background image

72 

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines: 

 

The source and destination RADIUS attributes in a rule must use the same data type. 

 

The source and destination RADIUS attributes in a rule cannot use the same name. 

 

A source RADIUS attribute can be converted only by one criterion, packet type or direction. 

 

One source RADIUS attribute cannot be converted to multiple destination attributes. 

If you do not specify a source RADIUS attribute, the 

undo

 

attribute

 

convert 

command deletes all 

RADIUS attribute conversion rules. 

Examples 

# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the 
Ab-Server-String attribute in the received DAE packets with the Cd-User-Roles attribute. 

<Sysname> system-view 

[Sysname] radius dynamic-author server 

[Sysname-radius-da-server] attribute convert Ab-Server-String to Cd-User-Roles received 

Related commands 

attribute translate 

attribute convert (RADIUS scheme view) 

Use 

attribute convert

 to configure a RADIUS attribute conversion rule. 

Use 

undo attribute convert

 to delete RADIUS attribute conversion rules. 

Syntax 

attribute  convert

 

src-attr-name

 

to

 

dest-attr-name

  { { 

access-accept

  | 

access-request

  | 

accounting

 } * | { 

received

 | 

sent

 } * } 

undo attribute convert

 [ 

src-attr-name

 ] 

Default 

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to 
the principles of the standard RADIUS protocol. 

Views 

RADIUS scheme view 

Predefined user roles 

network-admin 

mdc-admin 

Parameters 

src-attr-name

: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 

characters. The attribute must be supported by the system. 

dest-attr-name

: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 

to 63 characters. The attribute must be supported by the system.

 

access-accept

: Specifies the RADIUS Access-Accept packets. 

access-request

: Specifies the RADIUS Access-Request packets.

 

accounting

: Specifies the RADIUS accounting packets. 

received

: Specifies the received RADIUS packets.

 

sent

: Specifies the sent RADIUS packets. 

Summary of Contents for FlexNetwork 7500 Series

Page 1: ...HPE FlexNetwork 7500 Switch Series Security Command Reference Part number 5200 1951a Software version 7500 CMW710 R7557P01 Document version 6W101 20171020 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ...rization attribute ISP domain view 25 display domain 26 domain 30 domain default enable 31 domain if unknown 32 nas id bind vlan 33 service type ISP domain view 33 session time include idle time 34 state ISP domain view 35 user address type 36 Local user commands 37 access limit 37 authorization attribute local user view user group view 38 bind attribute 40 company 41 description 42 display local ...

Page 4: ...dius attribute extended 90 radius dscp 92 radius dynamic author server 92 radius nas ip 93 radius scheme 94 radius session control client 95 radius session control enable 96 radius server test profile 97 reset radius statistics 98 reset stop accounting buffer for RADIUS 98 retry 99 retry realtime accounting 100 retry stop accounting RADIUS scheme view 101 secondary accounting RADIUS scheme view 10...

Page 5: ...43 display ldap scheme 144 ip 145 ipv6 146 ldap attribute map 147 ldap scheme 148 ldap server 149 login dn 149 login password 150 map 151 protocol version 152 search base dn 152 search scope 153 server timeout 154 user parameters 154 RADIUS server commands 155 display radius server active client 155 display radius server active user 156 radius server activate 157 radius server client 158 802 1X co...

Page 6: ... critical vlan 212 mac authentication critical vsi 213 mac authentication critical voice vlan 214 mac authentication domain 215 mac authentication guest vlan 216 mac authentication guest vlan auth period 217 mac authentication guest vsi 218 mac authentication guest vsi auth period 219 mac authentication host mode 219 mac authentication max user 220 mac authentication offline detect enable 221 mac ...

Page 7: ...ee rule 273 portal free rule destination 275 portal free rule source 276 portal ipv6 free all except destination 277 portal ipv6 layer3 source 278 portal ipv6 user detect 279 portal layer3 source 280 portal local web server 281 portal log enable 282 portal mac trigger server 283 portal max user 284 portal nas id profile 284 portal nas port id format 285 portal outbound filter enable 288 portal pre...

Page 8: ...trol commands 336 display password control 336 display password control blacklist 337 password control aging composition history length enable 338 password control aging 339 password control alert before expire 341 password control complexity 341 password control composition 342 password control enable 344 password control expired user login 345 password control history 345 password control length...

Page 9: ... pki certificate request status 400 display pki crl domain 402 fqdn 403 ip 404 ldap server 405 locality 406 organization 406 organization unit 407 pki abort certificate request 407 pki certificate access control policy 408 pki certificate attribute group 409 pki delete certificate 410 pki domain 411 pki entity 412 pki export 413 pki import 420 pki request certificate 424 pki retrieve certificate 4...

Page 10: ... 460 display ssh client source 462 exit 462 get 463 help 463 ls 464 mkdir 465 put 465 pwd 466 quit 466 remove 467 rename 467 rmdir 468 scp 468 scp ipv6 471 scp ipv6 suite b 474 scp suite b 476 sftp 478 sftp client ipv6 source 480 sftp client source 481 sftp ipv6 482 sftp ipv6 suite b 485 sftp suite b 486 ssh client ipv6 source 488 ssh client source 489 ssh2 489 ssh2 ipv6 492 ssh2 ipv6 suite b 495 ...

Page 11: ...ser 532 display attack defense flood statistics ip 533 display attack defense flood statistics ipv6 534 display attack defense policy 536 display attack defense policy ip 540 display attack defense policy ipv6 542 display attack defense scan attacker ip 544 display attack defense scan attacker ipv6 545 display attack defense scan victim ip 547 display attack defense scan victim ipv6 548 display at...

Page 12: ...ood threshold 598 TCP attack prevention commands 600 tcp anti naptha enable 600 tcp check state interval 600 tcp state 601 IP source guard commands 603 display ip source binding 603 display ip verify source excluded 604 display ipv6 source binding 606 display ipv6 source binding pd 607 ip source binding interface view 609 ip source binding system view 610 ip verify source 611 ip verify source excl...

Page 13: ... 637 arp filter source 637 ARP filtering commands 637 arp filter binding 637 ARP packet sender IP address checking commands 638 arp sender ip range 638 ND attack defense commands 640 Source MAC consistency check commands 640 ipv6 nd check log enable 640 ipv6 nd mac check enable 640 ND attack detection commands 641 display ipv6 nd detection statistics 641 ipv6 nd detection enable 642 ipv6 nd detect...

Page 14: ...ize 679 macsec validation mode 680 mka apply policy 681 mka enable 682 mka policy 682 mka priority 683 mka psk 684 replay protection enable 685 replay protection window size 686 reset mka session 687 reset mka statistics 687 validation mode 688 802 1X client commands 689 display dot1x supplicant 689 dot1x supplicant anonymous identify 690 dot1x supplicant eap method 691 dot1x supplicant enable 692...

Page 15: ...9 Document conventions and icons 711 Conventions 711 Network topology icons 712 Support and other resources 713 Accessing Hewlett Packard Enterprise Support 713 Accessing updates 713 Websites 714 Customer self repair 714 Remote support 714 Documentation feedback 714 Index 716 ...

Page 16: ... ID profiles exist The device uses the device name set by using the sysname command as the NAS ID Views System view Predefined user roles network admin mdc admin Parameters profile name Specifies the NAS ID profile name a case insensitive string of 1 to 31 characters Usage guidelines Configure a NAS ID profile to maintain NAS ID and VLAN bindings on the device During RADIUS authentication the devi...

Page 17: ...er type Views System view Predefined user roles network admin mdc admin Parameters ftp FTP users http HTTP users https HTTPS users ssh SSH users telnet Telnet users max sessions Specifies the maximum number of concurrent login users The value range is 1 to 32 for FTP SSH and Telnet services and is 1 to 64 for HTTP and HTTPS services Usage guidelines After the maximum number of concurrent login use...

Page 18: ...he command line authorization feature is enabled the accounting server records only authorized commands that have been successfully executed Command line accounting can use only a remote HWTACACS server Examples In ISP domain test perform command line accounting based on HWTACACS scheme hwtac Sysname system view Sysname domain test Sysname isp test accounting command hwtacacs scheme hwtac Related ...

Page 19: ...r connections It does not provide the statistics function that the accounting feature generally provides You can specify one primary default accounting method and multiple backup default accounting methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the accounting default radius scheme radius scheme name local none command specifies the ...

Page 20: ...he accounting of dual stack users Sysname system view Sysname domain test Sysname isp test accounting dual stack separate accounting lan access Use accounting lan access to specify accounting methods for LAN users Use undo accounting lan access to restore the default Syntax In non FIPS mode accounting lan access broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 local no...

Page 21: ...s not perform accounting when both of the previous methods are invalid The following guidelines apply to broadcast accounting The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time If the primary server is unavailable in a scheme the device sends accounting requests to the secondary servers of the scheme in the order the se...

Page 22: ... admin mdc admin Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name a case insensitive string of 1 to 32 characters local Performs local accounting none Does not perform accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines Accounting is not supported for FTP SFTP and ...

Page 23: ...eme radius scheme name1 radius scheme radius scheme name2 local none local none none radius scheme radius scheme name local none undo accounting portal In FIPS mode accounting portal broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 local local radius scheme radius scheme name local undo accounting portal Default The default accounting methods of the ISP domain are used...

Page 24: ...sends accounting requests to the secondary servers of the scheme in the order the servers are configured The accounting result is determined by the primary broadcast RADIUS scheme The accounting result from the backup scheme is used as reference only If the primary scheme does not return any result the device considers the accounting as a failure Examples In ISP domain test perform local accountin...

Page 25: ...isp test accounting quota out online accounting start fail Use accounting start fail to configure access control for users that encounter accounting start failures Use undo accounting start fail to restore the default Syntax accounting start fail offline online undo accounting start fail Default The device allows users that encounter accounting start failures to stay online Views ISP domain view P...

Page 26: ... times argument is 1 to 255 and the default value is 1 offline Logs off users that have failed all their accounting update attempts online Allows users that have failed all their accounting update attempts to stay online Examples In ISP domain test configure the device to allow users that have failed all their accounting update attempts to stay online Sysname system view Sysname domain test Sysnam...

Page 27: ...authentication method is used for all users that support this method and do not have an authentication method configured You can specify one primary default authentication method and multiple backup default authentication methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the authentication default radius scheme radius scheme name local...

Page 28: ... radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one primary authentication method and multiple backup authentication methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the authentication lan access radius scheme radius scheme name lo...

Page 29: ...uthentication login hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name local ldap scheme ldap scheme name local local radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local undo authentication login Default The default authentication methods of the ISP domain are used for login users Views ISP domain view Predefined user roles network admin mdc admin Paramet...

