HP VPN Firewall Appliances Access Control Command Reference
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS
scheme.
If you remove a secondary accounting server after the device has already sent a start-accounting
request to it, communication with that server times out, and the device then searches for a
server in active state, starting from the primary server.
If you remove an accounting server being used by online users, the device can no longer send real-time
accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting
requests.
For security purposes, all shared keys, including keys configured in plain text, are saved in cipher text.
Examples
# For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of
10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello
# For RADIUS scheme radius2, set the IP address of the secondary accounting server to 10.110.1.1, the
UDP port to 1813, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
Related commands
• key
• state
• vpn-instance (RADIUS scheme view)
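The device saves shared keys in cipher text, but a change script or template that feeds it commands like the first example still carries the key in the clear. The following added example (not part of the HP documentation) audits such a script and reports how each secondary server's key was typed; it assumes secondary accounting accepts the same key [ cipher | simple ] forms as this reference's secondary authentication syntax, and the sample script is constructed.

```python
import re

# Constructed sample in the style of the examples above; 2001:db8::1 and vpn1 are made up.
SAMPLE = """\
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key simple hello
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
[Sysname-radius-radius2] secondary authentication ipv6 2001:db8::1 vpn-instance vpn1
"""

# Leading CLI prompt such as "<Sysname>" or "[Sysname-radius-radius1]".
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")

def key_mode(args):
    """Classify how the shared key was typed: 'cipher', 'plain' or 'none'."""
    rest = args[args.index("key") + 1:] if "key" in args else []
    if not rest:
        return "none", None
    if rest[0] in ("cipher", "simple"):
        value = rest[1] if len(rest) > 1 else None
        return ("cipher" if rest[0] == "cipher" else "plain"), value
    return "plain", rest[0]  # bare "key hello" is plain text, as in the first example

def audit(script):
    """Return (scheme, role, server, mode) per secondary-server line, plus reused plain keys."""
    findings, seen, reused, scheme = [], {}, set(), None
    for raw in script.splitlines():
        tok = PROMPT.sub("", raw).split()
        if len(tok) == 3 and tok[:2] == ["radius", "scheme"]:
            scheme = tok[2]  # remember which scheme the following lines belong to
        elif len(tok) >= 3 and tok[0] == "secondary" and tok[1] in ("accounting", "authentication"):
            args = tok[2:]
            server = args[1] if args[0] == "ipv6" and len(args) > 1 else args[0]
            mode, value = key_mode(args)
            if mode == "plain" and value is not None:
                if value in seen and seen[value] != server:
                    reused.add(value)  # same clear-text secret on a different server
                seen.setdefault(value, server)
            findings.append((scheme, tok[1], server, mode))
    return findings, reused

if __name__ == "__main__":
    rows, reused = audit(SAMPLE)
    for scheme, role, server, mode in rows:
        print(f"{scheme:8} {role:14} {server:14} key={mode}")
    print("plain-text keys reused across servers:", len(reused))
```

The report prints only the key mode and a reuse count, never the secret itself, so its output can be attached to a change ticket.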
secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication/authorization server.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level