R3303-HP 6600/HSR6600 Routers Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA configuration commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting lan-access
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication lan-access
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization lan-access
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- authorization-attribute user-profile
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas device-id
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- access-limit
- authorization-attribute
- bind-attribute
- display local-user
- display user-group
- expiration-date
- group
- group-attribute allow-guest
- local-user
- password
- service-type
- state (local user view)
- user-group
- validity-date
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-backup-ip
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-backup-ip
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- 802.1X commands
- display dot1x
- dot1x
- dot1x authentication-method
- dot1x auth-fail vlan
- dot1x critical vlan
- dot1x critical recovery-action
- dot1x domain-delimiter
- dot1x guest-vlan
- dot1x handshake
- dot1x handshake secure
- dot1x mandatory-domain
- dot1x max-user
- dot1x multicast-trigger
- dot1x port-control
- dot1x port-method
- dot1x quiet-period
- dot1x re-authenticate
- dot1x retry
- dot1x supp-proxy-check
- dot1x timer
- dot1x unicast-trigger
- reset dot1x statistics
- EAD fast deployment commands
- MAC authentication configuration commands
- Portal configuration commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal auth-network destination
- portal backup-group
- portal delete-user
- portal device-id
- portal domain
- portal free-rule
- portal max-user
- portal nas-id
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
- Port security configuration commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address aging-type inactivity
- port-security mac-address dynamic
- port-security mac-address security
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- port-security trap
- User profile configuration commands
- Password control configuration commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
- RSH configuration commands
- Public key configuration commands
- display public-key local public
- display public-key peer
- peer-public-key end
- public-key-code begin
- public-key-code end
- public-key local create
- public-key local destroy
- public-key local export
- public-key local export public dsa
- public-key local export public rsa
- public-key local import
- public-key peer
- public-key peer import sshkey
- PKI configuration commands
- attribute
- ca identifier
- certificate request entity
- certificate request from
- certificate request mode
- certificate request polling
- certificate request url
- common-name
- country
- crl check
- crl update-period
- crl url
- display pki certificate
- display pki certificate access-control-policy
- display pki certificate attribute-group
- display pki crl domain
- fqdn
- ip (PKI entity view)
- ldap-server
- locality
- organization
- organization-unit
- pki certificate access-control-policy
- pki certificate attribute-group
- pki delete-certificate
- pki domain
- pki entity
- pki import-certificate
- pki request-certificate domain
- pki retrieval-certificate
- pki retrieval-crl domain
- pki validate-certificate
- root-certificate fingerprint
- rule (PKI CERT ACP view)
- state
- IPsec configuration commands
- ah authentication-algorithm
- connection-name
- cryptoengine enable
- display ipsec policy
- display ipsec policy-template
- display ipsec profile
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view)
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec decrypt check
- ipsec fragmentation before-encryption
- ipsec invalid-spi-recovery enable
- ipsec policy (interface view)
- ipsec policy (system view)
- ipsec policy isakmp template
- ipsec policy-template
- ipsec profile (system view)
- ipsec profile (tunnel interface view)
- ipsec sa global-duration
- ipsec transform-set
- pfs
- policy enable
- qos pre-classify
- reset ipsec sa
- reset ipsec statistics
- reverse-route
- reverse-route preference
- reverse-route tag
- sa authentication-hex
- sa duration
- sa encryption-hex
- sa spi
- sa string-key
- security acl
- transform
- transform-set
- tunnel local
- tunnel remote
- IKE configuration commands
- authentication-algorithm
- authentication-method
- certificate domain
- dh
- display ike dpd
- display ike peer
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- id-type
- ike dpd
- ike local-name
- ike next-payload check disabled
- ike peer (system view)
- ike proposal
- ike sa keepalive-timer interval
- ike sa keepalive-timer timeout
- ike sa nat-keepalive-timer interval
- interval-time
- local
- local-address
- local-name
- nat traversal
- peer
- pre-shared-key
- proposal (IKE peer view)
- remote-address
- remote-name
- reset ike sa
- sa duration
- time-out
- SSH configuration commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server enable
- ssh server rekey-interval
- ssh user
- bye
- cd
- cdup
- delete
- dir
- display sftp client source
- display ssh client source
- display ssh server-info
- exit
- get
- help
- ls
- mkdir
- put
- pwd
- quit
- remove
- rename
- rmdir
- scp
- sftp
- sftp client ipv6 source
- sftp client source
- sftp ipv6
- ssh client authentication server
- ssh client first-time enable
- ssh client ipv6 source
- ssh client source
- ssh2
- ssh2 ipv6
- SSL configuration commands
- SSL VPN configuration commands
- Firewall configuration commands
- display firewall ipv6 statistics
- display firewall-statistics
- firewall default
- firewall enable
- firewall ipv6 default
- firewall ipv6 enable
- firewall packet-filter
- firewall packet-filter ipv6
- reset firewall ipv6 statistics
- reset firewall-statistics
- aspf-policy
- display aspf all
- display aspf interface
- display aspf policy
- display port-mapping
- firewall aspf
- icmp-error drop
- port-mapping
- tcp syn-check
- ALG configuration commands
- Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session hardware
- display session relation-table
- display session statistics
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session early-ageout
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session max-entries
