R3303-HP 6600/HSR6600 Routers Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-G Router

101

102

103

104

105

106

107

108

109

110

Table Of Contents

Title Page
Contents
AAA configuration commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting lan-access
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication lan-access
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization lan-access
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- authorization-attribute user-profile
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas device-id
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- access-limit
- authorization-attribute
- bind-attribute
- display local-user
- display user-group
- expiration-date
- group
- group-attribute allow-guest
- local-user
- password
- service-type
- state (local user view)
- user-group
- validity-date
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-backup-ip
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-backup-ip
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
802.1X commands
- display dot1x
- dot1x
- dot1x authentication-method
- dot1x auth-fail vlan
- dot1x critical vlan
- dot1x critical recovery-action
- dot1x domain-delimiter
- dot1x guest-vlan
- dot1x handshake
- dot1x handshake secure
- dot1x mandatory-domain
- dot1x max-user
- dot1x multicast-trigger
- dot1x port-control
- dot1x port-method
- dot1x quiet-period
- dot1x re-authenticate
- dot1x retry
- dot1x supp-proxy-check
- dot1x timer
- dot1x unicast-trigger
- reset dot1x statistics
EAD fast deployment commands
- dot1x free-ip
- dot1x timer ead-timeout
- dot1x url
MAC authentication configuration commands
- display mac-authentication
- mac-authentication
- mac-authentication domain
- mac-authentication max-user
- mac-authentication timer
- mac-authentication user-name-format
- reset mac-authentication statistics
Portal configuration commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal auth-network destination
- portal backup-group
- portal delete-user
- portal device-id
- portal domain
- portal free-rule
- portal max-user
- portal nas-id
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
Port security configuration commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address aging-type inactivity
- port-security mac-address dynamic
- port-security mac-address security
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- port-security trap
User profile configuration commands
- display user-profile
- user-profile enable
- user-profile
Password control configuration commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
RSH configuration commands
- rsh
Public key configuration commands
- display public-key local public
- display public-key peer
- peer-public-key end
- public-key-code begin
- public-key-code end
- public-key local create
- public-key local destroy
- public-key local export
- public-key local export public dsa
- public-key local export public rsa
- public-key local import
- public-key peer
- public-key peer import sshkey
PKI configuration commands
- attribute
- ca identifier
- certificate request entity
- certificate request from
- certificate request mode
- certificate request polling
- certificate request url
- common-name
- country
- crl check
- crl update-period
- crl url
- display pki certificate
- display pki certificate access-control-policy
- display pki certificate attribute-group
- display pki crl domain
- fqdn
- ip (PKI entity view)
- ldap-server
- locality
- organization
- organization-unit
- pki certificate access-control-policy
- pki certificate attribute-group
- pki delete-certificate
- pki domain
- pki entity
- pki import-certificate
- pki request-certificate domain
- pki retrieval-certificate
- pki retrieval-crl domain
- pki validate-certificate
- root-certificate fingerprint
- rule (PKI CERT ACP view)
- state
IPsec configuration commands
- ah authentication-algorithm
- connection-name
- cryptoengine enable
- display ipsec policy
- display ipsec policy-template
- display ipsec profile
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view)
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec decrypt check
- ipsec fragmentation before-encryption
- ipsec invalid-spi-recovery enable
- ipsec policy (interface view)
- ipsec policy (system view)
- ipsec policy isakmp template
- ipsec policy-template
- ipsec profile (system view)
- ipsec profile (tunnel interface view)
- ipsec sa global-duration
- ipsec transform-set
- pfs
- policy enable
- qos pre-classify
- reset ipsec sa
- reset ipsec statistics
- reverse-route
- reverse-route preference
- reverse-route tag
- sa authentication-hex
- sa duration
- sa encryption-hex
- sa spi
- sa string-key
- security acl
- transform
- transform-set
- tunnel local
- tunnel remote
IKE configuration commands
- authentication-algorithm
- authentication-method
- certificate domain
- dh
- display ike dpd
- display ike peer
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- id-type
- ike dpd
- ike local-name
- ike next-payload check disabled
- ike peer (system view)
- ike proposal
- ike sa keepalive-timer interval
- ike sa keepalive-timer timeout
- ike sa nat-keepalive-timer interval
- interval-time
- local
- local-address
- local-name
- nat traversal
- peer
- pre-shared-key
- proposal (IKE peer view)
- remote-address
- remote-name
- reset ike sa
- sa duration
- time-out
SSH configuration commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server enable
- ssh server rekey-interval
- ssh user
- bye
- cd
- cdup
- delete
- dir
- display sftp client source
- display ssh client source
- display ssh server-info
- exit
- get
- help
- ls
- mkdir
- put
- pwd
- quit
- remove
- rename
- rmdir
- scp
- sftp
- sftp client ipv6 source
- sftp client source
- sftp ipv6
- ssh client authentication server
- ssh client first-time enable
- ssh client ipv6 source
- ssh client source
- ssh2
- ssh2 ipv6
SSL configuration commands
- ciphersuite
- client-verify enable
- client-verify weaken
- close-mode wait
- display ssl client-policy
- display ssl server-policy
- handshake timeout
- pki-domain
- prefer-cipher
- server-verify enable
- session
- ssl client-policy
- ssl server-policy
- version
SSL VPN configuration commands
- ssl-vpn enable
- ssl-vpn server-policy
Firewall configuration commands
- display firewall ipv6 statistics
- display firewall-statistics
- firewall default
- firewall enable
- firewall ipv6 default
- firewall ipv6 enable
- firewall packet-filter
- firewall packet-filter ipv6
- reset firewall ipv6 statistics
- reset firewall-statistics
- aspf-policy
- display aspf all
- display aspf interface
- display aspf policy
- display port-mapping
- firewall aspf
- icmp-error drop
- port-mapping
- tcp syn-check
ALG configuration commands
- alg
Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session hardware
- display session relation-table
- display session statistics
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session early-ageout
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session max-entries
- session persist acl
Connection limit configuration commands
- connection-limit apply policy
- connection-limit policy
- display connection-limit policy
- limit
Web filtering configuration commands
- display firewall http activex-blocking
- display firewall http java-blocking
- display firewall http url-filter host
- display firewall http url-filter parameter
- firewall http activex-blocking acl
- firewall http activex-blocking enable
- firewall http activex-blocking suffix
- firewall http java-blocking acl
- firewall http java-blocking enable
- firewall http java-blocking suffix
- firewall http url-filter host acl
- firewall http url-filter host default
- firewall http url-filter host enable
- firewall http url-filter host ip-address
- firewall http url-filter host url-address
- firewall http url-filter parameter
- firewall http url-filter parameter enable
- reset firewall http
Attack detection and protection configuration commands
- attack-defense apply policy
- attack-defense logging enable
- attack-defense policy
- blacklist enable
- blacklist ip
- defense icmp-flood action drop-packet
- defense icmp-flood enable
- defense icmp-flood ip
- defense icmp-flood rate-threshold
- defense scan add-to-blacklist
- defense scan blacklist-timeout
- defense scan enable
- defense scan max-rate
- defense syn-flood action
- defense syn-flood enable
- defense syn-flood ip
- defense syn-flood rate-threshold
- defense udp-flood action drop-packet
- defense udp-flood enable
- defense udp-flood ip
- defense udp-flood rate-threshold
- display attack-defense policy
- display attack-defense statistics interface
- display blacklist
- display flow-statistics statistics
- display flow-statistics statistics interface
- display tcp-proxy protected-ip
- flow-statistics enable
- reset attack-defense statistics interface
- signature-detect
- signature-detect action drop-packet
- signature-detect large-icmp max-length
- tcp-proxy enable
- tcp-proxy mode
TCP attack protection configuration commands
- display tcp status
- tcp anti-naptha enable
- tcp state
- tcp syn-cookie enable
- tcp timer check-state
IP source guard configuration commands
- display ip source binding
- ip source binding
- ip verify source
- ip verify source max-entries
ARP attack protection configuration commands
- arp resolving-route enable
- arp source-suppression enable
- arp source-suppression limit
- display arp source-suppression
- arp rate-limit
- arp anti-attack valid-ack enable
- arp anti-attack active-ack enable
- arp authorized enable
- arp detection
- arp detection enable
- arp detection trust
- arp detection validate
- arp restricted-forwarding enable
- display arp detection
- display arp detection statistics
- reset arp detection statistics
- arp fixup
- arp scan
- arp filter source
- arp filter binding
ND attack defense configuration commands
- ipv6 nd mac-check enable
URPF configuration commands
- ip urpf
FIPS configuration commands
- display fips status
- fips mode enable
- fips self-test
Group Domain VPN commands
- display gdoi ks
- display gdoi ks acl
- display gdoi ks members
- display gdoi ks policy
- display gdoi ks redundancy
- display gdoi ks rekey
- gdoi ks group
- gdoi ks redundancy port
- gdoi ks rekey
- identity address
- identity number
- ipsec
- local priority
- peer address
- profile (GDOI KS group IPsec policy view)
- redundancy enable
- redundancy hello
- redundancy retransmit
- rekey acl
- rekey authentication
- rekey encryption
- rekey lifetime
- rekey retransmit
- rekey transport unicast
- reset gdoi ks
- reset gdoi ks members
- reset gdoi ks redundancy role
- security acl (GDOI KS group IPsec policy view)
- source address
- client registration interface
- display gdoi gm
- display gdoi gm acl
- display gdoi gm ipsec sa
- display gdoi gm members
- display gdoi gm pubkey
- display gdoi gm rekey
- gdoi gm group
- group
- identity
- reset gdoi gm
- server address
Support and other resources
- Subscription service
- Documents
- Websites
Index