Page 30: ...me system view Sysname domain test Sysname isp test authentication login local In ISP domain test perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication login radius scheme rd local Related commands authentication default hwtacacs scheme ldap scheme local user radius scheme ...

Page 31: ...s methods are invalid Examples In ISP domain test perform local authentication for ONU users Sysname system view Sysname domain test Sysname isp test authentication onu local In ISP domain test perform RADIUS authentication for ONU users based on scheme rd and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication onu radius scheme rd local R...

Page 32: ...ication and no authentication The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid The device does not perform authentication when both of the previous methods are invalid Examples In ISP domain test perform local authentication for portal users Sysname system view Sysname domain test Sysname isp test authentication portal local I...

Page 33: ... see RBAC configuration in Fundamentals Configuration Guide You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid Examples In ISP domain test perform user role authentication based on HWTACACS scheme tac Sysname system view Sysname super authentication mode scheme Sysname domain test Sysname isp test authent...

Page 34: ...s have access to the entered commands but it does not control whether the user roles have obtained authorization to these commands If a command is permitted by the access permission but denied by command authorization this command cannot be executed You can specify one primary command authorization method and multiple backup command authorization methods When the default authorization method is in...

Page 35: ...cs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name a case insensitive string of 1 to 32 characters local Performs local authorization none Does not perform authorization The following default authorization information applies after users pass authentication Non login users can access the network Login users obtain the level 0 user role Login users include the Telnet FTP SFTP S...

Page 36: ...ples In ISP domain test use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization default radius scheme rd local Related commands hwtacacs scheme local user radius scheme authorization lan access Use authorization lan access to specify authorization methods for LAN users Use undo...

Page 37: ...erform local authorization for LAN users Sysname system view Sysname domain test Sysname isp test authorization lan access local In ISP domain test perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization lan access radius scheme rd local Related commands authorization default loca...

Page 38: ... only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme You can specify one primary authorization method and multiple backup authorization methods When the default authorization method is invalid the device attempts to use the backup authorization methods in sequence For example the authorization login radius scheme radius scheme name local none c...

Page 39: ...kes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme You can specify one primary authorization method and multiple backup authorization methods When the default authorization method is invalid the device attempts to use the backup authorization methods in sequence For example the authorization portal radius scheme radius scheme name l...

Page 40: ...oups No other authorization attributes exist Views ISP domain view Predefined user roles network admin mdc admin Parameters acl acl number Specifies an ACL to filter traffic for users The value range for the acl number argument is 2000 to 5999 Typically the attribute applies to authenticated users If you configure the attribute in a portal preauthentication domain the ACL applies before portal aut...

Page 41: ...ent is 1 to 64 This option is applicable only to portal users url url string Specifies a redirect URL for users Users are redirected to the URL the first time they access the network after they pass authentication The url string argument is a case sensitive string of 1 to 255 characters This option is applicable only to LAN users user group user group name Specifies a user group for users The user...

Page 42: ... accounting scheme Local Accounting start failure action Online Accounting update failure action Online Accounting quota out policy Offline Service type HSI Session time Exclude idle time Dual stack accounting method Merge Authorization attributes Idle cut Disabled IGMP access number 4 MLD access number 4 Domain dm State Active Login authentication scheme RADIUS rad Login authorization scheme HWTA...

Page 43: ...ing scheme Default accounting methods Login authentication scheme Authentication methods for login users Login authorization scheme Authorization methods for login users Login accounting scheme Accounting methods for login users Super authentication scheme Authentication methods for obtaining another user role without reconnecting to the device Command authorization scheme Command line authorizati...

Page 44: ...cluding HSI STB and VoIP Session time Online duration sent to the server for users that went offline due to connection failure or malfunction Include idle time The online duration includes the idle timeout period Exclude idle time The online duration does not include the idle timeout period Dual stack accounting method Accounting method for dual stack users Merge Merges IPv4 data with IPv6 data fo...

Page 45: ... of MLD groups that an IPv6 user is authorized to join concurrently domain Use domain to create an ISP domain and enter its view or enter the view of an existing ISP domain Use undo domain to delete an ISP domain Syntax domain isp name undo domain isp name Default A system defined ISP domain exists The domain name is system Views System view Predefined user roles network admin mdc admin Parameters...

Page 46: ... Use domain default enable to specify the default ISP domain Users without any domain name included in the usernames are considered in the default domain Use undo domain default enable to restore the default Syntax domain default enable isp name undo domain default enable Default The default ISP domain is the system defined ISP domain system Views System view Predefined user roles network admin md...

Page 47: ...me must meet the following requirements The name cannot contain a forward slash backslash vertical bar quotation marks colon asterisk question mark left angle bracket right angle bracket or at sign The name cannot be d de def defa defau defaul default i if if if u if un if unk if unkn if unkno if unknow or if unknown Usage guidelines The device chooses an authentication domain for each user in the...

Page 48: ...fier Specifies a NAS ID a case sensitive string of 1 to 31 characters vlan id Specifies a VLAN ID in the range of 1 to 4094 Usage guidelines You can configure multiple NAS ID and VLAN bindings in a NAS ID profile A NAS ID can be bound with more than one VLAN but a VLAN can be bound with only one NAS ID If you configure multiple bindings for the same VLAN the most recent configuration takes effect ...

Page 49: ...ature of the access module is enabled to improve the performance of the multicast module When the VoIP service is specified the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users For 802 1X users the system uses the HSI service forcibly even if the STB or VoIP service is specified You can configure only one service type for an ISP domain Examples...

Page 50: ... same as the actual online duration If the session time include idle time command is used the device adds the idle timeout period The online duration sent to the server is longer than the actual online duration of the user If the undo session time include idle time command is used the device excludes the idle timeout period from the actual online duration The online duration sent to the server is ...

Page 51: ...er address type to specify the user address type in the ISP domain Use undo user address type to restore the default Syntax user address type ds lite ipv6 nat64 private ds private ipv4 public ds public ipv4 undo user address type Default No user address type is specified for the ISP domain Views ISP domain view Predefined user roles network admin mdc admin Parameters ds lite Specifies the DS Lite ...

Page 52: ...efined user roles network admin mdc admin Parameters max user number Specifies the maximum number of concurrent logins in the range of 1 to 1024 Usage guidelines This command takes effect only when local accounting is configured for the local user The command does not apply to FTP SFTP or SCP users These users do not support accounting For this command to take effect on network access users you al...

Page 53: ...is 2000 to 5999 After passing authentication a local user can access the network resources specified by this ACL For portal users only basic ACLs ACL 2000 to ACL 2999 and advanced ACLs ACL 3000 to ACL 3999 take effect idle cut minutes Specifies an idle timeout period in minutes The value range for the minutes argument is 1 to 120 An online user is logged out if its idle period exceeds the specifie...

Page 54: ...rmation for the working directory To make sure the user have only the user roles authorized by using this command use the undo authorization attribute user role command to remove the default user role The security audit user role has access to the commands for managing security log files and security log file system To display all the accessible commands of the security audit user role use the dis...

Page 55: ...hrough the bound interface This option applies only to LAN and portal users mac mac address Specifies the MAC address of the user in the format H H H This option applies only to LAN and portal users vlan vlan id Specifies the VLAN to which the user belongs The vlan id argument is in the range of 1 to 4094 This option applies only to LAN and portal users Usage guidelines To perform local authentica...

Page 56: ...ured Examples Bind IP address 3 3 3 3 with network access user abc Sysname system view Sysname local user abc class network Sysname luser network abc bind attribute ip 3 3 3 3 Related commands display local user company Use company to specify the company of a local guest Use undo company to restore the default Syntax company company name undo company Default No company is specified for a local gue...

Page 57: ... Sysname system view Sysname local user 123 class network Sysname luser network 123 description Manager of MSC company Related commands display local user display local user Use display local user to display the local user configuration and online user statistics Syntax display local user class manage network guest idle cut disable enable service type ftp http https lan access onu portal ssh telne...

Page 58: ...se sensitive string of 1 to 55 characters The name must meet the following requirements Cannot contain the domain name Cannot contain any of the following characters forward slash backslash vertical bar colon asterisk question mark left angle bracket right angle bracket and at sign Cannot be a al or all vlan vlan id Specifies all local users in a VLAN The vlan id argument is in the range of 1 to 4...

Page 59: ...rtment security Sponsor email Sam aa com Description A guest from company cc Validity period Start date and time 2016 04 01 08 00 00 Expiration date and time 2017 04 03 18 00 00 Total 3 local users matched Table 2 Command output Field Description State Status of the local user active or blocked Service type Service types that the local user can use Access limit Whether the concurrent login limit i...

Page 60: ...assword must contain Minimum number of characters from each type in a password Password complexity Password complexity checking policy Reject a password that contains the username or the reverse of the username Reject a password that contains any character repeated consecutively three or more times Maximum login attempts Maximum number of consecutive failed login attempts Action for exceeding logi...

Page 61: ... user group all Total 2 user groups matched User group system Authorization attributes Work directory flash User group jj Authorization attributes Idle timeout 2 minutes Work directory flash ACL number 2000 VLAN ID 2 Password control configurations Password aging 2 days Table 3 Command output Field Description User group User group name Authorization attributes Authorization attributes of the user...

Page 62: ...consecutively three or more times Maximum login attempts Maximum number of consecutive failed login attempts Action for exceeding login attempts Action to take on the user that failed to log in after using up all login attempts email Use email to configure an email address for a local guest Use undo email to restore the default Syntax email email string undo email Default No email address is confi...

Page 63: ...dmin Parameters name string Specifies the local guest name a case sensitive string of 1 to 255 characters Examples Configure the name as abc Snow for local guest abc Sysname system view Sysname local user abc class network guest Sysname luser network guest abc full name abc Snow Related commands display local user group Use group to assign a local user to a user group Use undo group to restore the...

Page 64: ...y is configured for the email notifications of local guest information Views System view Predefined user roles network admin mdc admin Parameters to Specifies the email recipient guest Specifies the local guest sponsor Specifies the guest sponsor body body string Configures the body content The body string argument is a case sensitive string of 1 to 255 characters subject sub string Configures the...

Page 65: ...t Syntax local guest email sender email address undo local guest email sender Default No email sender address is configured for the email notifications of local guests sent by the device Views System view Predefined user roles network admin mdc admin Parameters email address Specifies the email sender address a case sensitive string of 1 to 255 characters Usage guidelines If you do not specify the...

Page 66: ...ard SMTP protocol and start with smtp Usage guidelines If you execute this command multiple times the most recent configuration takes effect Examples Specify the SMTP server at smtp www test com smtp to send local guest email notifications Sysname system view Sysname local guest email smtp server smtp www test com smtp Related commands local guest email format local guest email sender local guest ...

