HP VPN Firewall Appliances Access Control Command Reference
Table Of Contents
- Title Page
- Contents
- ACL commands
- acl
- acl accelerate
- acl copy
- acl ipv6
- acl ipv6 copy
- acl ipv6 name
- acl name
- description
- display acl
- display acl accelerate
- display acl ipv6
- reset acl counter
- reset acl ipv6 counter
- rule (Ethernet frame header ACL view)
- rule (IPv4 advanced ACL view)
- rule (IPv4 basic ACL view)
- rule (IPv6 advanced ACL view)
- rule (IPv6 basic ACL view)
- rule comment
- rule remark
- step
- Security zone commands
- Address resource commands
- Service resource commands
- Time range resource commands
- Interzone policy commands
- Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session relation-table
- display session statistics
- display session statistics history
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session mode hybrid
- session persist acl
- session synchronization enable
- IP virtual fragment reassembly commands
- Connection limit commands
- Portal commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal local-server
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal delete-user
- portal domain
- portal free-rule
- portal local-server
- portal max-user
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server banner
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
- AAA commands
- General AAA commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type (RADIUS scheme view)
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- General AAA commands
- Password control commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
- FIPS configuration commands
- Support and other resources
- Index
207
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization
server, which must be a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization
server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
RADIUS authentication/authorization server. In FIPS mode, you cannot set a plaintext key, and the key
must contain at least 8 characters comprising uppercase and lowercase letters, digits, and special
characters. In FIPS mode, a key is encrypted and decrypted by using the 3DES algorithm.
• cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117
characters.
• simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the VPN to which the secondary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the secondary RADIUS authentication/authorization
server.
username name: Specifies the username in the authentication request for server status detection.
interval interval: Specifies the detection interval in minutes. The value range for the interval argument is
1 to 3600, and the default setting is 60 minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme. With the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a higher
priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server times out, and the device looks for a server in active state from the primary
server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in cipher text.