R3303-HP 6600/HSR6600 Routers Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-XG Router

101

102

103

104

105

106

107

108

109

110

Table Of Contents

Title Page
Contents
AAA configuration commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting lan-access
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication lan-access
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization lan-access
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- authorization-attribute user-profile
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas device-id
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- access-limit
- authorization-attribute
- bind-attribute
- display local-user
- display user-group
- expiration-date
- group
- group-attribute allow-guest
- local-user
- password
- service-type
- state (local user view)
- user-group
- validity-date
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-backup-ip
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-backup-ip
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
802.1X commands
- display dot1x
- dot1x
- dot1x authentication-method
- dot1x auth-fail vlan
- dot1x critical vlan
- dot1x critical recovery-action
- dot1x domain-delimiter
- dot1x guest-vlan
- dot1x handshake
- dot1x handshake secure
- dot1x mandatory-domain
- dot1x max-user
- dot1x multicast-trigger
- dot1x port-control
- dot1x port-method
- dot1x quiet-period
- dot1x re-authenticate
- dot1x retry
- dot1x supp-proxy-check
- dot1x timer
- dot1x unicast-trigger
- reset dot1x statistics
EAD fast deployment commands
- dot1x free-ip
- dot1x timer ead-timeout
- dot1x url
MAC authentication configuration commands
- display mac-authentication
- mac-authentication
- mac-authentication domain
- mac-authentication max-user
- mac-authentication timer
- mac-authentication user-name-format
- reset mac-authentication statistics
Portal configuration commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal auth-network destination
- portal backup-group
- portal delete-user
- portal device-id
- portal domain
- portal free-rule
- portal max-user
- portal nas-id
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
Port security configuration commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address aging-type inactivity
- port-security mac-address dynamic
- port-security mac-address security
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- port-security trap
User profile configuration commands
- display user-profile
- user-profile enable
- user-profile
Password control configuration commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
RSH configuration commands
- rsh
Public key configuration commands
- display public-key local public
- display public-key peer
- peer-public-key end
- public-key-code begin
- public-key-code end
- public-key local create
- public-key local destroy
- public-key local export
- public-key local export public dsa
- public-key local export public rsa
- public-key local import
- public-key peer
- public-key peer import sshkey
PKI configuration commands
- attribute
- ca identifier
- certificate request entity
- certificate request from
- certificate request mode
- certificate request polling
- certificate request url
- common-name
- country
- crl check
- crl update-period
- crl url
- display pki certificate
- display pki certificate access-control-policy
- display pki certificate attribute-group
- display pki crl domain
- fqdn
- ip (PKI entity view)
- ldap-server
- locality
- organization
- organization-unit
- pki certificate access-control-policy
- pki certificate attribute-group
- pki delete-certificate
- pki domain
- pki entity
- pki import-certificate
- pki request-certificate domain
- pki retrieval-certificate
- pki retrieval-crl domain
- pki validate-certificate
- root-certificate fingerprint
- rule (PKI CERT ACP view)
- state
IPsec configuration commands
- ah authentication-algorithm
- connection-name
- cryptoengine enable
- display ipsec policy
- display ipsec policy-template
- display ipsec profile
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view)
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec decrypt check
- ipsec fragmentation before-encryption
- ipsec invalid-spi-recovery enable
- ipsec policy (interface view)
- ipsec policy (system view)
- ipsec policy isakmp template
- ipsec policy-template
- ipsec profile (system view)
- ipsec profile (tunnel interface view)
- ipsec sa global-duration
- ipsec transform-set
- pfs
- policy enable
- qos pre-classify
- reset ipsec sa
- reset ipsec statistics
- reverse-route
- reverse-route preference
- reverse-route tag
- sa authentication-hex
- sa duration
- sa encryption-hex
- sa spi
- sa string-key
- security acl
- transform
- transform-set
- tunnel local
- tunnel remote
IKE configuration commands
- authentication-algorithm
- authentication-method
- certificate domain
- dh
- display ike dpd
- display ike peer
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- id-type
- ike dpd
- ike local-name
- ike next-payload check disabled
- ike peer (system view)
- ike proposal
- ike sa keepalive-timer interval
- ike sa keepalive-timer timeout
- ike sa nat-keepalive-timer interval
- interval-time
- local
- local-address
- local-name
- nat traversal
- peer
- pre-shared-key
- proposal (IKE peer view)
- remote-address
- remote-name
- reset ike sa
- sa duration
- time-out
SSH configuration commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server enable
- ssh server rekey-interval
- ssh user
- bye
- cd
- cdup
- delete
- dir
- display sftp client source
- display ssh client source
- display ssh server-info
- exit
- get
- help
- ls
- mkdir
- put
- pwd
- quit
- remove
- rename
- rmdir
- scp
- sftp
- sftp client ipv6 source
- sftp client source
- sftp ipv6
- ssh client authentication server
- ssh client first-time enable
- ssh client ipv6 source
- ssh client source
- ssh2
- ssh2 ipv6
SSL configuration commands
- ciphersuite
- client-verify enable
- client-verify weaken
- close-mode wait
- display ssl client-policy
- display ssl server-policy
- handshake timeout
- pki-domain
- prefer-cipher
- server-verify enable
- session
- ssl client-policy
- ssl server-policy
- version
SSL VPN configuration commands
- ssl-vpn enable
- ssl-vpn server-policy
Firewall configuration commands
- display firewall ipv6 statistics
- display firewall-statistics
- firewall default
- firewall enable
- firewall ipv6 default
- firewall ipv6 enable
- firewall packet-filter
- firewall packet-filter ipv6
- reset firewall ipv6 statistics
- reset firewall-statistics
- aspf-policy
- display aspf all
- display aspf interface
- display aspf policy
- display port-mapping
- firewall aspf
- icmp-error drop
- port-mapping
- tcp syn-check
ALG configuration commands
- alg
Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session hardware
- display session relation-table
- display session statistics
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session early-ageout
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session max-entries
- session persist acl
Connection limit configuration commands
- connection-limit apply policy
- connection-limit policy
- display connection-limit policy
- limit
Web filtering configuration commands
- display firewall http activex-blocking
- display firewall http java-blocking
- display firewall http url-filter host
- display firewall http url-filter parameter
- firewall http activex-blocking acl
- firewall http activex-blocking enable
- firewall http activex-blocking suffix
- firewall http java-blocking acl
- firewall http java-blocking enable
- firewall http java-blocking suffix
- firewall http url-filter host acl
- firewall http url-filter host default
- firewall http url-filter host enable
- firewall http url-filter host ip-address
- firewall http url-filter host url-address
- firewall http url-filter parameter
- firewall http url-filter parameter enable
- reset firewall http
Attack detection and protection configuration commands
- attack-defense apply policy
- attack-defense logging enable
- attack-defense policy
- blacklist enable
- blacklist ip
- defense icmp-flood action drop-packet
- defense icmp-flood enable
- defense icmp-flood ip
- defense icmp-flood rate-threshold
- defense scan add-to-blacklist
- defense scan blacklist-timeout
- defense scan enable
- defense scan max-rate
- defense syn-flood action
- defense syn-flood enable
- defense syn-flood ip
- defense syn-flood rate-threshold
- defense udp-flood action drop-packet
- defense udp-flood enable
- defense udp-flood ip
- defense udp-flood rate-threshold
- display attack-defense policy
- display attack-defense statistics interface
- display blacklist
- display flow-statistics statistics
- display flow-statistics statistics interface
- display tcp-proxy protected-ip
- flow-statistics enable
- reset attack-defense statistics interface
- signature-detect
- signature-detect action drop-packet
- signature-detect large-icmp max-length
- tcp-proxy enable
- tcp-proxy mode
TCP attack protection configuration commands
- display tcp status
- tcp anti-naptha enable
- tcp state
- tcp syn-cookie enable
- tcp timer check-state
IP source guard configuration commands
- display ip source binding
- ip source binding
- ip verify source
- ip verify source max-entries
ARP attack protection configuration commands
- arp resolving-route enable
- arp source-suppression enable
- arp source-suppression limit
- display arp source-suppression
- arp rate-limit
- arp anti-attack valid-ack enable
- arp anti-attack active-ack enable
- arp authorized enable
- arp detection
- arp detection enable
- arp detection trust
- arp detection validate
- arp restricted-forwarding enable
- display arp detection
- display arp detection statistics
- reset arp detection statistics
- arp fixup
- arp scan
- arp filter source
- arp filter binding
ND attack defense configuration commands
- ipv6 nd mac-check enable
URPF configuration commands
- ip urpf
FIPS configuration commands
- display fips status
- fips mode enable
- fips self-test
Group Domain VPN commands
- display gdoi ks
- display gdoi ks acl
- display gdoi ks members
- display gdoi ks policy
- display gdoi ks redundancy
- display gdoi ks rekey
- gdoi ks group
- gdoi ks redundancy port
- gdoi ks rekey
- identity address
- identity number
- ipsec
- local priority
- peer address
- profile (GDOI KS group IPsec policy view)
- redundancy enable
- redundancy hello
- redundancy retransmit
- rekey acl
- rekey authentication
- rekey encryption
- rekey lifetime
- rekey retransmit
- rekey transport unicast
- reset gdoi ks
- reset gdoi ks members
- reset gdoi ks redundancy role
- security acl (GDOI KS group IPsec policy view)
- source address
- client registration interface
- display gdoi gm
- display gdoi gm acl
- display gdoi gm ipsec sa
- display gdoi gm members
- display gdoi gm pubkey
- display gdoi gm rekey
- gdoi gm group
- group
- identity
- reset gdoi gm
- server address
Support and other resources
- Subscription service
- Documents
- Websites
Index