Page 67: ...mm and ss arguments are optional For example enter 1 to indicate 1 00 00 A value of 0 indicates 00 00 00 to Specifies the end date and time of the validity period expiration date Specifies the expiration date in the format of MM DD YYYY or YYYY MM DD The value range for the MM argument is 1 to 12 The value range for the DD argument varies with the specified month The value range for the YYYY argum...

Page 68: ...a al or all to Specifies the email recipient guest Specifies the local guest sponsor Specifies the guest sponsor Usage guidelines Device managers can use this command to inform local guests or guest sponsors of the guest password and validity period information Examples Send an email to notify local guest abc of the guest password and validity period information Sysname local guest send email user...

Page 69: ...k access user that accesses network resources through the device Network access users can use LAN access portal and ONU services guest Guest that can access network resources through the device during a specific validity period Guests can use LAN and portal services all Specifies all users service type Specifies the local users that use a specific type of service ftp FTP users http HTTP users http...

Page 70: ...lt The local user auto delete feature is disabled Views System view Predefined user roles network admin mdc admin Usage guidelines This feature enables the device to examine the validity of local users at fixed time periods of 10 minutes and automatically delete expired local users Examples Enable the local user auto delete feature Sysname system view Sysname local user auto delete enable Related ...

Page 71: ... With FTP user name and password ftp username password serve r path filename Without FTP user name and password ftp server path filename Specify an FTP server by IP address or hostname The device ignores the domain name in the FTP user name For example specify the file path as ftp 1 1 1 1 1 1 user user csv or ftp 1 1 1 1 user user csv Examples Export local guest account information to the guest cs...

Page 72: ...e enter 1 to indicate 1 00 00 A value of 0 indicates 00 00 00 auto create group Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device If you do not specify this keyword the device adds all imported local guests to the system defined user group named system override Enables the device to override the...

Page 73: ...as tftp 1 1 1 1 user user csv FTP With FTP user name and password ftp username password serve r path filename Without FTP user name and password ftp server path filename Specify an FTP server by IP address or hostname The device ignores the domain name in the FTP user name For example specify the file path as ftp 1 1 1 1 1 1 user user csv or ftp 1 1 1 1 user user csv Examples Import guest account ...

Page 74: ...s you enter the interactive mode to set a plaintext password In non FIPS mode a device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks To enhance security configure a password for each device management user In FIPS mode a password is required for a device management user to pass authentication You must set...

Page 75: ...tive string of 1 to 63 characters Its encrypted form is a case sensitive string of 1 to 117 characters Usage guidelines As a best practice to enhance security configure a password for each network access user Examples Set the password to 123456TESTuser in plaintext form for network access user user1 Sysname system view Sysname local user user1 class network Sysname luser network user1 password sim...

Page 76: ...rvice type lan access https onu ssh terminal portal undo service type lan access https onu ssh terminal portal Default A local user is not authorized to use any service Views Local user view Predefined user roles network admin mdc admin Parameters ftp Authorizes the user to use the FTP service The authorized directory can be modified by using the authorization attribute work directory command http...

Page 77: ...partment string undo sponsor department Default No department is specified for the guest sponsor of a local guest Views Local guest view Predefined user roles network admin mdc admin Parameters department string Specifies the department name a case sensitive string of 1 to 127 characters Examples Specify the department as test for the guest sponsor of local guest abc Sysname system view Sysname lo...

Page 78: ...ommands display local user sponsor full name Use sponsor full name to specify the guest sponsor name for a local guest Use undo sponsor full name to restore the default Syntax sponsor full name name string undo sponsor full name Default No guest sponsor name is specified for a local guest Views Local guest view Predefined user roles network admin mdc admin Parameters name string Specifies the gues...

Page 79: ...state to prevent the local user from requesting network services Examples Place device management user user1 in blocked state Sysname system view Sysname local user user1 class manage Sysname luser manage user1 state block Related commands display local user user group Use user group to create a user group and enter its view or enter the view of an existing user group Use undo user group to delete...

Page 80: ...t date start time to expiration date expiration time from start date start time to expiration date expiration time undo validity datetime Default The validity period for a local user does not expire Views Network access user view Predefined user roles network admin mdc admin Parameters from Specifies the validity start date and time for the user If you do not specify this option the command define...

Page 81: ...re specified the expiration date and time must be later than the validity start date and time When only the from option is specified the user is valid since the specified date and time When only the to option is specified the user is valid until the specified date and time When the RADIUS server feature is enabled on the device the RADIUS user data for authentication is automatically generated fro...

Page 82: ...rs interval interval Specifies the time interval for retransmitting an accounting on packet in seconds The value range for the interval argument is 1 to 15 and the default setting is 3 send send times Specifies the maximum number of accounting on packet transmission attempts The value range for the send times argument is 1 to 255 and the default setting is 50 Usage guidelines The accounting on fea...

Page 83: ... extended accounting on feature is applicable to LAN users The user data is saved to the cards through which the users access the device When the extended accounting on feature is enabled the device automatically sends an accounting on packet to the RADIUS server after a card reboot device not reboot The packet contains the card identifier Upon receiving the accounting on packet the RADIUS server ...

Page 84: ...atches Login Service attribute values 50 51 and 52 for SSH FTP and terminal services respectively Usage guidelines Use the loose check method only when the server does not issue Login Service attribute values 50 51 and 52 for SSH FTP and terminal users Examples Configure the Login Service attribute check method as loose for SSH FTP and terminal users in RADIUS scheme radius1 Sysname system view Sy...

Page 85: ...c format to configure the MAC address format for RADIUS attribute 31 Use undo attribute 31 mac format to restore the default Syntax attribute 31 mac format section six three separator separator character lowercase uppercase undo attribute 31 mac format Default A MAC address is in the format of HH HH HH HH HH HH The MAC address is separated by hyphens into six sections with letters in upper case Vi...

Page 86: ...efault No RADIUS attribute conversion rules exist The system processes RADIUS attributes according to the principles of the standard RADIUS protocol Views RADIUS DAS view Predefined user roles network admin mdc admin Parameters src attr name Specifies the source RADIUS attribute by its name a case insensitive string of 1 to 63 characters The attribute must be supported by the system dest attr name...

Page 87: ...ute convert RADIUS scheme view Use attribute convert to configure a RADIUS attribute conversion rule Use undo attribute convert to delete RADIUS attribute conversion rules Syntax attribute convert src attr name to dest attr name access accept access request accounting received sent undo attribute convert src attr name Default No RADIUS attribute conversion rules exist The system processes RADIUS a...

Page 88: ...adius1 configure a RADIUS attribute conversion rule to replace the Hw Server String attribute of received RADIUS packets with the Ab User Roles attribute Sysname system view Sysname radius scheme radius1 Sysname radius radius1 attribute convert Hw Server String to Ab User Roles received Related commands attribute translate attribute reject RADIUS DAS view Use attribute reject to configure a RADIUS...

Page 89: ...iew Sysname radius dynamic author server Sysname radius da server attribute reject Connect Info sent Related commands attribute translate attribute reject RADIUS scheme view Use attribute reject to configure a RADIUS attribute rejection rule Use undo attribute reject to delete RADIUS attribute rejection rules Syntax attribute reject attr name access accept access request accounting received sent u...

Page 90: ...tribute from the RADIUS packets to be sent Sysname system view Sysname radius scheme radius1 Sysname radius radius1 attribute reject Connect Info sent Related commands attribute translate attribute remanent volume Use attribute remanent volume to set the data measurement unit for the Remanent_Volume attribute Use undo attribute remanent volume to restore the default Syntax attribute remanent volum...

Page 91: ...s RADIUS DAS view RADIUS scheme view Predefined user roles network admin mdc admin Usage guidelines To cooperate with RADIUS servers of different vendors enable the RADIUS attribute translation feature Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides Examples Enabl...

Page 92: ... is a string of 1 to 64 characters In FIPS mode the encrypted form of the key is a string of 15 to 117 characters The plaintext form of the key is a string of 15 to 64 characters The plaintext string must contain characters from digits uppercase letters lowercase letters and special characters vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the RADIUS DAC belongs The vpn i...

Page 93: ...cifies the unit as kilobyte mega byte Specifies the unit as megabyte packet Specifies the unit for data packets giga packet Specifies the unit as giga packet kilo packet Specifies the unit as kilo packet mega packet Specifies the unit as mega packet one packet Specifies the unit as one packet Usage guidelines The data flow and packet measurement units for traffic statistics must be the same as con...

Page 94: ...s the configuration of all RADIUS schemes Examples Display the configuration of all RADIUS schemes Sysname display radius scheme Total 1 RADIUS schemes RADIUS scheme name radius1 Index 0 Primary authentication server Host name Not configured IP 2 2 2 2 Port 1812 VPN vpn1 State Active Test profile 132 Probe username test Probe interval 60 minutes Weight 40 Primary accounting server Host name Not co...

Page 95: ...ute Remanent Volume unit Mega server load sharing Enabled Attribute 31 MAC format hh hh hh hh hh hh Table 6 Command output Field Description Index Index number of the RADIUS scheme Primary authentication server Information about the primary authentication server Primary accounting server Information about the primary accounting server Second authentication server Information about the secondary au...

Page 96: ... response timeout period in seconds Retransmission times Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server Retransmission Times for Accounting Update Maximum number of accounting attempts Server Quiet Period minutes Quiet period for the servers in minutes Realtime Accounting Interval seconds Interval for sending real time accounting updates in seconds Stop accou...

Page 97: ...device distributes traffic among multiple servers for load sharing Attribute 31 MAC format MAC address format for RADIUS attribute 31 display radius statistics Use display radius statistics to display RADIUS packet statistics Syntax display radius statistics Views Any view Predefined user roles network admin network operator mdc admin mdc operator Examples Display RADIUS packet statistics Sysname ...

Page 98: ...s for which responses were received Packet Without Response Number of packets for which no responses were received Access Rejects Number of Access Reject packets Dropped Packet Number of discarded packets Check Failures Number of packets with checksum errors Related commands reset radius statistics display stop accounting buffer for RADIUS Use display stop accounting buffer to display information ...

Page 99: ...ion ID Username First sending time Attempts rad1 1000326232325010 abc 23 27 16 08 31 2015 19 aaa 1000326232326010 abc 23 33 01 08 31 2015 20 Table 8 Command output Field Description First sending time Time when the stop accounting request was first sent Attempts Number of attempts that were made to send the stop accounting request Related commands reset stop accounting buffer for RADIUS retry retr...

Page 100: ...command apply to all servers in the scheme Make sure the settings match the shared keys configured on the RADIUS servers The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command Examples In RADIUS scheme radius1 set the shared key to ok in plaintext form for secure accounting communication Sysname system view Sysname radius scheme radius...