Views

RADIUS scheme view

Default command level

2: System level

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization

server, which is a valid global unicast address.

port-number: Specifies the service port number of the secondary RADIUS authentication/authorization

server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.

key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary

RADIUS authentication/authorization server. In FIPS mode, the shared key must be a string of at least 8

characters that contain numbers, uppercase letters, lowercase letters, and special characters, and is

encrypted and decrypted by using 3DES.

• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117

characters.

• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.

• If neither cipher nor simple is specified, you set a plaintext shared key string.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS

authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string

of 1 to 31 characters. If the server is on the public network, do not specify this option.

probe: Enables the device to detect the status of the secondary RADIUS authentication/authorization

server.

username name: Specifies the username in the authentication request that is used to detect the status of

the secondary RADIUS authentication/authorization server.

interval interval: Specifies the interval between two server status detections. The value ranges from 1 to

3600 and defaults to 60, in minutes.

Usage guidelines

Make sure the port number and shared key settings of the secondary RADIUS

authentication/authorization server are the same as those configured on the server.

The shared key configured by this command takes precedence over that configured by using the key

accounting [ cipher | simple ] key command. For secrecy, all shared keys, including keys configured in

plain text, are saved in cipher text.

If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance

vpn-instance-name option. The VPN specified by this command takes precedence over the VPN

specified for the RADIUS scheme.

You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS

scheme. After the configuration, if the primary server fails, the device looks for a secondary server in

active state (a secondary RADIUS authentication/authorization server configured earlier has a higher

priority) and tries to communicate with it.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be

of the same IP version.