The IP addresses of the primary and secondary authentication/authorization servers must be different

from each other. Otherwise, the configuration fails.

If you remove a secondary authentication server in use in the authentication process, the communication

with the secondary server times out, and the device looks for a server in active state from the primary

server on.

With the server status detection feature enabled, the device sends an authentication request that carries

the specified username to the secondary server at the specified interval. If the device receives no

response from the server within the time interval specified by the timer response-timeout command, the

device sends the authentication request again.

If the maximum number of retries (specified by the retry command) is reached and the device still receives

no response from the server, the device considers the server as unreachable. If the device receives a

response from the server before the maximum number of retries is reached, the device considers the

server as reachable. The device sets the status of the server to block or active according to the status

detection result, regardless of the current status of the server.

For 802.1X authentication, if the status of every server is block, the device assigns the port connected to

an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X

critical VLAN, see Security Configuration Guide.

To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary

server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on

a port, the device might frequently change the server status, and the port might frequently join and leave

the critical VLAN.

Examples

# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the

server IP addresses of 10.110 .1.1 a n d 10 .110.1.2 and the UDP port number of 1813. Set the shared keys to

hello in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello

# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server

to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B

in cipher text.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key cipher

$c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B

# In RADIUS scheme radius1, set the username used for status detection of the secondary

authentication/authorization server to test, and set the server status detection interval to 120 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval

120

Related commands

• key (RADIUS scheme view)

• vpn-instance (RADIUS scheme view)