Page 101: ...ce IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors If you use both the nas ip command and radius nas ip command the following guidelines apply The setting configured by using the nas ip command in RADIUS scheme view applies only to the RADIUS scheme The setting configured by using the radius nas ip command in system view applies to all RADIUS schem...

Page 102: ...accounting to restore the default Syntax primary accounting host name ipv4 address ipv6 ipv6 address port number key cipher simple string vpn instance vpn instance name weight weight value undo primary accounting Default The primary RADIUS accounting server is not specified Views RADIUS scheme view Predefined user roles network admin mdc admin Parameters host name Specifies the host name of the pr...

Page 103: ...S accounting server are the same as those configured on the server Two accounting servers specified for a scheme primary or secondary cannot have identical VPN instance host name IP address and port number settings The shared key configured by using this command takes precedence over the shared key configured with the key accounting command If the specified server resides on an MPLS L3VPN specify ...

Page 104: ...value range for the UDP port number is 1 to 65535 The default setting is 1812 key Specifies the shared key for secure communication with the primary RADIUS authentication server cipher Specifies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is cas...

Page 105: ...e primary authentication command to modify or delete the primary authentication server during an authentication process communication with the primary server times out When the RADIUS server load sharing feature is disabled the device tries to communicate with an active server that has the highest priority for authentication When the RADIUS server load sharing feature is enabled the device perform...

Page 106: ...ddress type ipv6 IPv6 address type ipv6 prefix IPv6 address prefix type octets Octet type string String type Usage guidelines To support the proprietary RADIUS attributes of other vendors perform the following tasks 1 Use this command to define the attributes as extended RADIUS attributes 2 Use the attribute convert command to map the extended RADIUS attributes to attributes supported by the syste...

Page 107: ...dmin Parameters ipv6 Specifies the IPv6 RADIUS packets If you do not specify this keyword the command sets the DSCP priority for the IPv4 RADIUS packets dscp value Specifies the DSCP priority of RADIUS packets in the range of 0 to 63 A larger value represents a higher priority Usage guidelines Use this command to set the DSCP priority in the ToS field of RADIUS packets for changing their transmiss...

Page 108: ...cate online users Examples Enable the RADIUS DAS feature and enter RADIUS DAS view Sysname system view Sysname radius dynamic author server Sysname radius da server Related commands client port radius nas ip Use radius nas ip to specify a source IP address for outgoing RADIUS packets Use undo radius nas ip to delete a source IP address for outgoing RADIUS packets Syntax radius nas ip ipv4 address ...

Page 109: ...AS the server drops the packet As a best practice specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors If you use both the nas ip command and radius nas ip command the following guidelines apply The setting configured by using the nas ip command in RADIUS scheme view applies only to the RADIUS scheme Th...

Page 110: ...ated commands display radius scheme radius session control client Use radius session control client to specify a RADIUS session control client Use undo radius session control client to remove the specified RADIUS session control clients Syntax radius session control client ip ipv4 address ipv6 ipv6 address key cipher simple string vpn instance vpn instance name undo radius session control client a...

Page 111: ...the RADIUS server as a session control client to the device The device matches a session control packet to a session control client based on the IP address and VPN instance and then uses the shared key of the matched client to validate the packet The device searches the session control client settings prior to searching all RADIUS scheme settings for finding a server with matching settings This pr...

Page 112: ... admin mdc admin Parameters profile name Specifies the name of the test profile which is a case sensitive string of 1 to 31 characters username name Specifies the username in the detection packets The name argument is a case sensitive string of 1 to 253 characters password Specifies the user password in the detection packets If you do not specify a user password the device randomly generates a use...

Page 113: ...t profile abc username admin password simple abc123 interval 10 Related commands primary authentication RADIUS scheme view secondary authentication RADIUS scheme view reset radius statistics Use reset radius statistics to clear RADIUS statistics Syntax reset radius statistics Views User view Predefined user roles network admin mdc admin Examples Clear RADIUS statistics Sysname reset radius statist...

Page 114: ...nonresponded RADIUS stop accounting requests buffered for user user0001 test Sysname reset stop accounting buffer user name user0001 test Clear nonresponded RADIUS stop accounting requests buffered from 0 0 0 to 23 59 59 on August 31 2015 Sysname reset stop accounting buffer time range 0 0 0 08 31 2015 23 59 59 08 31 2015 Related commands display stop accounting buffer for RADIUS stop accounting b...

Page 115: ...ecks the total amount of time it has taken to transmit the RADIUS packet If the amount of time has reached 300 seconds the device stops sending the RADIUS request to the next RADIUS server As a best practice consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period Examples In RADIUS scheme radius1 set ...

Page 116: ...counting attempts is 5 set by using the retry realtime accounting command In the above case the device generates an accounting request every 12 minutes and retransmits the request if it sends the request but receives no response within 3 seconds If the device receives no response after transmitting the request three times it considers the accounting attempt a failure and makes another accounting a...

Page 117: ...l five transmission attempts in this round are used the device buffers the request and starts another round of retransmission If 20 consecutive rounds of attempts fail the device discards the request Examples Set the maximum number of stop accounting request transmission attempts to 1000 for RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 retry stop a...

Page 118: ...eight weight value Specifies a weight value for the RADIUS server The value range for the weight value argument is 0 to 100 and the default value is 0 The value 0 indicates that the RADIUS server will not be used for load sharing This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme A larger weight value represents a higher capacity to process a...

Page 119: ...ius radius2 secondary accounting 10 110 1 2 1813 Related commands display radius scheme key RADIUS scheme view primary accounting RADIUS scheme view vpn instance RADIUS scheme view secondary authentication RADIUS scheme view Use secondary authentication to specify a secondary RADIUS authentication server Use undo secondary authentication to remove a secondary RADIUS authentication server Syntax se...

Page 120: ...This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme A larger weight value represents a higher capacity to process authentication requests Usage guidelines Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server A RADIUS scheme supports a maxim...

Page 121: ...enable to disable the RADIUS server load sharing feature Syntax server load sharing enable undo server load sharing enable Default The RADIUS server load sharing feature is disabled Views RADIUS scheme view Predefined user roles network admin mdc admin Usage guidelines Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server...

Page 122: ... Default All RADIUS SNMP notifications are disabled Views System view Predefined user roles network admin mdc admin Parameters accounting server down Specifies notifications to be sent when the RADIUS accounting server becomes unreachable accounting server up Specifies notifications to be sent when the RADIUS accounting server becomes reachable authentication error threshold Specifies notification...

Page 123: ... status of a primary RADIUS server Syntax state primary accounting authentication active block Default A primary RADIUS server is in active state Views RADIUS scheme view Predefined user roles network admin mdc admin Parameters accounting Specifies the primary RADIUS accounting server authentication Specifies the primary RADIUS authentication server active Specifies the active state the normal ope...

Page 124: ...thentication block Related commands display radius scheme radius server test profile server load sharing enable state secondary state secondary Use state secondary to set the status of a secondary RADIUS server Syntax state secondary accounting authentication host name ipv4 address ipv6 ipv6 address port number vpn instance vpn instance name active block Default A secondary RADIUS server is in act...

Page 125: ...uthentication or accounting attempt a failure When the RADIUS server load sharing feature is enabled the device checks the weight value and number of currently served users only for servers in active state The most appropriate active server is selected for communication This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS ...

Page 126: ...p accounting requests destined for the server are not buffered Examples Enable buffering of RADIUS stop accounting requests to which no responses have been received Sysname system view Sysname radius scheme radius1 Sysname radius radius1 stop accounting buffer enable Related commands display stop accounting buffer for RADIUS reset stop accounting buffer for RADIUS timer quiet RADIUS scheme view Us...

Page 127: ...ounting interval is 12 minutes Views RADIUS scheme view Predefined user roles network admin mdc admin Parameters interval Specifies the real time accounting interval in the range of 0 to 71582 second Specifies the measurement unit as second If you do not specify this keyword the real time accounting interval is measured in minutes Usage guidelines When the real time accounting interval on the devi...

Page 128: ... the RADIUS server in a period of time after sending a RADIUS request it resends the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval If the client times out during the authentication process the user is immediately logged off To avoid user logoffs the value multiplied by the follow...

Page 129: ...server Usage guidelines A username is generally in the userid isp name format of which the isp name argument is used by the device to determine the ISP domain to which a user belongs Some earlier RADIUS servers however cannot recognize a username containing an ISP domain name Before sending a username including a domain name to such a RADIUS server the device must remove the domain name This comma...

Page 130: ...s name a case sensitive string of 1 to 31 characters Usage guidelines The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme If a VPN instance is also configured for an individual RADIUS server the VPN instance specified for the RADIUS scheme does not take effect on that server Examples Specify VPN instance test for RADIUS scheme radius1 ...

Page 131: ... as kilo packet mega packet Specifies the unit as mega packet one packet Specifies the unit as one packet Usage guidelines The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers Otherwise accounting results might be incorrect Examples In HWTACACS scheme hwt1 set the data flow and packet measurement units for traffic stati...

Page 132: ...display hwtacacs scheme Total 1 HWTACACS schemes HWTACACS Scheme Name hwtac Index 0 Primary Auth Server Host name Not configured IP 2 2 2 2 Port 49 State Active VPN Instance 2 Single connection Enabled Primary Author Server Host name Not configured IP 2 2 2 2 Port 49 State Active VPN Instance 2 Single connection Disabled Primary Acct Server Host name Not configured IP Not Configured Port 49 State ...

Page 133: ... MPLS L3VPN instance to which the HWTACACS server or scheme belongs If no VPN instance is specified for the server or scheme this field displays Not configured Single connection Single connection status Enabled Establish only one TCP connection for all users to communicate with the server Disabled Establish a TCP connection for each user to communicate with the server NAS IP Address Source IP addr...

Page 134: ...low response packets 0 Malformed response packets 0 Continue packets 1 Continue abort packets 0 Pending request packets 0 Timeout packets 0 Unknown type response packets 0 Dropped response packets 0 Primary authorization server 111 8 0 244 Round trip time 1 seconds Request packets 1 Response packets 1 PassAdd response packets 1 PassReply response packets 0 Failure response packets 0 Error response...

Page 135: ...ckets including plaintext passwords Number of request packets that include plaintext passwords Request packets including ciphertext passwords Number of request packets that include ciphertext passwords Response packets Total number of received response packets Pass response packets Number of response packets indicating successful authentication Failure response packets Number of response packets i...

