithm: Signature algorithm and signature data.
Related commands
pki retrieve-crl
fqdn
Use fqdn to set the FQDN of an entity. Use undo fqdn to remove the configuration.
Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is configured for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters ip-address: Configures an IPv4 address. interface interface-type interface-number: Specifies the primary IPv4 address of an interface as the IPv4 address of the PKI entity.
Parameters host host-name: Specifies the host name of an LDAP server, a case-sensitive string of 1 to 255 characters. It can be an IPv4 or IPv6 address or a domain name. port port-number: Specifies the port number of an LDAP server, in the range of 1 to 65535. The default setting is 389. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Predefined user roles network-admin Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality. Examples # Set Beijing as the locality of the PKI entity en. system-view [Sysname] pki entity en [Sysname-pki-entity-en] locality BeiJing organization Use organization to set the organization name for a PKI entity. Use undo organization to remove the configuration.
Default No organization unit name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters org-unit-name: Sets an organization unit name for identifying a department or a unit in an organization, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set rdtest as the organization unit name for the PKI entity en.
• pki request-certificate domain pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate access control policy and enter its view. Use undo pki certificate access-control-policy to remove a specified certificate access control policy.
Predefined user roles network-admin Parameters group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate attribute group is a set of attribute rules (defined by using the attribute command). Each attribute rule defines a matching criterion for the issuer names, subject names, and alternative subject names of certificates.
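The following script is an added example, not HP code from this reference. It evaluates attribute rules of the form described under the attribute command (Table 17 above) against a certificate and then combines several rules into an attribute group as described here. The ctn and nctn semantics follow Table 17; the equ and nequ semantics (exact match of the DN, or of any FQDN/IP) and the rule that a certificate matches a group only when every rule in the group matches are assumptions, and the certificate field values are constructed sample data.

```python
"""Evaluate certificate attribute rules and attribute groups.
Added example, not HP code; equ/nequ and group semantics are assumptions."""

# Constructed sample certificate: issuer and subject as DN strings plus the FQDN
# and IP values the device would take from the name and alternative name fields.
SAMPLE_CERT = {
    "subject-name": {"dn": "C=cn,O=ccc,OU=sec,CN=sldsslserver",
                     "fqdn": ["sldsslserver.example.com"], "ip": []},
    "issuer-name": {"dn": "C=cn,O=ccc,OU=sec,CN=ssl", "fqdn": [], "ip": []},
    "alt-subject-name": {"fqdn": ["sldsslserver.example.com", "ssl.example.com"],
                         "ip": ["192.0.2.10"]},
}


def match_rule(cert, field, attr_type, op, value):
    """Apply one attribute rule.
    field: issuer-name | subject-name | alt-subject-name
    attr_type: dn | fqdn | ip (alt-subject-name allows only fqdn or ip)
    op: ctn | equ | nctn | nequ"""
    if field == "alt-subject-name" and attr_type == "dn":
        raise ValueError("alt-subject-name supports only fqdn or ip")
    target = cert[field][attr_type]
    if attr_type == "dn":
        checks = {"ctn": value in target, "equ": target == value}
    else:
        # Table 17: ctn succeeds if ANY FQDN or IP contains the value; nctn requires
        # ALL of them to miss. equ/nequ are treated the same way with exact matches
        # (assumption). An empty list therefore satisfies nctn and nequ.
        checks = {"ctn": any(value in item for item in target),
                  "equ": any(item == value for item in target)}
    checks["nctn"] = not checks["ctn"]
    checks["nequ"] = not checks["equ"]
    return checks[op]


def match_group(cert, rules):
    """A certificate matches an attribute group only when every rule matches (assumption).
    rules: iterable of (field, attr_type, op, value) tuples, i.e. one attribute command each."""
    return all(match_rule(cert, *rule) for rule in rules)


if __name__ == "__main__":
    # Equivalent of two attribute commands in one certificate attribute group:
    #   attribute 1 subject-name dn ctn O=ccc
    #   attribute 2 alt-subject-name fqdn nctn evil
    group = [("subject-name", "dn", "ctn", "O=ccc"),
             ("alt-subject-name", "fqdn", "nctn", "evil")]
    print(match_group(SAMPLE_CERT, group))   # True
    group.append(("alt-subject-name", "ip", "equ", "10.1.1.1"))
    print(match_group(SAMPLE_CERT, group))   # False: no alternative IP equals 10.1.1.1
```

Because nctn and nequ are satisfied by a certificate that carries no FQDN or IP at all, a group that relies only on negative rules admits such certificates; pair them with a positive ctn or equ rule when the intent is to require a particular name.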
Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates and CRLs in the same PKI domain. If you want to remove a peer certificate, you must specify the serial number of the certificate by using the display pki certificate command. Examples # Remove the CA certificate in the PKI domain aaa.
Views System view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
[Sysname] pki entity en [Sysname-pki-entity-en] Related commands pki domain pki export Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.
filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string. If you do not specify a file name for the certificates in PEM format, this command displays the certificates on the terminal. Usage guidelines When you export the CA certificate of a PKI domain, if the PKI domain has a CA certificate or a CA certificate chain, this command exports the CA certificate or the CA certificate chain to the specified file or displays it on the terminal.
system-view
[Sysname] pki export domain domain1 der local filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in DER format.
system-view
[Sysname] pki export domain domain1 der all filename cert-all.p7b
# Export the CA certificate in the PKI domain to a file named cacert in PEM format.
L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12 X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK 7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw== -----END CERTIFICATE----Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09
AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0 CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0c
friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIcUSKSW9GVmICAggA MBEGBSsOAwIHBAi5QZM+lSYWPASCAoBKDYulE5f2BXL9ZhI9zWAJpx2cShz/9PsW 5Qm106D+xSj1eAzkx/m4Xb4xRU8oOAuzu1DlWfSHKXoaa0OoRSiOEX1eg0eo/2vv CHCvKHfTJr4gVSSa7i4I+aQ6AItrI6q99WlkN/e/IE5U1UE4ZhcsIiFJG+IvG7S8 f9liWQ2CImy/hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs HVSg0nm114EwPtPMMbHefcuQ6b82y1M+d
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcuJsWhAJXEDmowGb5z7VDVms54TKi xnaNJCWvBOrU64ftvpVB7xQekbkjgAS9FjDyXlLQ8IyIsYIp5ebJr8P+n9i9Pl7j lBx5mi4XeIldyv2OjfNx5oSQ+gWY9/m1R8uv13RS05r3rxPg+7EvKBjmiy0Giddw vu3Y3WrjBPp6GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJrQddzVQEiy4AcgtzUL ltkmlmWoz87+jUsgFB+H+xeyiZE4sancf2UwH8kXWqZ5AuReFCCBC2fkvvQvUGnV cso7JXAhfw8sUFok9eHz2R+GSoEk5BZFzZ8eCmNyGq9ln6mJsO1hAqMpsCW6G2zh 5mus7FTHhywXpJ22/fnHg61m -----END CERTIFICATE---------BEGIN CERTIFICATE----MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb
Syntax pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] } Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.
• If the local certificates or peer certificates to be imported do not contain the CA certificate chain, but the certificate of the CA that issues the local certificate or peer certificate already exists in a PKI domain, you can directly import the local certificates or peer certificates.
When you import the CA certificate:
• If the CA certificate to be imported is the CA root certificate or contains the certificate chain with the root certificate, you can import the CA certificate.
system-view
[Sysname] pki import domain bbb p12 local filename local-ca.p12
Please input challenge password: ******
[Sysname]
# Import the local certificate in PEM format to the PKI domain bbb by copying and pasting the contents of the certificate. The certificate contains the key pair and the CA certificate chain.
system-view
[Sysname] pki import domain bbb pem local
Enter PEM-formatted certificate. End with a Ctrl+c on a line by itself.
pki request-certificate
Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format.
Syntax
pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
Views
System view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
# Request the local certificates.
[Sysname] pki request-certificate domain openca
Start to request the general certificate ...
…
Request certificate of domain openca successfully
Related commands
display pki certificate
pki retrieve-certificate
Use pki retrieve-certificate to obtain a certificate from the certificate distribution server.
The trusted CA's finger print is:
MD5 fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC
SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266
Is the finger print correct?(Y/N):y
# Obtain the local certificates from the certificate distribution server.
system-view
[Sysname] pki retrieve-certificate domain aaa local
# Obtain the certificate of the peer entity en1 from the certificate distribution server.
• If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from that repository. Otherwise, the device obtains CRLs through the SCEP protocol.
Examples
# Obtain CRLs from the CRL repository.
system-view
[Sysname] pki storage certificates flash:/pki-new
# Specify pki-new as the storage path for the CRLs.
system-view
[Sysname] pki storage crls pki-new
pki validate-certificate
Use pki validate-certificate to verify the validity of certificates.
CN=rootca
Subject:
C=cn
O=abc
OU=test
CN=aca
Verify result: OK
Verifying certificate......
Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Issuer:
C=cn
O=ccc
OU=ppp
CN=rootca
Subject:
C=cn
O=ccc
OU=ppp
CN=rootca
Verify result: OK
# Verify the local certificates in the PKI domain aaa.
system-view
[Sysname] pki validate-certificate domain aaa local
Verifying certificate......
Use undo public-key to remove the configuration.
Syntax
public-key dsa name key-name [ length key-length ]
undo public-key
Default
No key pair is specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. The value range is 512 to 2048, and the default is 1024.
Use undo public-key to remove the configuration.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
encryption: Specifies a key pair for encryption.
system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048
# Specify the RSA encryption key pair rsa1 with the key length 2048 bits, and the RSA signing key pair sig1 with the key length 2048 bits for certificate request.
certificate contains a CA root certificate that is not stored locally, the device uses the specified fingerprint in the PKI domain for verification and requires you to confirm the fingerprint. If you specify a wrong fingerprint, you cannot import or obtain the CA certificate.
Examples
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
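The fingerprint confirmation shown in the pki retrieve-certificate example above, and the fingerprint configured in the PKI domain here, are only as good as the out-of-band value they are compared with. The following is an added example (not HP's code) that computes the MD5 and SHA1 fingerprints of a CA certificate file in the same grouped-hex form the switch prints, parses the switch's confirmation prompt, and compares the two. The PEM sample is a constructed placeholder body, not a real certificate, and all function names are this example's own.

```python
"""Check the CA fingerprint printed by the switch against one computed from the CA file.

Added example, not part of the HP reference. SAMPLE_PEM is a constructed
placeholder (base64 of the bytes b"abc"), not a real certificate.
"""
import base64
import hashlib
import re

# Prompt text as printed in the reference's pki retrieve-certificate example.
SAMPLE_PROMPT = (
    "The trusted CA's finger print is: "
    "MD5 fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC "
    "SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266 "
    "Is the finger print correct?(Y/N):"
)

# Constructed placeholder: a PEM wrapper around b"abc", used only to exercise the code.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def load_der(data: bytes) -> bytes:
    """Return DER bytes from either raw DER or a PEM CERTIFICATE block."""
    text = data.decode("ascii", errors="ignore")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m:
        body = re.sub(r"\s+", "", m.group(1))  # drop line breaks inside the base64 body
        return base64.b64decode(body, validate=True)
    return data  # no PEM armour: assume the input is already DER


def device_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER certificate in the switch's display form: upper-case hex in groups of 4."""
    algo = algo.lower()
    if algo not in ("md5", "sha1"):
        raise ValueError("the device offers md5 or sha1 fingerprints only")
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def normalize(fp: str) -> str:
    """Strip spaces, colons and case so values pasted from any tool compare reliably."""
    return re.sub(r"[\s:]", "", fp).upper()


def fingerprint_matches(cert: bytes, shown: str, algo: str) -> bool:
    """True if the fingerprint the switch printed equals the one computed from the CA file."""
    return normalize(device_fingerprint(load_der(cert), algo)) == normalize(shown)


def parse_prompt(output: str) -> dict:
    """Extract {'md5': ..., 'sha1': ...} from the switch's confirmation prompt."""
    pattern = r"(MD5|SHA1) fingerprint:\s*([0-9A-Fa-f ]+)"
    return {m.group(1).lower(): m.group(2).strip() for m in re.finditer(pattern, output)}


def verify_prompt(cert: bytes, output: str) -> dict:
    """Compare every fingerprint in the prompt with the CA file; answer Y only if all are True."""
    return {algo: fingerprint_matches(cert, shown, algo)
            for algo, shown in parse_prompt(output).items()}


if __name__ == "__main__":
    # With the placeholder certificate, the reference's fingerprints do not match, as expected.
    print(verify_prompt(SAMPLE_PEM, SAMPLE_PROMPT))
```

The switch offers only MD5 and SHA1 fingerprints; when both are printed, compare both, since an MD5 match alone is weak evidence.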
Usage guidelines
You can associate a nonexistent certificate attribute group when you create a statement. Later you can use the pki certificate attribute-group command to create the certificate attribute group. If the associated certificate attribute group does not exist, or the group has no attribute rules (set by the attribute command), any certificate can match the statement. The statements in a policy are sorted in ascending order.
command to use the IP address of the interface as the source IP address if the IP address is dynamically obtained. The route between the specified source IP address and the CA server must be reachable. A PKI domain can have only one source IP address. If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Specify the source IP address of PKI protocol packets as 111.1.1.8.
system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] source ip 111.1.1.
system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] state countryA
usage
Use usage to specify the extension for certificates.
Use undo usage to remove the configuration.
Syntax
usage { ssl-client | ssl-server } *
undo usage [ ssl-client | ssl-server ] *
Default
No extension is specified, and a certificate can be used for all applications, including SSL clients and SSL servers.
SSH commands
SSH server commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Syntax
display ssh server { session | status }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
session: Displays the SSH server sessions.
status: Displays the SSH server status.
Examples
# Display the SSH server status.
display ssh server status
SSH server: Disable
SSH version : 1.
Field                     Description
SFTP server Idle-Timeout  SFTP connection idle timeout timer.
# Display the SSH server sessions.
display ssh server session
UserPid SessID Ver Encrypt    State       Retries Serv    Username
184     0      2.0 aes128-cbc Established 1       Stelnet abc@123
Table 23 Command output
Field    Description
UserPid  User process ID.
SessID   Session ID.
Ver      Protocol version of the SSH server.
Encrypt  Encryption algorithm used on the SSH server.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Usage guidelines
This command only displays information about SSH users configured with the ssh user command on the SSH server.
Examples
# Display information about all SSH users.
Views
System view
Predefined user roles
network-admin
Examples
# Enable the SFTP server function.
system-view
[Sysname] sftp server enable
Related commands
display ssh server
sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server.
Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Use undo ssh server acl to restore the default.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
An SSH server allows all IPv4 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.
Default
The maximum number of authentication attempts for SSH users is 3.
Views
System view
Predefined user roles
network-admin
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Usage guidelines
You can set this limit to prevent brute-force guessing of usernames and passwords. This configuration takes effect only on users who log in after it is configured.
Usage guidelines
If a user does not finish authentication before the timeout timer expires, the connection cannot be established. You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentication is pending.
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
Syntax
ssh server dscp dscp-value
undo ssh server dscp
Default
The DSCP value in IPv4 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
Usage guidelines
The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
ssh server ipv6 acl
Use ssh server ipv6 acl to control access to the IPv6 SSH server.
Use undo ssh server ipv6 acl to restore the default.
Syntax
ssh server ipv6 acl [ ipv6 ] acl-number
undo ssh server ipv6 acl
Default
An SSH server allows all IPv6 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL. If this keyword is not specified, a Layer 2 ACL is applied.
acl-number: Specifies an ACL by its number.
ssh server ipv6 dscp
Use ssh server ipv6 dscp to set the DSCP value in the IPv6 packets that the SSH server sends to the SSH clients.
Use undo ssh server ipv6 dscp to restore the default.
Syntax
ssh server ipv6 dscp dscp-value
undo ssh server ipv6 dscp
Default
The DSCP value in IPv6 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv6 packets, in the range of 0 to 63.
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours.
Usage guidelines
Updating the RSA server key pair periodically limits the exposure of any single key pair and enhances the security of SSH connections. This command takes effect only on the SSH clients that use SSH1 client software.
Examples
# Set the RSA server key pair update interval to 3 hours.
• any: Specifies either password authentication or publickey authentication.
• password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
• publickey: Specifies publickey authentication. This authentication method involves more complex and slower public-key operations, but it provides strong authentication that can defend against brute-force attacks.
[Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1
# Create a local device management user named user1, set the password to 123456TESTplat&! in plain text and the service type to ssh, and assign flash: as the working directory and network-admin as the user role.
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name of a path on the server.
Usage guidelines
You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp> cd new1
Current Directory is:/new1
sftp> pwd
Remote working directory: /new1
sftp>
cdup
Use cdup to return to the upper-level directory.
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies the files to delete from the server.
Usage guidelines
This command functions as the remove command.
Examples
# Delete the file temp.c from the server.
sftp> delete temp.c
Removing /temp.c
dir
Use dir to display information about the files and sub-directories under a directory.
new2
pub2
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the source IP address configured for the Stelnet client.
display ssh client source
The source IP address of the SSH client is 192.168.0.1
The source IPv6 address of the SSH client is 2:2::2:2.
Related commands
• ssh client ipv6 source
• ssh client source
exit
Use exit to terminate the connection with an SFTP server and return to user view.
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file is saved locally with the same name as on the server.
Examples
# Download the file temp1.c and save it as temp.c locally.
sftp> get temp1.c temp.c
Fetching /temp1.c to temp.c
/temp.c 100% 1424 1.4KB/s
help
Use help to display help information about SFTP client commands.
rename oldpath newpath    Rename remote file
remove path               Delete remote file
rmdir path                Delete remote empty directory
?                         Synonym for help
ls
Use ls to display information about the files and sub-directories under a directory.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
Parameters
-a: Displays the names of the files and sub-directories under a directory.
mkdir
Use mkdir to create a directory on an SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name for the directory on an SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp> mkdir test
put
Use put to upload a local file to an SFTP server.
Views
SFTP client view
Predefined user roles
network-admin
Examples
# Display the current working directory of the SFTP server.
sftp> pwd
Remote working directory: /
The output shows that the current working directory is the root directory.
quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Predefined user roles
network-admin
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c
rename
Use rename to change the name of a file or directory on an SFTP server.
Syntax
rename old-name new-name
Views
SFTP client view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of an existing file or directory.
new-name: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp> dir
aa.pub
temp1.
scp Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange.
Syntax
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange.
Syntax
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ip ip-address } ]
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets sent by the SFTP client, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies as the source IPv6 address the IPv6 address of the interface that matches the destination address of the outbound packets using the longest-match criterion. The interface-type interface-number argument specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Parameters
interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
The SFTP client uses the specified source interface and source IP address to communicate with the server. If you execute the sftp client source command multiple times, the most recent configuration takes effect.
-i interface-type interface-number: Specifies the outgoing interface used by the client to connect to the server. The specified outgoing interface must have a link-local address. The argument interface-type interface-number specifies the outgoing interface by its type and number. This option is used when the server uses a link-local address to provide the SFTP service for the client.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa.
Usage guidelines
When the server uses publickey authentication to authenticate a client, the client must use its local private key to produce a digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify the public key algorithm (by using the identity-key keyword) so that the correct local private key is used.
Examples
# Connect an SFTP client to the IPv6 SFTP server 2000::1 and specify the public key of the server as svkey.
If you use the ssh2 ipv6 command to connect to a Stelnet server and specify another source IPv6 address, the Stelnet client uses the new source IPv6 address for the current connection instead of the one specified by the ssh client ipv6 source command. The source address specified by the ssh client ipv6 source command applies to all Stelnet connections, and the source address specified by the ssh2 ipv6 command applies only to the current connection.
Examples
# Specify the source IPv4 address for the Stelnet client as 192.168.0.1.
system-view
[Sysname] ssh client source ip 192.168.0.1
Related commands
display ssh client source
ssh2
Use ssh2 to establish a connection to an IPv4 Stelnet server.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange.
ssh2 ipv6 Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
SSL commands
SSL server policy configuration commands
ciphersuite
Use ciphersuite to specify the cipher suites supported by an SSL server policy.
Use undo ciphersuite to restore the default.
rsa_des_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm SHA.
Usage guidelines
SSL employs the following algorithms:
• Data encryption algorithms—Encrypt data to ensure privacy.
Default
The SSL server does not authenticate SSL clients.
Views
SSL server policy view
Predefined user roles
network-admin
Usage guidelines
The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide. If you execute the client-verify enable command, an SSL client must send its own digital certificate to the SSL server for authentication.
Client-verify: enabled
Table 25 Command output
Field          Description
Client-verify  Indicates whether the server is enabled to use digital certificates to authenticate clients.
pki-domain (SSL server policy view)
Use pki-domain to specify a PKI domain for an SSL server policy.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is specified for an SSL server policy.
undo session cachesize
Default
The SSL server can cache 500 sessions at most.
Views
SSL server policy view
Predefined user roles
network-admin
Parameters
size: Specifies the maximum number of cached sessions, in the range of 100 to 1000.
Usage guidelines
The SSL handshake protocol follows a complicated procedure to negotiate session parameters and establish sessions. To simplify the procedure, SSL allows you to reuse negotiated session parameters to establish sessions.
Usage guidelines
This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application.
Examples
# Create SSL server policy policy1 and enter SSL server policy view.
pki-domain (SSL client policy view)
Use pki-domain to specify a PKI domain for the SSL client policy.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is specified for an SSL client policy.
Views
SSL client policy view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Views
SSL client policy view
Predefined user roles
network-admin
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the SSL client policy policy1 to support the key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.
ssl client-policy
Use ssl client-policy to create an SSL client policy and enter SSL client policy view.
Use undo ssl client-policy to delete an SSL client policy.
Syntax
ssl client-policy policy-name
undo ssl client-policy policy-name
Default
No SSL client policy exists on the device.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Predefined user roles
network-admin
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SSL version for SSL client policy policy1 as TLS 1.0.
system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version tls1.
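The SSH server and SSL policy commands above share a pattern: the defaults are permissive (the SSH server admits every client until ssh server acl is set, the SSL server never asks clients for a certificate until client-verify enable is configured) and several options are weak by today's standards (the RC4 and DES cipher suites, MD5 MACs, the ssl3.0 version, up to 5 authentication retries). The following is an added example, not HP's code, that audits a constructed running-config excerpt against exactly those points. The command names ssh server enable and ssh server authentication-retries, and the convention that lines inside a policy view are indented by two spaces, are assumptions about the switch CLI.

```python
"""Audit a constructed Comware-style config excerpt for the weak SSH/SSL settings named in the reference.

Added example, not part of the HP reference. The rules encode: default open SSH access
without 'ssh server acl', authentication-retries above the default of 3, password-only
SSH users, the rsa_rc4_128_* / rsa_des_cbc_sha cipher suites, policies pinned to ssl3.0,
and server policies that never enable client-verify. 'ssh server enable' and
'ssh server authentication-retries' are assumed command names.
"""
import re
from dataclasses import dataclass

# Cipher suites listed on this page whose primitives are no longer considered safe.
WEAK_SUITES = {
    "rsa_rc4_128_md5": "RC4 stream cipher and MD5 MAC",
    "rsa_rc4_128_sha": "RC4 stream cipher",
    "rsa_des_cbc_sha": "single DES (56-bit) encryption",
}

# Constructed sample: two weak policies and a permissive SSH server.
SAMPLE_CONFIG = """\
ssh server enable
ssh server authentication-retries 5
ssh user admin service-type stelnet authentication-type password
ssl server-policy web
  pki-domain corp
  ciphersuite rsa_rc4_128_md5 dhe_rsa_aes_128_cbc_sha
ssl client-policy syslog
  version ssl3.0
"""


@dataclass
class Finding:
    line: int        # 1-based line in the audited text; 0 for whole-config findings
    severity: str    # "high", "medium" or "low"
    message: str


def audit_config(config: str) -> list:
    """Return a list of Finding objects for the given running-config text."""
    findings = []
    policy = None            # (kind, name) of the enclosing ssl policy view, if any
    has_ssh_acl = False
    ssh_enabled = False
    server_policies = {}     # policy name -> client-verify enabled?
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "#":
            continue
        if len(raw) - len(raw.lstrip()) < 2:
            policy = None    # assumption: unindented lines are back in system view
        m = re.match(r"ssl (server|client)-policy (\S+)$", line)
        if m:
            policy = (m.group(1), m.group(2))
            if policy[0] == "server":
                server_policies.setdefault(policy[1], False)
            continue
        retries = re.match(r"ssh server authentication-retries (\d+)$", line)
        if line.startswith(("ssh server enable", "sftp server enable")):
            ssh_enabled = True
        elif line.startswith("ssh server acl "):
            has_ssh_acl = True
        elif retries:
            if int(retries.group(1)) > 3:
                findings.append(Finding(no, "medium",
                    f"authentication-retries {retries.group(1)} exceeds the default of 3; "
                    "each connection gets more password guesses"))
        elif ("ssh user " in line and "authentication-type password" in line
                and "password-publickey" not in line):
            findings.append(Finding(no, "low",
                "SSH user relies on password-only authentication; "
                "password-publickey or publickey is stronger"))
        elif policy and line.startswith("ciphersuite "):
            for suite in line.split()[1:]:
                if suite in WEAK_SUITES:
                    findings.append(Finding(no, "high",
                        f"{policy[0]} policy {policy[1]} allows {suite} "
                        f"({WEAK_SUITES[suite]})"))
        elif policy and line == "version ssl3.0":
            findings.append(Finding(no, "high",
                f"{policy[0]} policy {policy[1]} is pinned to SSL 3.0; use tls1.0"))
        elif policy and policy[0] == "server" and line == "client-verify enable":
            server_policies[policy[1]] = True
    if ssh_enabled and not has_ssh_acl:
        findings.append(Finding(0, "medium",
            "SSH server is enabled without 'ssh server acl'; all IPv4 clients may connect"))
    for name, verify in server_policies.items():
        if not verify:
            findings.append(Finding(0, "low",
                f"SSL server policy {name} never authenticates clients (client-verify disabled)"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line:>2} [{f.severity}] {f.message}")
```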
IP source guard commands
display ip source binding
Use display ip source binding to display IPv4 source guard binding entries.
Examples
# Display IPv4 source guard binding entries on all interfaces on the public network and all global static IPv4 source guard binding entries.
display ip source binding
Total entries found: 5
IP Address  MAC Address     Interface  VLAN  Type
10.1.0.5    040a-0000-4000  FGE1/0/1   1     DHCP snooping
10.1.0.6    040a-0000-3000  FGE1/0/1   1     DHCP snooping
10.1.0.7    040a-0000-2000  FGE1/0/1   1     DHCP snooping
10.1.0.8    040a-0000-1000  FGE1/0/2   N/A   DHCP relay
10.1.0.
Parameters
static: Displays static IPv6 source guard binding entries.
ip-address ipv6-address: Displays static IPv6 source guard binding entries for an IPv6 address.
mac-address mac-address: Displays static IPv6 source guard binding entries for a MAC address. The MAC address must be specified in H-H-H format.
vlan vlan-id: Displays static IPv6 source guard binding entries for a VLAN. The vlan-id argument is the bound VLAN ID, in the range of 1 to 4094.
ip source binding (interface view)
Use ip source binding to configure a static IPv4 source guard binding entry on an interface.
Use undo ip source binding to delete the static IPv4 source guard binding entries configured on an interface.
ip source binding (system view)
Use ip source binding to configure a global static IPv4 source guard binding entry.
Use undo ip source binding to delete one or all global static IPv4 source guard binding entries.
Syntax
ip source binding ip-address ip-address mac-address mac-address
undo ip source binding { all | ip-address ip-address mac-address mac-address }
Default
No global static IPv4 source guard binding entry exists.
Default
The IPv4 source guard function is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view, Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters packets by source IPv4 address. With this keyword specified, the IP source guard function on the interface filters a received packet by using the source IP addresses of the IPv4 source guard binding entries.
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface by using source IPv4 and MAC addresses of IPv4 source guard binding entries.
system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip verify source ip-address mac-address
# Enable IPv4 source guard on Layer 3 Ethernet interface FortyGigE 1/0/2 to filter packets received on the interface by using source IPv4 and MAC addresses of IPv4 source guard binding entries.
vlan vlan-id: Specifies a VLAN ID for the static IPv6 source guard binding entry. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
Static IPv6 source guard binding entries on an interface filter IPv6 packets received on the interface. You cannot configure static IPv6 source guard binding entries on an interface that is in a service loopback group.
Examples
# Configure a global static IPv6 source guard binding entry to allow only the packets with source IPv6 address 2001::1 and source MAC address 0002-0002-0002 to pass.
system-view
[Sysname] ipv6 source binding ipv6-address 2001::1 mac-address 0002-0002-0002
Related commands
• display ipv6 source binding static
• ipv6 source binding (interface view)
ipv6 verify source
Use ipv6 verify source to enable the IPv6 source guard function.
Use undo ipv6 verify source to restore the default.
Examples
# Enable IPv6 source guard on Layer 2 Ethernet port FortyGigE 1/0/1 to filter packets received on the port based on the source IPv6 and MAC addresses.
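The difference between the ip-address and ip-address mac-address modes of ip verify source is easiest to see against the binding table. The following is an added example, not HP's code, that parses a constructed copy of the display ip source binding output shown above and decides whether a packet received on an interface would pass in each mode. Per-interface matching, and skipping the VLAN comparison when the entry shows N/A, are assumptions about the device's behaviour; the function names are this example's own.

```python
"""Model of IPv4 source guard filtering driven by the 'display ip source binding' table.

Added example, not part of the HP reference. BINDING_OUTPUT is a constructed copy of the
sample table in the reference; per-interface matching and the N/A VLAN handling are
assumptions about how the switch applies the entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

BINDING_OUTPUT = """\
Total entries found: 4
IP Address  MAC Address     Interface  VLAN  Type
10.1.0.5    040a-0000-4000  FGE1/0/1   1     DHCP snooping
10.1.0.6    040a-0000-3000  FGE1/0/1   1     DHCP snooping
10.1.0.7    040a-0000-2000  FGE1/0/1   1     DHCP snooping
10.1.0.8    040a-0000-1000  FGE1/0/2   N/A   DHCP relay
"""

# One table row: IP, H-H-H MAC, interface, VLAN (number or N/A), entry type.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
    r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)

# The two filtering modes are the keywords of 'ip verify source'.
MODES = ("ip-address", "ip-address mac-address")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: Optional[int]   # None where the table shows N/A (e.g. DHCP relay entries)
    kind: str


def parse_bindings(output: str) -> List[Binding]:
    """Parse the rows of 'display ip source binding'; header and total lines are skipped."""
    bindings = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, mac, iface, vlan, kind = m.groups()
        bindings.append(Binding(ip, mac.lower(), iface, None if vlan == "N/A" else int(vlan), kind))
    return bindings


def packet_allowed(bindings: List[Binding], interface: str, src_ip: str,
                   src_mac: str, vlan: Optional[int], mode: str) -> bool:
    """Decide whether a packet received on 'interface' passes the source guard check."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    for b in bindings:
        if b.interface != interface or b.ip != src_ip:
            continue                          # entries apply only to their own interface
        if b.vlan is not None and vlan is not None and b.vlan != vlan:
            continue                          # VLAN-bound entry, wrong VLAN
        if mode == "ip-address mac-address" and b.mac != src_mac.lower():
            continue                          # stricter mode also needs the MAC to match
        return True
    return False                              # no matching entry: the packet is dropped


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    for mode in MODES:
        ok = packet_allowed(table, "FGE1/0/1", "10.1.0.5", "040a-0000-0001", 1, mode)
        print(f"{mode:24} bound IP with a different MAC -> {'pass' if ok else 'drop'}")
```

Run stand-alone, the script shows the practical reason to prefer the ip-address mac-address mode: an entry's IP address presented from a different MAC passes the ip-address check but not the stricter one.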
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
undo arp source-suppression enable
Default
The ARP source suppression function is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the current ARP source suppression configuration.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
pps: Specifies the upper limit for the ARP packet rate in pps.
Examples
# Specify the maximum ARP packet rate on FortyGigE 1/0/1 as 50 pps.
system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp rate-limit 50
arp rate-limit log enable
Use arp rate-limit log enable to enable logging for ARP packet rate limit.
Syntax
arp rate-limit log interval seconds
undo arp rate-limit log interval
Default
The device sends notifications or log messages at an interval of 60 seconds when the receiving rate of ARP packets on an interface exceeds the rate limit.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
The interval applies to both notification sending and log message sending.
Parameters
rate-limit: Specifies the ARP packet rate limit feature.
Usage guidelines
When notification sending for ARP packet rate limit is enabled, the device reports the peak ARP packet rate that exceeded the limit during the sending interval in a notification to the SNMP module. Use the command together with the snmp-agent target-host command. The snmp-agent target-host command specifies the notification type (inform or trap) and the destination host.
If neither the filter nor the monitor keyword is specified in the undo arp anti-attack source-mac command, both handling methods are disabled.
Examples
# Enable source MAC-based ARP attack detection and specify the filter handling method.
system-view
[Sysname] arp source-mac filter
arp source-mac aging-time
Use arp source-mac aging-time to configure the aging time for ARP attack entries.
Use undo arp anti-attack source-mac aging-time to restore the default.
Predefined user roles
network-admin
Parameters
mac-address&<1-10>: MAC address list. The mac-address argument specifies an excluded MAC address in the format H-H-H. &<1-10> indicates the number of excluded MAC addresses that you can configure.
Usage guidelines
If you do not specify any MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
Syntax
display arp source-mac { slot slot-number | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays ARP attack entries detected on the specified interface.
slot slot-number: Displays ARP attack entries detected on the device. The slot number is fixed at 1.
Predefined user roles
network-admin
Usage guidelines
Configure this feature on gateways. After you execute this command, the gateway can filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
ARP detection commands
arp detection enable
Use arp detection enable to enable ARP detection.
Use undo arp detection enable to restore the default.
Syntax
arp detection enable
undo arp detection enable
Default
ARP detection is disabled.
Views
VLAN view
Predefined user roles
network-admin
Examples
# Enable ARP detection for VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
arp detection trust
Use arp detection trust to configure a port as an ARP trusted port.
arp detection validate
Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command removes all check objects.
Syntax
arp detection validate { dst-mac | ip | src-mac } *
undo arp detection validate [ dst-mac | ip | src-mac ] *
Default
ARP packet validity check is disabled.
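The src-mac, dst-mac and ip check objects above, together with the source MAC address consistency check described earlier, all compare fields of the ARP body against the Ethernet header or reject unusable addresses. The following parser and checker is an added example written for this page, not HP device code; the check semantics it assumes are noted in the comments (src-mac: body sender MAC must equal the header source MAC; dst-mac: reply target MAC must be unicast and equal the header destination MAC; ip: sender IP, and target IP of replies, must not be all-zero, all-one or multicast), and the host MACs and IPs are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, OP_REQUEST, OP_REPLY = 0x0806, 1, 2
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (sample input)."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return struct.pack("!6s6sH", eth_dst, eth_src, ETH_ARP) + body

def parse_arp(frame):
    """Split an Ethernet/ARP frame into the header and body fields the checks compare."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def invalid_ip(raw):
    """All-zero, all-one and multicast addresses are treated as invalid (assumed check semantics)."""
    return raw in (b"\x00" * 4, b"\xff" * 4) or IPv4Address(raw).is_multicast

def validate(frame, checks=("src-mac", "dst-mac", "ip")):
    """Return the names of the enabled checks the frame fails; an empty list means forward it."""
    p = parse_arp(frame)
    failed = []
    # src-mac: sender MAC in the ARP body must match the Ethernet source MAC (assumed)
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    # dst-mac (replies only): target MAC must be unicast and match the Ethernet destination (assumed)
    if "dst-mac" in checks and p["op"] == OP_REPLY:
        if p["tha"] in (ZERO_MAC, BCAST_MAC) or p["tha"] != p["eth_dst"]:
            failed.append("dst-mac")
    # ip: sender IP of any packet, and target IP of replies, must be a usable unicast address (assumed)
    if "ip" in checks:
        if invalid_ip(p["spa"]) or (p["op"] == OP_REPLY and invalid_ip(p["tpa"])):
            failed.append("ip")
    return failed

# Constructed sample frames: two hosts on 10.0.0.0/24
H1, H2 = bytes.fromhex("0050560000a1"), bytes.fromhex("0050560000b2")
IP1, IP2 = IPv4Address("10.0.0.1").packed, IPv4Address("10.0.0.2").packed
GOOD_REQUEST = build_arp(BCAST_MAC, H1, OP_REQUEST, H1, IP1, ZERO_MAC, IP2)
SPOOFED_SENDER = build_arp(BCAST_MAC, H1, OP_REQUEST, H2, IP1, ZERO_MAC, IP2)  # body MAC != header MAC
BAD_REPLY = build_arp(H1, H2, OP_REPLY, H2, IP2, BCAST_MAC, IP1)                # broadcast target MAC
BAD_IP = build_arp(BCAST_MAC, H1, OP_REQUEST, H1, b"\xff" * 4, ZERO_MAC, IP2)   # all-one sender IP
```

Passing a subset such as checks=("ip",) mirrors enabling only some keywords on the command line: the spoofed-sender frame then passes, because the src-mac object is not being checked.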
Predefined user roles
network-admin
Examples
# Enable ARP restricted forwarding in VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp restricted-forwarding enable
display arp detection
Use display arp detection to display the VLANs enabled with ARP detection.
Syntax
display arp detection
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the VLANs enabled with ARP detection.
Usage guidelines
This command displays the numbers of packets discarded by user validity check and by ARP packet validity check. If you do not specify an interface, the command displays statistics for all interfaces.
Examples
# Display the ARP detection statistics for all interfaces.
ARP automatic scanning and fixed ARP commands
arp fixup
Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static entries.
Syntax
arp fixup
Views
System view
Predefined user roles
network-admin
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as manually configured static ARP entries.
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
If the start and end IP addresses are specified, the device scans the neighbor IP addresses in the specified address range to learn ARP entries.
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for up to eight gateways on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp filter source 1.1.1.
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp filter binding 1.1.1.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(icon) Represents a generic network device, such as a router, switch, or firewall.
(icon) Represents a routing-capable device, such as a router or Layer 3 switch.
(icon) Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
(icon) Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
(icon) Represents an access point.