- session persist acl
- Connection limit configuration commands
- Web filtering configuration commands
- display firewall http activex-blocking
- display firewall http java-blocking
- display firewall http url-filter host
- display firewall http url-filter parameter
- firewall http activex-blocking acl
- firewall http activex-blocking enable
- firewall http activex-blocking suffix
- firewall http java-blocking acl
- firewall http java-blocking enable
- firewall http java-blocking suffix
- firewall http url-filter host acl
- firewall http url-filter host default
- firewall http url-filter host enable
- firewall http url-filter host ip-address
- firewall http url-filter host url-address
- firewall http url-filter parameter
- firewall http url-filter parameter enable
- reset firewall http
- Attack detection and protection configuration commands
- attack-defense apply policy
- attack-defense logging enable
- attack-defense policy
- blacklist enable
- blacklist ip
- defense icmp-flood action drop-packet
- defense icmp-flood enable
- defense icmp-flood ip
- defense icmp-flood rate-threshold
- defense scan add-to-blacklist
- defense scan blacklist-timeout
- defense scan enable
- defense scan max-rate
- defense syn-flood action
- defense syn-flood enable
- defense syn-flood ip
- defense syn-flood rate-threshold
- defense udp-flood action drop-packet
- defense udp-flood enable
- defense udp-flood ip
- defense udp-flood rate-threshold
- display attack-defense policy
- display attack-defense statistics interface
- display blacklist
- display flow-statistics statistics
- display flow-statistics statistics interface
- display tcp-proxy protected-ip
- flow-statistics enable
- reset attack-defense statistics interface
- signature-detect
- signature-detect action drop-packet
- signature-detect large-icmp max-length
- tcp-proxy enable
- tcp-proxy mode
- TCP attack protection configuration commands
- IP source guard configuration commands
- ARP attack protection configuration commands
- arp resolving-route enable
- arp source-suppression enable
- arp source-suppression limit
- display arp source-suppression
- arp rate-limit
- arp anti-attack valid-ack enable
- arp anti-attack active-ack enable
- arp authorized enable
- arp detection
- arp detection enable
- arp detection trust
- arp detection validate
- arp restricted-forwarding enable
- display arp detection
- display arp detection statistics
- reset arp detection statistics
- arp fixup
- arp scan
- arp filter source
- arp filter binding
- ND attack defense configuration commands
- URPF configuration commands
- FIPS configuration commands
- Group Domain VPN commands
- display gdoi ks
- display gdoi ks acl
- display gdoi ks members
- display gdoi ks policy
- display gdoi ks redundancy
- display gdoi ks rekey
- gdoi ks group
- gdoi ks redundancy port
- gdoi ks rekey
- identity address
- identity number
- ipsec
- local priority
- peer address
- profile (GDOI KS group IPsec policy view)
- redundancy enable
- redundancy hello
- redundancy retransmit
- rekey acl
- rekey authentication
- rekey encryption
- rekey lifetime
- rekey retransmit
- rekey transport unicast
- reset gdoi ks
- reset gdoi ks members
- reset gdoi ks redundancy role
- security acl (GDOI KS group IPsec policy view)
- source address
- client registration interface
- display gdoi gm
- display gdoi gm acl
- display gdoi gm ipsec sa
- display gdoi gm members
- display gdoi gm pubkey
- display gdoi gm rekey
- gdoi gm group
- group
- identity
- reset gdoi gm
- server address
- Support and other resources
- Index
183
ip ip-address: Specifies the IP address of the portal server. In portal stateful failover environments, HP
recommends specifying the virtual IP address of the VRRP group to which the downlink belongs as the
portal server IP address.
key: Specifies a shared key for communication with the portal server. Portal packets exchanged between
the access device and the portal server carry an authenticator, which is generated with the shared key.
The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither simple nor cipher is specified, you set a plaintext shared key.
port port-id: Specifies the destination port number used when the device sends an unsolicited message
to the portal server, in the range of 1 to 65534. The default is 50100.
server-type { cmcc | imc }: Specifies the portal server type. The default is imc.
• cmcc—CMCC portal server. To use a CMCC portal server, you must also specify a device ID for the
access device by using the portal device-id command.
• imc—HP IMC portal server portal server.
url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected. The
default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You
can also specify the domain name of the portal server, in which case you must use the portal free-rule
command to configure the IP address of the DNS server as a portal authentication-free destination IP
address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the portal server belongs.
vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the portal server is on the public
network, do not specify this option.
Usage guidelines
If the specified portal server exists and no user is on the interfaces referencing the portal server, using the
undo portal server server-name command removes the specified portal server, and if keyword port,
server-type, or url is also provided, the command restores the destination port number or URL address to
the default.
The configured portal server and its parameters can be removed or modified only when the portal server
is not referenced by an interface. To remove or modify the settings of a portal server that has been
referenced by an interface, you must first remove the portal configuration on the interface by using the
undo portal command.
For security purposes, all passwords, including passwords configured in plain text, are saved in cipher
text to the configuration file.
Examples
# Configure portal server pts, setting the IP address to 192.168.0.111, t h e ke y t o portal in plain text, and
the redirection URL to http://192.168.0.113 / p o r t a l .
<Sysname> system-view
[Sysname] portal server pts ip 192.168.0.111 key simple portal url
http://192.168.0.113/portal
Related commands
• display portal server