Page 136: ... request packets Success response packets Number of accounting success response packets Related commands reset hwtacacs statistics display stop accounting buffer for HWTACACS Use display stop accounting buffer to display information about buffered HWTACACS stop accounting requests to which no responses have been received Syntax display stop accounting buffer hwtacacs scheme hwtacacs scheme name Vi...

Page 137: ... address Specifies an IPv4 address which must be an address of the device The IP address cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback address ipv6 ipv6 address Specifies an IPv6 address which must be a unicast address of the device and cannot be a loopback address or a link local address vpn instance vpn instance name Specifies an MPLS L3VPN instance to which...

Page 138: ...ource IP addresses Each VPN instance can have only one private network source IPv4 address and one private network source IPv6 address in system view Examples Specify IP address 129 10 10 1 as the source address for HWTACACS packets Sysname system view Sysname hwtacacs nas ip 129 10 10 1 Related commands nas ip HWTACACS scheme view hwtacacs scheme Use hwtacacs scheme to create an HWTACACS scheme a...

Page 139: ...entication Specifies the shared key for secure HWTACACS authentication communication authorization Specifies the shared key for secure HWTACACS authorization communication cipher Specifies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sens...

Page 140: ...tacacs nas ip command is not configured the source IP address is the primary IP address of the outbound interface Views HWTACACS scheme view Predefined user roles network admin mdc admin Parameters ipv4 address Specifies an IPv4 address which must be an address of the device The IP address cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback address ipv6 ipv6 address...

Page 141: ...ess for outgoing HWTACACS packets Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 nas ip 10 1 1 1 Related commands hwtacacs nas ip primary accounting HWTACACS scheme view Use primary accounting to specify the primary HWTACACS accounting server Use undo primary accounting to restore the default Syntax primary accounting host name ipv4 address ipv6 ipv6 address port number key...

Page 142: ...guidelines Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server Two accounting servers specified for a scheme primary or secondary cannot have identical VPN instance host name IP address and port number settings As a best practice specify the single connection keyword to reduce TCP connections for improving syste...

Page 143: ... to 373 characters The plaintext form of the key is a string of 1 to 255 characters In FIPS mode the encrypted form of the key is a string of 15 to 373 characters The plaintext form of the key is a string of 15 to 255 characters The plaintext string must contain digits uppercase letters lowercase letters and special characters single connection The device and the primary HWTACACS authentication se...

Page 144: ... authorization Use primary authorization to specify the primary HWTACACS authorization server Use undo primary authorization to restore the default Syntax primary authorization host name ipv4 address ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name undo primary authorization Default The primary HWTACACS authorization server is not specified Vi...

Page 145: ...he primary HWTACACS authorization server are the same as those configured on the server Two authorization servers specified for a scheme primary or secondary cannot have identical VPN instance host name IP address and port number settings As a best practice specify the single connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single co...

Page 146: ...n received Syntax reset stop accounting buffer hwtacacs scheme hwtacacs scheme name Views User view Predefined user roles network admin mdc admin Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name a case insensitive string of 1 to 32 characters Examples Clear nonresponded stop accounting requests buffered for HWTACACS scheme hwt1 Sysname reset stop accounting ...

Page 147: ...me hwtacacs hwt1 retry stop accounting 300 Related commands display stop accounting buffer for HWTACACS timer response timeout HWTACACS scheme view secondary accounting HWTACACS scheme view Use secondary accounting to specify a secondary HWTACACS accounting server Use undo secondary accounting to remove a secondary HWTACACS accounting server Syntax secondary accounting host name ipv4 address ipv6 ...

Page 148: ...e name Specifies an MPLS L3VPN instance to which the secondary HWTACACS accounting server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the serve...

Page 149: ...ddress of a secondary HWTACACS authentication server ipv6 ipv6 address Specifies the IPv6 address of a secondary HWTACACS authentication server port number Specifies the service port number of the secondary HWTACACS authentication server The value range for the TCP port number is 1 to 65535 The default setting is 49 key Specifies the shared key for secure communication with the secondary HWTACACS ...

Page 150: ... if the HWTACACS server supports the single connection method If the specified server resides on an MPLS L3VPN specify the VPN instance by using the vpn instance vpn instance name option The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme You can remove an authentication server only when it is not used for user authentication Removing...

Page 151: ...l authorization packets for all users If you do not specify this keyword the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the secondary HWTACACS authorization server belongs The vpn instance name argument is a case sensitive string of 1...

Page 152: ...enable to disable buffering of HWTACACS stop accounting requests to which no responses have been received Syntax stop accounting buffer enable undo stop accounting buffer enable Default The device buffers HWTACACS stop accounting requests to which no responses have been received Views HWTACACS scheme view Predefined user roles network admin mdc admin Usage guidelines This command enables the devic...

Page 153: ...minutes Specifies the server quiet period in minutes in the range of 1 to 255 Examples In HWTACACS scheme hwt1 set the server quiet timer to 10 minutes Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 timer quiet 10 Related commands display hwtacacs scheme timer realtime accounting HWTACACS scheme view Use timer realtime accounting to set the real time accounting interval Use...

Page 154: ...interval 1 to 99 3 minutes 100 to 499 6 minutes 500 to 999 12 minutes 1000 or more 15 minutes or longer Examples In HWTACACS scheme hwt1 set the real time accounting interval to 51 minutes Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 timer realtime accounting 51 Related commands display hwtacacs scheme timer response timeout HWTACACS scheme view Use timer response timeout...

Page 155: ...domain name is included in the usernames sent to an HWTACACS server Views HWTACACS scheme view Predefined user roles network admin mdc admin Parameters keep original Sends the username to the HWTACACS server as the username is entered with domain Includes the ISP domain name in the username sent to the HWTACACS server without domain Excludes the ISP domain name from the username sent to the HWTACA...

Page 156: ...rk Views HWTACACS scheme view Predefined user roles network admin mdc admin Parameters vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters Usage guidelines The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme If a VPN instance is also configured for an individual HWTACACS server the VPN instance specified f...

Page 157: ...ap in an LDAP scheme If you execute this command multiple times the most recent configuration takes effect If you specify another attribute map or change the mapping entries the new settings are effective only on the LDAP authorization that occurs after your operation Examples Specify LDAP attribute map map1 in LDAP scheme test Sysname system view Sysname ldap scheme test Sysname ldap test attribu...

Page 158: ...zation server Use authorization server to specify the LDAP authorization server for an LDAP scheme Use undo authorization server to restore the default Syntax authorization server server name undo authorization server Default No LDAP authorization server is specified for an LDAP scheme Views LDAP scheme view Predefined user roles network admin mdc admin Parameters server name Specifies the name of...

Page 159: ...ers If you do not specify an LDAP scheme this command displays the configuration of all LDAP schemes Examples Display the configuration of all LDAP schemes Sysname display ldap scheme Total 1 LDAP schemes LDAP scheme name aaa Authentication server aaa IP 1 1 1 1 Port 111 VPN instance Not configured LDAP protocol version LDAPv3 Server timeout interval 10 seconds Login account DN Not configured Base...

Page 160: ...r VPN instance MPLS L3VPN instance to which the LDAP server belongs If no VPN instance is specified this field displays Not configured LDAP protocol version LDAP version LDAPv2 or LDAPv3 Server timeout interval LDAP server timeout period in seconds Login account DN DN of the administrator Base DN Base DN for user search Search scope User DN search scope including all level All subdirectories singl...

Page 161: ...server is on the public network do not specify this option Usage guidelines The LDAP service port configured on the device must be consistent with the service port of the LDAP server If you change the IP address and port number of the LDAP server the change is effective only on the LDAP authentication that occurs after the change Examples Specify the IP address and port number as 192 168 0 10 and ...

Page 162: ...f you change the IP address and port number of the LDAP server the change is effective only on the LDAP authentication that occurs after the change Examples Specify the IPv6 address and port number as 1 2 3 4 and 4300 for LDAP server ccc Sysname system view Sysname ldap server ccc Sysname ldap server ccc ipv6 1 2 3 4 port 4300 Related commands ldap server ldap attribute map Use ldap attribute map ...

Page 163: ...me and enter its view or enter the view of an existing LDAP scheme Use undo ldap scheme to delete an LDAP scheme Syntax ldap scheme ldap scheme name undo ldap scheme ldap scheme name Default No LDAP schemes exist Views System view Predefined user roles network admin mdc admin Parameters ldap scheme name Specifies the LDAP scheme name a case insensitive string of 1 to 32 characters Usage guidelines...

Page 164: ...n Parameters server name Specifies the LDAP server name a case insensitive string of 1 to 64 characters Examples Create an LDAP server named ccc and enter LDAP server view Sysname system view Sysname ldap server ccc Sysname ldap server ccc Related commands display ldap scheme login dn Use login dn to specify the administrator DN Use undo login dn to restore the default Syntax login dn dn string un...

Page 165: ...e the administrator password for binding with the LDAP server during LDAP authentication Use undo login password to restore the default Syntax login password cipher simple string undo login password Default No administrator password is configured Views LDAP server view Predefined user roles network admin mdc admin Parameters cipher Specifies a password in encrypted form simple Specifies a password...

Page 166: ...ue argument represents the position where the partial string starts The prefix is a case insensitive string of 1 to 7 characters such as cn The delimiter value argument represents the position where the partial string ends such as a comma If you do not specify the prefix prefix value delimiter delimiter value option the mapping entry uses the entire value string of the LDAP attribute aaa attribute...

Page 167: ...DAPv2 v3 Specifies the LDAP version LDAPv3 Usage guidelines For successful LDAP authentication the LDAP version used by the device must be consistent with the version used by the LDAP server If you change the LDAP version the change is effective only on the LDAP authentication that occurs after the change A Microsoft LDAP server supports only LDAPv3 Examples Specify the LDAP version as LDAPv2 for ...

Page 168: ...er ccc Sysname ldap server ccc search base dn dc ldap dc com Related commands display ldap scheme ldap server search scope Use search scope to specify the user search scope Use undo search scope to restore the default Syntax search scope all level single level undo search scope Default The user search scope is all level Views LDAP server view Predefined user roles network admin mdc admin Parameter...

Page 169: ...onds Views LDAP server view Predefined user roles network admin mdc admin Parameters time interval Specifies the LDAP server timeout period in the range of 5 to 20 seconds Usage guidelines If you change the LDAP server timeout period the change is effective only on the LDAP authentication that occurs after the change Examples Set the LDAP server timeout period to 15 seconds for LDAP server ccc Sys...

Page 170: ...ithout domain Specifies the format of the username to be sent to the server The with domain keyword means that the username contains the domain name and the without domain keyword means that the username does not contain the domain name user object class object class name Specifies the user object class for user search The object class name argument represents a class value a case insensitive stri...

