HP VPN Firewall Appliances
Access Control Command Reference
Part number: 5998-4175
Software version: F1000-A-EI/F1000-S-EI (Feature 3726), F1000-E (Release 3177), F5000 (Feature 3211), F5000-S/F5000-C (Release 3808), VPN firewall modules (Release 3177), 20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
ACL commands ······ 1
acl ······ 1
acl accelerate ······
display object name ······ 51
display object service ······ 51
display object service default ······ 52
display object-gro
connection-limit policy ······ 95
display connection-limit policy ······ 96
limit ······ 97
Porta
authorization default ······ 149
authorization dvpn ······ 150
authorization login ······ 152
authorization
secondary authentication (RADIUS scheme view) ······ 206
security-policy-server ······ 208
server-type (RADIUS scheme view) ······ 209
state primary ······
reset password-control blacklist ······ 255
reset password-control history-record ······ 255
FIPS configuration commands ······ 257
Feature and hardware compatibility ······
ACL commands

acl
Use acl to create an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL, and enter its view. If the ACL has been created, you directly enter its view.
Use undo acl to delete the specified ACLs.
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
Default
No ACL exists.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]

acl accelerate
Use acl accelerate to enable ACL acceleration for an IPv4 basic or IPv4 advanced ACL.
Use undo acl accelerate to disable ACL acceleration for an IPv4 basic or IPv4 advanced ACL.
Related commands
display acl accelerate

acl copy
Use acl copy to create an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Use undo acl ipv6 to delete the specified ACLs.
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
Default
No ACL exists.
Views
System view
Default command level
2: System level
Parameters
number acl6-number: Specifies the number of an ACL:
• 2000 to 2999 for IPv6 basic ACLs.
• 3000 to 3999 for IPv6 advanced ACLs.
name acl6-name: Assigns a name to the ACL for easy identification.
acl ipv6 copy
Use acl ipv6 copy to create an IPv6 basic or IPv6 advanced ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
Views
System view
Default command level
2: System level
Parameters
source-acl6-number: Specifies an existing source ACL by its number:
• 2000 to 2999 for IPv6 basic ACLs.
Default command level
2: System level
Parameters
acl6-name: Specifies an IPv6 basic or IPv6 advanced ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv6 basic ACL flow.
system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl ipv6

acl name
Use acl name to enter the view of an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL that has a name.
undo description
Default
An ACL has no ACL description.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
text: Specifies an ACL description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field: rule 10 comment This rule is used in VPN rd.
Description: Comment about ACL rule 10.

display acl accelerate
Use display acl accelerate to display ACL acceleration status for the specified ACLs.
Syntax
display acl accelerate { acl-number | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
acl-number: Specifies an ACL number:
• 2000 to 2999 for IPv4 basic ACL.
• 3000 to 3999 for IPv4 advanced ACL.
Field: Accelerate
Description: Whether ACL acceleration is enabled:
• ACC—Enabled.
• UNACC—Disabled.
Field: Status
Description: Whether ACL acceleration is using up-to-date criteria for rule matching:
• UTD—The ACL criteria are up to date and have not changed since ACL acceleration was enabled.
• OOD—The ACL criteria are out of date. This state is displayed if you modified the ACL after ACL acceleration was enabled. ACL acceleration matches packets against the old criteria.
Basic IPv6 ACL 2000, named flow, 3 rules, This is an IPv6 basic ACL.
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1::/64 (2 times matched)
 rule 10 permit vpn-instance mk
Basic IPv6 ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit vpn-instance rd
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 1::/64
 rule 0 permit
Table 3 Command output
Field: Basic IPv6 ACL 2000
Description: Category and number of the ACL.
Default command level
2: System level
Parameters
acl-number: Specifies an ACL by its number:
• 2000 to 2999 for IPv4 basic ACLs.
• 3000 to 3999 for IPv4 advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs.
all: Clears statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
rule (Ethernet frame header ACL view)
Use rule to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique.
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
Parameters: reflective
Function: Specifies that the rule be reflective.
Description: A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.
Parameters: vpn-instance vpn-instance-name
Function: Applies the rule to packets in a VPN instance.
Parameters: fragment
Function: Applies the rule to only non-first fragments.
Description: Without this keyword, the rule applies to all fragments and non-fragments.
Parameters: established
Function: Specifies the flags for indicating the established status of a TCP connection.
Description: Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
If the protocol argument is icmp (1), set the parameters shown in Table 6.
Table 6 ICMP-specific parameters for IPv4 advanced ACL rules (columns: Parameters, Function, Description)
Description: The icmp-type argument is in the range of 0 to 255.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails. To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24, and enable logging matching packets.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Matches protocol carried over IPv6. It can be a number in the range of 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17).
Parameters: time-range time-range-name
Function: Specifies a time range for the rule.
Description: The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.
Parameters: vpn-instance vpn-instance-name
Function: Applies the rule to packets in a VPN instance.
Table 10 ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters: icmp6-type { icmp6-type icmp6-code | icmp6-message }
Function: Specifies the ICMPv6 message type and code.
Description: The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11.
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
system-view
[Sysname] acl ipv6 number 3001
[Sysname-acl6-adv-3001] rule permit ipv6
[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
Related commands
• acl ipv6
• display ipv6 acl
• step
• time-range

rule comment
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use undo rule comment to delete the ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
An ACL rule has no rule comment.
Use undo rule remark to delete the specified or all rule range remarks.
Syntax
rule [ rule-id ] remark text
undo rule [ rule-id ] remark [ text ]
Default
No rule range remarks are configured.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule number in the range of 0 to 65534. The specified rule can be one that has been created or not.
 rule 0 permit source 14.1.1.0 0.0.0.255
 rule 5 permit source 10.1.1.1 0 time-range work-time
 rule 10 permit source 192.168.0.0 0.0.0.255
 rule 15 permit source 1.1.1.1 0
 rule 20 permit source 10.1.1.1 0
 rule 25 permit counting
#
return
# Add a start comment "Rules for VIP_start" and an end comment "Rules for VIP_end" for the rule range 10 to 25.
[Sysname-acl-basic-2000] rule 10 remark Rules for VIP_start
[Sysname-acl-basic-2000] rule 26 remark Rules for VIP_end
# Verify the configuration.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
step-value: ACL rule numbering step, in the range of 1 to 20.
Usage guidelines
After you restore the default numbering step by using the undo step command, the rules are renumbered in steps of 5.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
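The rule-ID assignment described under the rule commands (nearest higher multiple of the step above the current highest ID), the wildcard-mask source match used in the ACL 2000 example, the uniqueness requirement on permit/deny statements, and the renumbering described for the step command all fit in one small model. The following Python is an added example, not HP's code or the firewall's implementation: it evaluates rules in config order (match-order auto is not modelled), treats a rule with no source as matching any source, and, as an assumption, renumbers rules from 0 on every step change, generalizing what the page states for undo step. The ACL built by build_example_acl is the one from the rule example above, with the trailing deny completed as "rule deny" for any source.

```python
import ipaddress

# Added example (not HP's code): models IPv4 basic ACL rule numbering, wildcard
# source matching and first-match evaluation as the command reference describes them.


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr matches net under an ACL wildcard mask.

    A wildcard is the inverse of a netmask: a 1 bit means "don't care", so
    10.0.0.0 0.255.255.255 matches any address whose first octet is 10.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the rule actually compares
    return (a & care) == (n & care)


class BasicAcl:
    """IPv4 basic ACL: rules keyed by rule ID, matched in config (rule ID) order."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules = {}   # rule_id -> (action, net, wildcard); net None means any source

    def next_rule_id(self) -> int:
        """Nearest higher multiple of the step above the current highest ID, starting from 0."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, action, source=None, wildcard="0.0.0.0", rule_id=None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        statement = (action, source, wildcard if source else None)
        # Within an ACL, the permit or deny statement of each rule must be unique.
        if statement in self.rules.values():
            raise ValueError(f"duplicate statement in ACL {self.number}: {statement}")
        if rule_id is None:
            rule_id = self.next_rule_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        self.rules[rule_id] = statement
        return rule_id

    def set_step(self, step: int) -> None:
        """Change the numbering step and renumber existing rules from 0 in that step.

        Assumption: the page states this renumbering for undo step (step 5);
        here it is applied to any step change.
        """
        if not 1 <= step <= 20:
            raise ValueError("step must be 1 to 20")
        self.step = step
        ordered = [self.rules[rid] for rid in sorted(self.rules)]
        self.rules = {i * step: stmt for i, stmt in enumerate(ordered)}

    def evaluate(self, addr: str):
        """Return (action, rule_id) of the first matching rule, or (None, None) if none matches."""
        for rule_id in sorted(self.rules):
            action, net, wildcard = self.rules[rule_id]
            if net is None or wildcard_match(addr, net, wildcard):
                return action, rule_id
        return None, None


def build_example_acl() -> BasicAcl:
    """ACL 2000 from the reference: permit three private segments, deny everything else."""
    acl = BasicAcl(2000)
    acl.add_rule("permit", "10.0.0.0", "0.255.255.255")    # rule 0
    acl.add_rule("permit", "172.17.0.0", "0.0.255.255")    # rule 5
    acl.add_rule("permit", "192.168.1.0", "0.0.0.255")     # rule 10
    acl.add_rule("deny")                                   # rule 15: any source
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for ip in ("10.20.30.40", "172.18.0.1", "192.168.1.77"):
        print(ip, acl.evaluate(ip))
```

A packet that matches none of the rules returns (None, None); what the firewall does with such a packet is a policy decision outside this model, so the caller has to choose explicitly rather than inherit an implicit permit.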
Security zone commands

import interface
Use import interface to add an interface to a security zone.
Use undo import interface to remove an interface from a security zone.
Syntax
import interface interface-type interface-number [ vlan vlan-list ]
undo import interface interface-type interface-number [ vlan vlan-list ]
Default
A security zone contains no interface.
[Sysname-zone-Trust] import interface gigabitethernet 0/1
[Sysname-zone-Trust] quit
# Add Layer 2 Ethernet interface Gigabitethernet 0/1 and VLAN 10 to security zone Untrust.
system-view
[Sysname] zone name Untrust
[Sysname-zone-Untrust] import interface gigabitethernet 0/1 vlan 10
[Sysname-zone-Untrust] quit
Related commands
zone

interzone
Use interzone to create an interzone instance and enter interzone instance view.
Use undo interzone to remove an interzone instance.
Examples
# Create an interzone instance with the source security zone Trust and destination zone Untrust, and enable ASPF for the instance.
system-view
[Sysname] interzone source Trust destination Untrust
[Sysname-interzone-Trust-Untrust] firewall aspf enable
# Log in to VD vdtest, create an interzone instance with the source security zone Zoffice and destination zone Zpublic, and enable ASPF for the instance.
share enable
Use share enable to enable the share attribute of a security zone.
Use undo share enable to restore the default.
Syntax
share enable
undo share enable
Default
The share attribute of a security zone is disabled.
Views
Security zone view
Default command level
2: System level
Usage guidelines
A security zone with its share attribute enabled can be used by other VDs' interzone instances as the destination security zone.
Parameters
zone-name: Specifies the security zone name, a case-insensitive string of 1 to 20 characters that contains no question mark (?), less-than sign (<), greater-than sign (>), backward slash (\), quotation mark ("), percentage sign (%), apostrophe ('), ampersand (&), or number sign (#).
zone-id: Specifies the security zone ID.
Address resource commands
On a virtual device (VD), you can configure different categories of objects, and configure multiple objects for each category. Each object on a VD is uniquely identified by its name. For more information about VDs, see "Configuring VDs." For more information about the switchto vd command, see System Management and Maintenance Configuration Guide.
One group object might comprise other group objects, and a member group object might also comprise other group objects.
display object mac
Use display object mac to display MAC address objects.
Syntax
display object mac [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
vd vd-name: Displays the MAC address objects of a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, MAC address objects of the default VD are displayed.
Examples
# Display the MAC address objects of the default VD.
Default command level
1: Monitor level
Parameters
object-name: Displays a specific object. This argument is a case-insensitive string of 1 to 31 characters.
vd vd-name: Displays a specific object on a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, an object by the name on the default VD is displayed.
Examples
# Display host address object hosttest on the default VD.
Host name: pc3
Host IP address records
Name: hosttest
Status: Out of Use
Host IP addresses: 1.1.1.1, 1.1.1.5
Range IP address records
Name: rangetest
Status: Out of Use
Range IP address: 2.2.2.2-2.2.2.20
Exclude IP addresses: 2.2.2.10
Subnet IP address records
Name: subnettest
Status: Out of Use
Subnet IP address: 3.3.3.3/0.0.0.255
Exclude IP addresses: 3.3.3.1, 3.3.3.255
Table 13 Command output
Field: Host name records
Description: Host address objects that comprise a host name.
Syntax
display object-group { mac | name object-group-name | network | service } [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
mac: Displays MAC address group objects.
name object-group-name: Displays a specific group object. The object-group-name argument is a case-insensitive string of 1 to 31 characters.
network: Displays IP address group objects.
service: Displays service group objects.
vd vd-name: Displays the group objects of a VD.
Field: Description
Description: Description for the object. This field is displayed only when a description is configured for the object.
Field: Objects
Description: Members of the object. This field is displayed only when one or more objects are added to the group object.

host address
Use host address to add a host IP address to a host address object.
Use undo host address to remove a host IP address from a host address object.
Use undo host to restore the default.
Related commands
host name

host name
Use host name to add a host name to a host address object.
Use undo host name to remove a host name from a host address object.
Use undo host to restore the default.
Syntax
host name host-name
undo host [ name ]
Default
A host address object has no host IP address or host name members.
Views
Host address object view
Default command level
2: System level
Parameters
name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.
Use undo mac-address mac-address to remove a MAC address from a MAC address object.
Use undo mac-address to restore the default.
Syntax
mac-address mac-address
undo mac-address [ mac-address ]
Default
A MAC address object has no MAC address members.
Views
MAC address object view
Default command level
2: System level
Parameters
mac-address: Specifies a MAC address, in the format H-H-H, such as 0010-dc28-a4e9.
Usage guidelines
A MAC address object can comprise multiple MAC addresses.
Views
MAC address group object view
Default command level
2: System level
Parameters
object-name: Specifies the name of an existing MAC address object or MAC address group object, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A MAC address group object can comprise multiple MAC address objects and MAC address group objects. To do so, execute the mac-object command multiple times.
Parameters
object-name: Specifies the name of an existing IP address object or IP address group object, a case-insensitive string of 1 to 31 characters.
Usage guidelines
An IP address group object can comprise multiple IP address objects and IP address group objects. To do so, execute the network-object command multiple times.
Examples
# Add IP address objects objectaddr1 and objectaddr2 to IP address group object groupaddr on the default VD.
# Create MAC address object objectmac on VD virdev.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object mac objectmac
Related commands
mac-address

object network
Use object network to create an IP address object and enter its view. If the object already exists, you enter its view.
Use undo object network to delete an IP address object.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object network host objectaddr
# Create address range object objectaddr on VD virdev.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object network range objectaddr
# Create subnet address object objectaddr on VD virdev.
object-group network
Use object-group network to create an IP address group object and enter IP address group object view. If the object already exists, you enter its view.
Use undo object-group network to delete an IP address group object.
Syntax
object-group network object-group-name
undo object-group network object-group-name
Default
No IP address group object is configured.
Default command level
2: System level
Parameters
ip-address-start ip-address-end: Specifies a range of IP addresses by specifying a start IP address and an end IP address. The end IP address must be higher than the start IP address.
exclude ip-address: Specifies an IP address to be excluded from the IP address range.
Usage guidelines
An address range object can comprise only one range of IP addresses. If you execute the range command multiple times, the most recent configuration takes effect.
Default command level
2: System level
Parameters
net-address: Specifies a subnet IP address.
wildcard-mask: Specifies the wildcard mask of the subnet IP address.
exclude ip-address: Specifies an IP address to be excluded from the subnet IP address.
Usage guidelines
A subnet address object can comprise only one subnet address. If you execute the subnet command multiple times, the most recent configuration takes effect.
Service resource commands
On a virtual device (VD), you can configure different categories of objects, and configure multiple objects for each category. Each object on a VD is uniquely identified by its name. For more information about VDs, see "Configuring VDs." For more information about the switchto vd command, see System Management and Maintenance Configuration Guide.
One group object might include other group objects, and a member group object might also include other group objects.
display object name
Use display object name to display a specific object.
Syntax
display object name object-name [ vd vd-name ]
Views
Any view
Default command level
1: Monitor level
Parameters
object-name: Displays a specific object. This argument is a case-insensitive string of 1 to 31 characters.
vd vd-name: Displays a specific object on a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters.
Description: forprotocol2
Protocol: Other
Protocol Number: 2
Name: icmp
Protocol: ICMP
Status: Out of Use
Type: 20
Message Code: 30
Name: tcp
Protocol: TCP
Status: Out of Use
Source Port: Any
Destination Port: 100-200
Table 15 Command output
Field: Name
Description: Object name.
Field: Status
Description: Whether the object is referenced:
• Out of use—Not referenced.
• In use—Referenced.
Field: Description
Description: Description for the object. This field is displayed only when a description is configured for the object.
98 records in total.
name object-group-name: Displays a specific group object. The object-group-name argument is a case-insensitive string of 1 to 31 characters.
network: Displays IP address group objects.
service: Displays service group objects.
vd vd-name: Displays the group objects of a VD. The vd-name argument is a case-insensitive string of 1 to 20 characters. If you do not specify this option, this command displays group objects of the default VD.
Examples
# Display all MAC address group objects on the default VD.
Syntax
object service name
undo object service name
Default
There are some system pre-defined service objects on the device.
Views
VD system view
Default command level
2: System level
Parameters
name: Specifies the object name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The system pre-defined service objects cannot be deleted or changed. To view the system pre-defined service objects, use the display object service default command.
Parameters
object-group-name: Specifies the object name, a case-insensitive string of 1 to 31 characters.
Examples
# Create service group object groupsrv on the default VD.
system-view
[Sysname] object-group service groupsrv
# Create service group object groupsrv on VD virdev.
system-view
[Sysname] switchto vd virdev
[Sysname-vsys-virdev] object-group service groupsrv

service
Use service to add a protocol to a service object.
Use undo service to restore the default.
Usage guidelines
A service object can include only one protocol. If you execute the service command multiple times, the most recent configuration takes effect.
Examples
# Add TCP to service object objectsrv on the default VD, with any source port number and the destination port number 21.
system-view
[Sysname] object service objectsrv
[Sysname-obj-service-objectsrv] service tcp destination-port 21
# Add ICMP to service object objectecho on VD virdev, with the message type 8 and code 0.
[Sysname-obj-grp-service-groupsrv] service-object objectsrv2
# Add service objects objectsrv1 and objectsrv2 to service group object groupsrv on VD virdev.
Time range resource commands

display time-range
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
time-range
Use time-range to configure a time range. If you provide an existing time range name, the command adds a statement to the time range.
Use undo time-range to delete a time range or a statement in the time range.
Usage guidelines
You can create multiple statements in a time range. Each time statement can take one of the following forms:
• Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
• Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
• Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format.
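Because ACL rules and interzone policy rules only take effect while their time range is active, it helps to be able to reason about when a range of several statements is active. The Python below is an added example, not HP's code or the firewall's implementation, evaluating the three statement forms listed above: a range is active when any of its statements is, and a compound statement requires both its periodic part and its absolute window to hold. It assumes HH:MM times, MM/DD/YYYY dates, the day keywords daily, working-day, off-day and mon..sun, and an exclusive end-time (08:00 to 18:00 covers 08:00 up to but not including 18:00); the time ranges in build_examples (work-time, year2013, holiday-week) are constructed for the demonstration.

```python
from datetime import datetime

# Added example (not HP's code): evaluates periodic, absolute and compound
# time-range statements. Day keywords, date/time formats and the exclusive
# end-time are assumptions of this model.

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # index == datetime.weekday()
DAY_GROUPS = {
    "daily": set(WEEKDAYS),
    "working-day": set(WEEKDAYS[:5]),
    "off-day": {"sat", "sun"},
}


def parse_days(spec: str) -> set:
    """Expand a days spec such as "working-day" or "mon wed fri" into weekday names."""
    days = set()
    for token in spec.split():
        if token in DAY_GROUPS:
            days |= DAY_GROUPS[token]
        elif token in WEEKDAYS:
            days.add(token)
        else:
            raise ValueError(f"unknown day keyword: {token}")
    return days


def minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def stamp(time_s: str, date_s: str) -> datetime:
    """Build a datetime from "HH:MM" and "MM/DD/YYYY" strings."""
    return datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %H:%M")


class TimeRange:
    """A named time range made of one or more statements; active when any statement is."""

    def __init__(self, name: str):
        self.name = name
        self.statements = []

    def add_periodic(self, start, end, days, from_=None, to=None):
        """Periodic statement; compound if an absolute window (from_/to tuples) is also given."""
        if minutes(end) <= minutes(start):
            raise ValueError("end-time must be later than start-time")
        self.statements.append({
            "periodic": (minutes(start), minutes(end), parse_days(days)),
            "absolute": self._window(from_, to),
        })

    def add_absolute(self, from_, to=None):
        """Absolute statement: from (time, date) to (time, date); it does not recur."""
        self.statements.append({"periodic": None, "absolute": self._window(from_, to)})

    @staticmethod
    def _window(from_, to):
        if from_ is None and to is None:
            return None
        start = stamp(*from_) if from_ else datetime.min
        end = stamp(*to) if to else datetime.max
        return start, end

    def active_at(self, when: datetime) -> bool:
        return any(self._statement_active(s, when) for s in self.statements)

    @staticmethod
    def _statement_active(stmt, when):
        if stmt["absolute"] is not None:          # absolute window must contain the instant
            start, end = stmt["absolute"]
            if not start <= when <= end:
                return False
        if stmt["periodic"] is not None:          # and the weekday/time-of-day must match
            start_min, end_min, days = stmt["periodic"]
            now = when.hour * 60 + when.minute
            if WEEKDAYS[when.weekday()] not in days or not start_min <= now < end_min:
                return False
        return True


def is_active(time_range: TimeRange, time_s: str, date_s: str) -> bool:
    return time_range.active_at(stamp(time_s, date_s))


def build_examples():
    """Constructed time ranges: one of each statement form."""
    work = TimeRange("work-time")                      # periodic
    work.add_periodic("08:00", "18:00", "working-day")
    year2013 = TimeRange("year2013")                   # absolute
    year2013.add_absolute(("00:00", "01/01/2013"), ("23:59", "12/31/2013"))
    holiday = TimeRange("holiday-week")                # compound: office hours during one week
    holiday.add_periodic("08:00", "18:00", "daily",
                         ("00:00", "10/01/2013"), ("23:59", "10/07/2013"))
    return work, year2013, holiday


if __name__ == "__main__":
    for tr in build_examples():
        print(tr.name, "active on 09/23/2013 09:00:", is_active(tr, "09:00", "09/23/2013"))
```

Rules that reference a time range with a typo in its name are created but never take effect, as the time-range parameter descriptions note, so a check like this is also a convenient place to confirm that every referenced name actually resolves to a configured range.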
Interzone policy commands

comment
Use comment to add a comment about an interzone policy rule or edit its comment to make the rule easy to understand.
Use undo comment to delete the interzone policy rule comment.
Syntax
comment text
undo comment
Default
No comment is configured for an interzone policy rule.
Views
Interzone policy rule view
Default command level
2: System level
Parameters
text: Specifies a comment for the interzone policy rule, a case-sensitive string of 1 to 31 characters.
undo destination-ip dest-ip-obj-name
Default
No destination IP object is referenced in an interzone policy rule.
Views
Interzone policy rule view
Default command level
2: System level
Parameters
dest-ip-obj-name: Specifies the name of the destination IP object. This argument is a case-insensitive string of 1 to 31 characters.
Examples
# Reference destination IP object named ip2 in interzone policy rule 0 for the interzone instance with source zone office and destination zone library.
[Sysname-interzone-office-library-rule-0] destination-mac mac2

display interzone-policy
Use display interzone-policy to display the interzone policy configuration.
rule acl 3001
rule acl 3002
rule acl enable
Table 18 Command output
Field: 1 times matched
Description: The interzone policy rule has been matched once. When the interzone policy rule has never been matched, the field is not displayed. When the time-range is changed, the field is not cleared.
Field: source-ip
Description: Name of the source IP object referenced by an interzone policy rule.
Field: destination-ip
Description: Name of the destination IP object referenced by an interzone policy rule.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the interzone policy acceleration status of the default VD, which is named Root.
insert-rule-id: Specifies the ID of the rule before which the rule specified by rule-id is placed. The value range for this argument is 0 to 65535. To move the rule to the end, set this argument to 65535.
Usage guidelines
When the insert-rule-id argument is the same as the rule-id argument or any of the rules specified by the two arguments does not exist, no operation is performed.
Views
User view

Default level
1: Monitor level

Parameters
vd vd-name: Clears the information of the VD specified by its name, a case-insensitive string of 1 to 20 characters that excludes the question mark (?), less-than sign (<), greater-than sign (>), backslash (\), quotation mark ("), percent sign (%), apostrophe ('), ampersand (&), and number sign (#). If no VD is specified, this command clears the information of the default VD, which is named Root.
content-filter policy-template-name: Specifies a content filtering policy template by its name for the rule. The policy-template-name argument is a case-sensitive string of 1 to 32 characters.
logging: Logs matching packets.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters and must start with an English letter. If the specified time range is not configured, the system still creates the rule.
Usage guidelines
You can enable interzone policy acceleration only for an interzone instance that has interzone policy rules.

Examples
# Create an interzone policy rule for the interzone instance with source zone office and destination zone library, and enable interzone policy acceleration.
Related commands
rule

rule acl enable

Use rule acl enable to enable an interzone policy group. Use undo rule acl enable to disable an interzone policy group.

Syntax
rule acl enable
undo rule acl enable

Default
The interzone policy group is disabled.
Parameters
None

Usage guidelines
Before enabling an interzone policy rule, make sure the rule references at least one source IP object, one destination IP object, and one service object.

Examples
# For the interzone instance with source zone office and destination zone library, reference the source IP object named ip1, the destination IP object named ip2, and the service object named http in interzone policy rule 0, and then enable the rule.
[Sysname] interzone source office destination library
[Sysname-interzone-office-library] rule permit
[Sysname-interzone-office-library-rule-0] service http

source-ip

Use source-ip to reference a source IP object in an interzone policy rule. Use undo source-ip to remove a source IP object from an interzone policy rule.

Syntax
source-ip sour-ip-obj-name
undo source-ip sour-ip-obj-name

Default
No source IP object is referenced in an interzone policy rule.
Default command level
2: System level

Parameters
sour-mac-obj-name: Specifies a source MAC object by its name, a case-insensitive string of 1 to 31 characters.

Examples
# Reference the source MAC object named mac1 in interzone policy rule 0 of the interzone instance with source zone office and destination zone library.
Session management commands

application aging-time

Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default.

Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]

Default
The default session aging times for the application layer protocols are as follows:
• dns: 60 seconds.
• ftp: 3600 seconds.
• msn: 3600 seconds.
display application aging-time

Use display application aging-time to display the session aging timers for the application layer protocols.

Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Syntax
display session relation-table [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
vd vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device, a case-insensitive string of 1 to 20 characters that can contain digits, letters, and underlines.
|: Filters command output by specifying a regular expression.
Field | Description
Pro | Transport layer protocol, TCP or UDP.
TTL | Remaining lifetime of the relationship table entry, in seconds.
AllowConn | Number of sessions allowed by the relationship table entry.
Total find | Total number of relationship table entries found.

display session statistics

Use display session statistics to display session statistics.
Current relation table(s): 50000
Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 by
display session statistics history

Use display session statistics history to display historical session statistics.

Syntax
display session statistics history [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
2: System level

Parameters
vd vd-name: Specifies a virtual device by its name. The vd-name argument is a case-insensitive string of 1 to 20 characters.
display session table

Use display session table to display information about session table entries.
display session table
Initiator:
  Source IP/Port : 192.168.1.18/2048
  Dest IP/Port   : 192.168.1.55/768
  Pro            : ICMP(ICMP(1))
  VPN-Instance/VLAN ID/VLL ID:
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  Pro            : TCP(TCP(6))
  VPN-Instance/VLAN ID/VLL ID:
Total find: 2

# Display detailed information about all session table entries.
display session table verbose
Initiator:
  Source IP/Port : 192.168.1.19/137
  Dest IP/Port   : 192.168.1.
Table 24 Command output

Field | Description
Initiator: | Initiator's session information.
Responder: | Responder's session information.
Pro | Transport layer protocol: TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID | VPN that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App | Application layer protocol: FTP, DNS, MSN, or QQ. Unknown indicates a protocol on a non-well-known port.
State | Session status:
• Accelerate.
• SYN.
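The display session table output above is what an operator would scrape when monitoring a firewall from a script. The following Python parser is an added example, not part of the command reference or the device software; the sample text is constructed from the two entries shown above, and the column alignment and the "Total find" consistency check are assumptions about how such a script would be used.

```python
import re
from collections import Counter

# Constructed sample, modelled on the display session table output above.
# The exact column padding is an assumption; the values are the page's own.
SAMPLE_OUTPUT = """\
Initiator:
  Source IP/Port : 192.168.1.18/2048
  Dest IP/Port   : 192.168.1.55/768
  Pro            : ICMP(ICMP(1))
  VPN-Instance/VLAN ID/VLL ID:
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  Pro            : TCP(TCP(6))
  VPN-Instance/VLAN ID/VLL ID:
Total find: 2
"""

# "Source IP/Port : a.b.c.d/port" and "Dest IP/Port : a.b.c.d/port"
ENDPOINT_RE = re.compile(r"^\s*(Source|Dest) IP/Port\s*:\s*(\S+)/(\d+)\s*$")
# "Pro : TCP(TCP(6))" -> name, repeated name, IP protocol number
PROTO_RE = re.compile(r"^\s*Pro\s*:\s*(\w+)\((\w+)\((\d+)\)\)\s*$")
TOTAL_RE = re.compile(r"^Total find:\s*(\d+)\s*$")


def parse_session_table(text):
    """Return one dict per 'Initiator:' block with src/dst address, port and protocol."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Initiator:":
            current = {}
            sessions.append(current)
            continue
        if current is None:
            continue                      # header text before the first entry
        m = ENDPOINT_RE.match(line)
        if m:
            side = "src" if m.group(1) == "Source" else "dst"
            current[side + "_ip"] = m.group(2)
            current[side + "_port"] = int(m.group(3))
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"] = m.group(1)
            current["proto_num"] = int(m.group(3))
    return sessions


def reported_total(text):
    """The count the device itself printed in the trailing 'Total find' line."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def check_total(text):
    """True when the parsed entry count agrees with the device's own total.

    A mismatch usually means the capture was truncated or the layout changed,
    so downstream alerting should not trust the parsed list.
    """
    total = reported_total(text)
    return total is not None and total == len(parse_session_table(text))


def count_by_protocol(sessions):
    """Per-protocol session counts, e.g. {'ICMP': 1, 'TCP': 1}."""
    return dict(Counter(s["proto"] for s in sessions))


def sessions_to_port(sessions, port, proto="TCP"):
    """Sessions whose initiator targets the given destination port (e.g. 23 for Telnet)."""
    return [s for s in sessions if s.get("proto") == proto and s.get("dst_port") == port]
```

Counting sessions per protocol or per destination port over successive captures gives a cheap baseline against which a sudden jump in, say, Telnet sessions stands out.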
Parameters
vd vd-name: Clears the session table entries on the specified virtual device. The vd-name argument specifies the name of a virtual device, a case-insensitive string of 1 to 20 characters that can contain only digits, letters, and underlines.
source-ip source-ip: Clears the session table entries with the specified source IP address of the initiator.
destination-ip destination-ip: Clears the session table entries with the specified destination IP address of the initiator.
Examples
# Clear all session statistics.
reset session statistics

session aging-time

Use session aging-time to set the aging timer for sessions of a specific protocol that are in a specific state. Use undo session aging-time to restore the default. If no keyword is specified, the command restores the session aging timers for all protocol states to the defaults.
udp-open: Specifies the aging timer for UDP sessions in the OPEN state.
udp-ready: Specifies the aging timer for UDP sessions in the READY state.
time-value: Specifies the aging timer in seconds. The value range is 5 to 100000.

Usage guidelines
To display the session aging timers for the different protocol states, use the display session aging-time command.

Examples
# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.
Syntax
session log bytes-active bytes-value
undo session log bytes-active

Default
The system does not output session logs based on the byte count threshold.

Views
System view

Default command level
2: System level

Parameters
bytes-value: Byte count threshold for session logging, in the range of 1 to 1000 megabytes.

Examples
# Set the byte count threshold for session logging to 10 megabytes.
Related commands
interzone (see Access Control Command Reference).

session log packets-active

Use session log packets-active to set the packet count threshold for session logging. Use undo session log packets-active to restore the default.

Syntax
session log packets-active packets-value
undo session log packets-active

Default
The system does not output session logs based on the packet count threshold.
Examples
# Set the holdtime threshold for session logging to 50 minutes.
system-view
[Sysname] session log time-active 50

session mode hybrid

Use session mode hybrid to configure the hybrid mode for session management. In this mode, session management can process both bidirectional sessions and unidirectional sessions. Use undo session mode to configure the bidirectional mode.
Default command level
2: System level

Parameters
acl-number: ACL number, in the range of 2000 to 3999.
aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value range is 0 to 360, and the default is 24. A value of 0 means that persistent sessions are never aged out.

Usage guidelines
Persistent sessions are not removed simply because no packets have matched them within the aging time. You can manually remove such sessions when necessary.
IP virtual fragment reassembly commands

display ip virtual-reassembly

Use display ip virtual-reassembly to display fragment information for the security zone, including the actual number of fragment queues, the maximum number of fragment queues, the maximum number of packets in each fragment queue, and the fragment queue aging time.
Fragments per reassembly(max-fragments): 16
Reassembly timeout(timeout): 3 second(s)
Drop fragments: OFF
Current reassembly count: 12
Current fragment count: 48
Total reassembly count: 6950
Total reassembly failures: 9

Table 25 Command output

Field | Description
Concurrent reassemblies (max-reassemblies) | Maximum number of concurrent reassemblies.
Fragments per reassembly(max-fragments) | Maximum number of fragments per reassembly.
Reassembly timeout(timeout) | Timeout interval of each reassembly.
Usage guidelines
When the maximum number of concurrent reassemblies is reached, the device discards all subsequent fragments (not including fragments that belong to reassemblies established before the limit was reached) and sends a syslog message. When the maximum number of fragments per reassembly is reached, the device discards all fragments of that reassembly and sends a syslog message.
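The two drop rules in these guidelines are what keep a fragment flood from exhausting the reassembly table. The Python model below is an added example (not device code) of a virtual reassembly table that enforces both rules plus the reassembly timeout; max-fragments 16 and timeout 3 seconds come from the sample output above, while the maximum number of concurrent reassemblies, the fragment keys and the fragment lengths are constructed for the demonstration, and "reached" is interpreted as the fragment count exceeding max-fragments.

```python
from dataclasses import dataclass, field


@dataclass
class Reassembly:
    """One in-progress datagram: when it was first seen and its fragments."""
    first_seen: float
    fragments: list = field(default_factory=list)   # (offset, length, more_fragments)


@dataclass
class VirtualReassemblyTable:
    # max_reassemblies is an assumed value; the page shows the field but not its number.
    max_reassemblies: int = 16
    max_fragments: int = 16      # Fragments per reassembly(max-fragments) from the sample output
    timeout: float = 3.0         # Reassembly timeout(timeout) from the sample output, in seconds
    table: dict = field(default_factory=dict)
    total_reassemblies: int = 0
    total_failures: int = 0
    syslog: list = field(default_factory=list)

    def expire(self, now):
        """Drop reassemblies whose timeout has elapsed (counted as failures)."""
        expired = [k for k, r in self.table.items() if now - r.first_seen >= self.timeout]
        for key in expired:
            del self.table[key]
            self.total_failures += 1
            self.syslog.append(f"reassembly {key} timed out after {self.timeout}s")

    def fragment(self, key, offset, length, more_fragments, now):
        """Feed one fragment; return 'reassembled', 'queued' or 'dropped'.

        key identifies the datagram (e.g. (src, dst, ip_id)); offset/length are
        in bytes; more_fragments is the IP MF flag.
        """
        self.expire(now)
        entry = self.table.get(key)
        if entry is None:
            # Rule 1: table full -> only fragments of NEW datagrams are refused;
            # datagrams already being reassembled keep receiving fragments.
            if len(self.table) >= self.max_reassemblies:
                self.syslog.append(f"max-reassemblies reached, dropped fragment of {key}")
                return "dropped"
            entry = Reassembly(first_seen=now)
            self.table[key] = entry
            self.total_reassemblies += 1
        entry.fragments.append((offset, length, more_fragments))
        # Rule 2: too many fragments -> the whole reassembly is discarded.
        if len(entry.fragments) > self.max_fragments:
            del self.table[key]
            self.total_failures += 1
            self.syslog.append(f"max-fragments exceeded, dropped reassembly {key}")
            return "dropped"
        if self._complete(entry.fragments):
            del self.table[key]
            return "reassembled"
        return "queued"

    @staticmethod
    def _complete(fragments):
        """Contiguous coverage from offset 0 and the last fragment has MF clear."""
        frags = sorted(fragments)
        expected = 0
        for offset, length, _mf in frags:
            if offset != expected:
                return False
            expected = offset + length
        return not frags[-1][2]
```

Watching total_failures and the syslog list while replaying captured fragment traffic shows which of the two limits a given burst actually hit.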
Connection limit commands

connection-limit apply policy

Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application.

Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number

Views
System view

Default command level
2: System level

Parameters
policy-number: Number of an existing connection limit policy. The value must be 0.
Parameters
policy-number: Specifies the number of a connection limit policy. The value must be 0.

Usage guidelines
A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.

Examples
# Create a connection limit policy numbered 0 and enter its view.
Table 26 Command output

Field | Description
Connection-limit policy | Number of the connection limit policy.
refcount 0, 1 limit | Number of times that the policy is applied, and number of rules in the policy.
limit xxx | Rule in the policy. For more information, see the limit command.

Related commands
limit

limit

Use limit to configure an IP address-based connection limit policy rule. Within a connection limit policy, the criteria of each rule must be unique.
• ip: Specifies the IP protocol.
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
max-connections max-num: Maximum number of connections.
# Configure connection limit rule 5 to limit the maximum number of IP connections from vpn1 to vpn2.
Portal commands

Dialer interfaces, virtual-template interfaces, and tunnel interfaces do not support portal authentication.

access-user detect

Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default.

Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect

Default
The portal user detection function is not configured on an interface.
display portal acl

Use display portal acl to display the portal ACLs on a specific interface.

Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
all: Displays all portal ACLs, including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs, which are generated dynamically after a user passes portal authentication.
    Port : any
Rule 1
  Inbound interface : GigabitEthernet0/1
  Type : static
  Action : redirect
  Protocol : 6
  Source:
    IP : 0.0.0.0
    Mask : 0.0.0.0
    Port : any
    MAC : 0000-0000-0000
    Interface : any
    VLAN : 0
  Destination:
    IP : 0.0.0.0
    Mask : 0.0.0.0
    Port : 80
Rule 2
  Inbound interface : GigabitEthernet0/1
  Type : dynamic
  Action : permit
  Source:
    IP : 2.2.2.2
    Mask : 255.255.255.255
    MAC : 000d-88f8-0eab
    Interface : GigabitEthernet0/1
    VLAN : 0
  Protocol : 0
  Destination:
    IP : 0.0.0.
Field | Description
MAC | Source MAC address in the portal ACL.
Interface | Source interface in the portal ACL.
VLAN | Source VLAN in the portal ACL.
Protocol | Protocol type in the portal ACL.
Destination | Destination information in the portal ACL.
IP | Destination IP address in the portal ACL.
Port | Destination transport layer port number in the portal ACL.
Mask | Subnet mask of the destination IP address in the portal ACL.
Author ACL | Authorization ACL information.
State-Name               User-Num
VOID                     0
DISCOVERED               0
WAIT_AUTHEN_ACK          0
WAIT_AUTHOR_ACK          0
WAIT_LOGIN_ACK           0
WAIT_ACL_ACK             0
WAIT_NEW_IP              0
WAIT_USERIPCHANGE_ACK    0
ONLINE                   1
WAIT_LOGOUT_ACK          0
WAIT_LEAVING_ACK         0
Message statistics:
Msg-Name                 Total  Err  Discard
MSG_AUTHEN_ACK           3      0    0
MSG_AUTHOR_ACK           3      0    0
MSG_LOGIN_ACK            3      0    0
MSG_LOGOUT_ACK           2      0    0
MSG_LEAVING_ACK          0      0    0
MSG_CUT_REQ              0      0    0
MSG_AUTH_REQ             3      0    0
MSG_LOGIN_REQ            3      0    0
MSG_LOGOUT_REQ           2      0    0
MSG_LEAVING_REQ          0      0    0
Field | Description
State-Name | Name of a user state.
User-Num | Number of users in a specific state.
Message statistics | Statistics on messages.
Msg-Name | Message type.
Total | Total number of messages of a specific type.
Err | Number of erroneous messages of a specific type.
Discard | Number of discarded messages of a specific type.
MSG_AUTHEN_ACK | Authentication acknowledgment message.
MSG_AUTHOR_ACK | Authorization acknowledgment message.
MSG_LOGIN_ACK | Accounting acknowledgment message.
Field | Description
MSG_SETPOLICY_RESULT | Set policy response message.

display portal free-rule

Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.

Syntax
display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
rule-number: Specifies the number of a portal-free rule. The value ranges from 0 to 15.
Field | Description
IP | Source IP address in the portal-free rule.
Mask | Subnet mask of the source IP address in the portal-free rule.
Port | Source transport layer port number in the portal-free rule.
MAC | Source MAC address in the portal-free rule.
Interface | Source interface in the portal-free rule.
Vlan | Source VLAN in the portal-free rule.
Destination | Destination information in the portal-free rule.
IP | Destination IP address in the portal-free rule.
  Status: Portal running
  Portal server: servername
  Authentication type: Layer3
  Authentication domain: my-domain
  Authentication network:
    Source IP: 1.1.1.1    Mask : 255.255.0.0

Table 30 Command output

Field | Description
Portal configuration of interface | Portal configuration on the interface.
IPv4 | IPv4 portal configuration.
Status | Status of the portal authentication on the interface:
• Portal disabled—Portal authentication is disabled.
Usage guidelines
The following matrix shows the display portal local-server command and hardware compatibility:

Hardware | Compatibility
F1000-A-EI/F1000-S-EI | Yes
F1000-E | No
F5000 | No
F5000-S/F5000-C | No
VPN firewall modules | No
20-Gbps VPN firewall modules | No

Examples
# Display the configuration of the local portal server.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples
# Display information about portal server aaa.
display portal server aaa
Portal server:
  1)aaa:
    IP           : 192.168.0.111
    VPN instance : vpn1
    Port         : 50100
    Key          : ******
    URL          : http://192.168.0.111
    Status       : Up

Table 32 Command output

Field | Description
1) | Number of the portal server.
aaa | Name of the portal server.
Views
Any view

Default command level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
(Remaining rows of the packet statistics, all with zero counts: AFF_NTF_USER_NOTIFY, NTF_AUTH, ACK_NTF_AUTH, REQ_QUERY_STATE, ACK_QUERY_STATE, REQ_MACBINDING_INFO, ACK_MACBINDING_INFO, NTF_USER_LOGON, RESERVED33, NTF_USER_LOGOUT, RESERVED35, PT_TYPE_REQ_USER_OFFLINE.)

Table 33 Command output

Field | Description
Interface | Interface referencing the portal server.
Server name | Name of the portal server.
Invalid packets | Number of invalid packets.
Pkt-Name | Packet type.
Field | Description
ACK_NTF_LOGOUT | Forced logout acknowledgment message from the portal server.
NTF_HEARTBEAT | Portal heartbeat message that the portal server sent to the access device.
NTF_USERSYNC | User synchronization packet that the access device received from the portal server.
ACK_NTF_USERSYNC | User synchronization acknowledgment packet that the access device sent to the portal server.
NTF_CHALLENGE | Challenge request that the access device sent to the portal server.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field | Description
LAST_ACK | Number of connections in LAST-ACK state.
FIN_WAIT_1 | Number of connections in FIN_WAIT_1 state.
FIN_WAIT_2 | Number of connections in FIN_WAIT_2 state.
CLOSING | Number of connections in CLOSING state.

display portal user

Use display portal user to display information about portal users on a specific interface or all interfaces.
  SubState:NONE
  ACL:3000
  Work-mode:Primary
  VPN instance:NONE
  MAC               IP          Vlan   Interface
  ---------------------------------------------------------------------
  000d-88f8-0eac    3.3.3.3     0      GigabitEthernet0/2
Total 2 user(s) matched, 2 listed.

Table 35 Command output

Field | Description
Index | Index of the portal user.
State | Current status of the portal user.
SubState | Current sub-status of the portal user.
ACL | Authorization ACL of the portal user.
Work-mode | User's working mode:
• Primary.
• Secondary.
Parameters
ipv4-network-address: IPv4 address of the authentication source subnet.
mask-length: Length of the subnet mask, in the range of 0 to 32.
mask: Subnet mask, in dotted decimal notation.
all: Specifies all authentication source subnets.

Usage guidelines
You can use this command to configure multiple portal authentication source subnets on an interface. Then only HTTP packets from those subnets can trigger portal authentication on the interface.
Related commands
display portal user

portal domain

Use portal domain to specify an authentication domain for portal users on an interface. Use undo portal domain to delete the authentication domain specified for portal users.

Syntax
portal domain domain-name
undo portal domain

Default
No authentication domain is specified for portal users on an interface.
Views
System view

Default command level
2: System level

Parameters
rule-number: Number of the portal-free rule. The value ranges from 0 to 15.
any: Imposes no limitation on the previous keyword.
ip ipv4-address: Specifies an IPv4 address for the portal-free rule.
mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32.
portal local-server

Use portal local-server to configure the protocol type to be supported by the local portal server and to load the default authentication page file. Use undo portal local-server to cancel the configuration.

Syntax
portal local-server { http | https server-policy policy-name }
undo portal local-server { http | https }

Default
The local portal server does not support any protocol type.
Hardware | Compatibility
F1000-A-EI/F1000-S-EI | Yes
F1000-E | No
F5000 | No
F5000-S/F5000-C | No
VPN firewall modules | No
20-Gbps VPN firewall modules | No

Examples
# Configure the local portal server to support HTTP.
system-view
[Sysname] portal local-server http
# Configure the local portal server to support HTTPS and reference SSL server policy policy1, which has already been configured.
Usage guidelines
If the maximum number of portal users specified in the command is less than the number of current online portal users, the command still executes successfully and does not affect the online portal users, but the system does not allow new portal users to log in until the number of online users drops below the limit.

Examples
# Set the maximum number of portal users allowed in the system to 100.
Syntax
portal nas-ip ipv4-address
undo portal nas-ip

Default
No source IP address is specified for outgoing portal packets on an interface, and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets.

Views
Interface view

Default command level
2: System level

Parameters
ipv4-address: Specifies a source IPv4 address for outgoing portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.
Usage guidelines
If the device uses a RADIUS server for authentication, authorization, and accounting of portal users, then when a portal user logs on from an interface, the device sends the RADIUS server a RADIUS request that carries the NAS-Port-ID attribute.

Examples
# Specify the NAS-Port-ID value of GigabitEthernet 0/1 as ap1.
Syntax
portal redirect-url url-string [ wait-time period ]
undo portal redirect-url

Default
An authenticated portal user is redirected to the URL that the user entered in the address bar before portal authentication.

Views
System view

Default command level
2: System level

Parameters
url-string: Autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.
Parameters
server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.
ip ipv4-address: Specifies the IPv4 address of the portal server. If you specify the local portal server, the IP address specified must be that of a Layer 3 interface on the device and must be reachable from the portal clients.
key: Specifies a shared key for communication with the portal server.
portal server banner

Use portal server banner to configure the welcome banner of the default webpage provided by the local portal server. Use undo portal server banner to restore the default.

Syntax
portal server banner banner-string
undo portal server banner

Default
No webpage welcome banner is configured.

Views
System view

Default command level
2: System level

Parameters
banner-string: Welcome banner for the webpage, a case-sensitive string of 1 to 50 characters.
Use undo portal to disable the specified portal server or all portal servers on an interface.

Syntax
portal server server-name method { direct | layer3 | redhcp }
undo portal

Default
Layer 3 portal authentication is disabled on an interface.

Views
Interface view

Default command level
2: System level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.
method: Specifies the authentication mode to be used.
direct: Direct authentication.
Default
The portal server detection function is not configured.

Views
System view

Default command level
2: System level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:
• http: Probes HTTP connections.
retry retries: Maximum number of probe attempts. The retries argument ranges from 1 to 5 and defaults to 3. If the number of consecutive failed probes reaches this value, the access device considers the portal server unreachable.

Usage guidelines
You can specify one or more detection methods and the actions to be taken.
Default command level
2: System level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
user-sync: Enables the portal user synchronization function.
interval interval: Specifies the interval at which the device checks the user synchronization packets. The interval argument ranges from 60 to 3600 seconds and defaults to 300.
retry retries: Specifies the maximum number of consecutive failed checks.
Default command level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Examples
# Clear portal connection statistics on interface GigabitEthernet 0/1.
reset portal connection statistics interface gigabitethernet 0/1

reset portal server statistics

Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.
AAA commands

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile.

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

Views
System view

Default command level
2: System level

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Views
ISP domain view

Default command level
2: System level

Parameters
max-user-number: Specifies the maximum number of online users that the ISP domain can accommodate. The value range is 1 to 2147483646.

Usage guidelines
System resources are limited, and user connections might compete for network resources when there are many users. Setting a correct limit on the number of online users helps provide reliable system performance.

Examples
# Set a limit of 500 user connections for ISP domain test.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands
• accounting default
• hwtacacs scheme

accounting default

Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

Related commands
• local-user
• hwtacacs scheme
• radius scheme

accounting dvpn

Use accounting dvpn to configure the accounting method for DVPN users. Use undo accounting dvpn to restore the default.

Syntax
accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn

Default
The default accounting method for the ISP domain is used for DVPN users.
Examples
# Configure ISP domain test to use local accounting for DVPN users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting dvpn local
# Configure ISP domain test to use RADIUS accounting scheme rd for DVPN users and local accounting as the backup.
Examples
# Configure ISP domain test to use local accounting for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and local accounting as the backup.
[Sysname-isp-test] accounting optional

accounting portal

Use accounting portal to configure the accounting method for portal users. Use undo accounting portal to restore the default.

Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal

Default
The default accounting method for the ISP domain is used for portal users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local accounting.
Use undo accounting ppp to restore the default.

Syntax
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting ppp

Default
The default accounting method for the ISP domain is used for PPP users.

Views
ISP domain view

Default command level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Syntax
accounting ssl-vpn radius-scheme radius-scheme-name
undo accounting ssl-vpn

Default
The default accounting method for the ISP domain is used for SSL VPN users.

Views
ISP domain view

Default command level
2: System level

Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must already exist.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default

Default
The default authentication method of an ISP domain is local.

Views
ISP domain view

Default command level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
Default
The default authentication method for the ISP domain is used for DVPN users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must already exist.
authentication login

Use authentication login to configure the authentication method for login users through the console port, Telnet, or FTP. Use undo authentication login to restore the default.

Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login

Default
The default authentication method for the ISP domain is used for login users.
authentication portal Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default. Syntax authentication portal { local | none | radius-scheme radius-scheme-name [ local ] } undo authentication portal Default The default authentication method for the ISP domain is used for portal users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authentication.
Syntax authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication ppp Default The default authentication method for the ISP domain is used for PPP users. Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication.
Syntax authentication ssl-vpn radius-scheme radius-scheme-name undo authentication ssl-vpn Default The default authentication method for the ISP domain is used for SSL VPN users. Views ISP domain view Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS scheme must already exist.
Syntax authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } undo authentication super Default The default authentication method for the ISP domain is used for user privilege level switching authentication. Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0. Usage guidelines The specified HWTACACS scheme must already exist.
Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
Views ISP domain view Default command level 2: System level Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS scheme must already exist.
authorization login Use authorization login to configure the authorization method for login users through the console port, Telnet, or FTP. Use undo authorization login to restore the default. Syntax authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authorization login Default The default authorization method for the ISP domain is used for login users.
• authorization default
• hwtacacs scheme
• radius scheme
authorization portal
Use authorization portal to configure the authorization method for portal users. Use undo authorization portal to restore the default. Syntax authorization portal { local | none | radius-scheme radius-scheme-name [ local ] } undo authorization portal Default The default authorization method for the ISP domain is used for portal users.
• radius scheme
authorization ppp
Use authorization ppp to configure the authorization method for PPP users. Use undo authorization ppp to restore the default. Syntax authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authorization ppp Default The default authorization method for the ISP domain is used for PPP users.
• authorization default
• hwtacacs scheme
• radius scheme
authorization ssl-vpn
Use authorization ssl-vpn to configure the authorization method for SSL VPN users. Use undo authorization ssl-vpn to restore the default. Syntax authorization ssl-vpn radius-scheme radius-scheme-name undo authorization ssl-vpn Default The default authorization method for the ISP domain is used for SSL VPN users.
Related commands
• authorization default
• radius scheme
cut connection
Use cut connection to tear down the specified user connections forcibly. Syntax cut connection { access-type portal | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } Views System view Default command level 2: System level Parameters access-type portal: Specifies portal authentication as the access type.
system-view
[Sysname] cut connection domain test
Related commands
• display connection
• service-type
display connection
Use display connection to display information about AAA user connections.
Usage guidelines This command does not display information about FTP user connections. With no parameter specified, this command displays brief information about all AAA user connections. If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.
Field Description
ACL Group: Authorization ACL group. When no authorization ACL group is assigned, this field displays Disable.
CAR(kbps): Authorized CAR parameters.
SessionTimeout: Session timeout value received from the server, in seconds. The value indicates:
• The remaining online time of the user if Terminate-Action is Default.
• The re-authentication interval for the user if Terminate-Action is Radius-Request.
Terminate-Action: Action to take when the session timeout expires.
   Default authentication scheme : local
   Default authorization scheme : local
   Default accounting scheme : local
   Domain User Template:
   Idle-cut : Disabled
   Self-service : Disabled
   Authorization attributes :
1  Domain : test
   State : Active
   Access-limit : Disabled
   Accounting method : Required
   Default authentication scheme : local
   Default authorization scheme : local
   Default accounting scheme : local
   Domain User Template:
   Idle-cut : Disabled
   Session-time : exclude-idle-time
   Self-service : Disabled
   Auth
Field Description
Session-time: Indicates whether the idle cut time is included in the user online time to be uploaded to the server. Options include:
• Exclude-idle-time—The idle cut time is excluded from the user online time.
• Include-idle-time—The idle cut time is included in the user online time.
Self-service: Indicates whether the self-service function is enabled.
system-view
[Sysname] domain test
[Sysname-isp-test]
Related commands
• state
• display domain
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use undo domain default enable to restore the default. Syntax domain default enable isp-name undo domain default enable Default The default ISP domain is the system predefined ISP domain system.
domain if-unknown Use domain if-unknown to specify an ISP domain for users with unknown domain names. Use undo domain if-unknown to restore the default. Syntax domain if-unknown isp-name undo domain if-unknown Default No ISP domain is specified for users with unknown domain names.
undo idle-cut enable Default The function is disabled. Views ISP domain view Default command level 2: System level Parameters minute: Specifies the idle timeout period in the range of 1 to 600 minutes. flow: Specifies the minimum traffic during the idle timeout period in bytes. The value range is 1 to 10240000, and the default is 10240.
Parameters pool-number: Specifies the address pool number in the range of 0 to 99. low-ip-address and high-ip-address: Specifies the start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there is only one IP address in the pool, which is the start IP address. Usage guidelines You can also configure an address pool for PPP users in system view.
vlan-id: Specifies the ID of the VLAN to be bound with the NAS ID. The value range for the VLAN ID is 1 to 4094. Usage guidelines In a NAS ID profile view, you can configure multiple NAS ID–VLAN bindings. A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect. Examples # Bind NAS ID 222 with VLAN 2.
session-time include-idle-time Use session-time include-idle-time to include the idle cut time in the user online time to be uploaded to the server. Use undo session-time include-idle-time to restore the default. Syntax session-time include-idle-time undo session-time include-idle-time Default The user online time uploaded to the server excludes the idle cut time.
Default command level 2: System level Parameters active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. Usage guidelines Blocking an ISP domain prevents offline users of the domain from requesting network services. Online users are not affected. Examples # Place the ISP domain test in the blocked state.
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5
Related commands
display local-user
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to remove authorization attributes and restore the defaults.
• security-audit: An authenticated security log administrator can manage security log files. The commands that a security log administrator can use are described in the information center commands. For more information, see System Management and Maintenance Command Reference. vlan vlan-id: Specifies the ID of the authorized VLAN, in the range of 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
Views Local user view Default command level 3: Manage level Parameters call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users. subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters. ip ip-address: Specifies the IP address of the user.
Hardware Keyword compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: Yes
F5000: Yes
F5000-S/F5000-C: Yes
VPN firewall modules: Yes
20-Gbps VPN firewall modules: No
• ftp: FTP users.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Users logging in through the console or AUX port. Support for AUX logins depends on the device model. For more information, see Getting Started Guide.
• web: Web users.
Total 1 local user(s) matched.
Table 38 Command output
Field Description
VD: Name of the VD to which the local user belongs.
State: Status of the local user: active or blocked.
ServiceType: Service types that the local user can use, including DVPN, FTP, PPP, portal, SSH, Telnet, terminal, and Web.
Access-limit: Whether or not to limit the number of concurrent connections of the username.
Current AccessNum: Number of connections that use the username.
Idle-cut: 120(min)
Work Directory: FLASH:
Level: 1
Acl Number: 2000
Vlan ID: 1
Callback-number: 1
Password aging: Enabled (1 days)
Password length: Enabled (4 characters)
Password composition: Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.
Table 39 Command output
Field Description
Idle-cut: Idle timeout interval, in minutes.
Work Directory: Directory that FTP/SFTP users in the group can access.
Level: Level of the local users in the group.
Parameters time: Specifies the expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY is in the range of 2000 to 2035, MM is in the range of 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted.
group-attribute allow-guest Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group. Use undo group-attribute allow-guest to restore the default. Syntax group-attribute allow-guest undo group-attribute allow-guest Default The guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.
Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, all, v, or vd. vd vd-name: Specifies the VD to which the local user belongs. The vd-name argument represents the VD name, a case-insensitive string of 1 to 20 characters.
password (local user view) Use password to configure a password for a local user. Use undo password to delete the password of a local user. Syntax password [ [ hash ] { cipher | simple } password ] undo password Views Local user view Default command level 2: System level Parameters hash: Enables hash-based encryption. cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive.
# Set the password to 123456 in plain text for local user user1 and enable hash-based encryption for the password.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] password hash simple 123456
Related commands
display local-user
service-type
Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user.
portal: Authorizes the user to use the portal service. ppp: Authorizes the user to use the PPP service. web: Authorizes the user to use the Web service. Usage guidelines You can assign multiple service types to a user. Examples # Authorize user user1 to use the Telnet service.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
state (local user view)
Use state to set the status of a local user. Use undo state to restore the default.
user-group Use user-group to create a user group and enter its view. Use undo user-group to remove a user group. Syntax user-group group-name undo user-group group-name Views System view Default command level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes.
Default command level 3: Manage level Parameters time: Specifies the validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY is in the range of 2000 to 2035, MM is in the range of 1 to 12, and the range of DD depends on the month.
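The four time layouts accepted by the local-user expiration and validity time arguments above, together with the rule that leading zeros may be dropped, are easy to get wrong when configuration is generated by a script. The parser below is an added example, not code from this HP reference or from Comware; it accepts exactly those four layouts, reads "leading zeros can be omitted" as "every field still needs at least one digit", enforces the stated ranges (hours 0 to 23, minutes and seconds 0 to 59, year 2000 to 2035, month 1 to 12, day valid for that month) and rejects everything else. The sample strings are constructed for the example.

```python
"""Parser for the HH:MM:SS-MM/DD/YYYY style time arguments (added example, not Comware code)."""
import re
from datetime import datetime

# Each numeric field must have at least one digit; leading zeros are optional.
_TIME = r"(\d{1,2}):(\d{1,2}):(\d{1,2})"
_MDY = r"(\d{1,2})/(\d{1,2})/(\d{4})"
_YMD = r"(\d{4})/(\d{1,2})/(\d{1,2})"

# The four documented layouts and the meaning of each captured group.
_LAYOUTS = (
    (re.compile(rf"^{_TIME}-{_MDY}$"), ("H", "M", "S", "m", "d", "Y")),  # HH:MM:SS-MM/DD/YYYY
    (re.compile(rf"^{_TIME}-{_YMD}$"), ("H", "M", "S", "Y", "m", "d")),  # HH:MM:SS-YYYY/MM/DD
    (re.compile(rf"^{_MDY}-{_TIME}$"), ("m", "d", "Y", "H", "M", "S")),  # MM/DD/YYYY-HH:MM:SS
    (re.compile(rf"^{_YMD}-{_TIME}$"), ("Y", "m", "d", "H", "M", "S")),  # YYYY/MM/DD-HH:MM:SS
)

YEAR_MIN, YEAR_MAX = 2000, 2035  # range the reference states for YYYY


def parse_local_user_time(text: str) -> datetime:
    """Return the datetime encoded by `text`, or raise ValueError naming the reason."""
    for pattern, order in _LAYOUTS:
        match = pattern.match(text)
        if match:
            break
    else:
        raise ValueError(f"{text!r}: not one of the four supported layouts")

    f = dict(zip(order, (int(g) for g in match.groups())))
    if not YEAR_MIN <= f["Y"] <= YEAR_MAX:
        raise ValueError(f"{text!r}: year must be {YEAR_MIN}..{YEAR_MAX}")
    if not 1 <= f["m"] <= 12:
        raise ValueError(f"{text!r}: month must be 1..12")
    if not (0 <= f["H"] <= 23 and 0 <= f["M"] <= 59 and 0 <= f["S"] <= 59):
        raise ValueError(f"{text!r}: time fields out of range")
    try:
        # datetime() rejects a day that does not exist in that month (e.g. 2021/2/29).
        return datetime(f["Y"], f["m"], f["d"], f["H"], f["M"], f["S"])
    except ValueError as exc:
        raise ValueError(f"{text!r}: day {f['d']} is not valid for month {f['m']}") from exc


def is_valid_local_user_time(text: str) -> bool:
    """Boolean form of the check, convenient when validating generated configuration."""
    try:
        parse_local_user_time(text)
        return True
    except ValueError:
        return False


def canonical(text: str) -> str:
    """Re-emit the value in the YYYY/MM/DD-HH:MM:SS layout with leading zeros restored."""
    return parse_local_user_time(text).strftime("%Y/%m/%d-%H:%M:%S")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for sample in ("2:5:7-2020/2/29", "12/31/2035-23:59:59", "00:00:00-01/01/2000",
                   "2:5:7-2021/2/29", "24:0:0-2020/1/1", "1:1:1-1999/1/1", "2::0-2020/1/1"):
        verdict = "ok: " + canonical(sample) if is_valid_local_user_time(sample) else "rejected"
        print(f"{sample:24} -> {verdict}")
```

Run the block directly to see which of the constructed samples pass; the leap-day and 24:00:00 cases are the ones a naive regex would let through.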
Parameters interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default is 3 seconds. send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default is 50.
Related commands
• display radius scheme
• display connection
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default. Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default The unit for data flows is byte and that for data packets is one-packet.
Views Any view Default command level 2: System level Parameters radius-scheme-name: RADIUS scheme name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Encryption Key : N/A
VPN instance : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : N/A
VPN instance : 1
Accounting-On packet disable, send times : 50 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
P
Field Description Auth Server Encryption Key Shared key for secure authentication communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. Acct Server Encryption Key Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. VPN instance VPN to which the scheme belongs. If no VPN instance is specified for the scheme, this field displays N/A.
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display statistics about RADIUS packets.
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 41 Command output
Field Description
state statistic: User statistics, by state.
DEAD: Number of idle users.
AuthProc: Number of users waiting for authentication.
AuthSucc: Number of users who have passed authentication.
AcctStart: Number of users for whom accounting has been started.
Field Description
PKT response: Counts of responses from servers.
Session ctrl pkt: Counts of session control messages.
Normal author request: Counts of normal authorization requests.
Set policy result: Counts of responses to the Set policy packets.
Accounting on request: Counts of accounting-on requests.
Accounting on response: Counts of accounting-on responses.
Dynamic Author Ext request: Counts of dynamic authorization extension requests.
display stop-accounting-buffer (for RADIUS) Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Related commands
• reset stop-accounting-buffer
• stop-accounting-buffer enable
• user-name-format
• retry
• retry stop-accounting
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication } [ cipher | simple ] key undo key { accounting | authentication } Default No shared key is configured.
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one. The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Examples # Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
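To see why the shared key set with the key command must match the server's copy byte for byte, and why the source address set with nas-ip must be one the server knows, the following script builds an Access-Request the way a NAS does, lets a minimal server validate it with its own copy of the key, and verifies the Access-Accept's Response Authenticator on the NAS side, following RFC 2865 sections 3 and 5.2. This is an added example, not code from this HP reference or from Comware; the server keys its client table by source IP address, the usernames, passwords, addresses and key strings are constructed for the example, and the "unknown NAS is dropped" branch is an assumption (the nas-ip guidelines state only what happens when the address is known).

```python
"""RADIUS shared-key and NAS-address checks (added example, not code from the HP reference)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                         # Code, Identifier, Length


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str, req_auth: Optional[bytes] = None) -> bytes:
    """What the NAS sends: the 16-byte Request Authenticator is random and travels in clear."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_reply(request: bytes, src_ip: str, clients: Dict[str, bytes],
                 users: Dict[bytes, bytes]) -> Optional[bytes]:
    """Minimal server: pick the shared key by the packet's source IP, then accept or reject."""
    secret = clients.get(src_ip)
    if secret is None:
        return None   # unknown NAS: packet dropped (assumption, see lead-in)
    _code, ident, length = HEADER.unpack(request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = HEADER.pack(verdict, ident, 20)   # no reply attributes in this toy server
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if it matches our outstanding request and our key."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(nas_key: bytes, src_ip: str = "10.1.1.1") -> Tuple[Optional[int], bool]:
    """One authentication round trip; returns (reply code or None, authenticator valid?)."""
    clients = {"10.1.1.1": b"ok"}              # server's NAS table: address -> shared key (constructed)
    users = {b"alice": b"s3cret-pw"}           # constructed credentials
    request = build_access_request(ident=7, secret=nas_key, user=b"alice",
                                   password=b"s3cret-pw", nas_ip=src_ip)
    response = server_reply(request, src_ip, clients, users)
    if response is None:
        return None, False
    return response[0], verify_response(response, request, nas_key)


if __name__ == "__main__":
    print("matching key      :", exchange(b"ok"))              # (2, True): Access-Accept
    print("mismatched key    :", exchange(b"wrong"))           # (3, False): reject, authenticator fails
    print("unknown source IP :", exchange(b"ok", "10.9.9.9"))  # (None, False): dropped
```

The mismatched-key run shows both failure modes at once: the server decodes the hidden User-Password to garbage and rejects, and the reply it signs with its key fails the NAS's Response Authenticator check, so even an Access-Accept forged or signed under the wrong key would be discarded. A real server may silently drop a request it cannot validate rather than reject it; the toy rejects so the result is visible.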
Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server. ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address. port-number: Specifies the service port number of the primary RADIUS authentication/authorization server.
With the server status detection feature enabled, the device sends an authentication request that carries the specified username to the primary server at the specified interval. If the device receives no response from the server within the time interval specified by the timer response-timeout command, the device sends the authentication request again.
Usage guidelines When the RADIUS client service is disabled: • Stop-accounting requests for online users can no longer be sent out or buffered, so the RADIUS server does not receive logoff notifications for those users. After such a user goes offline, the RADIUS server still keeps the user's record for a certain period of time.
one private-network source IP address. A private-network source IP address newly specified for a VPN overwrites the previous one. The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet.
Related commands
display radius scheme
radius trap
Use radius trap to enable the trap function for RADIUS. Use undo radius trap to disable the trap function for RADIUS. Syntax radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } Default The trap function is disabled for RADIUS.
Syntax reset radius statistics Views User view Default command level 2: System level Examples # Clear RADIUS statistics.
reset radius statistics
Related commands
display radius statistics
reset stop-accounting-buffer (for RADIUS)
Use reset stop-accounting-buffer to clear buffered stop-accounting requests for which no responses have been received.
Related commands
• stop-accounting-buffer enable
• display stop-accounting-buffer
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default. Syntax retry retry-times undo retry Default The maximum number of RADIUS packet transmission attempts is 3.
Syntax retry realtime-accounting retry-times undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255. Usage guidelines A RADIUS server usually checks whether a user is online by using a timeout timer.
Use undo retry stop-accounting to restore the default. Syntax retry stop-accounting retry-times undo retry stop-accounting Default The maximum number of stop-accounting request transmission attempts is 500. Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Specifies the maximum number of stop-accounting request transmission attempts, in the range of 10 to 65535.
Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo secondary accounting [ ipv4-address | ipv6 ipv6-address ] Default No secondary RADIUS accounting server is specified. Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on.
Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization server, which must be a valid global unicast address. port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
With the server status detection feature enabled, the device sends an authentication request that carries the specified username to the secondary server at the specified interval. If the device receives no response from the server within the time interval specified by the timer response-timeout command, the device sends the authentication request again.
Default No security policy server is specified for a RADIUS scheme. Views RADIUS scheme view Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Usage guidelines You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme. Examples # Specify security policy server 10.110.1.
Examples # Configure the RADIUS server type of RADIUS scheme radius1 as standard.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state primary
Use state primary to set the status of a primary RADIUS server. Syntax state primary { accounting | authentication } { active | block } Default The primary RADIUS server specified for a RADIUS scheme is in active state.
state secondary Use state secondary to set the status of a secondary RADIUS server. Syntax state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block } Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server.
stop-accounting-buffer enable (RADIUS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function. Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable Default The device buffers stop-accounting requests to which no responses are received.
Views RADIUS scheme view Default command level 2: System level Parameters minutes: Specifies the server quiet period in minutes, in the range of 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status.
Parameters minutes: Specifies the real-time accounting interval in minutes. The value can be 0 or a multiple of 3, in the range of 3 to 60. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
Parameters seconds: Specifies the RADIUS server response timeout period in seconds, in the range of 1 to 10. Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
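The retry, timer quiet and timer response-timeout settings described above interact: a user authenticating while the primary server is unreachable waits retry-times multiplied by the response timeout before the device moves to the next server in active state, and with a non-zero quiet period that server is skipped for later users until the period ends. The simulation below is an added example, not code from this HP reference or from Comware. It drives a virtual clock so the waits are computed rather than slept, and it assumes (not stated on this page) that a server placed in the blocked state by the quiet timer returns to the active state when the quiet period expires. Server names, addresses and reachability are constructed for the example.

```python
"""RADIUS server selection under retry / timer response-timeout / timer quiet (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    reachable: bool              # constructed input: does this server ever answer?
    state: str = "active"        # "active" or "block", as shown by display radius scheme
    blocked_until: float = 0.0   # virtual-clock second at which the quiet period ends


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]  # primary first, then secondaries in configured order
    retry: int = 3               # retry retry-times (default 3)
    response_timeout: float = 3  # timer response-timeout, seconds (default 3)
    quiet_minutes: int = 5       # timer quiet, minutes (default 5); 0 never blocks a server


def send_request(scheme: RadiusScheme, now: float) -> Tuple[Optional[str], float]:
    """Try the servers from the primary on; return (server that answered or None, seconds spent)."""
    t = now
    for srv in scheme.servers:
        if srv.state == "block":
            if t < srv.blocked_until:
                continue                           # still quiet: skipped, no time spent
            srv.state = "active"                   # assumption: quiet period over, probe it again
        for _attempt in range(scheme.retry):
            if srv.reachable:
                return srv.name, t - now           # answered within the timeout (reply latency ~0 here)
            t += scheme.response_timeout           # no answer: wait one timeout, then retransmit
        if scheme.quiet_minutes > 0:               # every attempt timed out: quiet this server
            srv.state = "block"
            srv.blocked_until = t + scheme.quiet_minutes * 60
        # with timer quiet 0 the server's status is left untouched and the next one is tried
    return None, t - now


def worst_case_wait(scheme: RadiusScheme) -> float:
    """Longest a single request can take before the device has given up on every server."""
    return len(scheme.servers) * scheme.retry * scheme.response_timeout


def run_scenario(quiet_minutes: int) -> List[Tuple[float, Optional[str], float, str]]:
    """Three logins 10 s apart with the primary down; returns (start, server, wait, primary state)."""
    scheme = RadiusScheme(
        servers=[RadiusServer("primary 10.1.1.10", reachable=False),
                 RadiusServer("secondary 10.1.1.11", reachable=True)],
        quiet_minutes=quiet_minutes)
    log = []
    for start in (0.0, 10.0, 20.0):
        who, waited = send_request(scheme, start)
        log.append((start, who, waited, scheme.servers[0].state))
    return log


if __name__ == "__main__":
    for q in (5, 0):
        print(f"timer quiet {q}:")
        for start, who, waited, primary_state in run_scenario(q):
            print(f"  t={start:4.0f}s  answered by {who}  after {waited:4.1f}s  primary={primary_state}")
```

With the defaults, the first login after the primary dies pays 9 seconds before the secondary answers; with timer quiet 0 every login pays those 9 seconds, while with a non-zero quiet period only the first does, which is the trade-off the quiet timer description above is about.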
Examples # Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration.
Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default The unit for data flows is byte and that for data packets is one-packet. Views HWTACACS scheme view Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Table 43 Command output Field Description HWTACACS-server template name Name of the HWTACACS scheme. Primary-authentication-server IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields. Primary-authorization-server IP address and port number of the primary authorization server.
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpassword number: 5
HWTACACS authen client access response getuser number: 0
HWTACACS authen client access response pass number: 1
HWTACACS authen client access response restart number: 0
HWT
display stop-accounting-buffer (for HWTACACS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme.
Views
System view
Default command level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
vpn-instance vpn-instance-name: Specifies the VPN to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IP address.
Views
System view
Default command level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
For security purposes, all shared keys, including keys configured in plain text, are saved in cipher text.
In FIPS mode, you cannot set a plaintext key, and the key is encrypted and decrypted by using the 3DES algorithm.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the port number is 1 to 65535, and the default setting is 49.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Parameters
ip-address: IP address of the primary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the port number is 1 to 65535, and the default setting is 49.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs

reset stop-accounting-buffer (for HWTACACS)
Use reset stop-accounting-buffer to clear the buffered stop-accounting requests for which no responses have been received.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
Usage guidelines
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If you execute the command multiple times, the most recent configuration takes effect.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets.
vpn-instance vpn-instance-name: Specifies the VPN to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the port number is 1 to 65535, and the default setting is 49.
vpn-instance vpn-instance-name: Specifies the VPN to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or until the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests that receive no responses.
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Specifies the real-time accounting interval in minutes.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
seconds: Specifies the HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username that includes an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Access Control Configuration Guide.

display password-control
Use display password-control to display the password control configuration.
Password complexity: Disabled (username checking)
                     Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
 Password aging: Enabled (90 days)
 Password length: Enabled (10 characters)
 Password composition: Enabled (1 types, 1 characters per type)
Table 45 Command output
Field              Description
Password control   Whether the password control feature is enabled.
Views
Any view
Default command level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password include:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 47.
Table 47 Special characters
Character name   Symbol
Ampersand sign   &
Apostrophe       '
Asterisk         *
At sign          @
Back quote       `
Back slash       \
Blank space      N/A
Caret            ^
Colon            :
Comma            ,
Dollar sign      $
Dot              .
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....

password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use undo password-control { aging | composition | history | length } enable to disable the specified function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.
[Sysname] password-control history enable
Related commands
• password-control enable
• display password-control

password-control aging
Use password-control aging to set the password aging time.
Use undo password-control aging to restore the default.
# Set the password aging time for local user abc to 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
Related commands
• display password-control
• local-user
• user-group

password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Views
System view
Default command level
2: System level
Parameters
authentication-timeout: User authentication timeout time in seconds, in the range of 30 to 120.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40

password-control complexity
Use password-control complexity to configure the password complexity checking policy. Passwords that do not comply with the policy are refused.
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Specify that the password of local user abc must contain at least three types of characters and each type must contain at least five characters.
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Default command level
2: System level
Parameters
delay: Maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting. The minimum password length of a local user equals that of the user group to which the local user belongs.
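As an added example that is not part of the HP reference, the following Python models the checks that the password-control complexity, composition and length commands above describe, so a reviewer can see how a candidate password is evaluated against a given policy. The defaults mirror the page (minimum length 10, composition "1 types, 1 characters per type", complexity checks disabled); the exact rules behind the username and repeated-characters checks, the reading that a character type counts toward type-number only when it has type-length characters, and the special-character set (Table 47 is truncated on the page) are assumptions of this example.

```python
import string

# Character classes for the composition check. The special set is assumed
# (ASCII punctuation plus the blank space that Table 47 lists).
TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}


def char_type(ch):
    """Return the composition type of one character, or None if it is not valid."""
    for name, members in TYPES.items():
        if ch in members:
            return name
    return None


def check_password(password, username, min_length=10, type_number=1,
                   type_length=1, username_check=False, repeat_check=False):
    """Evaluate a candidate password against a password-control policy.

    Returns a list of violations; an empty list means the password is accepted.
    """
    problems = []

    # password-control length: global default is 10 characters.
    if len(password) < min_length:
        problems.append("shorter than the minimum length of %d" % min_length)

    # password-control composition type-number N type-length M: count how many
    # character types appear at least M times (assumed reading of the policy).
    counts = {}
    for ch in password:
        kind = char_type(ch)
        if kind is None:
            problems.append("invalid character %r" % ch)
            continue
        counts[kind] = counts.get(kind, 0) + 1
    satisfied = [k for k, n in counts.items() if n >= type_length]
    if len(satisfied) < type_number:
        problems.append("needs at least %d character types with %d or more "
                        "characters each" % (type_number, type_length))

    # password-control complexity, username checking: reject a password that
    # contains the username or its reverse, case-insensitively (assumed rule).
    low = password.lower()
    if username_check and username and (
            username.lower() in low or username[::-1].lower() in low):
        problems.append("contains the username or the username reversed")

    # password-control complexity, repeated characters checking: reject three
    # or more identical consecutive characters (assumed rule).
    if repeat_check and any(password[i] == password[i + 1] == password[i + 2]
                            for i in range(len(password) - 2)):
        problems.append("repeats one character three or more times in a row")

    return problems
```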
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid.
Use undo password-control login idle-time to restore the default.
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
The maximum account idle time is 90 days.
Parameters
login-times: Maximum number of consecutive failed login attempts, in the range of 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
• display password-control blacklist
• reset password-control blacklist

password-control password update interval
Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.
Use undo password-control password update interval to restore the default.
Views
System view
Default command level
2: System level
Parameters
aging-time: Super password aging time in days, in the range of 1 to 365.
Usage guidelines
If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords. If you have specified an aging time for super passwords, the system applies that aging time to super passwords.
Examples
# Set the aging time for super passwords to 10 days.
Usage guidelines
If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords. If you have specified a composition policy for super passwords, the system applies that composition policy to super passwords.
Examples
# Specify that a super password must contain at least three types of characters and each type must contain at least five characters.
reset password-control blacklist
Use reset password-control blacklist to remove all or one user from the password control blacklist.
Syntax
reset password-control blacklist [ user-name name ]
Views
User view
Default command level
3: Manage level
Parameters
user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 80 characters.
Examples
# Delete the user named test from the password control blacklist.
Examples
# Clear the history password records of all local users (enter Y to confirm).
FIPS configuration commands
Feature and hardware compatibility

fips mode enable
Syntax
fips mode enable
undo fips mode enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the fips mode enable command to enable FIPS mode.
Use the undo fips mode enable command to disable FIPS mode.
By default, the FIPS mode is disabled.
The FIPS mode complies with FIPS 140-2.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• SSH only supports RSA.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec and SSL do not support DES, RC4, 3DES, or MD5.
Related commands: display fips status.
Examples
# Enable FIPS mode.
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display fips status command to display the FIPS state.
Related commands: fips mode enable.
Examples
# Display the FIPS state.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.