HP FlexNetwork 7500 Series Command Reference Manual

HPE FlexNetwork 7500 Switch Series
Security Command Reference
Part number: 5200-1951a
Software version: 7500-CMW710-R7557P01
Document version: 6W101-20171020
Summary of Contents for HP FlexNetwork 7500 Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Contents. AAA commands (1); General AAA commands (1); aaa nas-id profile (1); aaa session-limit (2); accounting command (2); accounting default (3); accounting dual-stack (4); accounting lan-access (5); accounting login (7); accounting portal (8); accounting quota-out ...
  • Page 4: service-type (local user view) (61); sponsor-department (62); sponsor-email (62); sponsor-full-name (63); state (local user view) (64); user-group (64); validity-datetime (65); RADIUS commands (66); aaa device-id (66); accounting-on enable (67); accounting-on extended (68); attribute 15 check-mode ...
  • Page 5: nas-ip (HWTACACS scheme view) (125); primary accounting (HWTACACS scheme view) (126); primary authentication (HWTACACS scheme view) (127); primary authorization (129); reset hwtacacs statistics (130); reset stop-accounting-buffer (for HWTACACS) (131); retry stop-accounting (HWTACACS scheme view) (131); secondary accounting (HWTACACS scheme view) ...
  • Page 6: dot1x guest-vsi-delay (184); dot1x handshake (185); dot1x handshake reply enable (186); dot1x handshake secure (186); dot1x mac-binding (187); dot1x mac-binding enable (188); dot1x mandatory-domain (189); dot1x max-user (190); dot1x multicast-trigger (190); dot1x port-control ...
  • Page 7: display portal packet statistics (240); display portal rule (242); display portal server (246); display portal user (247); display portal web-server (254); display web-redirect rule (255); if-match (257); ip (MAC binding server view) (259); ip (portal authentication server view) ...
  • Page 8: display port-security mac-address block (311); display port-security mac-address security (312); port-security access-user log enable (313); port-security authentication open (314); port-security authentication open global (315); port-security authorization ignore (316); port-security authorization-fail offline (316); port-security enable (317); port-security free-vlan ...
  • Page 9: public-key local create (371); public-key local destroy (374); public-key local export dsa (376); public-key local export ecdsa (378); public-key local export rsa (379); public-key peer (381); public-key peer import sshkey (382); PKI commands (384); attribute ...
  • Page 10: ssh server acl-deny-log enable (446); ssh server authentication-retries (447); ssh server authentication-timeout (448); ssh server compatible-ssh1x enable (448); ssh server dscp (449); ssh server enable (450); ssh server ipv6 acl (450); ssh server ipv6 dscp (451); ssh server pki-domain ...
  • Page 11: pki-domain (SSL client policy view) (510); pki-domain (SSL server policy view) (511); prefer-cipher (512); server-verify enable (514); session (515); ssl client-policy (516); ssl renegotiation disable (516); ssl server-policy (517); ssl version disable (518); version ...
  • Page 12: icmpv6-flood detect ipv6 (574); icmpv6-flood detect non-specific (575); icmpv6-flood threshold (575); reset attack-defense policy flood (576); reset attack-defense statistics local (577); reset blacklist ip (577); reset blacklist ipv6 (578); reset blacklist statistics (579); rst-flood action ...
  • Page 13: arp source-mac (622); arp source-mac aging-time (623); arp source-mac exclude-mac (624); arp source-mac threshold (624); display arp source-mac (625); ARP packet source MAC consistency check commands (626); arp valid-check enable (626); ARP active acknowledgement commands (626); arp active-ack enable ...
  • Page 14: ipv6 urpf (656); MFF commands (658); display mac-forced-forwarding interface (658); display mac-forced-forwarding vlan (658); mac-forced-forwarding (659); mac-forced-forwarding gateway probe (660); mac-forced-forwarding network-port (661); mac-forced-forwarding server (661); FIPS commands (663); display fips status (663); fips mode enable ...
  • Page 15: web-auth offline-detect (708); web-auth proxy port (708); web-auth server (709); Document conventions and icons (711); Conventions (711); Network topology icons (712); Support and other resources (713); Accessing Hewlett Packard Enterprise Support (713); Accessing updates (713); Websites ...
  • Page 16: aaa nas-id profile

    AAA commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    General AAA commands
    aaa nas-id profile
    Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
  • Page 17: aaa session-limit

    aaa session-limit
    Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
    Syntax
    In non-FIPS mode:
    aaa session-limit { ftp | http | https | ssh | telnet } max-sessions...
  • Page 18: accounting default

    Syntax
    accounting command hwtacacs-scheme hwtacacs-scheme-name
    undo accounting command
    Default
    The default accounting methods of the ISP domain are used for command line accounting.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 19: accounting dual-stack

    accounting default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo accounting default
    Default
    The default accounting method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin...
  • Page 20: accounting lan-access

    Use undo accounting dual-stack to restore the default.
    Syntax
    accounting dual-stack { merge | separate }
    undo accounting dual-stack
    Default
    The merge method applies.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    merge: Merges IPv4 data with IPv6 data for accounting.
    separate: Separates IPv4 data from IPv6 data for accounting.
  • Page 21

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
    radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 22: accounting login

    Related commands
    accounting default
    local-user
    radius scheme
    accounting login
    Use accounting login to specify accounting methods for login users. Use undo accounting login to restore the default.
    Syntax
    In non-FIPS mode:
    accounting login hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo accounting login
    In FIPS mode:...
  • Page 23: accounting portal

    Examples
    # In ISP domain test, perform local accounting for login users.
    system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting login local
    # In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
    ...
  • Page 24: accounting quota-out

    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
  • Page 25: accounting start-fail

    Syntax
    accounting quota-out { offline | online }
    undo accounting quota-out
    Default
    The device logs off users that have used up their data quotas.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    offline: Logs off users that have used up their data quotas.
    online: Allows users that have used up their data quotas to stay online.
  • Page 26: accounting update-fail

    system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting start-fail online
    accounting update-fail
    Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts. Use undo accounting update-fail to restore the default.
    Syntax
    accounting update-fail { [ max-times max-times ] offline | online }
    undo accounting update-fail
    Default
    The device allows users that have failed all their accounting-update attempts to stay online.
  • Page 27

    authentication default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo authentication default
    Default
    The default authentication method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles...
  • Page 28: authentication lan-access

    authentication lan-access
    Use authentication lan-access to specify authentication methods for LAN users. Use undo authentication lan-access to restore the default.
    Syntax
    In non-FIPS mode:
    authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authentication lan-access
    In FIPS mode:...
  • Page 29: authentication login

    [Sysname] domain test
    [Sysname-isp-test] authentication lan-access radius-scheme rd local
    Related commands
    authentication default
    hwtacacs scheme
    ldap scheme
    local-user
    radius scheme
    authentication login
    Use authentication login to specify authentication methods for login users. Use undo authentication login to restore the default.
    Syntax
    In non-FIPS mode:
    authentication...
  • Page 30: authentication onu

    Usage guidelines
    You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
  • Page 31: authentication portal

    mdc-admin
    Parameters
    local: Performs local authentication.
    none: Does not perform authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
  • Page 32: authentication super

    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authentication.
    none: Does not perform authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 33: authorization command

    Default
    The default authentication methods of the ISP domain are used for user role authentication.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 34

    Default
    The default authorization methods of the ISP domain are used for command authorization.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authorization.
  • Page 35: authorization default

    hwtacacs scheme
    local-user
    authorization default
    Use authorization default to specify default authorization methods for an ISP domain. Use undo authorization default to restore the default.
    Syntax
    In non-FIPS mode:
    authorization default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo authorization default
    In FIPS mode:...
  • Page 36: authorization lan-access

    The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence.
  • Page 37: authorization login

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    The RADIUS authorization configuration takes effect only when the authentication and authorization methods of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods.
  • Page 38

    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authorization.
    none: Does not perform authorization.
    The following default authorization information applies after users pass authentication:
    •...
  • Page 39: authorization portal

    authorization portal
    Use authorization portal to specify authorization methods for portal users. Use undo authorization portal to restore the default.
    Syntax
    In non-FIPS mode:
    authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authorization portal
    In FIPS mode:
    authorization portal { local | radius-scheme radius-scheme-name [ local ] }...
  • Page 40: authorization-attribute (ISP domain view)

    [Sysname-isp-test] authorization portal radius-scheme rd local
    Related commands
    authorization default
    local-user
    radius scheme
    authorization-attribute (ISP domain view)
    Use authorization-attribute to configure authorization attributes for users in an ISP domain. Use undo authorization-attribute to restore the default of an authorization attribute.
    Syntax
    authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] |...
  • Page 41: display domain

    idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to portal users.
    flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.
  • Page 42

    Syntax
    display domain [ isp-name ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
    Examples
    # Display the configuration of all ISP domains.
  • Page 43

    Accounting update failure action: Online
    Accounting quota out policy: Offline
    Service type: HSI
    Session time: Include idle time
    Dual-stack accounting method: Merge
    Authorization attributes:
      Idle cut: Enabled
      Idle timeout: 2 minutes
      Flow: 10240 bytes
      Traffic direction: Both
      IP pool: appy
      Inbound CAR: CIR 64000 bps PIR 640000 bps
      Outbound CAR: CIR 64000 bps PIR 640000 bps
      ACL number: 3000
    ...
  • Page 44 Field Description RADIUS RADIUS scheme. HWTACACS HWTACACS scheme. LDAP LDAP scheme. Local Local scheme. None No authentication, no authorization, or no accounting. Accounting start failure action Access control for users that encounter accounting-start failures: • Online—Allows the users to stay online. •...
  • Page 45: Domain

    Field Description Inbound CAR Authorization inbound CAR: • CIR—Committed information rate in bps. • PIR—Peak information rate in bps. If no inbound CAR is authorized, this field displays N/A. Outbound CAR Authorization outbound CAR: • CIR—Committed information rate in bps. •...
  • Page 46: Domain Default Enable

    You can modify settings for the system-defined ISP domain system, but you cannot delete this domain. An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
  • Page 47: Domain If-Unknown

    system-view [Sysname] domain test [Sysname-isp-test] quit [Sysname] domain default enable test Related commands display domain domain domain if-unknown Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains. Use undo domain if-unknown to restore the default. Syntax domain if-unknown isp-name undo domain if-unknown...
  • Page 48: Nas-Id Bind Vlan

    Examples # Specify ISP domain test to accommodate users that are assigned to nonexistent domains. system-view [Sysname] domain if-unknown test Related commands display domain nas-id bind vlan Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding. Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id...
  • Page 49: Session-Time Include-Idle-Time

    Syntax service-type { hsi | stb | voip } undo service-type Default The service type is hsi for users in an ISP domain. Views ISP domain view Predefined user roles network-admin mdc-admin Parameters hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through 802.1X.
  • Page 50: State (Isp Domain View)

    Views ISP domain view Predefined user roles network-admin mdc-admin Usage guidelines Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. Typically, the idle timeout period is assigned by the authorization server after users pass authentication.
  • Page 51: User-Address-Type

    Parameters active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. Usage guidelines By blocking an ISP domain, you disable offline users of the domain from requesting network services.
  • Page 52: Access-Limit

    Examples # Specify the private IPv4 address type for users in ISP domain test. system-view [Sysname] domain test [Sysname-isp-test] user-address-type private-ipv4 Related commands display domain Local user commands access-limit Use access-limit to set the maximum number of concurrent logins using the local user name. Use undo access-limit to restore the default.
  • Page 53: Authorization-Attribute (Local User View/User Group View)

    authorization-attribute (local user view/user group view) Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to restore the default of an authorization attribute.
  • Page 54 work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist. Usage guidelines Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
  • Page 55: Bind-Attribute

    [Sysname-luser-manage-xyz] authorization-attribute user-role security-audit This operation will delete all other roles of the user. Are you sure? [Y/N]:y Related commands display local-user display user-group bind-attribute Use bind-attribute to configure binding attributes for a local user. Use undo bind-attribute to remove binding attributes of a local user. Syntax bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *...
  • Page 56: Company

    • If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface. • If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface. •...
  • Page 57: Description

    description Use description to configure a description for a network access user. Use undo description to restore the default. Syntax description text undo description Default No description is configured for a network access user. Views Network access user view Predefined user roles network-admin mdc-admin Parameters...
  • Page 58 network: Network access user. guest: Guest user account. idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature. service-type: Specifies the local users that use a specific type of service. ftp: FTP users. http: HTTP users.
  • Page 59 User group: system Bind attributes: IP address: 2.2.2.2 Location bound: Ten-GigabitEthernet1/0/1 MAC address: 0001-0001-0001 VLAN ID: Authorization attributes: Idle timeout: 33 minutes Work directory: flash: ACL number: 2000 User role list: network-operator, level-0, level-3 Description: A network access user from company cc Validity period: Start date and time: 2016/01/01-00:01:01...
  • Page 60 Field Description VLAN ID Binding VLAN of the local user. Authorization attributes Authorization attributes of the local user. Idle timeout Idle timeout period of the user, in minutes. Session-timeout Session timeout timer for the user, in minutes. Work directory Directory that the FTP, SFTP, or SCP user can access. ACL number Authorization ACL of the local user.
  • Page 61: Display User-Group

    display user-group Use display user-group to display user group configuration. Syntax display user-group { all | name group-name } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters all: Specifies all user groups. name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
  • Page 62: Email

    Field Description IP pool IPv4 address pool authorized to the user group. IPv6 pool IPv6 address pool authorized to the user group. Password control configurations Password control attributes that are configured for the user group. Password aging Password expiration time. Password length Minimum number of characters that a password must contain.
  • Page 63: Full-Name

    [Sysname-luser-network(guest)-abc] email [email protected] Related commands display local-user full-name Use full-name to configure the name of a local guest. Use undo full-name to restore the default. Syntax full-name name-string undo full-name Default No name is configured for a local guest. Views Local guest view Predefined user roles network-admin...
  • Page 64: Local-Guest Email Format

    mdc-admin Parameters group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. Examples # Assign device management user 111 to user group abc. system-view [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc Related commands display local-user local-guest email format Use local-guest email format to configure the subject and body for the email notifications of local guest information.
  • Page 65: Local-Guest Email Sender

    Examples # Configure the subject and body for the email notifications to send to the local guest. system-view [Sysname] local-guest email format to guest subject Guest account information [Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.
  • Page 66: Local-Guest Email Smtp-Server

    local-guest email smtp-server Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests. Use undo local-guest email smtp-server to restore the default. Syntax local-guest email smtp-server url-string undo local-guest email smtp-server Default No SMTP server is specified to send email notifications of local guests. Views System view Predefined user roles...
  • Page 67 Parameters username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
  • Page 68: Local-Guest Send-Email

    display local-user local-guest send-email Use local-guest send-email to send emails to a local guest or guest sponsor. Syntax local-guest send-email user-name user-name to { guest | sponsor } Views User view Predefined user roles network-admin mdc-admin Parameters user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters.
  • Page 69 Default No local users exist. Views System view Predefined user roles network-admin mdc-admin Parameters user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements: • Cannot contain a domain name. •...
  • Page 70: Local-User Auto-Delete Enable

    # Add a local guest named user3 and enter local guest view. Sysname> system-view [Sysname] local-user user3 class network guest [Sysname-luser-network(guest)-user3] Related commands display local-user service-type local-user auto-delete enable Use local-user auto-delete enable to enable the local user auto-delete feature. Use undo local-user auto-delete enable to restore the default.
  • Page 71: Local-User-Import

    mdc-admin Parameters class: Specifies the local user type. network: Specifies the network access user. guest: Specifies the local guest. url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters. Usage guidelines You can import the user account information back to the device or to other devices that support the local-user-import command.
  • Page 72 Parameters class: Specifies the local user type. network: Specifies the network access user. guest: Specifies the local guest. url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters. validity-datetime: Specifies the guest validity period of the local guests. start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD.
  • Page 73: Password (Device Management User View)

    The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation results in account import failure and interruption. The system displays the number of the line where the account import is interrupted. Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,).
  • Page 74: Password (Network Access User View)

    In FIPS mode, a device management user does not have a password and cannot pass authentication. Views Device management user view Predefined user roles network-admin mdc-admin Parameters hash: Specifies a password encrypted by the hash algorithm. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
  • Page 75: Phone

    undo password Default A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks. Views Network access user view Predefined user roles network-admin mdc-admin Parameters cipher: Specifies a password in encrypted form. simple: Specifies a password in plaintext form.
  • Page 76: Service-Type (Local User View)

    Parameters phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-). Examples # Specify the phone number as 138-137239201 for local guest abc. system-view [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] phone 138-137239201 Related commands display local-user...
  • Page 77: Sponsor-Department

    Usage guidelines You can assign multiple service types to a user. Examples # Authorize device management user user1 to use the Telnet and FTP services. system-view [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] service-type telnet [Sysname-luser-manage-user1] service-type ftp Related commands display local-user sponsor-department Use sponsor-department to specify the department of the guest sponsor for a local guest.
  • Page 78: Sponsor-Full-Name

    Default No email address is specified for the guest sponsor. Views Local guest view Predefined user roles network-admin mdc-admin Parameters email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822. Examples # Specify the email address as [email protected] for the guest sponsor of local guest abc.
  • Page 79: State (Local User View)

    state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Predefined user roles network-admin mdc-admin...
  • Page 80: Validity-Datetime

    Parameters group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
  • Page 81: Radius Commands

    to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user. expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12.
  • Page 82: Accounting-On Enable

    Parameters device-id: Specifies a device ID in the range of 1 to 255. Usage guidelines RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.
  • Page 83: Accounting-On Extended

    system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] accounting-on enable interval 5 send 15 Related commands display radius scheme accounting-on extended Use accounting-on extended to enable the extended accounting-on feature. Use undo accounting-on extended to disable the extended accounting-on feature. Syntax accounting-on extended undo accounting-on extended Default...
  • Page 84: Attribute 15 Check-Mode

    display radius scheme attribute 15 check-mode Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users. Use undo attribute 15 check-mode to restore the default. Syntax attribute 15 check-mode { loose | strict } undo attribute 15 check-mode Default The strict check method applies for SSH, FTP, and terminal users.
  • Page 85: Attribute 31 Mac-Format

    Default The RADIUS class attribute is not interpreted as CAR parameters. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Usage guidelines Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control. Examples # In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
  • Page 86: Attribute Convert (Radius Das View)

    uppercase: Specifies the letters in a MAC address to be in upper case. Usage guidelines Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers. Examples # In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.
  • Page 87: Attribute Convert (Radius Scheme View)

    When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines: • The source and destination RADIUS attributes in a rule must use the same data type. • The source and destination RADIUS attributes in a rule cannot use the same name. •...
  • Page 88: Attribute Reject (Radius Das View)

    Usage guidelines The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule. The conversion rules take effect only when the RADIUS attribute translation feature is enabled. When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines: •...
  • Page 89: Attribute Reject (Radius Scheme View)

    Usage guidelines Configure RADIUS attribute rejection rules for the following purposes: • Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes. • Ignore unwanted attributes in the RADIUS packets received from a RADIUS server. The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
  • Page 90: Attribute Remanent-Volume

    Usage guidelines Configure RADIUS attribute rejection rules for the following purposes: • Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes. • Ignore unwanted attributes in the RADIUS packets received from a RADIUS server. The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
  • Page 91: Attribute Translate

    Examples # In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute remanent-volume unit kilo-byte Related commands display radius scheme attribute translate Use attribute translate to enable the RADIUS attribute translation feature. Use undo attribute translate to disable the RADIUS attribute translation feature.
  • Page 92 Use undo client to remove a RADIUS DAC. Syntax client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default No RADIUS DACs are specified.
  • Page 93: Data-Flow-Format (Radius Scheme View)

    port data-flow-format (RADIUS scheme view) Use data-flow-format to set the data flow and packet measurement units for traffic statistics. Use undo data-flow-format to restore the default. Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default...
  • Page 94: Display Radius Scheme

    display radius scheme Use display radius scheme to display RADIUS scheme configuration. Syntax display radius scheme [ radius-scheme-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 95 Weight: 40 Second accounting server: Host name: Not configured : 3.3.3.3 Port: 1813 : Not configured State: Block (Mandatory) Weight: 0 Accounting-On function : Enabled extended function : Enabled retransmission times retransmission interval(seconds) Timeout Interval(seconds) Retransmission Times Retransmission Times for Accounting Update : 5 Server Quiet Period(minutes) Realtime Accounting Interval(seconds) : 22...
  • Page 96 Field Description Port Service port number of the server. If no port number is specified, this field displays the default port number. MPLS L3VPN instance to which the server or the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured.
  • Page 97: Display Radius Statistics

    Field Description Attribute 25 RADIUS attribute 25 interpretation status: • Standard—The attribute is not interpreted as CAR parameters. • CAR—The attribute is interpreted as CAR parameters. Attribute Remanent-Volume unit Data measurement unit for the RADIUS Remanent_Volume attribute. Status of the RADIUS server load sharing feature: •...
  • Page 98: Display Stop-Accounting-Buffer (For Radius)

    Table 7 Command output Field Description Auth. Authentication packets. Acct. Accounting packets. SessCtrl. Session-control packets. Request Packet Number of request packets. Retry Packet Number of retransmitted request packets. Timeout Packet Number of request packets timed out. Access Challenge Number of access challenge packets. Account Start Number of start-accounting packets.
  • Page 99: Key (Radius Scheme View)

    session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme. time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
  • Page 100: Nas-Ip (Radius Scheme View)

    Parameters accounting: Specifies the shared key for secure RADIUS accounting communication. authentication: Specifies the shared key for secure RADIUS authentication communication. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
  • Page 101: Port

    Parameters ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
  • Page 102: Primary Accounting (Radius Scheme View)

    Views RADIUS DAS view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a UDP port number in the range of 1 to 65535. Usage guidelines The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.
  • Page 103 key: Specifies the shared key for secure communication with the primary RADIUS accounting server. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
  • Page 104: Primary Authentication (Radius Scheme View)

    secondary accounting (RADIUS scheme view) server-load-sharing enable vpn-instance (RADIUS scheme view) primary authentication (RADIUS scheme view) Use primary authentication to specify the primary RADIUS authentication server. Use undo primary authentication to restore the default. Syntax primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] * undo primary authentication...
  • Page 105: Radius Attribute Extended

    weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme.
  • Page 106 undo radius attribute extended [ attribute-name ] Default No user-defined extended RADIUS attributes exist. Views System view Predefined user roles network-admin mdc-admin Parameters attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.
  • Page 107: Radius Dscp

    [Sysname] radius attribute extended Owner-Password vendor 122 code 80 type string Related commands attribute convert (RADIUS DAS view) attribute convert (RADIUS scheme view) attribute reject (RADIUS DAS view) attribute reject (RADIUS scheme view) attribute translate radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default.
  • Page 108: Radius Nas-Ip

    undo radius dynamic-author server Default The RADIUS DAS feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs. Based on the DAE packet type and contents, the device performs one of the following operations: •...
  • Page 109: Radius Scheme

    Parameters ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
  • Page 110: Radius Session-Control Client

    undo radius scheme radius-scheme-name Default No RADIUS schemes exist. Views System view Predefined user roles network-admin mdc-admin Parameters radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes.
  • Page 111: Radius Session-Control Enable

    key: Specifies the shared key for secure communication with the session-control client. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
  • Page 112: Radius-Server Test-Profile

    Predefined user roles network-admin mdc-admin Usage guidelines An HPE IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812. This feature must work with HPE IMC servers.
  • Page 113: Reset Radius Statistics

    Usage guidelines You can execute this command multiple times to configure multiple test profiles. If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device. When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.
  • Page 114: Retry

    mdc-admin Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
  • Page 115: Retry Realtime-Accounting

    If the device does not receive a response to its request from the RADIUS server within the response timeout period, the device retransmits the RADIUS request. To set the response timeout period, use the timer response-timeout command. If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
  • Page 116: Retry Stop-Accounting (Radius Scheme View)

    Usage guidelines Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs.
  • Page 117: Secondary Accounting (Radius Scheme View)

    Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters: •...
  • Page 118 Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server.
  • Page 119: Secondary Authentication (Radius Scheme View)

    • When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server. If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests.
  • Page 120 ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS authentication server. port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
  • Page 121: Server-Load-Sharing Enable

    Examples # In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 # In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.
  • Page 122: Snmp-Agent Trap Enable Radius

    Examples # Enable the RADIUS server load sharing feature for RADIUS scheme radius1. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] server-load-sharing enable Related commands primary authentication (RADIUS scheme view) primary accounting (RADIUS scheme view) secondary authentication (RADIUS scheme view) secondary accounting (RADIUS scheme view) snmp-agent trap enable radius Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.
  • Page 123: State Primary

    When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS: • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
  • Page 124: State Secondary

    When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication. When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.
  • Page 125: Stop-Accounting-Buffer Enable (Radius Scheme View)

    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
    active: Specifies the active state, the normal operation state.
    block: Specifies the blocked state, the out-of-service state.
    Usage guidelines
    If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.
  • Page 126: Timer Quiet (Radius Scheme View)

    Default
    The device buffers the RADIUS stop-accounting requests to which no responses have been received.
    Views
    RADIUS scheme view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    This command enables the device to buffer a RADIUS stop-accounting request that has no response after the maximum transmission attempts (set by using the retry command) have been made.
  • Page 127: Timer Realtime-Accounting (Radius Scheme View)

    A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
  • Page 128: Timer Response-Timeout (Radius Scheme View)

    Number of users, Real-time accounting interval:
    500 to 999: 12 minutes
    1000 or more: 15 minutes or longer
    Examples
    # In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.
    system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] timer realtime-accounting 51
    Related commands
    retry realtime-accounting
    timer response-timeout (RADIUS scheme view)
  • Page 129: User-Name-Format (Radius Scheme View)

    Examples
    # In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.
    system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] timer response-timeout 5
    Related commands
    display radius scheme
    retry
    user-name-format (RADIUS scheme view)
    Use user-name-format to specify the format of the username to be sent to a RADIUS server.
    Use undo user-name-format to restore the default.
  • Page 130: Vpn-Instance (Radius Scheme View)

    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] user-name-format without-domain
    Related commands
    display radius scheme
    vpn-instance (RADIUS scheme view)
    Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme.
    Use undo vpn-instance to restore the default.
    Syntax
    vpn-instance vpn-instance-name
    undo vpn-instance
    Default
    The RADIUS scheme belongs to the public network.
  • Page 131: Display Hwtacacs Scheme

    Syntax
    data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
    undo data-flow-format { data | packet }
    Default
    Traffic is counted in bytes and packets.
    Views
    HWTACACS scheme view
    Predefined user roles...
  • Page 132

    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.
    statistics: Displays the HWTACACS service statistics.
  • Page 133

    Table 10 Command output
    Field: Description
    Index: Index number of the HWTACACS scheme.
    Primary Auth Server: Primary HWTACACS authentication server.
    Primary Author Server: Primary HWTACACS authorization server.
    Primary Acct Server: Primary HWTACACS accounting server.
    Secondary Auth Server: Secondary HWTACACS authentication server.
    Secondary Author Server: Secondary HWTACACS authorization server.
  • Page 134

    # Display statistics for HWTACACS scheme tac.
    display hwtacacs scheme tac statistics
    Primary authentication server : 111.8.0.244
    Round trip time: 20 seconds
    Request packets:
    Login request packets:
    Change-password request packets:
    Request packets including plaintext passwords:
    Request packets including ciphertext passwords: 0
    Response packets:
    Pass response packets:
    Failure response packets:...
  • Page 135

    Pending request packets:
    Response packets:
    Success response packets:
    Error response packets:
    Follow response packets:
    Malformed response packets:
    Timeout response packets:
    Unknown type response packets:
    Dropped response packets:
    Table 11 Command output
    Field: Description
    Primary authentication server: Primary HWTACACS authentication server.
    Primary authorization server: Primary HWTACACS authorization server.
  • Page 136: Display Stop-Accounting-Buffer (For Hwtacacs)

    Field: Description
    Unknown type response packets: Number of unknown-type response packets.
    Dropped response packets: Number of dropped response packets.
    PassAdd response packets: Number of received PassAdd response packets. The packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.
    Number of received PassReply response packets.
  • Page 137: Hwtacacs Nas-Ip

    Table 12 Command output
    Field: Description
    First sending time: Time when the stop-accounting request was first sent.
    Attempts: Number of attempts that were made to send the stop-accounting request.
    Related commands
    reset stop-accounting-buffer (for HWTACACS)
    retry stop-accounting (HWTACACS scheme view)
    stop-accounting-buffer enable (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    hwtacacs nas-ip...
  • Page 138: Hwtacacs Scheme

    As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
  • Page 139: Key (Hwtacacs Scheme View)

    Examples
    # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
    system-view
    [Sysname] hwtacacs scheme hwt1
    [Sysname-hwtacacs-hwt1]
    Related commands
    display hwtacacs scheme
    key (HWTACACS scheme view)
    Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
  • Page 140: Nas-Ip (Hwtacacs Scheme View)

    system-view
    [Sysname] hwtacacs scheme hwt1
    [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
    # Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.
    [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
    # Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
  • Page 141: Primary Accounting (Hwtacacs Scheme View)

    As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
  • Page 142: Primary Authentication (Hwtacacs Scheme View)

    key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.
    cipher: Specifies the key in encrypted form.
    simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
    string: Specifies the key.
  • Page 143

    Syntax
    primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
    undo primary authentication
    Default
    The primary HWTACACS authentication server is not specified.
    Views
    HWTACACS scheme view
    Predefined user roles...
  • Page 144: Primary Authorization

    If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme. You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
  • Page 145: Reset Hwtacacs Statistics

    simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
    string: Specifies the key. This argument is case sensitive.
    • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
  • Page 146: Reset Stop-Accounting-Buffer (For Hwtacacs)

    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    accounting: Clears the HWTACACS accounting statistics.
    all: Clears all HWTACACS statistics.
    authentication: Clears the HWTACACS authentication statistics.
    authorization: Clears the HWTACACS authorization statistics.
    Examples
    # Clear all HWTACACS statistics.
    reset hwtacacs statistics all
    Related commands
    display hwtacacs scheme
    reset stop-accounting-buffer (for HWTACACS)
  • Page 147: Secondary Accounting (Hwtacacs Scheme View)

    Syntax
    retry stop-accounting retries
    undo retry stop-accounting
    Default
    The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100.
    Views
    HWTACACS scheme view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests.
  • Page 148

    Parameters
    host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
    ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server.
    ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server.
    port-number: Specifies the service port number of the secondary HWTACACS accounting server.
  • Page 149: Secondary Authentication (Hwtacacs Scheme View)

    [Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!
    Related commands
    display hwtacacs scheme
    key (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    Use secondary authentication to specify a secondary HWTACACS authentication server.
    Use undo secondary authentication to remove a secondary HWTACACS authentication server.
  • Page 150: Secondary Authorization

    keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 151

    Views
    HWTACACS scheme view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
    ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server.
    ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.
  • Page 152: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
    Examples
    # In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
  • Page 153: Timer Quiet (Hwtacacs Scheme View)

    Related commands
    display stop-accounting-buffer (for HWTACACS)
    reset stop-accounting-buffer (for HWTACACS)
    timer quiet (HWTACACS scheme view)
    Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
    Use undo timer quiet to restore the default.
    Syntax
    timer quiet minutes
    undo timer quiet
    Default...
  • Page 154: Timer Response-Timeout (Hwtacacs Scheme View)

    mdc-admin
    Parameters
    minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
    Usage guidelines
    For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
  • Page 155: User-Name-Format (Hwtacacs Scheme View)

    Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme.
  • Page 156: Vpn-Instance (Hwtacacs Scheme View)

    Examples
    # In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.
    system-view
    [Sysname] hwtacacs scheme hwt1
    [Sysname-hwtacacs-hwt1] user-name-format without-domain
    Related commands
    display hwtacacs scheme
    vpn-instance (HWTACACS scheme view)
    Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.
  • Page 157: Authentication-Server

    Use undo attribute-map to restore the default.
    Syntax
    attribute-map map-name
    undo attribute-map
    Default
    An LDAP scheme does not use an LDAP attribute map.
    Views
    LDAP scheme view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.
  • Page 158: Authorization-Server

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.
    Usage guidelines
    You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 159: Display Ldap Scheme

    [Sysname-ldap-ldap1] authorization-server ccc
    Related commands
    display ldap scheme
    ldap server
    display ldap scheme
    Use display ldap scheme to display LDAP scheme configuration.
    Syntax
    display ldap scheme [ ldap-scheme-name ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 160

    LDAP protocol version : LDAPv3
    Server timeout interval : 10 seconds
    Login account DN : Not configured
    Base DN : Not configured
    Search scope : all-level
    User searching parameters:
    User object class : Not configured
    Username attribute : cn
    Username format : with-domain
    Attribute map : map1...
  • Page 161: Ipv6

    Syntax
    ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]
    undo ip
    Default
    An LDAP server does not have an IP address.
    Views
    LDAP server view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ip-address: Specifies the IP address of the LDAP server.
    port port-number: Specifies the TCP port number of the LDAP server.
  • Page 162: Ldap Attribute-Map

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ipv6-address: Specifies the IPv6 address of the LDAP server.
    port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.
    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs.
  • Page 163: Ldap Scheme

    Usage guidelines
    Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.
    Examples
    # Create an LDAP attribute map named map1 and enter LDAP attribute map view. ...
  • Page 164: Ldap Server

    ldap server
    Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.
    Use undo ldap server to delete an LDAP server.
    Syntax
    ldap server server-name
    undo ldap server server-name
    Default
    No LDAP servers exist.
  • Page 165: Login-Password

    Parameters
    dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
    Usage guidelines
    The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server. If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.
  • Page 166

    [Sysname] ldap server ccc
    [Sysname-ldap-server-ccc] login-password simple abcdefg
    Related commands
    display ldap scheme
    login-dn
    Use map to configure a mapping entry in an LDAP attribute map.
    Use undo map to delete the specified mapping entries from the LDAP attribute map.
    Syntax
    map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group...
  • Page 167: Protocol-Version

    [Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
    Related commands
    ldap attribute-map
    user-group
    protocol-version
    Use protocol-version to specify the LDAP version.
    Use undo protocol-version to restore the default.
    Syntax
    protocol-version { v2 | v3 }
    undo protocol-version
    Default
    The LDAP version is LDAPv3.
  • Page 168: Search-Scope

    Syntax
    search-base-dn base-dn
    undo search-base-dn
    Default
    No base DN is specified for user search.
    Views
    LDAP server view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.
    Examples
    # Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.
  • Page 169: Server-Timeout

    Examples
    # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.
    system-view
    [Sysname] ldap server ccc
    [Sysname-ldap-server-ccc] search-scope all-level
    Related commands
    display ldap scheme
    ldap server
    server-timeout
    Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.
  • Page 170: Display Radius-Server Active-Client

    Syntax
    user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }
    undo user-parameters { user-name-attribute | user-name-format | user-object-class }
    Default
    The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.
  • Page 171: Display Radius-Server Active-User

    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Examples
    # Display information about all activated RADIUS clients.
    display radius-server active-client
    Total 2 RADIUS clients.
    Client IP: 2.2.2.2
    Client IP: 3.3.3.3
    Related commands
    radius-server client
    display radius-server active-user
    Use display radius-server active-user to display information about activated RADIUS users.
  • Page 172: Radius-Server Activate

    Username: test
    Description: A network access user from company cc
    Authorization attributes:
    VLAN ID: 2
    ACL number: 2000
    Validity period:
    Expiration time: 2015/04/03-18:00:00
    # Display information about all activated RADIUS users.
    display radius-server active-user
    Total 2 RADIUS users matched.
    Username: 123
    Description: A network access user from company cc
    Authorization attributes:...
  • Page 173: Radius-Server Client

    Syntax
    radius-server activate
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    Use this command to immediately activate the most recent RADIUS server configuration after you have added, modified, or deleted RADIUS clients and network access users from which RADIUS user data is generated.
  • Page 174

    string: Specifies a case-sensitive key string. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.
    all: Specifies all RADIUS clients.
    Usage guidelines
    The IP address of a RADIUS client must be the same as the source IP address for outgoing RADIUS packets specified on the RADIUS client.
  • Page 175: Display Dot1X

    802.1X commands
    display dot1x
    Use display dot1x to display information about 802.1X.
    Syntax
    display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    sessions: Displays 802.1X session information.
    statistics: Displays 802.1X statistics.
  • Page 176

    Online 802.1X wired users
    Ten-GigabitEthernet1/0/1 is link-up
    802.1X authentication : Enabled
    Handshake : Enabled
    Handshake reply : Disabled
    Handshake security : Disabled
    Unicast trigger : Disabled
    Periodic reauth : Disabled
    Port role : Authenticator
    Authorization mode : Auto
    Port access control : Port-based
    Multicast trigger : Enabled...
  • Page 177

    Field: Description
    CHAP authentication: Performs EAP termination and uses CHAP to communicate with the RADIUS server.
    EAP authentication: Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.
    PAP authentication: Performs EAP termination and uses PAP to communicate with the RADIUS server.
  • Page 178

    Field: Description
    Port access control: Access control method of the port:
    • MAC-based—MAC-based access control.
    • Port-based—Port-based access control.
    Multicast trigger: Whether the 802.1X multicast trigger feature is enabled.
    Mandatory auth domain: Mandatory authentication domain on the port.
    Guest VLAN: 802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
  • Page 179: Display Dot1X Connection

    Field: Description
    Add Guest VSI delay: Status and mode of the 802.1X guest VSI assignment delay feature on a port:
    • EAPOL only—EAPOL-triggered 802.1X guest VSI assignment delay is enabled.
    • NewMAC only—New MAC-triggered 802.1X guest VSI assignment delay is enabled.
    •...
  • Page 180

    mdc-operator
    Parameters
    open: Displays information only about 802.1X users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online 802.1X users.
    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.
  • Page 181

    Field: Description
    User MAC address: MAC address of the user.
    Access interface: Interface through which the user accesses the device.
    User access state: Access state of the user.
    • Successful—The user passes 802.1X authentication and comes online.
    • Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
  • Page 182: Display Dot1X Mac-Address

    display dot1x mac-address
    Use display dot1x mac-address to display MAC address information of 802.1X users in 802.1X VLANs or VSIs of a specific type.
    Syntax
    display dot1x mac-address { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ]
    Views
    Any view
    Predefined user roles...
  • Page 183: Dot1X

    MAC addresses: 8
    0800-2700-9427 0800-2700-2341 0800-2700-2324 0800-2700-2351
    0800-2700-5627 0800-2700-2251 0800-2700-8624 0800-2700-3f51
    Interface: Ten-GigabitEthernet1/0/4
    Auth-Fail VSI: text1-vsi
    Aging time: 30 sec
    MAC addresses: 2
    0801-2700-9427 0801-2700-2341
    Table 18 Command output
    Field: Description
    Total MAC addresses: Total number of MAC addresses in the specified VLAN or VSI on the specified port or all ports.
  • Page 184: Dot1X Access-User Log Enable

    Views
    System view
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.
  • Page 185: Dot1X After-Mac-Auth Max-Attempt

    successful-login: Specifies logs generated for successful logins of 802.1X users.
    Usage guidelines
    As a best practice, disable this feature to prevent excessive output of logs for 802.1X users. If you do not specify any parameters, this command enables all logging functions for 802.1X users.
    Examples
    # Enable logging for login failures of 802.1X users.
  • Page 186: Dot1X Authentication-Method

    Related commands
    display dot1x
    dot1x authentication-method
    Use dot1x authentication-method to specify an EAP message handling method.
    Use undo dot1x authentication-method to restore the default.
    Syntax
    dot1x authentication-method { chap | eap | pap }
    undo dot1x authentication-method
    Default
    The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
  • Page 187: Dot1X Auth-Fail Vlan

    If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands." If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
  • Page 188: Dot1X Auth-Fail Vsi

    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x auth-fail vlan 100
    Related commands
    display dot1x
    dot1x auth-fail vsi
    Use dot1x auth-fail vsi to configure an 802.1X Auth-Fail VSI on a port.
    Use undo dot1x auth-fail vsi to restore the default.
    Syntax
    dot1x auth-fail vsi authfail-vsi-name
    undo dot1x auth-fail vsi...
  • Page 189: Dot1X Critical Eapol

    dot1x critical eapol
    Use dot1x critical eapol to enable the sending of an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port.
    Use undo dot1x critical eapol to restore the default.
    Syntax
    dot1x critical eapol
    undo dot1x critical eapol...
  • Page 190: Dot1X Critical Vsi

    Default
    No 802.1X critical VLAN exists on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094.
  • Page 191: Dot1X Critical-Voice-Vlan

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vsi-name: Specifies the name of the 802.1X critical VSI on the port, a case-sensitive string of 1 to 31 characters.
    Usage guidelines
    An 802.1X critical VSI accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable.
  • Page 192: Dot1X Domain-Delimiter

    • The port is configured with the voice VLAN. To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference).
    • LLDP is enabled both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.
  • Page 193: Dot1X Ead-Assistant Enable

    If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\).
  • Page 194: Dot1X Ead-Assistant Free-Ip

    dot1x ead-assistant url
    http-redirect https-port (Layer 3—IP Services Command Reference)
    dot1x ead-assistant free-ip
    Use dot1x ead-assistant free-ip to configure a free IP.
    Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.
    Syntax
    dot1x ead-assistant free-ip ip-address { mask-address | mask-length }
    undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }
    Default
    No free IPs exist.
  • Page 195: Dot1X Eapol Untag

    undo dot1x ead-assistant url
    Default
    No redirect URL exists for EAD assistant.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    url-string: Specifies the redirect URL, a case-sensitive string of 1 to 256 characters in the format http://string or https://string. If the specified URL does not start with http:// or https://, the URL is considered to start with http:// by default.
  • Page 196: Dot1X Guest-Vlan

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    This command enables the device to send 802.1X protocol packets out of an 802.1X-enabled port without VLAN tags. Use this command to prevent terminal devices connected to the port from failing 802.1X authentication when the following conditions exist:
    •...
  • Page 197: Dot1X Guest-Vlan-Delay

    Usage guidelines An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 198: Dot1X Guest-Vsi

    When 802.1X authentication is triggered on a port, the device performs the following operations:
    Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
    Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx-period command.
  • Page 199: Dot1X Guest-Vsi-Delay

    You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can be different. On a port, the 802.1X guest VSI configuration is mutually exclusive with the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, and 802.1X critical VLAN settings.
    Examples
    # Specify VSI vsiuser as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/1.
  • Page 200: Dot1X Handshake

    Assigns the port to the 802.1X guest VSI after the maximum number of request attempts set by using the dot1x retry command is reached.
    If you use the undo command without any keyword, the command disables both EAPOL-triggered and new MAC-triggered 802.1X guest VSI assignment delays on a port.
    Examples
    # Enable EAPOL-triggered 802.1X guest VSI assignment delay on Ten-GigabitEthernet 1/0/1.
  • Page 201: Dot1X Handshake Reply Enable

    Related commands
    display dot1x
    dot1x timer handshake-period
    dot1x retry
    dot1x handshake reply enable
    Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.
    Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.
  • Page 202: Dot1X Mac-Binding

    Default
    The online user handshake security feature is disabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The online user handshake security feature enables the device to prevent users from using illegal client software.
  • Page 203: Dot1X Mac-Binding Enable

    Parameters
    mac-address: Specifies a MAC address in the format of H-H-H, excluding broadcast, multicast, and all-zero MAC addresses.
    all: Specifies all MAC addresses that are bound to a port.
    Usage guidelines
    This command takes effect only when the 802.1X MAC address binding feature takes effect. 802.1X MAC address binding entries, both manually added and automatically generated, never age out.
  • Page 204: Dot1X Mandatory-Domain

    The 802.1X MAC address binding feature automatically binds MAC addresses of authenticated 802.1X users to the users' access port and generates 802.1X MAC address binding entries. 802.1X MAC address binding entries, both automatically generated and manually added, never age out. They can survive a user logoff or a device reboot. To delete an entry, you must use the undo dot1x mac-binding mac-address command.
  • Page 205: Dot1X Max-User

    Default ISP domain.
    Examples
    # Specify my-domain as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/0/1.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain
    Related commands
    display dot1x
    dot1x max-user
    Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default.
  • Page 206: Dot1X Port-Control

    Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.
    Syntax
    dot1x multicast-trigger
    undo dot1x multicast-trigger
    Default
    The 802.1X multicast trigger feature is enabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The multicast trigger feature enables the device to act as the initiator.
  • Page 207: Dot1X Port-Method

    mdc-admin
    Parameters
    authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication.
    auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.
  • Page 208: Dot1X Quiet-Period

    Examples
    # Configure Ten-GigabitEthernet 1/0/1 to implement port-based access control.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x port-method portbased
    Related commands
    display dot1x
    dot1x quiet-period
    Use dot1x quiet-period to enable the quiet timer. Use undo dot1x quiet-period to disable the quiet timer.
    Syntax
    dot1x quiet-period
    undo dot1x quiet-period...
  • Page 209: Dot1X Re-Authenticate Manual

    Default
    The 802.1X periodic reauthentication feature is disabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.
  • Page 210: Dot1X Re-Authenticate Server-Unreachable Keep-Online

    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate manual
    Related commands
    dot1x re-authenticate
    dot1x re-authenticate server-unreachable keep-online
    Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. Use undo dot1x re-authenticate server-unreachable to restore the default.
    Syntax
    dot1x re-authenticate server-unreachable keep-online
    undo dot1x re-authenticate server-unreachable
    Default
    The keep-online feature is disabled on a port.
  • Page 211: Dot1X Timer

    Default
    A maximum of two attempts are made to send an authentication request to a client.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
  • Page 212

    • Periodic reauthentication timer: 3600 seconds.
    • Server timeout timer: 100 seconds.
    • Client timeout timer: 30 seconds.
    • Username request timeout timer: 30 seconds.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.
  • Page 213: Dot1X Timer Reauth-Period

    • Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command.
    • Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
  • Page 214: Dot1X Unicast-Trigger

    Usage guidelines
    The device reauthenticates online 802.1X users on a port at the specified periodic reauthentication interval when the port is enabled with periodic reauthentication. To enable periodic reauthentication on a port, use the dot1x re-authenticate command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
  • Page 215: Dot1X User-Ip Freeze

    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger
    Related commands
    display dot1x
    dot1x multicast-trigger
    dot1x retry
    dot1x timer
    dot1x user-ip freeze
    Use dot1x user-ip freeze to enable 802.1X user IP freezing. Use undo dot1x user-ip freeze to disable 802.1X user IP freezing.
    Syntax
    dot1x user-ip freeze
    undo dot1x user-ip freeze...
  • Page 216: Reset Dot1X Guest-Vsi

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.
  • Page 217

    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports.
    Examples
    # Clear 802.1X statistics on Ten-GigabitEthernet 1/0/1. ...
  • Page 218: Display Mac-Authentication

    MAC authentication commands
    display mac-authentication
    Use display mac-authentication to display MAC authentication settings and statistics.
    Syntax
    display mac-authentication [ interface interface-type interface-number ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.
  • Page 219

    Auth-delay period : 60 s
    Periodic reauth : Enabled
    Reauth period : 120 s
    Re-auth server-unreachable : Logoff
    Guest VLAN : 100
    Guest VLAN auth-period : 150 s
    Critical VLAN : Not configured
    Critical voice VLAN : Disabled
    Host mode : Multiple VLAN
    Offline detection : Enabled...
  • Page 220

    Field  Description
    Authentication domain: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
    Online MAC-auth wired users: Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
  • Page 221: Display Mac-Authentication Connection

    Field  Description
    Authentication order: If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default. If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.
    Guest VSI: MAC authentication guest VSI configured on the port. If no MAC authentication guest VSI is configured, this field displays Not configured.
  • Page 222

    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports.
    slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about online MAC authentication users for all cards.
  • Page 223: Display Mac-Authentication Mac-Address

    Field  Description
    User access state: Access state of the user:
    • Successful—The user passes MAC authentication and comes online.
    • Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
    Authentication domain: MAC authentication domain to which the user belongs.
    IPv4 address of the user.
  • Page 224

    mdc-admin
    mdc-operator
    Parameters
    critical-vlan: Specifies the MAC authentication critical VLAN.
    critical-vsi: Specifies the MAC authentication critical VSI.
    guest-vlan: Specifies the MAC authentication guest VLAN.
    guest-vsi: Specifies the MAC authentication guest VSI.
    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MAC address information of MAC authentication users in the specified MAC authentication VLAN or VSI on all ports.
  • Page 225: Mac-Authentication

    Field  Description
    Type VLAN/VSI: VLAN or VSI information for MAC authentication users. The Type argument has the following values:
    • Critical VLAN.
    • Critical VSI.
    • Guest VLAN.
    • Guest VSI.
    Aging time: MAC address aging time in seconds. This field displays N/A if the MAC addresses do not age out.
    MAC addresses: Number of matching MAC addresses on a port.
  • Page 226: Mac-Authentication Access-User Log Enable

    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] mac-authentication
    Related commands
    display mac-authentication
    mac-authentication access-user log enable
    Use mac-authentication access-user log enable to enable logging for MAC authentication users. Use undo mac-authentication access-user log enable to disable logging for MAC authentication users.
    Syntax
    mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
    undo mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
    Default...
  • Page 227: Mac-Authentication Critical Vlan

    Syntax
    mac-authentication carry user-ip
    undo mac-authentication carry user-ip
    Default
    A MAC authentication request does not include the user IP address.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    This command solves the IP conflict issue which might be caused by users' IP address modification. After you configure this command, users cannot pass MAC authentication if the IP and MAC information in the authentication requests do not match the users' IP-MAC mappings on the IMC server.
  • Page 228: Mac-Authentication Critical Vsi

    Default
    No MAC authentication critical VLAN exists on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094.
  • Page 229: Mac-Authentication Critical-Voice-Vlan

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vsi-name: Specifies the name of the MAC authentication critical VSI on the port, a case-sensitive string of 1 to 31 characters.
    Usage guidelines
    The MAC authentication critical VSI accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable.
  • Page 230: Mac-Authentication Domain

    Usage guidelines
    The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Before you enable the MAC authentication critical voice VLAN on the port, make sure the following requirements are met:
    •...
  • Page 231: Mac-Authentication Guest-Vlan

    Parameters
    domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.
    Usage guidelines
    The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view or Layer 2 aggregate interface view applies only to the port.
  • Page 232: Mac-Authentication Guest-Vlan Auth-Period

    passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches. You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 233: Mac-Authentication Guest-Vsi

    Related commands
    display mac-authentication
    mac-authentication guest-vlan
    mac-authentication guest-vsi
    Use mac-authentication guest-vsi to configure a MAC authentication guest VSI on a port. Use undo mac-authentication guest-vsi to restore the default.
    Syntax
    mac-authentication guest-vsi guest-vsi-name
    undo mac-authentication guest-vsi
    Default
    No MAC authentication guest VSI exists on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 234: Mac-Authentication Guest-Vsi Auth-Period

    mac-authentication guest-vsi auth-period
    Use mac-authentication guest-vsi auth-period to set the interval at which the device authenticates users in the MAC authentication guest VSI. Use undo mac-authentication guest-vsi auth-period to restore the default.
    Syntax
    mac-authentication guest-vsi auth-period period-value
    undo mac-authentication guest-vsi auth-period
    Default
    The device authenticates users in the MAC authentication guest VSI every 30 seconds.
  • Page 235: Mac-Authentication Max-User

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
  • Page 236: Mac-Authentication Offline-Detect Enable

    Usage guidelines
    Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.
    Examples
    # Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.
  • Page 237: Mac-Authentication Parallel-With-Dot1X

    mac-authentication parallel-with-dot1x
    Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port. Use undo mac-authentication parallel-with-dot1x to restore the default.
    Syntax
    mac-authentication parallel-with-dot1x
    undo mac-authentication parallel-with-dot1x
    Default
    Parallel processing of MAC authentication and 802.1X authentication is disabled on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 238: Mac-Authentication Re-Authenticate

    mac-authentication re-authenticate
    Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port. Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port.
    Syntax
    mac-authentication re-authenticate
    undo mac-authentication re-authenticate
    Default
    The periodic MAC reauthentication feature is disabled on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 239: Mac-Authentication Timer (Interface View)

    Default
    The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The keep-online feature keeps authenticated MAC authentication users online when no server is...
  • Page 240: Mac-Authentication Timer (System View)

    Parameters
    auth-delay auth-delay-time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.
    reauth-period reauth-period-value: Specifies the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200.
    Usage guidelines
    When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
  • Page 241

    • The quiet timer is 60 seconds.
    • The global periodic MAC reauthentication timer is 3600 seconds.
    • The server timeout timer is 100 seconds.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 2147483647, in seconds.
  • Page 242: Mac-Authentication User-Name-Format

    mac-authentication user-name-format
    Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users. Use undo mac-authentication user-name-format to restore the default.
    Syntax
    mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
    undo mac-authentication user-name-format
    Default...
  • Page 243: Reset Mac-Authentication Critical Vlan

    Examples
    # Configure a shared account for MAC authentication users, and set the username to abc and the password to the plaintext string xyz.
    system-view
    [Sysname] mac-authentication user-name-format fixed account abc password simple xyz
    # Use MAC-based user accounts for MAC authentication users. Each MAC address must be in hexadecimal notation with hyphens, and letters are in upper case.
  • Page 244: Reset Mac-Authentication Critical-Voice-Vlan

    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VSI on the port.
    Examples
    # Remove the user with MAC address 1-1-1 from the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.
  • Page 245: Reset Mac-Authentication Guest-Vlan

    reset mac-authentication guest-vlan
    Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port.
    Syntax
    reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]
    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies a user by its MAC address.
  • Page 246: Reset Mac-Authentication Statistics

    Examples
    # Remove the user with MAC address 1-1-1 from the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1.
    reset mac-authentication guest-vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1
    Related commands
    display mac-authentication
    mac-authentication guest-vsi
    reset mac-authentication statistics
    Use reset mac-authentication statistics to clear MAC authentication statistics.
    Syntax
    reset mac-authentication statistics [ interface interface-type interface-number ]
    Views...
  • Page 247: Aging-Time

    Portal commands
    aging-time
    Use aging-time to set the aging time for MAC-trigger entries. Use undo aging-time to restore the default.
    Syntax
    aging-time seconds
    undo aging-time
    Default
    The aging time for MAC-trigger entries is 300 seconds.
    Views
    MAC binding server view
    Predefined user roles
    network-admin
    mdc-admin...
  • Page 248: Authentication-Timeout

    authentication-timeout
    Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving a MAC binding query response. Use undo authentication-timeout to restore the default.
    Syntax
    authentication-timeout minutes
    undo authentication-timeout
    Default
    The authentication timeout time is 3 minutes.
  • Page 249: Default-Logon-Page

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.
    interval interval: Specifies the query interval in the range of 1 to 60 seconds.
    Usage guidelines
    If the device does not receive a response from the MAC binding server after the maximum number is reached, the device determines that the MAC binding server is unreachable.
  • Page 250: Display Portal

    Usage guidelines
    You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device. After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages.
  • Page 251

    Pre-auth domain: abc
    User-dhcp-only: Enabled
    Pre-auth IP pool: ab
    Max Portal users: Not configured
    Bas-ip: Not configured
    User detection : Type: ICMP  Interval: 300s  Attempts: 5  Idle time: 180s
    Action for server detection:
      Server type    Server name    Action
      Web server                    fail-permit
      Portal server                 fail-permit...
  • Page 252

    Field  Description
    Portal status: Portal authentication status on the interface:
    • Disabled—Portal authentication is disabled.
    • Enabled—Portal authentication is enabled.
    • Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
    Authentication mode enabled on the interface:
    •...
  • Page 253: Display Portal Mac-Trigger-Server

    portal enable
    portal free-all except destination
    portal ipv6 free-all except destination
    portal ipv6 layer3 source
    portal layer3 source
    portal web-server
    display portal mac-trigger-server
    Use display portal mac-trigger-server to display information about MAC binding servers.
    Syntax
    display portal mac-trigger-server { all | name server-name }
    Views
    Any view
    Predefined user roles...
  • Page 254

    Aging time : 300 seconds
    Free-traffic threshold : 0 bytes
    NAS-Port-Type : Not configured
    Binding retry times
    Binding retry interval : 1 seconds
    Authentication timeout : 3 minutes
    # Display information about the MAC binding server ms1.
    display portal mac-trigger-server name ms1
    Portal mac-trigger server: ms1
    Version : 2.0...
  • Page 255: Display Portal Packet Statistics

    display portal packet statistics
    Use display portal packet statistics to display packet statistics for portal authentication servers.
    Syntax
    display portal packet statistics [ server server-name ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 256

    NTF_USER_NOTIFY
    AFF_NTF_USER_NOTIFY
    Table 24 Command output
    Field  Description
    Portal server: Name of the portal authentication server.
    Invalid packets: Number of invalid packets.
    Pkt-Type: Packet type.
    Total: Total number of packets.
    Drops: Number of dropped packets.
    Errors: Number of packets that carry error information.
    REQ_CHALLENGE: Challenge request packet the portal authentication server sent to the access device.
  • Page 257: Display Portal Rule

    Field  Description
    NTF_USER_NOTIFY: User information notification packet the access device sent to the portal authentication server.
    AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
    Related commands
    reset portal packet statistics
    display portal rule
    Use display portal rule to display portal filtering rules.
    Syntax
    In standalone mode:
    display portal rule { all | dynamic | static } { interface interface-type interface-number [ slot...
  • Page 258

    Rule 1
    Type : Static
    Action : Permit
    Protocol : Any
    Status : Active
    Source:
      : 0.0.0.0
      Mask : 0.0.0.0
      Port : Any
      : 0000-0000-0000
      Interface : Vlan-interface100
      VLAN : 100
    Destination:
      : 192.168.0.111
      Mask : 255.255.255.255
      Port : Any
    Rule 2
    Type : Dynamic...
  • Page 259

    Source:
      : 0.0.0.0
      Mask : 0.0.0.0
      Interface : Vlan-interface100
      VLAN : Any
    Destination:
      : 0.0.0.0
      Mask : 0.0.0.0
    IPv6 portal rules on Vlan-interface100:
    Rule 1
    Type : Static
    Action : Permit
    Protocol : Any
    Status : Active
    Source:
      : ::
      Prefix length
      Port : Any...
  • Page 260

    Protocol : TCP
    Destination:
      : ::
      Prefix length
      Port : 80
    Rule 4:
    Type : Static
    Action : Deny
    Status : Active
    Source:
      : ::
      Prefix length
      Interface : Vlan-interface100
      VLAN : 100
    Destination:
      : ::
      Prefix length
    Author ACL:
      Number : 3001
    Rule 5:...
  • Page 261: Display Portal Server

    Field  Description
    Status: Status of the portal filtering rule:
    • Active—The portal filtering rule is effective.
    • Unactuated—The portal filtering rule is not activated.
    Source: Source information of the portal filtering rule.
    Source IP address.
    Mask: Subnet mask of the source IPv4 address.
    Prefix length: Prefix length of the source IPv6 address.
  • Page 262: Display Portal User

    Usage guidelines
    If you do not specify the server-name argument, this command displays information about all portal authentication servers.
    Examples
    # Display information about the portal authentication server pts.
    display portal server pts
    Portal server: pts
    Type : IMC
    : 192.168.0.111
    VPN instance : Not configured...
  • Page 263

    Syntax
    display portal user { all | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] } [ verbose ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator...
  • Page 264

    000d-88f8-0eac 3.3.3.3 Vlan-interface200
    Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number: 3001
    Inbound CAR: CIR 3072 bps 3072 bps (inactive)
    Outbound CAR: CIR 3072 bps 3072 bps (inactive)
    # Display information about preauthentication portal users. ...
  • Page 265

    Field  Description
    VPN instance: MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
    MAC address of the portal user.
    IP address of the portal user.
    VLAN: VLAN where the portal user resides.
    Interface: Access interface of the portal user.
  • Page 266

    Basic:
    Current IP address: 50.50.50.3
    Original IP address: 30.30.30.2
    Username: user1@hrss
    User ID: 0x28000002
    Access interface: Vlan-interface20
    Service-VLAN/Customer-VLAN: -/-
    MAC address: 0000-0000-0001
    Domain: hrss
    VPN instance: N/A
    Status: Online
    Portal server: test
    Portal authentication method: Direct
    AAA:
    Realtime accounting interval: 60s, retry times: 3
    Idle cut: 180 sec, 10240 bytes, direction: Inbound
    Session duration: 500 sec, remaining: 300 sec
    Remaining traffic: 10240000 bytes...
  • Page 267

    Field  Description
    Service-VLAN/Customer-VLAN: Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
    MAC address: MAC address of the portal user.
    Domain: ISP domain name for portal authentication.
    MPLS L3VPN instance to which the portal user belongs.
  • Page 268

    Field  Description
    Inbound CAR: Authorized inbound CAR:
    • CIR—Committed information rate in bps.
    • PIR—Peak information rate in bps.
    • active—The authorized inbound CAR is applied to the user access interface successfully.
    • inactive—The authorized inbound CAR is not applied to the user access interface.
  • Page 269: Display Portal Web-Server

    Field  Description
    level-n uplink packets/bytes: This field is not supported in the current software version. Packet and byte statistics of the upstream traffic at the accounting level n. The number n is in the range of 1 to 8.
    level-n downlink packets/bytes: This field is not supported in the current software version. Packet and byte statistics of the downstream traffic at the accounting level n.
  • Page 270: Display Web-Redirect Rule

    Table 29 Command output
    Field  Description
    Type: Portal Web server type. This field always displays IMC, which indicates the IMC server.
    Portal Web server: Name of the portal Web server.
    URL of the portal Web server.
    URL parameters: URL parameters for the portal Web server.
    VPN instance: Name of the MPLS L3VPN where the portal Web server resides.
  • Page 271

    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    interface interface-type interface-number: Specifies an interface by its type and number.
    slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (In standalone mode.)
    chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
  • Page 272: If-Match

    Table 30 Command output
    Field  Description
    Rule: Number of the Web redirect rule.
    Type: Type of the Web redirect rule:
    • Static—Static Web redirect rule, generated when the Web redirect feature takes effect.
    • Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
  • Page 273

    Parameters
    original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
    redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
  • Page 274: Ip (Mac Binding Server View)

    system-view
    [Sysname] portal web-server wbs
    [Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1
    Related commands
    display portal web-server
    portal free-rule
    url-parameter
    ip (MAC binding server view)
    Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default.
    Syntax
    ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key { cipher | simple } string ]
    undo ip...
  • Page 275: Ip (Portal Authentication Server View)

    Examples
    # Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal.
    system-view
    [Sysname] portal mac-trigger-server mts
    [Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal
    Related commands
    display portal mac-trigger-server
    ip (portal authentication server view)
    Use ip to specify the IP address of an IPv4 portal authentication server.
  • Page 276: Ipv6

    Examples
    # Configure the IP address of IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal.
    system-view
    [Sysname] portal server pts
    [Sysname-portal-server-pts] ip 192.168.0.111 key simple portal
    Related commands
    display portal server
    portal server
    ipv6
    Use ipv6 to specify the IP address of an IPv6 portal authentication server.
  • Page 277: Nas-Port-Type

    Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers.
    Examples
    # Configure the IP address of IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal.
    system-view
    [Sysname] portal server pts
    [Sysname-portal-server-pts] ipv6 2000::1 key simple portal
    Related commands
    display portal server...
  • Page 278: Port (Mac Binding Server View)

    port (MAC binding server view) Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets. Use undo port to restore the default. Syntax port port-number undo port Default The MAC binding server listens for MAC binding query packets on UDP port 50100. Views MAC binding server view Predefined user roles...
  • Page 279: Portal { Bas-Ip | Bas-Ipv6 } (Interface View)

    Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port that listens to portal packets on the portal authentication server. Examples # Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
  • Page 280: Portal { Ipv4-Max-User | Ipv6-Max-User } (Interface View)

    ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all-0 address, or a link-local address. Usage guidelines If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute.
  • Page 281: Portal Apply Mac-Trigger-Server

    Usage guidelines If the specified maximum number is smaller than the number of current online portal users on the interface, the limit can be set successfully. The limit does not impact the online portal users. However, the device does not allow new portal users to log in from the interface until the number drops down below the limit.
  • Page 282: Portal Apply Web-Server (Interface View)

    Related commands portal mac-trigger-server portal apply web-server (interface view) Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP requests sent by unauthenticated portal users to the portal Web server. Use undo portal [ ipv6 ] apply web-server to restore the default. Syntax portal [ ipv6 ] apply web-server server-name [ fail-permit ] undo portal [ ipv6 ] apply web-server...
  • Page 283: Portal Authorization Strict-Checking

    portal authorization strict-checking Use portal authorization strict-checking to enable strict checking on portal authorization information. Use undo portal authorization strict-checking to disable strict checking on portal authorization information. Syntax portal authorization { acl | user-profile } strict-checking undo portal authorization { acl | user-profile } strict-checking Default Strict checking on portal authorization information is disabled.
  • Page 284: Portal Device-Id

    mdc-admin Parameters ipv4-address: Specifies the IP address of an IPv4 online portal user. all: Specifies IPv4 and IPv6 online portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface. ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.
  • Page 285: Portal Domain (Interface View)

    portal domain (interface view) Use portal [ ipv6 ] domain to specify a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain. Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain. Syntax portal [ ipv6 ] domain domain-name undo portal [ ipv6 ] domain...
  • Page 286: Portal Fail-Permit Server

    Default Portal authentication is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication. method: Specifies an authentication mode: • direct—Direct authentication. • layer3—Cross-subnet authentication. • redhcp—Re-DHCP authentication.
  • Page 287: Portal Free-All Except Destination

    Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server. server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 288: Portal Free-Rule

    mdc-admin Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
  • Page 289 Predefined user roles network-admin mdc-admin Parameters rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ipv4-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
  • Page 290: Portal Free-Rule Destination

    • Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23. • Specify the interface as VLAN-interface 1. system-view [Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ip 2000::1 64 interface vlan-interface 1 With this rule, users in subnet 2000::1/64 do not need to pass portal authentication on VLAN-interface 1 when they access services provided on TCP port 23 of host 2001::1.
  • Page 291: Portal Free-Rule Source

    The configured host name cannot contain only asterisks (*). The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers. You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists. Examples # Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.abc.com.
  • Page 292: Portal Ipv6 Free-All Except Destination

    Examples # Configure source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication. ...
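The portal-free rule pages above (parameters, the IPv6 example, and the duplicate-destination restriction) describe a match procedure. The following is an added example, not HPE code and not part of the manual: it models that procedure in Python, treating every attribute a rule leaves out as a wildcard. Rule 2 mirrors the manual's `portal free-rule 2` example; rule 4, the flow values and the "destination-based means no source information" reading are constructed assumptions for illustration.

```python
"""Portal-free rule matcher (added example, not HPE code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    interface: str    # e.g. "Vlan-interface1"


@dataclass(frozen=True)
class FreeRule:
    number: int
    src_net: Optional[object] = None   # ipaddress.IPv4Network / IPv6Network
    dst_net: Optional[object] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    interface: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        # Network.__contains__ is False on an address-family mismatch, so an IPv4
        # flow never matches an IPv6 rule (and vice versa).
        if self.src_net is not None and src not in self.src_net:
            return False
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        if self.proto is not None and self.proto != flow.proto.lower():
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.interface is not None and self.interface.lower() != flow.interface.lower():
            return False
        return True

    def is_destination_based(self) -> bool:
        # Assumption: a rule carrying no source information is "destination-based".
        return self.src_net is None and self.interface is None and self.dst_net is not None


def net(addr: str, prefix: int):
    """Build a network the way the CLI takes it: address plus mask/prefix length."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class PortalFreeRules:
    def __init__(self):
        self.rules = {}

    def add(self, rule: FreeRule) -> None:
        if rule.number in self.rules:
            raise ValueError(f"rule {rule.number} already exists")
        if rule.is_destination_based():
            # The manual rejects two destination-based rules with identical
            # destination information; only the destination tuple is compared.
            key = (rule.dst_net, rule.proto, rule.dst_port)
            for other in self.rules.values():
                if other.is_destination_based() and \
                        (other.dst_net, other.proto, other.dst_port) == key:
                    raise ValueError(f"the same rule already exists (rule {other.number})")
        self.rules[rule.number] = rule

    def exempting_rule(self, flow: Flow) -> Optional[int]:
        """Lowest-numbered matching rule, or None if the user must authenticate."""
        for number in sorted(self.rules):
            if self.rules[number].matches(flow):
                return number
        return None


def demo_rules() -> PortalFreeRules:
    table = PortalFreeRules()
    # Manual example: portal free-rule 2 destination ipv6 2001::1 128 tcp 23
    #                 source ip 2000::1 64 interface vlan-interface 1
    table.add(FreeRule(2, src_net=net("2000::1", 64), dst_net=net("2001::1", 128),
                       proto="tcp", dst_port=23, interface="Vlan-interface1"))
    # Constructed: let unauthenticated IPv4 users reach a DNS resolver.
    table.add(FreeRule(4, dst_net=net("10.0.0.53", 32), proto="udp", dst_port=53))
    return table


if __name__ == "__main__":
    rules = demo_rules()
    for flow in (Flow("2000::5", "2001::1", "tcp", 23, "Vlan-interface1"),
                 Flow("2000::5", "2001::1", "tcp", 22, "Vlan-interface1"),
                 Flow("192.168.1.10", "10.0.0.53", "udp", 53, "Vlan-interface20")):
        print(flow, "->", rules.exempting_rule(flow))
```

The rule-number ordering is the model's own choice for resolving overlaps; the manual only states that a matching rule exempts the flow. Use the `add()` rejection path to reproduce the "same rule already exists" prompt before pushing a configuration.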
  • Page 293: Portal Ipv6 Layer3 Source

    [Sysname-Vlan-interface2] portal ipv6 free-all except destination 1::2 16 Related commands display portal portal ipv6 layer3 source Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet. Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets. Syntax portal ipv6 layer3 source ipv6-network-address prefix-length undo portal ipv6 layer3 source [ ipv6-network-address ]...
  • Page 294: Portal Ipv6 User-Detect

    portal ipv6 user-detect Use portal ipv6 user-detect to enable online detection of IPv6 portal users. Use undo portal ipv6 user-detect to disable online detection of IPv6 portal users. Syntax portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ] undo portal ipv6 user-detect Default Online detection of IPv6 portal users is disabled.
  • Page 295: Portal Layer3 Source

    If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface. Examples # Enable online detection of IPv6 portal users on VLAN-interface 100.
  • Page 296: Portal Local-Web-Server

    Examples # Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2. system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal layer3 source 10.10.10.0 24 Related commands display portal portal free-all except destination portal local-web-server Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.
  • Page 297: Portal Log Enable

    To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service. When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines: •...
  • Page 298: Portal Mac-Trigger Server

    Default Portal user login and logout logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device.
  • Page 299: Portal Max-User

    [Sysname-portal-mac-trigger-server-mts] Related commands display portal mac-trigger-server portal apply mac-trigger-server portal max-user Use portal max-user to set the maximum number of total portal users allowed in the system. Use undo portal max-user to restore the default. Syntax portal max-user max-number undo portal max-user Default The total number of portal users allowed in the system is not limited.
  • Page 300: Portal Nas-Port-Id Format

    Syntax portal nas-id-profile profile-name undo portal nas-id-profile Default No NAS-ID profile is specified for an interface. Views Interface view Predefined user roles network-admin mdc-admin Parameters profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters. Usage guidelines A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs.
  • Page 301 Predefined user roles network-admin mdc-admin Parameters 1: Uses format 1 for the NAS-Port-Id attribute. 2: Uses format 2 for the NAS-Port-Id attribute. 3: Uses format 3 for the NAS-Port-Id attribute. 4: Uses format 4 for the NAS-Port-Id attribute. Usage guidelines The NAS-Port-Id format supported by RADIUS servers varies by vendor.
  • Page 302 Identifier description of the access node, a string not AccessNodeIdentifier longer than 50 characters without spaces. ANI_frame Frame number of the access node, in the range of 0 to 31. ANI_slot Slot number of the access node, in the range of 0 to 127. Subslot number of the access node, in the range of 0 to ANI_subslot ANI_port...
  • Page 303: Portal Outbound-Filter Enable

    Format 2 is SlotID00IfNOVlanID. • SlotID—Slot number, a string of 2 characters. • IfNO—Interface number, a string of 3 characters. • VlanID—VLAN ID, a string of 9 characters. Format 3 is SlotID00IfNOVlanIDDHCPoption. • SlotID—Slot number, a string of 2 characters. •...
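Format 2 above is a fixed-width string that a RADIUS server or SIEM has to take apart to recover which slot, interface and VLAN a portal user came in on. The following is an added example, not HPE code and not part of the manual: an encoder and decoder for format 2 using the field widths the page gives (2, the literal "00", 3, 9). The page does not say how shorter values are padded, so left zero-padding of decimal values is an assumption, and the RADIUS accounting lines are constructed.

```python
"""NAS-Port-Id format 2 encoder/decoder (added example, not HPE code)."""
import re
from typing import Dict, List, Optional


def build_nas_port_id_fmt2(slot: int, ifno: int, vlan: int) -> str:
    """SlotID(2) + "00" + IfNO(3) + VlanID(9); zero-padding is an assumption."""
    if not (0 <= slot <= 99 and 0 <= ifno <= 999 and 1 <= vlan <= 4094):
        raise ValueError("value does not fit the format-2 field width")
    return f"{slot:02d}00{ifno:03d}{vlan:09d}"


def parse_nas_port_id_fmt2(value: str) -> Dict[str, int]:
    # 2 + 2 + 3 + 9 = 16 characters, all decimal, with "00" in positions 2-3.
    if len(value) != 16 or not value.isdigit() or value[2:4] != "00":
        raise ValueError(f"not a format-2 NAS-Port-Id: {value!r}")
    return {"slot": int(value[0:2]), "ifno": int(value[4:7]), "vlan": int(value[7:16])}


# Constructed accounting records; the third carries a NAS-Port-Id in some other format.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type = Start, User-Name = "alice", NAS-Port-Id = "0100005000000100"
Acct-Status-Type = Start, User-Name = "bob", NAS-Port-Id = "0200012000000200"
Acct-Status-Type = Start, User-Name = "eve", NAS-Port-Id = "slot=1;subslot=0;port=5;vlanid=100"
"""


def decode_accounting(lines: str) -> List[dict]:
    """Attach slot/ifno/vlan to each record whose NAS-Port-Id is in format 2."""
    out = []
    for line in lines.splitlines():
        m = re.search(r'User-Name = "([^"]+)".*NAS-Port-Id = "([^"]+)"', line)
        if not m:
            continue
        user, nas_port_id = m.groups()
        fields: Optional[Dict[str, int]]
        try:
            fields = parse_nas_port_id_fmt2(nas_port_id)
        except ValueError:
            fields = None   # a different NAS-Port-Id format; leave for another parser
        out.append({"user": user, "nas_port_id": nas_port_id, "fmt2": fields})
    return out


if __name__ == "__main__":
    for rec in decode_accounting(SAMPLE_ACCOUNTING):
        print(rec)
```

Because the widths are fixed, a value of the wrong length or with anything other than "00" in the third and fourth positions is rejected rather than misread as a different slot or VLAN.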
  • Page 304: Portal Pre-Auth Domain

    Other outgoing packets on the interface are dropped. Examples # Enable outgoing packets filtering on VLAN-interface 20. system-view [Sysname] interface vlan-interface 20 [Sysname-Vlan-interface20] portal outbound-filter enable portal pre-auth domain Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users. Use undo portal [ ipv6 ] pre-auth domain to restore the default.
  • Page 305: Portal Pre-Auth Ip-Pool

    • You create the ISP domain after specifying it as the preauthentication domain. • You delete the specified ISP domain and then re-create it. If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users. If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users.
  • Page 306: Portal Refresh Enable

    Usage guidelines You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. •...
  • Page 307: Portal Roaming Enable

    Usage guidelines When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. The Rule ARP or ND entries will not age out and will be deleted immediately after the portal clients go offline.
  • Page 308: Portal Server

    portal server Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server. Use undo portal server to delete the specified portal authentication server. Syntax portal server server-name undo portal server server-name Default No portal authentication servers exist.
  • Page 309 undo portal user-detect Default Online detection of IPv4 portal users is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters type: Specifies the detection type. • arp—ARP detection. • icmp—ICMP detection. retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
  • Page 310: Portal User-Dhcp-Only (Interface View)

    [Sysname-Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300 Related commands display portal portal user-dhcp-only (interface view) Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication. Use undo portal user-dhcp-only to restore the default. Syntax portal [ ipv6 ] user-dhcp-only undo portal [ ipv6 ] user-dhcp-only...
  • Page 311: Portal Web-Server

    undo portal web-proxy port { port-number | all } Default No port numbers of Web proxy servers are specified. Proxied HTTP requests are dropped. Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies the port number of a Web proxy server. The value range for this argument is 1 to 65535.
  • Page 312: Reset Portal Packet Statistics

    Default No portal Web servers exist. Views System view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server.
  • Page 313: Server-Detect (Portal Authentication Server View)

    Related commands display portal packet statistics server-detect (portal authentication server view) Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status. Use undo server-detect to disable portal authentication server detection.
  • Page 314: Server-Detect (Portal Web Server View)

    [Sysname] portal server pts [Sysname-portal-server-pts] server-detect timeout 600 log Related commands portal server server-detect (portal Web server view) Use server-detect to enable portal Web server detection. Use undo server-detect to disable portal Web server detection. Syntax server-detect [ interval interval ] [ retry retries ] { log | trap } * undo server-detect Default Portal Web server detection is disabled.
  • Page 315: Server-Type

    Related commands portal web-server server-type Use server-type to specify the type of a portal authentication server or portal Web server. Use undo server-type to restore the default. Syntax server-type imc undo server-type Default The type of the portal authentication server and portal Web server is IMC. Views Portal authentication server view Portal Web server view...
  • Page 316: Tcp-Port

    Default The type of the MAC binding server is IMC. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters imc: Specifies the MAC binding server type as IMC. Examples # Specify the type of MAC binding server as imc. ...
  • Page 317 • Do not configure the HTTPS listening port number as the default HTTP listening port number • Do not configure the same listening port number for HTTP and HTTPS. • For the HTTPS-based local portal Web service and other services that use HTTPS: If they use the same SSL server policy, they can use the same TCP port number to listen to ...
  • Page 318: Url-Parameter

    [Sysname-portal-websvr-wbs] url http://www.test.com/portal Related commands display portal web-server url-parameter Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user. Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.
  • Page 319: User-Sync

    Usage guidelines You can configure multiple URL parameters. If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users.
  • Page 320: Version

    undo user-sync Default Portal user synchronization is disabled for a portal authentication server. Views Portal authentication server view Predefined user roles network-admin mdc-admin Parameters timeout timeout: Specifies a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. Usage guidelines After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server.
  • Page 321: Vpn-Instance

    undo version Default The version of the portal protocol is 1. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters version-number: Specifies the portal protocol version in the range of 1 to 3. Usage guidelines The specified portal protocol version must be the version required by the MAC binding server. Examples # Configure the device to use portal protocol version 2 to communicate with MAC binding server mts.
  • Page 322: Web-Redirect Url

    Usage guidelines A portal Web server belongs to only one MPLS L3VPN instance. Examples # Specify MPLS L3VPN instance abc for portal Web server wbs. system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] vpn-instance abc web-redirect url Use web-redirect url to enable the Web redirect feature. Use undo web-redirect url to disable the Web redirect feature.
  • Page 323: Display Port-Security

    Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.
  • Page 324 Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 32 Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured Free VLANs : Not configured Open authentication : Disabled Table 31 Command output Field Description Port security...
  • Page 325 Field Description Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • Port mode userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI. For more information about port security modes, see Security Configuration Guide.
  • Page 326: Display Port-Security Mac-Address Block

    Field Description VLANs in which packets will not trigger authentication. Free VLANs If you do not configure free VLANs, this field displays Not configured. Open authentication Whether open authentication mode is enabled on the port. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
  • Page 327: Display Port-Security Mac-Address Security

    Table 32 Command output Field Description MAC ADDR Blocked MAC address. Port Port having received frames with the blocked MAC address as the source address. VLAN ID ID of the VLAN to which the port belongs. number mac address(es) found Number of blocked MAC addresses.
  • Page 328: Port-Security Access-User Log Enable

    --- Number of secure MAC addresses: 1 --- Table 33 Command output Field Description MAC ADDR Secure MAC address. VLAN ID ID of the VLAN to which the port belongs. STATE Type of the MAC address. This field displays Secure for a secure MAC address.
  • Page 329: Port-Security Authentication Open

    Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for port security users. If you do not specify any parameters, this command enables all logging functions for port security users. Examples # Enable logging for intrusion protection. ...
  • Page 330: Port-Security Authentication Open Global

    Examples # Enable open authentication mode on Ten-GigabitEthernet 1/0/1. system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security authentication open Related commands display dot1x connection display mac-authentication connection port-security authentication open global port-security authentication open global Use port-security authentication open global to enable global open authentication mode. Use undo port-security authentication open global to disable global open authentication mode.
  • Page 331: Port-Security Authorization Ignore

    Related commands display dot1x connection display mac-authentication connection port-security authentication open port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device). Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore...
  • Page 332: Port-Security Enable

    Default The authorization-fail-offline feature is disabled. The device does not log off users that fail authorization. Views System view Predefined user roles network-admin mdc-admin Parameters quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature.
  • Page 333: Port-Security Free-Vlan

    undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 334: Port-Security Intrusion-Mode

    mdc-admin Parameters vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN Usage guidelines This command allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:...
  • Page 335: Port-Security Mac-Address Aging-Type Inactivity

    Predefined user roles network-admin mdc-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable.
  • Page 336: Port-Security Mac-Address Dynamic

    Usage guidelines This command enables the device to periodically detect traffic data from secure MAC addresses. If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses.
  • Page 337: Port-Security Mac-Address Security

    lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot. You can display dynamic secure MAC addresses by using the display port-security mac-address security command. The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses.
  • Page 338 vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094. Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot.
  • Page 339: Port-Security Mac-Limit

    port-security mac-limit Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port. Use undo port-security mac-limit to restore the default. Syntax port-security mac-limit max-number per-vlan vlan-id-list undo port-security mac-limit per-vlan vlan-id-list Default The maximum number is 2147483647.
  • Page 340: Port-Security Mac-Move Permit

    Related commands display dot1x display mac-authentication port-security mac-move permit Use port-security mac-move permit to enable MAC move on the device. Use undo port-security mac-move permit to disable MAC move on the device. Syntax port-security mac-move permit undo port-security mac-move permit Default MAC move is disabled on the device.
  • Page 341 Default Port security does not limit the number of secure MAC addresses on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port.
  • Page 342: Port-Security Nas-Id-Profile

    port-security nas-id-profile Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security. Use undo port-security nas-id-profile to restore the default. Syntax port-security nas-id-profile profile-name undo port-security nas-id-profile Default No NAS-ID profile is applied to port security globally or on any port. Views System view Layer 2 Ethernet interface view...
  • Page 343: Port-Security Oui

    Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default The NTK feature is not configured on a port and all frames are allowed to be sent. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin...
  • Page 344: Port-Security Port-Mode

    Predefined user roles network-admin mdc-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. Usage guidelines You can configure multiple OUI values.
  • Page 345 Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses.
  • Page 346 Keyword Security mode Description This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. In this mode, the port performs 802.1X authentication first.
  • Page 347: Port-Security Timer Autolearn Aging

    system-view [Sysname] port-security enable [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode secure # Change the port security mode of Ten-GigabitEthernet 1/0/1 to userLogin. [Sysname-Ten-GigabitEthernet1/0/1] undo port-security port-mode [Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin Related commands display port-security port-security max-mac-count port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer.
  • Page 348: Port-Security Timer Disableport

    When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance. Examples # Set the secure MAC aging timer to 30 minutes.
  • Page 349: Snmp-Agent Trap Enable Port-Security

    Related commands display port-security port-security intrusion-mode snmp-agent trap enable port-security Use snmp-agent trap enable port-security to enable SNMP notifications for port security. Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security. Syntax snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] * undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *...
  • Page 350 Related commands display port-security port-security enable...
  • Page 351: Display Password-Control

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 352: Display Password-Control Blacklist

    Table 34 Command output Field Description Password control Whether the password control feature is enabled. Password aging Whether password expiration is enabled and, if enabled, the aging time. Password length Whether the minimum password length restriction feature is enabled and, if enabled, the setting. Password composition Whether the password composition restriction feature is enabled and, if enabled, the settings.
  • Page 353: Password-Control { Aging | Composition | History | Length } Enable

    ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
  • Page 354: Password-Control Aging

    Predefined user roles network-admin mdc-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
  • Page 355 undo password-control aging Default A password expires after 90 days. The password aging time for a user group equals the global setting. The password aging time for a local user equals that of the user group to which the local user belongs.
  • Page 356: Password-Control Alert-Before-Expire

    password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
  • Page 357: Password-Control Composition

    Views System view User group view Local user view Predefined user roles network-admin mdc-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
  • Page 358 The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type.
  • Page 359: Password-Control Enable

    # Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5 Related commands display local-user display password-control display user-group...
  • Page 360: Password-Control Expired-User-Login

    password-control expired-user-login Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login Default A user can log in three times within 30 days after the password expires.
  • Page 361: Password-Control Length

    Predefined user roles network-admin mdc-admin Parameters max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15. Usage guidelines When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.
  • Page 362: Password-Control Login Idle-Time

    Local user view Predefined user roles network-admin mdc-admin Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode. Usage guidelines The minimum length setting depends on the view: •...
  • Page 363: Password-Control Login-Attempt

    Default The maximum account idle time is 90 days. Views System view Predefined user roles network-admin mdc-admin Parameters idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time. Usage guidelines If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.
  • Page 364 mdc-admin Parameters login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10. exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts. •...
  • Page 365: Password-Control Super Aging

    # Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock. [Sysname] display password-control blacklist Username: test IP: 192.168.44.1 Login failures: 4 Lock flag: lock Blacklist items matched: 1. # Verify that the user at 192.168.44.1 cannot use this user account to log in.
  • Page 366: Password-Control Super Composition

    mdc-admin Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. system-view [Sysname] password-control super aging 10 Related commands display password-control password-control aging password-control super composition Use password-control super composition to configure the composition policy for super...
  • Page 367: Password-Control Super Length

    Examples # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. system-view [Sysname] password-control super composition type-number 4 type-length 5 Related commands display password-control password-control composition password-control super length Use password-control super length to set the minimum length for super passwords.
  • Page 368: Reset Password-Control Blacklist

    Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
  • Page 369: Reset Password-Control History-Record

    reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role-name ] | user-name user-name ] Views User view Predefined user roles...
  • Page 370: Accept-Lifetime Utc

    Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
  • Page 371: Accept-Tolerance

    system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 accept-tolerance Use accept-tolerance to set a tolerance time for accept keys in a keychain. Use undo accept-tolerance to restore the default. Syntax accept-tolerance { value | infinite } undo accept-tolerance Default...
  • Page 372: Default-Send-Key

    undo authentication-algorithm Default No authentication algorithm is specified for a key. Views Key view Predefined user roles network-admin mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm. hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm. md5: Specifies the MD5 authentication algorithm. Usage guidelines If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.
  • Page 373: Display Keychain

    Examples # Specify key 1 in keychain abc as the default send key. system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] default-send-key display keychain Use display keychain to display keychain information. Syntax display keychain [ name keychain-name [ key key-id ] ] Views Any view Predefined user roles...
  • Page 374 Accept status : Active Key ID Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g== Algorithm : md5 Send lifetime : 01:00:01 2015/01/25 to 01:00:00 2015/01/27 Send status : Inactive Accept lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/27 Accept status : Active Table 36 Command output Field Description Mode...
  • Page 375: Keychain

    Parameters key-id: Specifies a key ID in the range of 0 to 281474976710655. Usage guidelines The keys in a keychain must have different key IDs. Examples # Create key 1 and enter its view. system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] keychain...
  • Page 376: Key-String

    key-string Use key-string to configure a key string for a key. Use undo key-string to restore the default. Syntax key-string { cipher | plain } string undo key-string Default No key string is configured for a key. Views Key view Predefined user roles network-admin mdc-admin...
  • Page 377: Tcp-Algorithm-Id

    Predefined user roles network-admin mdc-admin Parameters start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
  • Page 378: Tcp-Kind

    mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16 bytes. md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes. algorithm-id: Specifies an algorithm ID in the range of 1 to 63. Usage guidelines If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option.
  • Page 379 system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] tcp-kind 252...
  • Page 380: Display Public-Key Local Public

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 381 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2011/05/12 Key code: ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: ...
  • Page 382 # Display all local ECDSA public keys. display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: ============================================= Key name: ecdsa1...
  • Page 383: Display Public-Key Peer

    Key code: ... # Display the public key of the local ECDSA key pair ecdsa1. display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1...
  • Page 384 Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
  • Page 385: Peer-Public-Key End

    Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1
    Table 39 Command output
    Field: Description
    Type: Key type: RSA, DSA or ECDSA.
    Modulus: Key modulus length in bits.
    Name: Name of the peer host public key.
    Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
  • Page 386: Public-Key Local Create

    [Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands display public-key local public display public-key peer public-key peer public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name...
  • Page 387 Type / Default name: DSA: dsakey; ECDSA: ecdsakey. Usage guidelines The key algorithm must be the same as required by the security application. When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve.
  • Page 388 ...++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 389: Public-Key Local Destroy

    Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. ...
  • Page 390 Views System view Predefined user roles network-admin mdc-admin Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters.
  • Page 391: Public-Key Local Export Dsa

    Related commands public-key local create public-key local export dsa Use public-key local export dsa to export a local DSA host public key. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin...
  • Page 392 system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-2011/05/12" ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. ...
  • Page 393: Public-Key Local Export Ecdsa

    Related commands public-key local create public-key peer import sshkey public-key local export ecdsa Use public-key local export ecdsa to export a local ECDSA host public key. Syntax public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
  • Page 394: Public-Key Local Export Rsa

    system-view [Sysname] public-key local export ecdsa openssh key.pub # Display the host public key of the local ECDSA key pair with the default name in SSH 2.0 format. system-view [Sysname] public-key local export ecdsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "ecdsa-sha2-nistp256-2014/07/06"...
  • Page 395 For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command displays the key on the monitor screen. Usage guidelines You can use this command to export a local RSA host public key before distributing it to a peer device.
  • Page 396: Public-Key Peer

    ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pair rsa1 in OpenSSH format. system-view [Sysname] public-key local export rsa name rsa1 openssh ssh-rsa rsa-key Related commands public-key local create public-key peer import sshkey...
  • Page 397: Public-Key Peer Import Sshkey

    system-view [Sysname] public-key peer key1 Enter public key view. Return to system view with "peer-public-key end" command. [Sysname-pkey-public-key-key1] Related commands display public-key local public display public-key peer peer-public-key end public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from a public key file. Use undo public-key peer to remove a peer host public key.
  • Page 398 Related commands display public-key peer public-key local export dsa public-key local export ecdsa public-key local export rsa...
  • Page 399: Attribute

    PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
  • Page 400: Ca Identifier

    An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 42.
    Table 42 Combinations of attribute-value pairs and operation keywords (columns: Operation, DN, FQDN/IP)
    DN: The DN contains the specified attribute value.
    FQDN/IP: Any FQDN or IP address contains the specified attribute value.
  • Page 401: Certificate Request Entity

    Views PKI domain view Predefined user roles network-admin mdc-admin Parameters name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
  • Page 402: Certificate Request From

    • State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa. ...
  • Page 403 Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } string ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin mdc-admin...
  • Page 404: Certificate Request Polling

    certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval interval } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
  • Page 405: Common-Name

    undo certificate request url Default The URL of the certificate request reception authority is not specified. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
  • Page 406: Country

    Predefined user roles network-admin mdc-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Set the common name to test for PKI entity en. ...
  • Page 407: Crl Url

    Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin mdc-admin Usage guidelines A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted. Enable CRL checking to ensure that the device only accepts certificates that have not been revoked by the issuing CA.
  • Page 408: Display Pki Certificate Access-Control-Policy

    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option. Usage guidelines To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order: CRL repository specified in the PKI domain by using this command.
  • Page 409: Display Pki Certificate Attribute-Group

    Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about certificate-based access control policy mypolicy. display pki certificate access-control-policy mypolicy Access control policy name: mypolicy Rule 1 deny mygroup1...
  • Page 410 Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups. Examples # Display information about certificate attribute group mygroup. ...
  • Page 411: Display Pki Certificate Domain

    display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
  • Page 412 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=docm, OU=rnd, CN=rootca Validity Not Before: Jan 6 02:51:41 2011 GMT Not After : Dec 7 03:12:05 2013 GMT Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: ...
  • Page 413 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs...
  • Page 414 # Display brief information about all peer certificates in the PKI domain aaa. display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in the PKI domain aaa. ...
  • Page 415: Display Pki Certificate Request-Status

    Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption Related commands pki domain pki retrieve-certificate display pki certificate request-status Use display pki certificate request-status to display certificate request status.
  • Page 416 Character name: Symbol. Backslash: \ . Right angle bracket: > . Vertical bar: | . Quotation marks: " . Colon: : . Apostrophe: ' . Usage guidelines If you do not specify a PKI domain, this command displays the certificate request status for all PKI domains. Examples # Display certificate request status for PKI domain aaa.
  • Page 417: Display Pki Crl Domain

    Related commands certificate request polling pki domain pki retrieve-certificate display pki crl domain Use display pki crl domain to display information about the CRL saved at the local for a PKI domain. Syntax display pki crl domain domain-name Views Any view Predefined user roles network-admin network-operator...
  • Page 418: Fqdn

    X509v3 Authority Key Identifier: keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF Revoked Certificates: Serial Number: CDE626BF7A44A727B25F9CD81475C004 Revocation Date: Apr 28 01:37:52 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:37:49 2011 GMT Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5 Revocation Date: Apr 28 01:33:28 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:33:09 2011 GMT Signature Algorithm: sha1WithRSAEncryption...
  • Page 419 Syntax fqdn fqdn-name-string undo fqdn Default No FQDN is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname. Usage guidelines An FQDN uniquely identifies a PKI entity on a network.
  • Page 420: Ldap-Server

    Usage guidelines Use this command to assign an IP address to a PKI entity or specify an interface for the entity. The interface's primary IPv4 address will be used as the IP address of the PKI entity. If you specify an interface, make sure the interface is assigned an IP address before the PKI entity requests a certificate.
  • Page 421: Locality

    [Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.1 # Specify LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333. system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1 Related commands pki retrieve-certificate pki retrieve-crl...
  • Page 422: Organization-Unit

    Default No organization name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set the organization name to abc for PKI entity en. ...
  • Page 423: Pki Certificate Access-Control-Policy

    Syntax pki abort-certificate-request domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 50. Table 50 Special characters Character name...
  • Page 424: Pki Certificate Attribute-Group

    Default No certificate-based access control policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.
  • Page 425: Pki Delete-Certificate

    Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates. A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command).
  • Page 426: Pki Domain

    serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a serial number, this command removes all peer certificates in the PKI domain. Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
  • Page 427: Pki Entity

    Default No PKI domains exist. Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 52. Table 52 Special characters Character name Symbol Character name...
  • Page 428: Pki Export

    Parameters entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
  • Page 429 all: Specifies both CA and local certificates. The RA certificate is excluded. ca: Specifies the CA certificate. local: Specifies the local certificates or the local certificates and their private keys. passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.
  • Page 430 When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the challenge password for the private key. If you do not specify the cryptographic algorithm and the challenge password, this command does not export the private keys of the local certificates.
  • Page 432 %The signature usage local certificate: Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd -----BEGIN CERTIFICATE----- ...
  • Page 434 -----END CERTIFICATE----- # Export the CA certificate in the PKI domain to a file named cacert in PEM format. system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the terminal. ...
  • Page 435: Pki Import

    -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. system-view [Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
  • Page 436 Usage guidelines Use this command to import a certificate in the following situations: • The CRL repository is not specified or the CA server does not support SCEP. • The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
  • Page 437 If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name).
  • Page 438 -----END RSA PRIVATE KEY----- Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Bag Attributes: ...
  • Page 439: Pki Request-Certificate

    Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
  • Page 440: Pki Retrieve-Certificate

    password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked. pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
  • Page 441 Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 56 (Special characters).
  • Page 442: Pki Retrieve-Crl

    system-view [Sysname] pki retrieve-certificate domain aaa peer en1 Related commands display pki certificate pki delete-certificate pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
  • Page 443: Pki Storage

    Examples # Obtain CRLs from the CRL repository. system-view [Sysname] pki retrieve-crl domain aaa Related commands crl url ldap server pki storage Use pki storage to specify the storage path for the certificates or CRLs. Use undo pki storage to restore the default. Syntax pki storage { certificates | crls } dir-path undo pki storage { certificates | crls }...
  • Page 444: Pki Validate-Certificate

    system-view [Sysname] pki storage crls pki-new pki validate-certificate Use pki validate-certificate to verify the validity of certificates. Syntax pki validate-certificate domain domain-name { ca | local } Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 58 (Special characters).
  • Page 445 [Sysname] pki validate-certificate domain aaa ca Verifying certificate..Serial Number: f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=abc OU=test CN=aca Verify result: OK Verifying certificate..Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in PKI domain aaa.
  • Page 446: Public-Key Dsa

    Related commands crl check pki domain public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to restore the default. Syntax public-key dsa name key-name [ length key-length ] undo public-key Default No key pair is specified for certificate request. Views PKI domain view Predefined user roles...
  • Page 447: Public-Key Ecdsa

    Related commands pki import public-key local create public-key ecdsa Use public-key ecdsa to specify an ECDSA key pair for certificate request. Use undo public-key to restore the default. Syntax In non-FIPS mode: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] undo public-key In FIPS mode: public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]...
  • Page 448: Public-Key Rsa

    The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and curve before submitting a certificate request. The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate.
  • Page 449: Root-Certificate Fingerprint

    Usage guidelines You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways: • Use the public-key local create command to generate a key pair. • An application triggers the device to generate a key pair. •...
  • Page 450 undo root-certificate fingerprint Default No fingerprint is set for verifying the root CA certificate. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters md5: Sets an MD5 fingerprint. sha1: Sets an SHA1 fingerprint. string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters.
  • Page 451: Rule

    system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 Related commands certificate request mode pki import pki retrieve-certificate rule Use rule to create an access control rule. Use undo rule to remove an access control rule. Syntax rule [ id ] { deny | permit } group-name undo rule id Default No access control rules exist.
  • Page 452: Source

    Examples # Create rule 1 to permit all certificates that match certificate attribute group mygroup. system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands attribute display pki certificate access-control-policy pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to restore the default.
  • Page 453: State

    system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 1::8 # Use the IP address of VLAN-interface 1 as the source IP address for PKI protocol packets. system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface vlan-interface 1 # Use the IPv6 address of VLAN-interface 1 as the source IPv6 address for PKI protocol packets. ...
  • Page 454 Default No extensions for certificates are specified. A certificate can be used for SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates. ssl-server: Specifies the SSL server certificate extension so the SSL server can use the certificates.
  • Page 455: Display Ssh Server

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 456: Display Ssh User-Information

    Field Description SSH authentication-timeout Authentication timeout timer. SSH server key generating interval Minimum interval for updating the RSA server key pair. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer.
  • Page 457: Free Ssh

    Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If you do not specify an SSH user, this command displays information about all SSH users. Usage guidelines This command displays information only about SSH users that are configured by using the ssh user command on the SSH server.
  • Page 458: Scp Server Enable

    Syntax free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username } Views User view Predefined user roles network-admin mdc-admin Parameters user-ip: Specifies the user IP address of the SSH sessions to be disconnected. ip-address: Specifies the user IPv4 address of the SSH sessions to be disconnected.
  • Page 459: Sftp Server Enable

    Default The SCP server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server.
  • Page 460: Ssh Server Acl

    undo sftp server idle-timeout Default The idle timeout timer is 10 minutes for SFTP connections. Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
  • Page 461: Ssh Server Acl-Deny-Log Enable

    Usage guidelines The ACL specified in this command filters IPv4 SSH clients' connection requests. Only the IPv4 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv4 SSH clients can access the device. The ACL takes effect only on SSH connections that are initiated after the ACL configuration.
  • Page 462: Ssh Server Authentication-Retries

    Related commands ssh server acl ssh server ipv6 acl ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries retries undo ssh server authentication-retries Default The maximum number of authentication attempts is 3 for SSH users.
  • Page 463: Ssh Server Authentication-Timeout

    ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The SSH user authentication timeout timer is 60 seconds. Views System view Predefined user roles...
  • Page 464: Ssh Server Dscp

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. The undo form of this command restores the default setting whether you specify the enable keyword or not. This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.
  • Page 465: Ssh Server Enable

    [Sysname] ssh server dscp 30 ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to disable the Stelnet server. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles...
  • Page 466: Ssh Server Ipv6 Dscp

    mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999. Usage guidelines The ACL specified in this command filters IPv6 SSH clients' connection requests. Only the IPv6 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv6 SSH clients can access the device.
  • Page 467: Ssh Server Pki-Domain

    ssh server pki-domain Use ssh server pki-domain to specify a PKI domain for an SSH server. Use undo ssh server pki-domain to restore the default. Syntax ssh server pki-domain domain-name undo ssh server pki-domain Default No PKI domain is specified for an SSH server. Views System view Predefined user roles...
  • Page 468: Ssh Server Rekey-Interval

    Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a port number in the range of 1 to 65535. Usage guidelines If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification.
  • Page 469: Ssh User

    The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server. If a new SSH1 user logs in to the server after the interval, the system performs the following operations: Updates the RSA server key pair.
  • Page 470 • scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. • netconf: Specifies the service type NETCONF. authentication-type: Specifies an authentication method for the SSH user. • password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable.
  • Page 471: Ssh Client Commands

    In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user. For an SFTP or SCP user, the working directory depends on the authentication method. • If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
  • Page 472: Cdup

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye Use cd to change the working directory on the SFTP server. Syntax cd [ remote-path ] Views...
  • Page 473: Delete

    Predefined user roles network-admin mdc-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp>...
  • Page 474 Predefined user roles network-admin mdc-admin Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be deleted. If you do not specify a server IP address, this command deletes the public keys of all servers from the client's public key file.
  • Page 475: Display Sftp Client Source

    -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx 301 Dec 18 14:12 012.pub # Display detailed information about the files and subdirectories under the current directory, excluding the files and subdirectories with names starting with dots (.). sftp>...
  • Page 476 mdc-operator Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be displayed. If you do not specify a server IP address, this command displays the public keys of all servers saved in the client's public key file. Usage guidelines When a user connects to an unauthenticated server and selects to save the server's public key, the server public key will be saved to the public key file.
  • Page 477: Display Ssh Client Source

    Field Description Key type Type of the public key: • dsa—DSA public key. • ecdsa-sha2-nistp256—256-bit ECDSA public key created by using the secp256r1 curve. • ecdsa-sha2-nistp384—384-bit ECDSA public key created by using the secp384r1 curve. • rsa—RSA public key. Key length Length of the public key, in bits.
  • Page 478: Help

    mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view...
  • Page 479 Usage guidelines This command has the same function as entering the question mark (?). Examples # Display help information on the SFTP client. sftp> help Available commands: Quit sftp cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path]...
  • Page 480: Mkdir

    remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory. Usage guidelines If you do not specify both of the -a and -l keywords, this command displays the names of the files and subdirectories under a directory.
  • Page 481: Quit

    Views SFTP client view Predefined user roles network-admin mdc-admin Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples # Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
  • Page 482: Remove

    mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and exit commands. Examples # Terminate the SFTP connection. sftp> quit remove Use remove to delete a file from the SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin...
  • Page 483: Rmdir

    Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp> dir aa.pub temp1.c sftp> rename temp1.c temp2.c sftp> dir aa.pub temp2.c rmdir Use rmdir to delete a directory from the SFTP server. Syntax rmdir remote-path Views SFTP client view...
  • Page 484 sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] * [ user username [ password password ] ] Views...
  • Page 485 • 3des-cbc: Specifies the encryption algorithm 3des-cbc. • aes128-cbc: Specifies the encryption algorithm aes128-cbc. • aes128-ctr: Specifies the encryption algorithm aes128-ctr. • aes128-gcm: Specifies the encryption algorithm aes128-gcm. • aes192-ctr: Specifies the encryption algorithm aes192-ctr. • aes256-cbc: Specifies the encryption algorithm aes256-cbc. •...
  • Page 486: Scp Ipv6

    user username: Specifies an SCP username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the pureusername@domain format. The pureusername argument is a string of 1 to 55 characters. The domain argument is a string of 1 to 24 characters.
  • Page 487 scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex...
  • Page 488 public key algorithm is used, you must specify this option for the client to get the correct local certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib.
  • Page 489: Scp Ipv6 Suite-B

    server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (<...
  • Page 490 pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
  • Page 491: Scp Suite-B

    • interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets. • ipv6 ipv6-address: Specifies a source IPv6 address. Usage guidelines Table 64 Suite B algorithms Security Key exchange Encryption algorithm...
  • Page 492 source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters. destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.
  • Page 493: Sftp

    sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
  • Page 494 • x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256. • x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384. • pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.
  • Page 495: Sftp Client Ipv6 Source

    prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword). dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48.
  • Page 496: Sftp Client Source

    Default The source IPv6 address for SFTP packets is not configured. The SFTP client automatically selects an IPv6 address for SFTP packets in compliance with RFC 3484. Views System view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.
  • Page 497: Sftp Ipv6

    Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IPv4 address of the interface as their source address. ip ip-address: Specifies a source IPv4 address. Usage guidelines This command takes effect on all SFTP connections. The source IPv4 address specified in the sftp command takes effect only on the current SFTP connection.
  • Page 498 mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
  • Page 499 • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. • sha2-256: Specifies the HMAC algorithm hmac-sha2-256. • sha2-512: Specifies the HMAC algorithm hmac-sha2-512. prefer-kex: Specifies the preferred key exchange algorithm.
  • Page 500: Sftp Ipv6 Suite-B

    • Preferred key exchange algorithm: dh-group14-sha1. • Preferred server-to-client encryption algorithm: aes128-cbc. • Preferred client-to-server HMAC algorithm: sha1. • Preferred server-to-client HMAC algorithm: sha1-96. • Preferred compression algorithm: zlib. sftp ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey Username: sftp ipv6 suite-b Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms...
  • Page 501: Sftp Suite-B

    server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets.
  • Page 502 Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 503: Ssh Client Ipv6 Source

    Examples # Use the 128-bit Suite B algorithms to establish a connection to SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username ssh client ipv6 source Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by...
  • Page 504: Ssh Client Source

    ssh client source Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet client. Use undo ssh client source to restore the default. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The source IPv4 address for SSH packets is not configured.
  • Page 505 sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] * In FIPS mode:...
  • Page 506 prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time. • 3des-cbc: Specifies the encryption algorithm 3des-cbc. •...
  • Page 507: Ssh2 Ipv6

    characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). source: Specifies a source IPv4 address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets.
  • Page 508 prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode:...
  • Page 509 prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time.
  • Page 510: Ssh2 Ipv6 Suite-B

    public-key keyname: Specifies the server by its host public key that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters.
  • Page 511 domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
  • Page 512: Ssh2 Suite-B

    Usage guidelines Table 68 Suite B algorithms (columns: security level; key exchange algorithm; encryption algorithm and HMAC algorithm; public key algorithm):
    128-bit: ecdh-sha2-nistp256; aes128-gcm; x509v3-ecdsa-sha2-nistp256
    192-bit: ecdh-sha2-nistp384; aes256-gcm; x509v3-ecdsa-sha2-nistp384
    Both: ecdh-sha2-nistp256; aes128-gcm; x509v3-ecdsa-sha2-nistp256 and ecdh-sha2-nistp384; aes256-gcm; x509v3-ecdsa-sha2-nistp384
    The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
  • Page 513 suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 128-bit: Specifies the 128-bit Suite B security level. 192-bit: Specifies the 192-bit Suite B security level.
  • Page 514: Display Ssh2 Algorithm

    Examples # Use the 128-bit Suite B algorithms to establish a connection to Stelnet server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username SSH2 commands display ssh2 algorithm...
  • Page 515: Ssh2 Algorithm Cipher

    ssh2 algorithm key-exchange ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm cipher Use ssh2 algorithm cipher to specify encryption algorithms for SSH2. Use undo ssh2 algorithm cipher to restore the default. Syntax In non-FIPS mode: ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } * undo ssh2 algorithm cipher In FIPS mode:...
  • Page 516: Ssh2 Algorithm Key-Exchange

    system-view [Sysname] ssh2 algorithm cipher aes256-cbc Related commands display ssh2 algorithm ssh2 algorithm key-exchange ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm key-exchange Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2. Use undo ssh2 algorithm key-exchange to restore the default. Syntax In non-FIPS mode: ssh2...
  • Page 517: Ssh2 Algorithm Mac

    system-view [Sysname] ssh2 algorithm key-exchange dh-group1-sha1 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm mac Use ssh2 algorithm mac to specify MAC algorithms for SSH2. Use undo ssh2 algorithm mac to restore the default. Syntax In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *...
  • Page 518: Ssh2 Algorithm Public-Key

    Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key-exchange ssh2 algorithm public-key ssh2 algorithm public-key Use ssh2 algorithm public-key to specify public key algorithms for SSH2. Use undo ssh2 algorithm public-key to restore the default. Syntax In non-FIPS mode: ssh2 algorithm public-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } * undo ssh2 algorithm public-key...
  • Page 519 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key-exchange ssh2 algorithm mac...
  • Page 520: Ciphersuite

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy.
  • Page 521 ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256. ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.
  • Page 522: Client-Verify

    • Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually asymmetric key algorithms, such as RSA. After the SSL server receives a cipher suite from a client, the server matches the received cipher suite against the cipher suites it supports.
  • Page 523: Display Crypto Version

    Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication. • If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server. •...
  • Page 524: Display Ssl Client-Policy

    Examples # Display cryptographic library version information. display crypto version 7.1.1.1.1.57 Table 71 Command output Field Description Cryptographic library version information, in the 7.1.X format: • 7.1.1.1.1.57 The 7.1 segment represents Comware 700R001. • The X segment represents the cryptographic library version. display ssl client-policy Use display ssl client-policy to display SSL client policy information.
  • Page 525: Display Ssl Server-Policy

    display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
  • Page 526: Pki-Domain (Ssl Server Policy View)

    Default No PKI domain is specified for an SSL client policy. Views SSL client policy view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.
  • Page 527: Prefer-Cipher

    Examples # Specify PKI domain server-domain for SSL server policy policy1. system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] pki-domain server-domain Related commands display ssl server-policy pki domain prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default.
  • Page 528 dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA. dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.
  • Page 529: Server-Verify Enable

    • Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. • Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity.
  • Page 530: Session

    Examples # Enable the SSL client to use digital certificates to authenticate the SSL server. system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.
  • Page 531: Ssl Client-Policy

    ssl client-policy Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy. Use undo ssl client-policy to delete an SSL client policy. Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist.
  • Page 532: Ssl Server-Policy

    Predefined user roles network-admin mdc-admin Usage guidelines The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake. Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks.
  • Page 533: Ssl Version Disable

    ssl version disable Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation. Use undo ssl version disable to restore the default. Syntax In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable In FIPS mode: ssl version { tls1.0 | tls1.1 } * disable...
  • Page 534 version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } undo version In FIPS mode: version { tls1.0 | tls1.1 | tls1.2 } undo version Default An SSL client policy uses SSL protocol version TLS 1.0. Views SSL client policy view Predefined user roles network-admin mdc-admin...
  • Page 535: Ack-Flood Action

    Attack detection and prevention commands ack-flood action Use ack-flood action to specify global actions against ACK flood attacks. Use undo ack-flood action to restore the default. Syntax ack-flood action { drop | logging } * undo ack-flood action Default No global action is specified for ACK flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 536: Ack-Flood Detect Non-Specific

    Default IP address-specific ACK flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 537: Ack-Flood Threshold

    Syntax ack-flood detect non-specific undo ack-flood detect non-specific Default Global ACK flood attack detection is disabled. Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command.
  • Page 538: Attack-Defense Local Apply Policy

    Usage guidelines With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
  • Page 539: Attack-Defense Login Block-Timeout

    Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect. Examples # Apply attack defense policy atk-policy-1 to the device. system-view [Sysname] attack-defense local apply policy atk-policy-1 Related commands attack-defense policy display attack-defense policy...
  • Page 540: Attack-Defense Login Max-Attempt

    undo attack-defense login enable Default Login attack prevention is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period. For login attack prevention to take effect, you must enable the global blacklist feature.
  • Page 541: Attack-Defense Login Reauthentication-Delay

    The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset. Examples # Set the maximum number of successive login failures to five. system-view [Sysname] attack-defense login max-attempt 5 Related commands attack-defense login enable attack-defense login reauthentication-delay...
  • Page 542: Attack-Defense Signature Log Non-Aggregate

    undo attack-defense policy policy-name Default No attack defense policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  • Page 543: Attack-Defense Tcp Fragment Enable

    • Source and destination IP addresses. • VPN instance to which the victim IP address belongs. As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console. Examples # Enable log non-aggregation for single-packet attack events. ...
  • Page 544: Blacklist Ip

    Syntax blacklist global enable undo blacklist global enable Default The global blacklist feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces. Examples # Enable the global blacklist feature.
  • Page 545: Blacklist Ipv6

    timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually. Usage guidelines The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.
  • Page 546: Blacklist Logging Enable

    A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot. You can use the display blacklist ipv6 command to display all effective IPv6 blacklist entries that are manually added. Examples # Add a blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
  • Page 547: Blacklist User

    # Add 192.168.1.2 to the blacklist. A log is output for the adding event. [Sysname] blacklist ip 192.168.100.12 %Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration. # Delete 192.168.1.2 from the blacklist. A log is output for the deletion event. [Sysname] undo blacklist ip 192.168.100.12 %Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12;...
  • Page 548: Display Attack-Defense Flood Statistics Ip

    display attack-defense flood statistics ip Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics. Syntax In standalone mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood |...
  • Page 549: Display Attack-Defense Flood Statistics Ipv6

    device. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In IRF mode.) count: Displays the number of matching protected IPv4 addresses. Usage guidelines The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
  • Page 550 display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn...
  • Page 551: Display Attack-Defense Policy

    Examples # (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics. display attack-defense flood statistics ipv6 Slot 1: IPv6 address Detected on Detect type State Dropped 1::4 Local ACK-FLOOD Normal 1000 111111111 1::5 Local SYN-FLOOD Normal 1000 22222222 Slot 2:...
  • Page 552 mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
  • Page 553 UDP Snork Disabled Info UDP Fraggle Enabled Info IP option record route Disabled Info IP option internet timestamp Enabled Info IP option security Disabled Info IP option loose source routing Enabled Info IP option stream ID Disabled Info IP option strict source routing Disabled Info IP option route alert...
  • Page 554 HTTP flood 10000 80,8080 Enabled Flood attack defense for protected IP addresses: Address VPN instance Flood type Thres(pps) Actions Ports 1::1 FIN-FLOOD 192.168.1.1 SYN-ACK-FLOOD 10 1::1 FIN-FLOOD 2013:2013:2013:2013: DNS-FLOOD L,CV 2013:2013:2013:2013 Table 76 Command output Field Description Policy name Name of the attack defense policy. Locations to which the attack defense policy is applied: Local (Local Applied list indicates that the policy is applied to the device).
  • Page 555: Display Attack-Defense Policy Ip

    Field Description Global actions: Global prevention actions against the flood attack: • D—Dropping packets. • L—Logging. • -—Not configured. Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
  • Page 556 In IRF mode: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ] Views Any view Predefined user roles...
  • Page 557: Display Attack-Defense Policy Ipv6

    Slot 1: IP address VPN instance Type Rate threshold(PPS) Dropped 123.123.123.123 -- SYN-ACK-FLOOD 100 4294967295 201.55.7.45 ICMP-FLOOD 192.168.11.5 DNS-FLOOD Slot 2: IP address VPN instance Type Rate threshold(PPS) Dropped # (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
  • Page 558 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ack-flood: Specifies ACK flood attack.
  • Page 559: Display Attack-Defense Scan Attacker Ip

    # (In standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc. display attack-defense policy abc flood ipv6 count Slot 1: Totally 3 flood protected IP addresses. Slot 2: Totally 0 flood protected IP addresses.
  • Page 560: Display Attack-Defense Scan Attacker Ipv6

    chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device.
  • Page 561 Syntax In standalone mode: display attack-defense scan attacker ipv6 [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense scan attacker ipv6 [ [ local ] [ chassis chassis-number slot slot-number ] ] [ count ] Views Any view...
  • Page 562: Display Attack-Defense Scan Victim Ip

    Table 81 Command output Field Description Totally 1 attackers: Total number of IPv6 scanning attackers. IPv6 address: IPv6 address of the attacker. VPN instance: MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).
  • Page 563: Display Attack-Defense Scan Victim Ipv6

    Usage guidelines If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims. Examples # (In standalone mode.) Display information about all IPv4 scanning attack victims. display attack-defense scan victim ip Slot 1: IP address VPN instance Detected on...
  • Page 564 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards.
  • Page 565: Display Attack-Defense Statistics Local

    Related commands display attack-defense scan attacker ipv6 scan detect display attack-defense statistics local Use display attack-defense statistics local to display attack detection and prevention statistics for the device. Syntax In standalone mode: display attack-defense statistics local [ slot slot-number ] In IRF mode: display attack-defense statistics local [ chassis chassis-number slot slot-number ] Views...
  • Page 566 UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible...
  • Page 567 ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big Slot 2: Scan attack defense statistics: AttackType AttackTimes Dropped Port scan IP sweep Distribute port scan Flood attack defense statistics: AttackType...
  • Page 568: Display Blacklist Ip

    TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request ICMP address mask reply...
  • Page 569 Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
  • Page 570: Display Blacklist Ipv6

    display blacklist ipv6 Use display blacklist ipv6 to display manually added IPv6 blacklist entries. Syntax display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] | count ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
  • Page 571: Display Blacklist User

    Related commands blacklist ipv6 display blacklist user Use display blacklist user to display user blacklist entries. Syntax display blacklist user [ user-name ] [ count ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.
  • Page 572: Dns-Flood Action

    Related commands blacklist global enable blacklist user dns-flood action Use dns-flood action to specify global actions against DNS flood attacks. Use undo dns-flood action to restore the default. Syntax dns-flood action { drop | logging } * undo dns-flood action Default No global action is specified for DNS flood attacks.
  • Page 573 Default IP address-specific DNS flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 574: Dns-Flood Detect Non-Specific

    dns-flood detect non-specific Use dns-flood detect non-specific to enable global DNS flood attack detection. Use undo dns-flood detect non-specific to disable global DNS flood attack detection. Syntax dns-flood detect non-specific undo dns-flood detect non-specific Default Global DNS flood attack detection is disabled. Views Attack defense policy view Predefined user roles...
  • Page 575: Dns-Flood Threshold

    mdc-admin Parameters port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. Usage guidelines The device detects only DNS packets destined for the specified ports.
  • Page 576: Exempt Acl

    The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
  • Page 577: Fin-Flood Action

    • Destination IP address. • Source port. • Destination port. • Protocol. • L3VPN instance. • The fragment keyword for matching non-first fragments. If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
  • Page 578: Fin-Flood Detect

    Related commands fin-flood detect fin-flood detect non-specific fin-flood threshold fin-flood detect Use fin-flood detect to configure IP address-specific FIN flood attack detection. Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration. Syntax fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 579: Fin-Flood Detect Non-Specific

    system-view
    [Sysname] attack-defense policy atk-policy-1
    [Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000
    Related commands
    fin-flood action
    fin-flood detect non-specific
    fin-flood threshold
    fin-flood detect non-specific
    Use fin-flood detect non-specific to enable global FIN flood attack detection. Use undo fin-flood detect non-specific to disable global FIN flood attack detection.
    Syntax
    fin-flood detect non-specific
    undo fin-flood detect non-specific
  • Page 580: Http-Flood Action

    Syntax fin-flood threshold threshold-value undo fin-flood threshold Default The global threshold is 1000 for triggering FIN flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
  • Page 581: Http-Flood Detect

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters drop: Drops subsequent HTTP packets destined for the victim IP addresses. logging: Enables logging for HTTP flood attack events. Examples # Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1. ...
  • Page 582: Http-Flood Detect Non-Specific

    port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
  • Page 583: Http-Flood Port

    mdc-admin Usage guidelines The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command. Examples # Enable global HTTP flood attack detection in attack defense policy atk-policy-1.
  • Page 584: Http-Flood Threshold

    Related commands http-flood action http-flood detect http-flood detect non-specific http-flood threshold Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax http-flood threshold threshold-value undo http-flood threshold Default The global threshold is 1000 for triggering HTTP flood attack prevention.
  • Page 585: Icmp-Flood Action

    icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No global action is specified for ICMP flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 586: Icmp-Flood Detect Non-Specific

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
  • Page 587: Icmp-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.
  • Page 588: Icmpv6-Flood Action

    The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 589: Icmpv6-Flood Detect Ipv6

    icmpv6-flood detect ipv6 Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection. Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration. Syntax icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] Default...
  • Page 590: Icmpv6-Flood Detect Non-Specific

    Related commands icmpv6-flood action icmpv6-flood detect non-specific icmpv6-flood threshold icmpv6-flood detect non-specific Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection. Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection. Syntax icmpv6-flood detect non-specific undo icmpv6-flood detect non-specific Default Global ICMPv6 flood attack detection is disabled.
  • Page 591: Reset Attack-Defense Policy Flood

    Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second. Usage guidelines With global ICMPv6 flood attack detection configured, the device is in attack detection state.
  • Page 592: Reset Attack-Defense Statistics Local

    Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Specifies protected IPv4 addresses. ipv6: Specifies protected IPv6 addresses.
  • Page 593: Reset Blacklist Ipv6

    Predefined user roles network-admin mdc-admin Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
  • Page 594: Reset Blacklist Statistics

    reset blacklist statistics Use reset blacklist statistics to clear blacklist statistics. Syntax reset blacklist statistics Views User view Predefined user roles network-admin mdc-admin Usage guidelines This command resets the counter for dropped packets for all blacklist entries. Examples # Clear blacklist statistics. ...
  • Page 595: Rst-Flood Detect

    [Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop
    Related commands
    rst-flood detect
    rst-flood detect non-specific
    rst-flood threshold
    rst-flood detect
    Use rst-flood detect to configure IP address-specific RST flood attack detection. Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.
    Syntax
    rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]...
  • Page 596: Rst-Flood Detect Non-Specific

    Examples
    # Configure RST flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
    system-view
    [Sysname] attack-defense policy atk-policy-1
    [Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000
    Related commands
    rst-flood action
    rst-flood detect non-specific
    rst-flood threshold
    rst-flood detect non-specific
    Use rst-flood detect non-specific to enable global RST flood attack detection. Use undo rst-flood detect non-specific to disable global RST flood attack detection.
  • Page 597: Scan Detect

    Use undo rst-flood threshold to restore the default. Syntax rst-flood threshold threshold-value undo rst-flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.
  • Page 598 Default No scanning attack detection is configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters level: Specifies the level of the scanning attack detection. low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected.
  • Page 599: Signature { Large-Icmp | Large-Icmpv6 } Max-Length

    blacklist global enable signature { large-icmp | large-icmpv6 } max-length Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
  • Page 600 signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } * undo signature detect { ip-option-abnormal | ping-of-death | teardrop } signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ] undo...
  • Page 601 • redirect: Specifies the ICMP redirect type. • source-quench: Specifies the ICMP source quench type. • time-exceeded: Specifies the ICMP time exceeded type. • timestamp-reply: Specifies the ICMP timestamp reply type. • timestamp-request: Specifies the ICMP timestamp request type. icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword: •...
  • Page 602: Signature Level Action

    teardrop: Specifies the teardrop attack. tiny-fragment: Specifies the tiny fragment attack. traceroute: Specifies the traceroute attack. udp-bomb: Specifies the UDP bomb attack. winnuke: Specifies the WinNuke attack. action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
  • Page 603: Signature Level Detect

    Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
  • Page 604: Syn-Ack-Flood Action

    Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
  • Page 605: Syn-Ack-Flood Detect

    Examples
    # Specify drop as the global action against SYN-ACK flood attacks in attack defense policy atk-policy-1.
    system-view
    [Sysname] attack-defense policy atk-policy-1
    [Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop
    Related commands
    syn-ack-flood detect
    syn-ack-flood detect non-specific
    syn-ack-flood threshold
    syn-ack-flood detect
    Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection. Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
  • Page 606: Syn-Ack-Flood Detect Non-Specific

    Usage guidelines With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
  • Page 607: Syn-Ack-Flood Threshold

    Related commands syn-ack-flood action syn-ack-flood detect syn-ack-flood threshold syn-ack-flood threshold Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention. Use undo syn-ack-flood threshold to restore the default. Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention.
  • Page 608: Syn-Flood Action

    syn-flood action Use syn-flood action to specify global actions against SYN flood attacks. Use undo syn-flood action to restore the default. Syntax syn-flood action { drop | logging } * undo syn-flood action Default No global action is specified for SYN flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 609: Syn-Flood Detect Non-Specific

    Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 610: Syn-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
  • Page 611: Udp-Flood Action

    The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 612: Udp-Flood Detect

    udp-flood detect Use udp-flood detect to configure IP address-specific UDP flood attack detection. Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration. Syntax udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 613: Udp-Flood Detect Non-Specific

    Related commands udp-flood action udp-flood detect non-specific udp-flood threshold udp-flood detect non-specific Use udp-flood detect non-specific to enable global UDP flood attack detection. Use undo udp-flood detect non-specific to disable global UDP flood attack detection. Syntax udp-flood detect non-specific undo udp-flood detect non-specific Default Global UDP flood attack detection is disabled.
  • Page 614 Default The global threshold is 1000 for triggering UDP flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second. Usage guidelines With global UDP flood attack detection configured, the device is in attack detection state.
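    The flood detection behaviour that the usage guidelines describe for every flood type (SYN, SYN-ACK, FIN, RST, UDP, ICMP, ICMPv6, DNS, HTTP) is the same state machine: the device starts in attack detection state, enters prevention state when the rate of packets sent to a protected address reaches the threshold, applies the configured actions while in prevention state, and returns to detection state when the rate falls below the silence threshold of three-fourths of the threshold. IP-specific detect entries take precedence over the global threshold and global actions, and global detection only runs when the non-specific command is enabled. The following Python model is an added illustration of that logic, not HPE device code. The class and function names, the per-second rate samples, and the rule that an IP-specific entry which omits threshold or action inherits the global value are assumptions made for the example.

```python
"""Model of the per-address flood attack detection state machine from the
attack defense policy commands. Added illustration, not HPE device code."""
from collections import defaultdict

DETECTION, PREVENTION = "detection", "prevention"
# The silence threshold is three-fourths of the trigger threshold
# (stated in the syn-ack-flood detect usage guidelines).
SILENCE_RATIO = 0.75


class FloodPolicy:
    """One flood type inside an attack defense policy: a global threshold and
    global actions plus IP-specific entries that take precedence over them."""

    def __init__(self, global_threshold=1000, global_actions=(), non_specific=True):
        self.global_threshold = global_threshold         # xxx-flood threshold
        self.global_actions = frozenset(global_actions)  # xxx-flood action
        self.non_specific = non_specific                 # xxx-flood detect non-specific
        self.specific = {}   # xxx-flood detect ip ...: ip -> (threshold, actions)
        self.state = defaultdict(lambda: DETECTION)
        self.log = []        # what the logging action would emit (constructed)

    def detect_ip(self, ip, threshold=None, actions=None):
        """IP-specific entry. Assumption for this model: an omitted threshold or
        action inherits the global value; actions=() corresponds to 'action none'."""
        self.specific[ip] = (threshold, None if actions is None else frozenset(actions))

    def params_for(self, ip):
        threshold, actions = self.specific.get(ip, (None, None))
        return (self.global_threshold if threshold is None else threshold,
                self.global_actions if actions is None else actions)

    def observe_second(self, ip, pps):
        """Feed one second of traffic toward `ip` (pps = packets in that second).
        Returns (state after this second, packets dropped in this second)."""
        if ip not in self.specific and not self.non_specific:
            return DETECTION, 0          # no global detection: address not monitored
        threshold, actions = self.params_for(ip)
        state = self.state[ip]
        if state == DETECTION and pps >= threshold:
            state = PREVENTION           # rate reached the threshold
            if "logging" in actions:
                self.log.append(f"{ip}: {pps} pps reached threshold {threshold}")
        elif state == PREVENTION and pps < threshold * SILENCE_RATIO:
            state = DETECTION            # rate fell below the silence threshold
        self.state[ip] = state
        # The drop action discards packets to the victim while in prevention state.
        dropped = pps if state == PREVENTION and "drop" in actions else 0
        return state, dropped


def run(policy, ip, rates):
    """Replay a list of per-second rates toward `ip`; returns [(state, dropped)]."""
    return [policy.observe_second(ip, r) for r in rates]


if __name__ == "__main__":
    # Constructed sample: global threshold 1000 with drop and logging, and an
    # IP-specific entry for 192.168.1.2 with threshold 2000 (as in the manual's
    # example) that inherits the global actions.
    p = FloodPolicy(global_threshold=1000, global_actions={"drop", "logging"})
    p.detect_ip("192.168.1.2", threshold=2000)
    for ip, rates in (("192.168.1.2", [1500, 2000, 1800, 1499, 900]),
                      ("10.0.0.5", [999, 1000, 800, 749])):
        for r, (st, dropped) in zip(rates, run(p, ip, rates)):
            print(f"{ip:12} {r:5} pps -> {st:10} dropped={dropped}")
    print("\n".join(p.log))
```

    Note the hysteresis: 1800 pps toward 192.168.1.2 is below the 2000 threshold but still above the 1500 silence threshold, so the device stays in prevention state and keeps dropping; only when the rate drops under 1500 does it return to detection state.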
  • Page 615: Tcp Attack Prevention Commands

    TCP attack prevention commands tcp anti-naptha enable Use tcp anti-naptha enable to enable Naptha attack prevention. Use undo tcp anti-naptha enable to disable Naptha attack prevention. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default Naptha attack prevention is disabled. Views System view Predefined user roles...
  • Page 616: Tcp State

    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interval: Specifies the check interval in the range of 1 to 60 seconds.
    Usage guidelines
    This command takes effect only after you enable Naptha attack prevention. After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at the specified interval.
  • Page 617 connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. A value of 0 means that the device does not accelerate the aging of the TCP connections in the state.
    Usage guidelines
    This command takes effect only after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device accelerates the aging of the TCP connections in that state.
  • Page 618: Ip Source Guard Commands

    IP source guard commands display ip source binding Use display ip source binding to display IPv4SG bindings. Syntax In standalone mode: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping | dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping |...
  • Page 619: Display Ip Verify Source Excluded

    argument represents the slot number of the card. If you do not specify a card, this command displays IPv4SG bindings for the global active MPU. (In IRF mode.) Examples # Display all IPSG bindings on the public network. display ip source binding Total entries found: 5 IP Address MAC Address...
  • Page 620 display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ] In IRF mode: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin...
  • Page 621: Display Ipv6 Source Binding

    Field          Description
    End VLAN ID    End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering.
    Status         Whether the excluded VLAN configuration takes effect:
                   • Active—The configuration takes effect.
                   • Inactive—The configuration does not take effect.
    Related commands
    ip verify source exclude
    display ipv6 source binding...
  • Page 622: Display Ipv6 Source Binding Pd

    interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG address bindings for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
  • Page 623 Syntax In standalone mode: display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] Views...
  • Page 624: Ip Source Binding (Interface View)

    Table 91 Command output
    Field                 Description
    Total entries found   Total number of IPv6SG prefix bindings.
    IPv6 prefix           IPv6 prefix and prefix length in the IPv6SG prefix binding.
    MAC address           MAC address in the IPv6SG prefix binding. This field displays N/A if the MAC address is invalid.
    Interface             Interface to which the IPv6SG prefix binding belongs.
  • Page 625: Ip Source Binding (System View)

    Usage guidelines Static IPv4SG bindings on an interface implement the following functions: • Filter incoming IPv4 packets on the interface. • Check user validity by cooperating with the ARP attack detection feature. You cannot configure static IPv4SG bindings on a service loopback interface. Examples # Configure a static IPv4SG binding on Ten-GigabitEthernet 1/0/1.
  • Page 626: Ip Verify Source

    Related commands display ip source binding ip source binding (interface view) ip verify source Use ip verify source to enable IPv4SG on an interface. Use undo ip verify source to disable IPv4SG on an interface. Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4SG feature is disabled on an interface.
  • Page 627: Ip Verify Source Exclude

    # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/2
    [Sysname-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source MAC address for dynamic IPSG.
  • Page 628: Ipv6 Source Binding (Interface View)

    Related commands display ip verify source excluded ipv6 source binding (interface view) Use ipv6 source binding to configure a static IPv6SG binding. Use undo ipv6 source binding to delete the static IPv6SG bindings configured on an interface. Syntax ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address }...
  • Page 629: Ipv6 Source Binding (System View)

    ipv6 source binding (system view) Use ipv6 source binding to configure a global static IPv6SG binding. Use undo ipv6 source binding to delete one or all global static IPv6SG bindings. Syntax ipv6 source binding ip-address ipv6-address mac-address mac-address undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address } Default No global static IPv6SG bindings exist.
  • Page 630 Views Layer 2 Ethernet interface view Layer 3 Ethernet interface view VLAN interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
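    The IP source guard commands above fit together as a simple filter: a binding table populated statically (ip source binding, ipv6 source binding) or dynamically (DHCP snooping, ARP snooping, DHCP relay, 802.1X), a per-interface verification mode chosen with ip verify source or ipv6 verify source (source IP only, source IP plus MAC, or source MAC only), and a set of VLANs excluded from filtering with ip verify source exclude. An incoming packet on an IPSG-enabled interface is forwarded only if a binding on that interface matches the checked fields; otherwise it is dropped. The following Python model is an added illustration of that decision, not HPE device code. The class and method names, the constructed bindings and packets, and the assumption that a binding with a VLAN matches only packets in that VLAN (a binding without a VLAN matching any) are choices made for the example.

```python
"""Model of IP source guard (IPSG) filtering as described by the ip source
binding, ip verify source and ip verify source exclude commands.
Added illustration, not HPE device code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str                   # bound source IP address
    mac: Optional[str]        # bound source MAC; None is shown as N/A on the device
    vlan: Optional[int]       # VLAN of the binding (None: any VLAN; assumption)
    interface: str            # interface the binding belongs to
    source: str = "static"    # static, dhcp-snooping, arp-snooping, dhcp-relay, dot1x


VERIFY_MODES = ("ip-address", "ip-address mac-address", "mac-address")


class IpSourceGuard:
    def __init__(self):
        self.bindings = set()
        self.verify = {}            # interface -> mode (ip verify source <mode>)
        self.excluded_vlans = set()  # ip verify source exclude vlan ...

    def add_binding(self, binding):
        self.bindings.add(binding)

    def enable(self, interface, mode):
        if mode not in VERIFY_MODES:
            raise ValueError(f"unknown IPSG mode {mode!r}")
        self.verify[interface] = mode

    def exclude_vlans(self, start, end=None):
        self.excluded_vlans.update(range(start, (end or start) + 1))

    def permit(self, interface, vlan, src_ip, src_mac):
        """True if the packet is forwarded, False if IPSG drops it."""
        mode = self.verify.get(interface)
        if mode is None or vlan in self.excluded_vlans:
            return True          # IPSG not enabled here, or VLAN excluded from filtering
        for b in self.bindings:
            if b.interface != interface or (b.vlan is not None and b.vlan != vlan):
                continue
            if mode == "ip-address" and b.ip == src_ip:
                return True
            if mode == "mac-address" and b.mac == src_mac:
                return True
            if mode == "ip-address mac-address" and b.ip == src_ip and b.mac == src_mac:
                return True
        return False             # no binding matches: packet is dropped


if __name__ == "__main__":
    # Constructed bindings and packets for the demonstration.
    g = IpSourceGuard()
    g.add_binding(Binding("192.168.0.1", "0001-0001-0001", 2, "XGE1/0/1"))
    g.add_binding(Binding("10.0.0.9", None, None, "XGE1/0/2", "dhcp-snooping"))
    g.enable("XGE1/0/1", "ip-address mac-address")
    g.enable("XGE1/0/2", "ip-address")
    g.exclude_vlans(100, 110)
    for pkt in (("XGE1/0/1", 2, "192.168.0.1", "0001-0001-0001"),
                ("XGE1/0/1", 2, "192.168.0.1", "0001-0001-0002"),   # spoofed MAC
                ("XGE1/0/1", 105, "172.16.0.1", "dead-beef-0001"),  # excluded VLAN
                ("XGE1/0/2", 7, "10.0.0.10", "dead-beef-0002")):    # unbound IP
        print(pkt, "forward" if g.permit(*pkt) else "drop")
```

    The spoofed-MAC case is why ip-address mac-address is the mode to prefer on access ports where bindings carry a valid MAC: with ip-address alone, any host on the port that knows a bound address can use it.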
  • Page 631: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable ARP blackhole routing. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP blackhole routing is enabled.
  • Page 632: Arp Resolving-Route Probe-Interval

    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    count: Sets the number of probes, in the range of 1 to 25.
    Examples
    # Configure the device to perform five ARP blackhole route probes for each unresolved IP address.
    system-view
    [Sysname] arp resolving-route probe-count 5
    Related commands
    arp resolving-route enable...
  • Page 633: Arp Source-Suppression Enable

    arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression feature. Use undo arp source-suppression enable to disable the ARP source suppression feature. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression feature is disabled. Views System view Predefined user roles...
  • Page 634: Display Arp Source-Suppression

    Usage guidelines If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse. Examples # Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
  • Page 635: Arp Rate-Limit Log Enable

    undo arp rate-limit Default The ARP packet rate limit feature is enabled on an interface. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Layer 3 Ethernet interface view Layer 3 aggregate interface view Predefined user roles network-admin mdc-admin Parameters pps: Specifies the upper limit for ARP packet rate in pps.
  • Page 636: Arp Rate-Limit Log Interval

    configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide. Examples # Enable logging for ARP packet rate limit. system-view [Sysname] arp rate-limit log enable arp rate-limit log interval Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
  • Page 637: Source Mac-Based Arp Attack Detection Commands

    Syntax
    snmp-agent trap enable arp [ rate-limit ]
    undo snmp-agent trap enable arp [ rate-limit ]
    Default
    SNMP notifications for ARP are disabled.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    rate-limit: Specifies the ARP packet rate limit feature.
    Usage guidelines
    After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
  • Page 638: Arp Source-Mac Aging-Time

    Parameters filter: Specifies the filter handling method. monitor: Specifies the monitor handling method. Usage guidelines Configure this feature on the gateways. This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address.
  • Page 639: Arp Source-Mac Exclude-Mac

    arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection. Syntax arp source-mac exclude-mac mac-address&<1-64> undo arp source-mac exclude-mac [ mac-address&<1-64>...
  • Page 640: Display Arp Source-Mac

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.
    Examples
    # Set the threshold for source MAC-based ARP attack detection to 30.
    system-view
    [Sysname] arp source-mac threshold 30
    display arp source-mac
    Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP...
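    Source MAC-based ARP attack detection, as the usage guidelines above describe it, counts the ARP packets delivered to the CPU from each source MAC address within 5 seconds, creates an ARP attack entry for a MAC address whose count exceeds the threshold, keeps that entry for the configured aging time, and either drops further ARP packets from that MAC (filter) or only records the entry (monitor); MAC addresses listed with arp source-mac exclude-mac are never counted. The following Python model is an added illustration of that logic, not HPE device code. The class name, the constructed traffic, and the threshold and aging-time values used in the example are assumptions; check the device's own defaults with the display commands before relying on them.

```python
"""Model of source MAC-based ARP attack detection (arp source-mac
{ filter | monitor }, arp source-mac threshold, arp source-mac aging-time,
arp source-mac exclude-mac). Added illustration, not HPE device code."""

WINDOW = 5.0   # seconds: the text counts ARP packets per source MAC within 5 seconds


class ArpSourceMacDetector:
    def __init__(self, mode="monitor", threshold=30, aging_minutes=5, exclude=()):
        # threshold and aging_minutes are example values, not the device defaults.
        if mode not in ("filter", "monitor"):
            raise ValueError(f"unknown handling method {mode!r}")
        self.mode = mode
        self.threshold = threshold
        self.aging = aging_minutes * 60.0
        self.exclude = set(exclude)       # arp source-mac exclude-mac ...
        self.window = {}                  # mac -> [window_start, count]
        self.entries = {}                 # mac -> {"vlan", "interface", "expires"}

    def _expire(self, now):
        """Remove attack entries whose aging time has elapsed."""
        for mac in [m for m, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[mac]

    def on_arp(self, now, src_mac, vlan, interface):
        """Process one ARP packet delivered to the CPU at time `now` (seconds).
        Returns 'forward' or 'drop'."""
        self._expire(now)
        if src_mac in self.exclude:
            return "forward"              # excluded MACs are never counted
        counter = self.window.get(src_mac)
        if counter is None or now - counter[0] >= WINDOW:
            counter = [now, 0]            # start a new 5-second counting window
        counter[1] += 1
        self.window[src_mac] = counter
        if counter[1] > self.threshold and src_mac not in self.entries:
            # Count exceeded the threshold: create the ARP attack entry.
            self.entries[src_mac] = {"vlan": vlan, "interface": interface,
                                     "expires": now + self.aging}
        if src_mac in self.entries and self.mode == "filter":
            return "drop"                 # filter: drop ARP from the attacking MAC
        return "forward"                  # monitor: entry only, packet still forwarded


if __name__ == "__main__":
    # Constructed burst: five ARP packets from one MAC within half a second.
    d = ArpSourceMacDetector(mode="filter", threshold=3, aging_minutes=1)
    for i in range(5):
        print(f"t={i * 0.1:.1f}", d.on_arp(i * 0.1, "000f-e2aa-bbcc", 2, "XGE1/0/1"))
    print("entries:", d.entries)
    print("after aging:", d.on_arp(60.4, "000f-e2aa-bbcc", 2, "XGE1/0/1"))
```

    The exclude list matters in practice: a gateway or a busy DHCP server legitimately sends many ARP packets, and in filter mode a threshold tuned for hosts would otherwise cut it off.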
  • Page 641: Arp Packet Source Mac Consistency Check Commands

    Table 93 Command output
    Field         Description
    Source-MAC    Source MAC address of the attack.
    VLAN ID       ID of the VLAN in which the attack was detected.
    Interface     Interface on which the attack was detected.
    Aging-time    Aging time for the ARP attack entry, in minutes.
    ARP packet source MAC consistency check commands
    arp valid-check enable...
  • Page 642: Authorized Arp Commands

    Syntax arp active-ack [ strict ] enable undo arp active-ack [ strict ] enable Default The ARP active acknowledgement feature is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing.
  • Page 643: Arp Attack Detection Commands

    Predefined user roles
    network-admin
    mdc-admin
    Examples
    # Enable authorized ARP on VLAN-interface 200.
    system-view
    [Sysname] interface vlan-interface 200
    [Sysname-Vlan-interface200] arp authorized enable
    ARP attack detection commands
    arp detection enable
    Use arp detection enable to enable ARP attack detection. Use undo arp detection enable to disable ARP attack detection.
    Syntax
    arp detection enable
    undo arp detection enable...
  • Page 644: Arp Detection Port-Match-Ignore

    Syntax arp detection log enable undo arp detection log enable Default ARP attack detection logging is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable ARP attack detection logging. system-view [Sysname] arp detection log enable arp detection port-match-ignore Use arp detection port-match-ignore to ignore ingress ports of ARP packets during user validity check.
  • Page 645: Arp Detection Rule

    arp detection rule Use arp detection rule to configure a user validity check rule. Use undo arp detection rule to delete a user validity check rule. Syntax arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ] undo arp detection rule [ rule-id ] Default...
  • Page 646: Arp Detection Trust

    [Sysname-vlan2] arp detection enable Related commands arp detection enable arp detection trust Use arp detection trust to configure an interface as an ARP trusted interface or configure an AC as an ARP trusted AC. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust...
  • Page 647: Arp Restricted-Forwarding Enable

    Views System view Predefined user roles network-admin mdc-admin Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
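    Two of the checks in this section can be shown concretely: the user validity check rules configured with arp detection rule (each rule carries a rule ID, a permit or deny action, a sender IP address with mask, a sender MAC address with mask, and optionally a VLAN), and the dst-mac validity check, which discards an ARP reply whose target MAC address is all-zero, all-one, or different from the destination MAC address in the Ethernet header. The following Python model is an added illustration, not HPE device code. The class and function names and the constructed rules and packets are assumptions; so is the choice to evaluate rules in ascending rule-ID order and stop at the first match. A packet that matches no rule is returned as None here; on the device it is then checked against other sources such as the static IPSG bindings that the ip source binding command says cooperate with ARP attack detection.

```python
"""Model of ARP attack detection user validity rules (arp detection rule) and
the dst-mac validity check (arp detection validate dst-mac).
Added illustration, not HPE device code."""
import ipaddress


def mac_int(mac):
    """'0001-0001-abcd' (Comware notation) or '00:01:00:01:ab:cd' -> integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


ALL_ZERO, ALL_ONE = 0, mac_int("ffff-ffff-ffff")


class ArpDetection:
    def __init__(self):
        self.rules = {}    # rule-id -> rule (arp detection rule rule-id ...)

    def add_rule(self, rule_id, action, ip="any", ip_mask="255.255.255.255",
                 mac="any", mac_mask="ffff-ffff-ffff", vlan=None):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.rules[rule_id] = dict(action=action, ip=ip, ip_mask=ip_mask,
                                   mac=mac, mac_mask=mac_mask, vlan=vlan)

    @staticmethod
    def _ip_match(rule, sender_ip):
        if rule["ip"] == "any":
            return True
        mask = int(ipaddress.IPv4Address(rule["ip_mask"]))
        return ((int(ipaddress.IPv4Address(sender_ip)) & mask)
                == (int(ipaddress.IPv4Address(rule["ip"])) & mask))

    @staticmethod
    def _mac_match(rule, sender_mac):
        if rule["mac"] == "any":
            return True
        mask = mac_int(rule["mac_mask"])
        return (mac_int(sender_mac) & mask) == (mac_int(rule["mac"]) & mask)

    def user_validity(self, sender_ip, sender_mac, vlan):
        """Match the sender IP/MAC of an ARP packet received in `vlan` against
        the rules in ascending rule-ID order (assumed ordering for this model).
        Returns 'permit', 'deny', or None when no rule matches."""
        for rule_id in sorted(self.rules):
            r = self.rules[rule_id]
            if r["vlan"] is not None and r["vlan"] != vlan:
                continue
            if self._ip_match(r, sender_ip) and self._mac_match(r, sender_mac):
                return r["action"]
        return None


def dst_mac_check(arp_op, target_mac, eth_dst_mac):
    """dst-mac validity check, applied to ARP replies only: the target MAC must
    not be all-zero or all-one and must equal the Ethernet destination MAC.
    Returns None when the packet is valid, otherwise the reason it is discarded."""
    if arp_op != "reply":
        return None
    t = mac_int(target_mac)
    if t == ALL_ZERO:
        return "target MAC all-zero"
    if t == ALL_ONE:
        return "target MAC all-one"
    if t != mac_int(eth_dst_mac):
        return "target MAC differs from Ethernet destination MAC"
    return None


if __name__ == "__main__":
    # Constructed rules: permit the 10.1.1.0/24 hosts with OUI-like prefix
    # 0001-0001 in VLAN 2, deny everything else.
    d = ArpDetection()
    d.add_rule(0, "permit", ip="10.1.1.0", ip_mask="255.255.255.0",
               mac="0001-0001-0000", mac_mask="ffff-ffff-0000", vlan=2)
    d.add_rule(1, "deny")
    print(d.user_validity("10.1.1.5", "0001-0001-abcd", 2))   # permit
    print(d.user_validity("10.1.2.5", "0001-0001-abcd", 2))   # deny
    print(dst_mac_check("reply", "0000-0000-0000", "000f-e2aa-bbcc"))
```

    The deny-all rule with the highest ID is the conventional closing rule: without it, a sender outside the permitted range falls through the rule list, and whether it is then accepted depends on the binding checks rather than on the rules.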
  • Page 648: Display Arp Detection

    [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs and VSIs that are enabled with ARP attack detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the VLANs and VSIs that are enabled with ARP attack detection. ...
  • Page 649: Reset Arp Detection Statistics

    Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID. If you do not specify an Ethernet service instance, this command displays ARP attack detection statistics for all Ethernet service instances on the specified interface.
  • Page 650: Arp Scanning And Fixed Arp Commands

    Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID.
  • Page 651: Arp Scan

    To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command. Examples # Convert existing dynamic ARP entries to static ARP entries. ...
  • Page 652: Arp Gateway Protection Commands

    [Sysname-Vlan-interface2] arp scan
    # Configure the device to scan neighbors in an address range.
    system-view
    [Sysname] interface vlan-interface 2
    [Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20
    ARP gateway protection commands
    arp filter source
    Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway.
  • Page 653: Arp Packet Sender Ip Address Checking Commands

    Syntax arp filter binding ip-address mac-address undo arp filter binding ip-address Default ARP filtering is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address.
  • Page 654 Views VLAN view Predefined user roles network-admin mdc-admin Parameters start-ip-address: Specifies the start IP address. end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address. Usage guidelines The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.
  • Page 655: Nd Attack Defense Commands

    ND attack defense commands Source MAC consistency check commands ipv6 nd check log enable Use ipv6 nd check log enable to enable the ND logging feature. Use undo ipv6 nd check log enable to restore the default. Syntax ipv6 nd check log enable undo ipv6 nd check log enable Default The ND logging feature is disabled.
  • Page 656: Nd Attack Detection Commands

    Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
  • Page 657: Ipv6 Nd Detection Enable

    Table 95 Command output Field Description Interface Input interface of the ND messages. Packets dropped Number of ND messages dropped by ND attack detection. ipv6 nd detection enable Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
  • Page 658: Reset Ipv6 Nd Detection Statistics

    mdc-admin
    Examples
    # Configure Ten-GigabitEthernet 1/0/1 as an ND trusted interface.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] ipv6 nd detection trust
    # Configure Bridge-Aggregation 1 as an ND trusted interface.
    system-view
    [Sysname] interface bridge-aggregation 1
    [Sysname-Bridge-Aggregation1] ipv6 nd detection trust
    reset ipv6 nd detection statistics
    Use reset ipv6 nd detection statistics to clear ND attack detection statistics.
  • Page 659: Display Ipv6 Nd Raguard Statistics

    Parameters policy-name: Specifies an RA guard policy by its name. The policy name is a case-sensitive string of 1 to 31 characters. If you do not specify a policy, this command displays the configuration of all RA guard policies. Examples # Display the configuration of all RA guard policies.
  • Page 660: If-Match Acl

    Syntax display ipv6 nd raguard statistics [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays RA guard statistics for all interfaces. Examples # Display RA guard statistics.
  • Page 661: If-Match Autoconfig Managed-Address-Flag

    Predefined user roles network-admin mdc-admin Parameters ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be all. Usage guidelines RA guard uses the ACL match criterion to match the IP address of the RA message sender.
  • Page 662: If-Match Autoconfig Other-Flag

    Examples
    # Specify on as the M flag match criterion for the RA guard policy policy1.
    system-view
    [Sysname] ipv6 nd raguard policy policy1
    [Sysname-raguard-policy-policy1] if-match autoconfig managed-address-flag on
    if-match autoconfig other-flag
    Use if-match autoconfig other-flag to specify an O flag match criterion. Use undo if-match autoconfig other-flag to delete the O flag match criterion.
  • Page 663: If-Match Prefix

    Default No maximum or minimum hop limit match criterion exists. Views RA guard policy view Predefined user roles network-admin mdc-admin Parameters maximum: Specifies the maximum advertised hop limit. An RA message passes the check if its current hop limit is not higher than the maximum advertised hop limit. minimum: Specifies the minimum advertised hop limit.
  • Page 664: If-Match Router-Preference

    Usage guidelines An RA message passes the check if the advertised prefixes in the message match the prefixes set by the ACL. If the specified ACL does not exist or does not contain a rule, the prefix match criterion does not take effect.
  • Page 665: Ipv6 Nd Raguard Apply Policy

    Examples
    # Specify medium as the router preference match criterion for the RA guard policy policy1.
    system-view
    [Sysname] ipv6 nd raguard policy policy1
    [Sysname-raguard-policy-policy1] if-match router-preference maximum medium
    ipv6 nd raguard apply policy
    Use ipv6 nd raguard apply policy to apply an RA guard policy to a VLAN. Use undo ipv6 nd raguard apply policy to remove the RA guard policy from a VLAN.
  • Page 666: Ipv6 Nd Raguard Policy

    undo ipv6 nd raguard log enable Default The RA guard logging feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command allows a device to generate logs when it detects forged RA messages. The log information helps administrators locate and solve problems.
  • Page 667: Ipv6 Nd Raguard Role

    Parameters
    policy-name: Assigns a name to the RA guard policy. The name is a case-sensitive string of 1 to 31 characters.
    Examples
    # Create RA guard policy policy1 and enter its view.
    system-view
    [Sysname] ipv6 nd raguard policy policy1
    [Sysname-raguard-policy-policy1]
    Related commands
    display ipv6 nd raguard policy...
  • Page 668: Reset Ipv6 Nd Raguard Statistics

    reset ipv6 nd raguard statistics Use reset ipv6 nd raguard statistics to clear RA guard statistics. Syntax reset ipv6 nd raguard statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears RA guard statistics for all interfaces.
  • Page 669: Ipv4 Urpf Commands

    IPv4 uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf [ slot slot-number ] In IRF mode: display ip urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator...
  • Page 670 Use undo ip urpf to disable uRPF. Syntax ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
  • Page 671: Ipv6 Urpf Commands

    IPv6 uRPF commands display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration. Syntax In standalone mode: display ipv6 urpf [ slot slot-number ] In IRF mode: display ipv6 urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator...
  • Page 672 Use undo ipv6 urpf to disable IPv6 uRPF. Syntax ipv6 urpf { loose | strict } [ allow-default-route ] undo ipv6 urpf Default IPv6 uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
  • Page 673: Mff Commands

    MFF commands
    display mac-forced-forwarding interface
    Use display mac-forced-forwarding interface to display MFF port configuration.
    Syntax
    display mac-forced-forwarding interface
    Views
    Any view
    Predefined user roles
    network-admin network-operator mdc-admin mdc-operator
    Examples
    # Display MFF port configuration.
    display mac-forced-forwarding interface
    Network Port: XGE1/0/1 XGE1/0/2
    User Port:...
  • Page 674: Mac-Forced-Forwarding

    mdc-admin mdc-operator
    Parameters
    vlan-id: Specifies a VLAN by its ID.
    Examples
    # Display the MFF configuration for VLAN 2.
    display mac-forced-forwarding vlan 2
    VLAN 2
    Mode: Manual/Single
    Gateway:
    --------------------------------------------------------------------------
    192.168.1.42 000f-e200-8046
    Server:
    --------------------------------------------------------------------------
    192.168.1.48 192.168.1.49
    Table 101 Command output
    Field Description
    VLAN 2...
  • Page 675: Mac-Forced-Forwarding Gateway Probe

    mdc-admin Parameters default-gateway gateway-ip: Specifies the IP address of the default gateway. Usage guidelines For MFF to take effect, make sure ARP snooping is enabled on the device. For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured.
  • Page 676: Mac-Forced-Forwarding Network-Port

    mac-forced-forwarding network-port Use mac-forced-forwarding network-port to configure the Ethernet port as a network port. Use undo mac-forced-forwarding network-port to restore the default. Syntax mac-forced-forwarding network-port undo mac-forced-forwarding network-port Default The Ethernet port is a user port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin...
  • Page 677 undo mac-forced-forwarding server server-ip&<1-10> Default No server IP address is specified. Views VLAN view Predefined user roles network-admin mdc-admin Parameters server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses. Usage guidelines You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
  • Page 678: Fips Commands

    FIPS commands
    display fips status
    Use display fips status to display the FIPS mode state.
    Syntax
    display fips status
    Views
    Any view
    Predefined user roles
    network-admin network-operator mdc-admin mdc-operator
    Examples
    # Display the FIPS mode state.
    display fips status
    FIPS mode is enabled.
  • Page 679 After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b.
  • Page 680: Fips Self-Test

    Reboot the device automatically? [Y/N]:y
    The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
    Enter username(1-55 characters): root
    Enter password(15-63 characters):
    Confirm password:
    Waiting for reboot...
  • Page 681
    Examples
    # Trigger a self-test on the cryptographic algorithms.
    system-view
    [Sysname] fips self-test
    Cryptographic Algorithms Known-Answer Tests are running ...
    CPU 0 of slot 0 in chassis 0:
    Starting Known-Answer tests in the user space.
    Known-answer test for SHA1 passed.
    Known-answer test for SHA224 passed.
  • Page 682
    Known-answer test for DSA(signature/verification) passed.
    Known-answer test for random number generator passed.
    Known-Answer tests in the user space passed.
    Starting Known-Answer tests in the kernel.
    Known-answer test for AES passed.
    Known-answer test for HMAC-SHA1 passed.
    Known-answer test for SHA1 passed.
    Known-answer test for GCM passed.
  • Page 683: Macsec Commands

    MACsec commands confidentiality-offset Use confidentiality-offset to set the MACsec confidentiality offset in an MKA policy. Use undo confidentiality-offset to restore the default. Syntax confidentiality-offset offset-value undo confidentiality-offset Default The MACsec confidentiality offset is 0. The entire frame is encrypted. Views MKA policy view Predefined user roles network-admin...
  • Page 684 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports. verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.
  • Page 685 Table 102 Command output Field Description Status of MACsec desire on the port: • Yes. Protect frames • If the port does not have an MKA principal actor, this field displays N/A. MKA policy applied to the port. This field displays N/A if the port is not enabled with MACsec desire. Active MKA policy This field is not available if the port is enabled with MACsec desire but is not applied an MKA policy.
  • Page 686: Display Mka Policy

    Field Description Packet number for outbound traffic. SA number. The minimum received packet number allowed by SAK. Related commands mka apply policy display mka policy Use display mka policy to display MKA policy information. Syntax display mka { default-policy | policy [ name policy-name ] } Views Any view Predefined user roles...
  • Page 687: Display Mka Session

    Field Description ConfOffset Confidentiality offset in bytes. Validation mode: • Check. Validation • Strict. Related commands mka policy mka apply policy display mka session Use display mka session to display MKA session information. Syntax display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ] Views Any view Predefined user roles...
  • Page 688
    # Display detailed MKA session information on GigabitEthernet 1/0/1.
    display mka session interface gigabitethernet 1/0/1 verbose
    Interface GigabitEthernet1/0/1
    Tx-SCI : 000C29F6A4380004
    Priority Capability: 3
    CKN for participant: ABCD
    Key server : Yes
    MI (MN) : D7B00EDA353242704CC6B0DB (7)
    Live peers
    Potential peers
    Principal actor : Yes...
  • Page 689 Field Description Whether the MKA instance is the principal actor. MKA instance refers to the operation entity of the MKA protocol on a port. A Principal actor port might have multiple MKA instances. The principal actor is the MKA instance in active state. MKA session status: •...
  • Page 690: Display Mka Statistics

    Field Description Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI and KN. This field displays N/A in the following situations: Previous SAK KI • The MKA instance is not the principal actor. •...
  • Page 691: Macsec Confidentiality-Offset

    Table 105 Command output Field Description MKPDUs with invalid CKN Number of received MKA packets with invalid CKNs. MKPDUs with invalid ICV Number of MKA packets that failed ICV check. MKPDUs with Rx error Number of received error MKA packets. CKN for participant CAK name of the MKA instance.
  • Page 692: Macsec Desire

    Examples
    # Set the MACsec confidentiality offset to 30 bytes on GigabitEthernet 1/0/1.
    system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] macsec confidentiality-offset 30
    Related commands
    confidentiality-offset
    display macsec
    display mka session
    mka apply policy
    macsec desire
    Use macsec desire to enable MACsec desire. The port expects MACsec protection for outbound frames.
  • Page 693: Macsec Replay-Protection Enable

    Use undo macsec mka-session log enable to disable MKA session logging. Syntax macsec mka-session log enable undo macsec mka-session log enable Default MKA session logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to generate logs for MKA session changes, such as peer aging and SAK updates.
  • Page 694: Macsec Replay-Protection Window-Size

    If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the MACsec replay protection configuration in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except MACsec replay protection) of the MKA policy are effective on the port.
  • Page 695: Macsec Validation Mode

    If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the replay protection window size in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the replay protection window size) of the MKA policy are effective on the port.
  • Page 696: Mka Apply Policy

    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] macsec validation mode strict
    Related commands
    display macsec
    mka apply policy
    validation mode
    mka apply policy
    Use mka apply policy to apply an MKA policy to a port. Use undo mka apply policy to remove the MKA policy from a port.
    Syntax
    mka apply policy policy-name
    undo mka apply policy...
  • Page 697: Mka Enable

    display mka policy replay-protection enable replay-protection window-size validation mode mka enable Use mka enable to enable MKA on a port. Use undo mka enable to disable MKA on a port. Syntax mka enable undo mka enable Default MKA is disabled on a port. Views Ethernet interface view Predefined user roles...
  • Page 698: Mka Priority

    Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters. Usage guidelines MKA policy provides a centralized method for configuring MACsec confidentiality offset, validation mode, replay protection, and replay protection window size. The system supports multiple MKA policies.
  • Page 699 Parameters priority-value: Specifies the priority value, in the range of 0 to 255. The priority is inversely related to its value. Usage guidelines If you use 802.1X-generated CAK, the access device port automatically becomes the key server. If you use a preshared key as the CAK, the port that has higher priority (lower priority value) becomes the key server.
  • Page 700: Replay-Protection Enable

    Usage guidelines The CAK can be either generated during 802.1X or manually configured at the CLI. The manually configured CAK takes precedence over the 802.1X-generated key. When 802.1X is not enabled on MACsec ports, you can execute this command to configure a preshared key on each MACsec port.
  • Page 701: Replay-Protection Window-Size

    system-view
    [Sysname] mka policy abcd
    [Sysname-mka-policy-abcd] replay-protection enable
    Related commands
    macsec replay-protection enable
    mka apply policy
    replay-protection window-size
    replay-protection window-size
    Use replay-protection window-size to set the MACsec replay protection window size in an MKA policy. Use undo replay-protection window-size to restore the default.
    Syntax
    replay-protection window-size size-value
    undo replay-protection window-size...
  • Page 702: Reset Mka Session

    Related commands macsec replay-protection window-size macsec replay-protection enable mka apply policy reset mka session Use reset mka session to reset MKA sessions on ports. Syntax reset mka session [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number.
  • Page 703: Validation Mode

    Examples
    # Clear MKA statistics on GigabitEthernet 1/0/1.
    reset mka statistics interface gigabitethernet 1/0/1
    Related commands
    display mka statistics
    validation mode
    Use validation mode to set a MACsec validation mode in an MKA policy. Use undo validation mode to restore the default.
    Syntax
    validation mode { check | strict }
    undo validation mode...
  • Page 704: 802.1X Client Commands

    802.1X client commands display dot1x supplicant Use display dot1x supplicant to display 802.1X client authentication information. Syntax display dot1x supplicant [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays 802.1X client authentication information for all interfaces.
  • Page 705: Dot1X Supplicant Anonymous Identify

    Field Description Anonymous 802.1X client anonymous identifier. identifier SSL client policy SSL client policy used by the 802.1X client feature. 802.1X client authentication state: • Init—The authentication process starts. • Connecting—The 802.1X client is connecting to the authenticator. FSM state •...
  • Page 706: Dot1X Supplicant Eap-Method

    • TTLS-GTC. If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase. Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
  • Page 707: Dot1X Supplicant Enable

    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant eap-method peap-gtc
    Related commands
    display dot1x supplicant
    dot1x supplicant enable
    dot1x supplicant enable
    Use dot1x supplicant enable to enable the 802.1X client feature. Use undo dot1x supplicant enable to disable the 802.1X client feature.
    Syntax
    dot1x supplicant enable
    undo dot1x supplicant enable...
  • Page 708: Dot1X Supplicant Password

    Default An Ethernet interface uses the interface's MAC address for 802.1X client authentication. If the interface's MAC address is unavailable, the interface uses the device's MAC address for 802.1X client authentication. Views Ethernet interface view Predefined user roles network-admin mdc-admin Parameters mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.
  • Page 709: Dot1X Supplicant Ssl-Client-Policy

    Parameters cipher: Specifies a password in encrypted form. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.
  • Page 710: Dot1X Supplicant Username

    If the MD5-Challenge authentication is used, the device does not use an SSL client policy during the authentication process.
    Examples
    # Specify SSL client policy policy_1 to be used by an 802.1X client-enabled device on Ten-GigabitEthernet 1/0/1.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant ssl-client-policy policy_1
    Related commands
    display dot1x supplicant...
  • Page 711
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant username aaa
    Related commands
    display dot1x supplicant
    dot1x domain-delimiter
    dot1x supplicant enable...
  • Page 712: Web Authentication Commands

    Web authentication commands display web-auth Use display web-auth to display Web authentication configuration and running status on interfaces. Syntax display web-auth [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.
  • Page 713: Display Web-Auth Free-Ip

    Field Description Web-auth domain ISP domain used by Web authentication. Auth-Fail VLAN for Web authentication. This field displays Not Auth-fail VLAN configured if no Auth-Fail VLAN is configured. Interval of Web authentication user detection. This field displays Not Offline-detect configured if online detection for Web authentication users is disabled. Max online users Maximum number of Web authentication users allowed on the interface.
  • Page 714: Display Web-Auth User

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. If you do not specify a Web authentication server, this command displays information about all Web authentication servers. Examples # Display information about Web authentication server aaa.
  • Page 715 network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online Web authentication user information for all cards.
  • Page 716: Redirect-Wait-Time

    Default No IP address or port number is specified for a Web authentication server. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters ipv4-address: Specifies the IPv4 address of the Web authentication server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.
  • Page 717 Default The redirection wait time is 5 seconds. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters period: Specifies the redirection wait time in the range of 1 to 90 seconds. Usage guidelines After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client.
  • Page 718: Url-Parameter

    The IP address and port number in the URL must be the same as the IP address and port number of the Web authentication server.
    Examples
    # Specify http://192.168.1.1/portal/ as the redirection URL for Web authentication server wbs.
    system-view
    [Sysname] web-auth server wbs
    [Sysname-web-auth-server-wbs] url http://192.168.1.1:80/portal/
    Related commands...
  • Page 719: Web-Auth Auth-Fail Vlan

    When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names. Examples # Add parameters userip and userurl to the redirection URL of portal Web server wbs. ...
  • Page 720: Web-Auth Domain

    Examples
    # Specify VLAN 5 as Web authentication Auth-Fail VLAN on Ten-GigabitEthernet 1/0/1.
    system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] port link-type hybrid
    [Sysname-Ten-GigabitEthernet1/0/1] mac-vlan enable
    [Sysname-Ten-GigabitEthernet1/0/1] web-auth auth-fail vlan 5
    Related commands
    display web-auth
    web-auth domain
    Use web-auth domain to specify an authentication domain for Web authentication users on an interface.
  • Page 721: Web-Auth Free-Ip

    Syntax web-auth enable apply server server-name undo web-auth enable Default Web authentication is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the Web authentication server name, a case-sensitive string of 1 to 32 characters.
  • Page 722: Web-Auth Max-User

    Parameters ip-address: Specifies the Web authentication-free subnet address. mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 0 to 32. mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation. all: Specifies all Web authentication-free subnets. Usage guidelines Web authentication users can access resources in Web authentication-free subnets without being authenticated.
  • Page 723: Web-Auth Offline-Detect

    [Sysname-Ten-GigabitEthernet1/0/1] web-auth max-user 32
    Related commands
    display web-auth
    web-auth offline-detect
    Use web-auth offline-detect to enable online detection of Web authentication users. Use undo web-auth offline-detect to disable online detection of Web authentication users.
    Syntax
    web-auth offline-detect interval interval
    undo web-auth offline-detect interval
    Default
    Online detection of Web authentication users is disabled.
  • Page 724: Web-Auth Server

    Default No Web proxy server port numbers are configured on the device. Views System view Predefined user roles network-admin mdc-admin Parameters port number: Specifies a Web proxy server TCP port number, in the range of 1 to 65535. all: Specifies all Web proxy server TCP port numbers. Usage guidelines By default, proxied HTTP requests cannot trigger Web authentication but are silently dropped.
  • Page 725 Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. Usage guidelines In Web authentication server view, you can configure the following parameters and features for the Web authentication server: •...
  • Page 726: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 727: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 728: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
  • Page 729: Websites

    Websites Website Link Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder Networking Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty General websites Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs Hewlett Packard Enterprise Support Center...
  • Page 730 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 731: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W arp source-mac aging-time,623 arp source-mac exclude-mac,624 device-id,66 arp source-mac threshold,624 aaa nas-id profile,1 arp source-suppression enable,618 session-limit,2 arp source-suppression limit,618 accept-lifetime...
  • Page 732 bind-attribute,40 display blacklist ip,553 display blacklist ipv6,555 binding-retry,233 blacklist global enable,528 display blacklist user,556 blacklist ip,529 display crypto version,508 display domain,26 blacklist ipv6,530 blacklist logging enable,531 display dot1x,160 blacklist user,532 display dot1x connection,164 bye,456 display dot1x mac-address,167 display dot1x supplicant,689 display fips status,663 identifier,385...
  • Page 733 display public-key peer,368 dot1x handshake reply enable,186 display radius scheme,79 dot1x handshake secure,186 display radius statistics,82 dot1x mac-binding,187 display radius-server active-client,155 dot1x mac-binding enable,188 display radius-server active-user,156 dot1x mandatory-domain,189 display sftp client source,460 dot1x max-user,190 display ssh client server-public-key,460 dot1x multicast-trigger,190 display ssh client source,462...
  • Page 734 http-flood port,568 key-string,361 http-flood threshold,569 hwtacacs nas-ip,122 ldap attribute-map,147 hwtacacs scheme,123 ldap scheme,148 ldap server,149 icmp-flood action,570 ldap-server,405 icmp-flood detect ip,570 local-guest email format,49 icmp-flood detect non-specific,571 local-guest email sender,50 icmp-flood threshold,572 local-guest email smtp-server,51 icmpv6-flood action,573 local-guest generate,51 icmpv6-flood detect ipv6,574 local-guest send-email,53...
  • Page 735 macsec replay-protection window-size,679 storage,428 macsec validation mode,680 validate-certificate,429 map,151 pki-domain (SSL client policy view),510 mka apply policy,681 pki-domain (SSL server policy view),511 enable,682 port,86 policy,682 port (MAC binding server view),263 priority,683 port (portal authentication server view),263 psk,684 portal { bas-ip | bas-ipv6 } (interface view),264 portal { ipv4-max-user | ipv6-max-user } (interface mkdir,465...
  • Page 736 port-security mac-address aging-type inactivity,320 replay-protection window-size,686 reset arp detection statistics,634 port-security mac-address dynamic,321 port-security mac-address security,322 reset attack-defense policy flood,576 port-security mac-limit,324 reset attack-defense statistics local,577 reset blacklist ip,577 port-security mac-move permit,325 port-security max-mac-count,325 reset blacklist ipv6,578 port-security nas-id-profile,327 reset blacklist statistics,579 port-security ntk-mode,327...
  • Page 737 secondary accounting (RADIUS scheme view),102 ssh server rekey-interval,453 user,454 secondary authentication (HWTACACS scheme view),134 ssh2,489 secondary authentication (RADIUS scheme ssh2 algorithm cipher,500 view),104 ssh2 algorithm key-exchange,501 secondary authorization,135 ssh2 algorithm mac,502 send-lifetime utc,361 ssh2 algorithm public-key,503 server-detect (portal authentication server view),298 ssh2 ipv6,492...
  • Page 738 udp-flood detect non-specific,598 version,518 udp-flood threshold,598 version,305 url,702 vpn-instance,306 url,302 vpn-instance (HWTACACS scheme view),141 url-parameter,703 vpn-instance (RADIUS scheme view),115 url-parameter,303 usage,438 web-auth auth-fail vlan,704 user-address-type,36 web-auth domain,705 user-group,64 web-auth enable,705 user-name-format (HWTACACS scheme view),140 web-auth free-ip,706 user-name-format (RADIUS scheme view),114 web-auth max-user,707 user-parameters,154...