Page 171: ...y view Predefined user roles network admin network operator mdc admin mdc operator Parameters user name Specifies a RADIUS user name a case sensitive string of 1 to 55 characters The name must meet the following requirements Cannot contain a domain name Cannot contain any of the following characters forward slash backslash vertical bar colon asterisk question mark left angle bracket right angle br...

Page 172: ... 00 Username 456 Description A networkaccess user from company cc Authorization attributes VLAN ID 2 ACL number 3000 Validity period Expiration time 2016 04 03 18 00 00 Table 15 Command output Field Description Username RADIUS user name Description Description of the RADIUS user Authorization attributes Authorization attributes of the RADIUS user VLAN ID Authorization VLAN ACL number Authorization...

Page 173: ...tivate Related commands display radius server active client display radius server active user radius server client Use radius server client to configure a RADIUS client Use undo radius server client to delete a RADIUS client Syntax radius server client ip ipv4 address key cipher simple string undo radius server client all ip ipv4 address Default No RADIUS clients are specified Views System view Pr...

Page 174: ...same as the source IP address for outgoing RADIUS packets specified on the RADIUS client The shared key of a RADIUS client must be the same as the setting on the RADIUS client Execute this command multiple times to configure multiple RADIUS clients Examples Configure a RADIUS client whose IP address is 2 2 2 2 and shared key is test in plaintext Sysname system view Sysname radius server client ip ...

Page 175: ...port specific 802 1X information Usage guidelines If you do not specify the sessions keyword or the statistics keyword this command displays all information about 802 1X including session information statistics and settings Examples Display all information about 802 1X Sysname display dot1x Global 802 1X parameters 802 1X authentication Enabled CHAP authentication Enabled Max tx period 30 s Handsh...

Page 176: ...line users 4294967295 User IP freezing Disabled Reauth period 0 s Send Packets Without Tag Disabled Max Attempts Fail Number 0 Guest VSI Not configured Auth Fail VSI Not configured Critical VSI Not configured Add Guest VSI delay Disabled EAPOL packets Tx 3 Rx 3 Sent EAP Request Identity packets 1 EAP Request Challenge packets 1 EAP Success packets 1 EAP Failure packets 0 Received EAPOL Start packe...

Page 177: ...ification packet to a client EAD assistant function Whether EAD assistant is enabled URL Redirect URL for unauthenticated users using a Web browser to access the network Free IP Network segment accessible to unauthenticated users EAD timeout EAD rule timer in minutes Domain delimiter Domain delimiters supported by the device Online 802 1X wired users Number of wired online 802 1X users including u...

Page 178: ...riggered 802 1X guest VLAN assignment delay is enabled ALL Both EAPOL triggered and new MAC triggered 802 1X guest VLAN assignment delays are enabled Disabled 802 1X guest VLAN assignment delay is disabled Re auth server unreachable Whether to log off online 802 1X users or keep them online when no server is reachable for 802 1X reauthentication Max online users Maximum number of concurrent 802 1X...

Page 179: ...ts Number of received EAPOL LogOff packets EAP Response Identity packets Number of received EAP Response Identity packets EAP Response Challenge packets Number of received EAP Response MD5 Challenge packets Error packets Number of received error packets Online 802 1X users Number of online 802 1X users on the port including users that have passed 802 1X authentication and users that are performing...

Page 180: ...C address The mac address argument represents the MAC address of the user in the form of H H H If you do not specify an 802 1X user this command displays all online 802 1X user information user name name string Specifies an 802 1X user by its name The name string argument represents the username a case sensitive string of 1 to 253 characters If you do not specify an 802 1X user this command displa...

Page 181: ...s before 802 1X authentication Authorization untagged VLAN Untagged VLAN authorized to the user Authorization tagged VLAN list Tagged VLANs authorized to the user Authorization VSI VSIs authorized to the user Authorization ACL ID ACL authorized to the user Authorization CAR This field is not supported in the current software version Authorization CAR attributes assigned by the server If no authori...

Page 182: ...ommand displays MAC address information of 802 1X users in the specified 802 1X VLAN or VSI on all ports Usage guidelines This command displays rough statistics It might not fully display the specified information when a large number of 802 1X users perform authentication frequently Examples Display MAC address information of 802 1X users in the 802 1X Auth Fail VLAN on all ports Sysname display d...

Page 183: ... or VSI information for 802 1X users The Type argument has the following values Auth Fail VLAN Auth Fail VSI Critical VLAN Critical VSI Guest VLAN Guest VSI Aging time MAC address aging time in seconds This field displays N A if the MAC addresses do not age out MAC addresses Number of matching MAC addresses on a port xxxx xxxx xxxx MAC address Related commands dot1x auth fail vlan dot1x auth fail ...

Page 184: ...access user log enable to enable logging for 802 1X users Use undo dot1x access user log enable to disable logging for 802 1X users Syntax dot1x access user log enable abnormal logoff failed login normal logoff successful login undo dot1x access user log enable abnormal logoff failed login normal logoff successful login Default Logging for 802 1X users is disabled Views System view Predefined user...

Page 185: ...yntax dot1x after mac auth max attempt max attempts undo dot1x after mac auth max attempt Default The number of 802 1X authentication attempts for MAC authenticated users is not limited on a port Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters max attempts Specifies a number in the range of 1 to 50 Usage guidelines The...

Page 186: ...guidelines The access device terminates or relays EAP packets In EAP termination mode The access device re encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server The device performs either CHAP or PAP authentication with the RADIUS server In this mode the RADIUS server supports only MD5 Challenge EAP authentication and the username and passwo...

Page 187: ...thernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters authfail vlan id Specifies the ID of the 802 1X Auth Fail VLAN on the port The value range for the VLAN ID is 1 to 4094 Make sure the VLAN has been created Usage guidelines An 802 1X Auth Fail VLAN accommodates users that have failed 802 1X authentication for any reason other than unrea...

Page 188: ...rt a case sensitive string of 1 to 31 characters Usage guidelines An 802 1X Auth Fail VSI accommodates users that have failed 802 1X authentication for any reason other than unreachable servers Users in the 802 1X Auth Fail VSI can access a limited set of network resources in the VXLAN associated with this VSI You can configure only one 802 1X Auth Fail VSI on a port The 802 1X Auth Fail VSIs on d...

Page 189: ...t respond to the EAP Request Identity packets of the device if they have received an EAP Failure packet As a result reauthentication fails for these clients when an authentication server is reachable This command enables the device to send EAP Success packets instead of EAP Failure packets to 802 1X clients when the client users are assigned to the 802 1X critical VLAN This operation ensures that ...

Page 190: ...ion about super VLANs see Layer 2 LAN Switching Configuration Guide On a port the 802 1X critical VLAN configuration is mutually exclusive with the 802 1X guest VSI 802 1X Auth Fail VSI and 802 1X critical VSI settings To delete a VLAN that has been configured as an 802 1X critical VLAN you must first use the undo dot1x critical vlan command Examples Specify VLAN 100 as the 802 1X critical VLAN on...

Page 191: ...amples Specify VSI vsiuser as the 802 1X critical VSI on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x critical vsi vsiuser Related commands display dot1x dot1x critical voice vlan Use dot1x critical voice vlan to enable the 802 1X critical voice VLAN on a port Use undo dot1x critical voice vlan to restore the defau...

Page 192: ... undo dot1x domain delimiter to restore the default Syntax dot1x domain delimiter string undo dot1x domain delimiter Default The device supports only the at sign delimiter for 802 1X users Views System view Predefined user roles network admin mdc admin Parameters string Specifies a set of 1 to 16 domain name delimiters for 802 1X users No space is required between delimiters Available delimiters i...

Page 193: ...iews System view Predefined user roles network admin mdc admin Usage guidelines The EAD assistant feature enables the access device to redirect the HTTP or HTTPS requests of a user to a URL to download and install EAD client This feature eliminates the tedious job of the administrator to deploy EAD clients For the EAD assistant feature to take effect on a port you must set the port authorization m...

Page 194: ...ress segment also called a free IP mask Specifies an IP address mask mask length Specifies IP address mask length in the range of 1 to 32 all Removes all free IP addresses Usage guidelines With EAD assistant enabled on the device unauthenticated 802 1X users can access the network resources in the free IP segments before they pass 802 1X authentication Execute this command multiple times to config...

Page 195: ...on takes effect To redirect the HTTPS requests of 802 1X users use the http redirect https port command to specify the HTTPS redirect listening port For information about the http redirect https port command see HTTP redirect commands in Layer 3 IP Services Command Reference Examples Configure the redirect URL as http test com Sysname system view Sysname dot1x ead assistant url http test com Relat...

Page 196: ...d This command applies only to Ethernet ports of which the link type is hybrid Examples Enable the device to send 802 1X protocol packets out of Ten GigabitEthernet 1 0 1 without VLAN tags Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x eapol untag Related commands display dot1x dot1x guest vlan Use dot1x guest vlan to configure an 802 1X gues...

Page 197: ... commands display dot1x dot1x guest vlan delay Use dot1x guest vlan delay to enable 802 1X guest VLAN assignment delay on a port Use undo dot1x guest vlan delay to disable the specified 802 1X guest VLAN assignment delay on a port Syntax dot1x guest vlan delay eapol new mac undo dot1x guest vlan delay eapol new mac Default 802 1X guest VLAN assignment delay is disabled on a port Views Layer 2 Ethe...

Page 198: ...face ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x guest vlan delay eapol Related commands display dot1x dot1x guest vlan dot1x retry dot1x timer tx period dot1x guest vsi Use dot1x guest vsi to configure an 802 1X guest VSI on a port Use undo dot1x guest vsi to restore the default Syntax dot1x guest vsi guest vsi name undo dot1x guest vsi Default No 802 1X guest VSI exists on a...

Page 199: ...bled on a port Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters eapol Specifies EAPOL triggered 802 1X guest VSI assignment delay This keyword takes effect if 802 1X authentication is triggered by EAPOL Start packets new mac Specifies new MAC triggered 802 1X guest VSI assignment delay This keyword takes effect if 802 1...

Page 200: ... handshake feature Syntax dot1x handshake undo dot1x handshake Default The online user handshake feature is enabled Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Usage guidelines The online user handshake feature enables the device to periodically send EAP Request Identity packets to the client for verifying the connectivity st...

Page 201: ...es This command enables the device to reply to 802 1X clients EAP Response Identity packets with EAP Success packets during the online handshake process Use this command only if 802 1X clients will go offline without receiving EAP Success packets from the device Examples Enable the 802 1X online user handshake reply feature on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gig...

Page 202: ...ly on the network where the iNode client and IMC server are used Examples Enable the online user handshake security feature on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x handshake secure Related commands display dot1x dot1x handshake dot1x mac binding Use dot1x mac binding to add an 802 1X MAC address binding ent...

Page 203: ...trictions exist Users not in the binding entries will fail authentication even after users in the binding entries go offline New 802 1X MAC address binding entries are not allowed Examples Add an 802 1X MAC address binding entry on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x mac binding 000a eb29 75f1 Related comm...

Page 204: ...ding entries are not allowed Examples Enable 802 1X MAC address binding on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x mac binding enable Related commands dot1x dot1x mac binding dot1x port method dot1x mandatory domain Use dot1x mandatory domain to specify a mandatory 802 1X authentication domain on a port Use un...

Page 205: ...iews Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters max number Specifies the maximum number of concurrent 802 1X users on a port The value range is 1 to 4294967295 Usage guidelines Set the maximum number of concurrent 802 1X users on a port to prevent the system resources from being overused When the maximum number is reach...

Page 206: ...t1x timer tx period command to set the interval for sending multicast EAP Request Identity packets Examples Enable the multicast trigger feature on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x multicast trigger Related commands display dot1x dot1x timer tx period dot1x unicast trigger dot1x port control Use dot1x p...

Page 207: ...sname Ten GigabitEthernet1 0 1 dot1x port control unauthorized force Related commands display dot1x dot1x port method Use dot1x port method to specify an access control method for the port Use undo dot1x port method to restore the default Syntax dot1x port method macbased portbased undo dot1x port method Default MAC based access control applies Views Layer 2 Ethernet interface view Layer 2 aggrega...

Page 208: ...twork admin mdc admin Usage guidelines When a client fails 802 1X authentication the device must wait a period of time before it can process authentication requests from the client You can use the dot1x timer quiet period command to set the quiet timer Examples Enable the quiet timer and set the quiet timer to 100 seconds Sysname system view Sysname dot1x quiet period Sysname dot1x timer quiet per...

Page 209: ...dic reauthentication interval to 1800 seconds Sysname system view Sysname dot1x timer reauth period 1800 Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x re authenticate Related commands display dot1x dot1x timer dot1x re authenticate manual Use dot1x re authenticate manual to manually reauthenticate all online 802 1X users on a port Syntax dot1x re authenticate m...

Page 210: ...o server is reachable for 802 1X reauthentication Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Usage guidelines This feature keeps authenticated 802 1X users online when no server is reachable for 802 1X reauthentication Examples Enable the keep online feature on Ten GigabitEthernet 1 0 1 for 802 1X reauthentication Sysname sy...

Page 211: ...ut value command for the EAP Request MD5 Challenge packet The access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response Examples Set the maximum number of attempts to 9 for sending an authentication request to a client Sysname system view Sysname dot1x retry 9 Related commands display dot1x dot1x timer dot1x tim...

Page 212: ...meout timer in seconds The value range for the tx period value argument is 1 to 120 Usage guidelines In most cases the default settings are sufficient You can edit the timers depending on the network conditions In a low speed network increase the client timeout timer In a vulnerable network set the quiet timer to a high value In a high performance network with quick authentication response set the...

Page 213: ...he interval at which the network device sends multicast EAP Request Identity packets to detect clients that cannot actively request authentication The change to the periodic reauthentication timer applies to the users that have been online only after the old timer expires Other timer changes take effect immediately on the device Examples Set the server timeout timer to 150 seconds Sysname system v...

Page 214: ...auth period 60 Related commands dot1x timer dot1x unicast trigger Use dot1x unicast trigger to enable the 802 1X unicast trigger feature Use undo dot1x unicast trigger to disable the 802 1X unicast trigger feature Syntax dot1x unicast trigger undo dot1x unicast trigger Default The 802 1X unicast trigger feature is disabled Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Pred...

Page 215: ... view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Usage guidelines This command prevents 802 1X generated IPSG bindings from being updated because of user IP changes For information about IP source guard commands see IP source guard commands Examples Enable 802 1X user IP freezing on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitether...

Page 216: ...02 1X guest VSI on a port Syntax reset dot1x guest vsi interface interface type interface number mac address mac address Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies a port by its type and number mac address mac address Specifies the MAC address of an 802 1X user in the guest VSI If you do not specify this option the c...

Page 217: ...ype interface number Specifies a port by its type and number If you do not specify a port this command clears 802 1X statistics on all ports Examples Clear 802 1X statistics on Ten GigabitEthernet 1 0 1 Sysname reset dot1x statistics interface ten gigabitethernet 1 0 1 Related commands display dot1x ...

Page 218: ...ntication information including the global settings port specific settings MAC authentication statistics and online user statistics Examples Display all MAC authentication settings and statistics Sysname display mac authentication Global MAC authentication parameters MAC authentication Enabled Username format MAC address in lowercase xxxxxxxxxxxx Username mac Password Not configured Offline detect...

Page 219: ...rname For example MAC address in lowercase xxxxxxxxxxxx indicates that the MAC address is in the hexadecimal notation without hyphens and letters are in lower case If a shared account is used this field displays Fixed account Username Username for MAC authentication If MAC based accounts are used this field displays mac The device uses the MAC address of each user as the username and password for ...

Page 220: ...domain specified for the port Auth delay timer Whether MAC authentication delay is enabled on the port Auth delay period MAC authentication delay timer Periodic reauth Whether periodic MAC reauthentication is enabled on the port Reauth period Periodic MAC reauthentication timer on the port Re auth server unreachable Action taken when no server is reachable for MAC reauthentication Logoff Logs off ...

Page 221: ...successful authentication attempts MAC address MAC address of the online user Auth state User status Authenticated The user has passed MAC authentication Unauthenticated The user failed MAC authentication display mac authentication connection Use display mac authentication connection to display information about online MAC authentication users Syntax In standalone mode display mac authentication c...

Page 222: ...C authentication user information user name user name Specifies an online MAC authentication user by its username The user name is a case sensitive string of 1 to 55 characters and it can include the domain name If you do not specify an online MAC authentication user this command displays all online MAC authentication user information Examples In standalone mode Display information about all onlin...

Page 223: ...isplays N A Termination action Action attribute assigned by the server to terminate the user session Default Logs off the online authenticated user when the session timeout timer expires This attribute does not take effect when periodic MAC reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer Radius request Reauthenticates the online user wh...

Page 224: ...ess guest vlan Total MAC addresses 10 Interface Ten GigabitEthernet1 0 1 Guest VLAN 3 Aging time N A MAC addresses 8 0800 2700 9427 0800 2700 2341 0800 2700 2324 0800 2700 2351 0800 2700 5627 0800 2700 2251 0800 2700 8624 0800 2700 3f51 Interface Ten GigabitEthernet1 0 2 Guest VLAN 5 Aging time 30 sec MAC addresses 2 0801 2700 9427 0801 2700 2341 Display MAC address information of MAC authenticati...

Page 225: ...guest vsi mac authentication Use mac authentication to enable MAC authentication globally or on a port Use undo mac authentication to disable MAC authentication globally or on a port Syntax mac authentication undo mac authentication Default MAC authentication is disabled globally or on any port Views System view Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles...

Page 226: ... for login failures of MAC authentication users logoff Specifies logs generated for logoffs of MAC authentication users successful login Specifies logs generated for successful logins of MAC authentication users Usage guidelines As a best practice disable this feature to prevent excessive output of logs for MAC authentication users If you do not specify any parameters this command enables all logg...

Page 227: ...ermines that the IP MAC combination of the user is valid The server will record the IP MAC combination of the user If the user IP address is changed at the next authentication the user cannot pass authentication This command takes effect only on MAC authentication users that use static IP addresses Users that obtain IP addresses through DHCP are not affected Do not configure this command together ...

Page 228: ... authentication critical VSI settings The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers If a MAC authentication user fails local authentication after RADIUS authentication the user is not assigned to the critical VLAN Before you delete a VLAN that has been set as a MAC authentication critical VLAN use the undo mac authentication critical vlan c...

Page 229: ...figuration is mutually exclusive with the MAC authentication guest VLAN and MAC authentication critical VLAN settings Examples Configure VSI vpna as the MAC authentication critical VSI on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 mac authentication critical vsi vpna Related commands display mac authentication reset ma...

Page 230: ...1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 mac authentication critical voice vlan Related commands display mac authentication lldp enable Layer 2 LAN Switching Command Reference lldp global enable Layer 2 LAN Switching Command Reference reset mac authentication critical voice vlan voice vlan enable Layer 2 LAN Switching Command Reference ...

Page 231: ...tion domain on Ten GigabitEthernet 1 0 1 Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 mac authentication domain aabbcc Related commands display mac authentication domain default enable mac authentication guest vlan Use mac authentication guest vlan to configure a MAC authentication guest VLAN on a port Use undo mac authentication guest vlan to restore the default Sy...

Page 232: ...ion guest vlan 100 Related commands display mac authentication reset mac authentication guest vlan mac authentication guest vlan auth period Use mac authentication guest vlan auth period to set the interval at which the device authenticates users in the MAC authentication guest VLAN Use undo mac authentication guest vlan auth period to restore the default Syntax mac authentication guest vlan auth ...

Page 233: ...at have failed MAC authentication for any reason other than server unreachable For example the VSI accommodates users with invalid passwords entered You can deploy a limited set of network resources in the VXLAN that is associated with the guest VSI For example a software server for downloading software and system patches You can configure only one MAC authentication guest VSI on a port The MAC au...

Page 234: ...lue range is 1 to 3600 in seconds Examples Set the authentication interval to 150 seconds for users in the MAC authentication guest VSI on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 mac authentication guest vsi auth period 150 Related commands display mac authentication mac authentication guest vsi mac authentication h...

Page 235: ...o delay and interference It is typically applicable to IP phone users Examples Enable MAC authentication multi VLAN mode on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 mac authentication host mode multi vlan Related commands display mac authentication mac authentication max user Use mac authentication max user to set th...

Page 236: ...ax mac authentication offline detect enable undo mac authentication offline detect enable Default MAC authentication offline detection is enabled on a port Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Usage guidelines This command allows the device to log out a user if the device does not receive any packets from the user with...

Page 237: ...e port to perform MAC authentication before it is assigned to the 802 1X guest VLAN use the dot1x guest vlan delay new mac command to delay assigning the port to the 802 1X guest VLAN For information about the dot1x guest vlan delay new mac command see 802 1X commands Do not enable MAC authentication delay on the port This operation will delay MAC authentication after 802 1X authentication is trig...

Page 238: ...server such as the ACL and VLAN To set the periodic reauthentication timer use the mac authentication timer reauth period command in system view or in Ethernet interface view Examples Enable the periodic MAC reauthentication feature on Ten GigabitEthernet 1 0 1 and set the global periodic reauthentication timer to 1800 seconds Sysname system view Sysname mac authentication timer reauth period 1800...

Page 239: ... re authenticate server unreachable keep online Related commands display mac authentication mac authentication timer interface view Use mac authentication timer to configure a MAC authentication timer on a port Use undo mac authentication timer to restore the default of a MAC authentication timer Syntax mac authentication timer auth delay auth delay time reauth period reauth period value undo mac ...

Page 240: ...c MAC reauthentication on a port use the mac authentication re authenticate command A change to the port specific periodic reauthentication timer applies to online users only after the old timer expires The device selects a periodic reauthentication timer for MAC reauthentication in the following order 1 Server assigned reauthentication timer 2 Port specific reauthentication timer 3 Global reauthe...

Page 241: ...e detect timer assign the same value to the MAC address aging timer by using the mac address timer command This operation prevents a MAC authenticated user from being offline within the offline detect timer due to MAC address entry expiration Quiet timer Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication All pa...

Page 242: ...pecified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 63 characters Its encrypted form is a case sensitive string of 1 to 117 characters mac address Uses MAC based user accounts for MAC authentication users You can also specify the format of username and password by using the following keywords with hyphen In...

Page 243: ...nterface type interface number mac address mac address Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies a port by its type and number mac address mac address Specifies a user by its MAC address If you do not specify this option the command removes all users from the MAC authentication critical VLAN on the port Examples Rem...

Page 244: ...entication critical voice vlan to remove MAC authentication users from the MAC authentication critical voice VLAN on a port Syntax reset mac authentication critical voice vlan interface interface type interface number mac address mac address Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies a port by its type and number mac...

Page 245: ...ess 1 1 1 from the MAC authentication guest VLAN on Ten GigabitEthernet 1 0 1 Sysname reset mac authentication guest vlan interface ten gigabitethernet 1 0 1 mac address 1 1 1 Related commands display mac authentication mac authentication guest vlan reset mac authentication guest vsi Use reset mac authentication guest vsi to remove users from the MAC authentication guest VSI on a port Syntax reset...

Page 246: ...MAC authentication statistics Syntax reset mac authentication statistics interface interface type interface number Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies a port by its type and number If you do not specify a port this command clears both global and port specific MAC authentication statistics Examples Clear MAC au...

Page 247: ...thentication enabled the device generates a MAC trigger entry for a user when the device detects traffic from the user for the first time The MAC trigger entry records the following information MAC address of the user Interface index VLAN ID Traffic statistics Aging timer When the aging time expires the device deletes the MAC trigger entry The device re creates a MAC trigger entry for the user whe...

Page 248: ... MAC binding query response from the MAC binding server the device starts a timeout timer for portal authentication When the timer expires the device deletes the MAC trigger entry for the user Examples Specify the authentication timeout as 10 minutes Sysname system view Sysname portal mac trigger server mts Sysname portal mac trigger server mts authentication timeout 10 Related commands display po...

Page 249: ...umber of MAC binding query attempts to 3 and the query interval to 60 seconds Sysname system view Sysname portal mac trigger server mts Sysname portal mac trigger server mts binding retry 3 interval 60 Related commands display portal mac trigger server default logon page Use default logon page to specify the default authentication page file for the local portal Web service Use undo default logon p...

Page 250: ...rtal local web server http Sysname portal local websvr http default logon page pagefile1 zip Related commands portal local web server display portal Use display portal to display portal configuration and portal running state Syntax display portal interface interface type interface number Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters interface...

Page 251: ...erver Not configured Authentication domain Not configured Pre auth domain Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ipv6 Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefix length Destination authentication subnet IP address Prefix length Tabl...

Page 252: ... IP address pool specified for portal users before authentication Max Portal users Maximum number of portal users allowed on an interface Bas ip BAS IP attribute of the portal packets sent to the portal authentication server Bas ipv6 BAS IPv6 attribute of the portal packets sent to the portal authentication server User detection Configuration for online detection of portal users on the interface i...

Page 253: ...rameters all Specifies all MAC binding servers name server name Specifies a MAC binding server by its name a case sensitive string of 1 to 32 characters Examples Display information about all MAC binding servers Sysname display portal mac trigger server all Portal mac trigger server ms1 Version 2 0 Server type IMC IP 10 1 1 1 Port 100 VPN instance Not configured Aging time 120 seconds Free traffic...

Page 254: ...MC which indicates the HPE IMC server IP IP address of the MAC binding server Port UDP port number on which the MAC binding server listens for MAC binding query packets VPN instance MPLS L3VPN instance where the MAC binding server resides Aging time Aging time in seconds A MAC trigger entry is aged out when the aging time expires Free traffic threshold This field is not supported is the current so...

Page 255: ... from portal authentication servers If you do not specify the server server name option this command displays packet statistics for all portal authentication servers Examples Display packet statistics for portal authentication server pts Sysname display portal packet statistics server pts Portal server pts Invalid packets 0 Pkt Type Total Drops Errors REQ_CHALLENGE 3 0 0 ACK_CHALLENGE 3 0 0 REQ_AU...

Page 256: ...entication server sent to the access device after receiving an authentication acknowledgment packet NTF_LOGOUT Forced logout notification packet the access device sent to the portal authentication server REQ_INFO Information request packet ACK_INFO Information acknowledgment packet NTF_USERDISCOVER User discovery notification packet the portal authentication server sent to the access device NTF_US...

Page 257: ...generated after users pass portal authentication These rules allow packets with specific source IP addresses to pass the interface static Displays static portal filtering rules which are generated after portal authentication is enabled The interface filters packets by these rules when portal authentication is enabled interface interface type interface number Specifies an interface by its type and ...

Page 258: ...ask 255 255 255 255 Port Any Rule 2 Type Dynamic Action Permit Status Active Source IP 2 2 2 2 MAC 000d 88f8 0eab Interface Vlan interface100 VLAN 100 Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface Vlan interface100 VLAN 100 Protocol TCP Destination IP 0 0 0 0 Mask 0 0 0 0 Port 80 Rule 4 Type Static Action Deny Status Active ...

Page 259: ...Active Source IP Prefix length 0 Port Any MAC 0000 0000 0000 Interface Vlan interface100 VLAN 100 Destination IP 3000 1 Prefix length 64 Port Any Rule 2 Type Dynamic Action Permit Status Active Source IP 3000 1 MAC 0015 e9a6 7cfe Interface Vlan interface100 VLAN 100 Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP Prefix length 0 Interface Vlan interface100 VLAN 10...

Page 260: ...portal filtering rules and IPv6 portal filtering rules are numbered separately Type Type of the portal filtering rule Static Static portal filtering rule Dynamic Dynamic portal filtering rule Action Action triggered by the portal filtering rule Permit The interface allows packets to pass Redirect The interface redirects packets Deny The interface forbids packets to pass Match pre auth ACL The inte...

Page 261: ...on IP address Port Destination transport layer port number Mask Subnet mask of the destination IPv4 address Prefix length Prefix length of the destination IPv6 address Author ACL Authorized ACL assigned to authenticated portal users This field is displayed only for a dynamic portal filtering rule Pre auth ACL Authorized ACL assigned to preauthentication portal users This field is displayed only fo...

Page 262: ...ere the portal authentication server resides Port Listening port on the portal authentication server Server detection Parameters for portal authentication server detection Detection timeout in seconds Actions log and trap triggered by the reachability status change of the portal authentication server User synchronization User idle timeout in seconds for portal user synchronization Status Reachabil...

Page 263: ... about preauthentication portal users A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication If you do not specify the pre auth keyword this command displays information about authenticated portal users verbose Displays detailed information about portal users Examples Display information about all portal use...

Page 264: ...ace 000a eb29 75f2 18 18 0 4 200 Route Aggregation100 State Online VPN instance N A Authorization information User profile quew active Session group profile pt1 active ACL number 3000 active Inbound CAR CIR 3072 bps PIR 3072 bps inactive Outbound CAR CIR 3072 bps PIR 3072 bp inactive Table 27 Command output Field Description Total portal users Total number of portal users Username Name of the user...

Page 265: ...e The authorized session group profile is applied to the user access interface successfully inactive The authorized session group profile is not applied to the user access interface or the session group profile does not exist on the device ACL number Authorized ACL N A No ACL is authorized active The authorized ACL is applied to the user access interface successfully inactive The authorized ACL is...

Page 266: ...R CIR 64000bps PIR 640000bps Outbound CAR CIR 64000bps PIR 640000bps ACL number 3000 inactive User profile portal active Session group profile N A Max multicast addresses 4 Multicast address list 1 2 3 1 1 34 33 1 3 123 123 3 4 5 6 7 2 2 2 2 3 3 3 3 4 4 4 4 User group 1 Id 1 Flow statistic Uplink packets bytes 7 546 Downlink packets bytes 0 0 ITA level 1 uplink packets bytes 0 0 downlink packets b...

Page 267: ...ubnet authentication AAA AAA information about the portal user Realtime accounting interval Interval for sending real time accounting updates and the maximum number of accounting attempts If the real time accounting is not authorized this field displays N A Idle cut Idle timeout period and the minimum traffic threshold If idle cut is not authorized this field displays N A direction Direction of us...

Page 268: ...orized user profile is applied to the user access interface successfully inactive The authorized user profile is not applied to the user access interface or the user profile does not exist on the device Session group profile This field is not supported in the current software version Authorized session group profile N A No session group profile is authorized active The authorized session group pro...

Page 269: ...ortal web server server name Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters server name Specifies a portal Web server by its name a case sensitive string of 1 to 32 characters Usage guidelines If you do not specify the server name argument this command displays information about all portal Web servers Examples Display information about portal ...

Page 270: ...enabled and the server is unreachable IPv6 status Current state of the IPv6 portal Web server Up This value indicates one of the following conditions Portal Web server detection is disabled Portal Web server detection is enabled and the server is reachable Down Portal Web server detection is enabled and the server is unreachable Captive bypass This field is not supported in the current software ve...

Page 271: ...IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays Web redirect rules for the global active MPU In IRF mode Examples Display all Web redirect rules on VLAN interface 100 Sysname display web redirect rule interface vlan interface 100 IPv4 web redirect rules on vlan interface 100 Rule 1 Type Dynamic Action Permit Statu...

Page 272: ... address Prefix length Prefix length of the source IPv6 address VLAN Source VLAN If not specified this field displays Any Protocol Transport layer protocol permitted by the Web redirect rule This field always displays TCP Destination Destination information in the Web redirect rule Port Destination transport layer port number The default port number is 80 if match Use if match to configure a match...

Page 273: ...o 255 characters The User Agent string in HTTP or HTTPS requests includes information about hardware manufacturer operating system browser and search engine Usage guidelines A URL redirection match rule matches HTTP or HTTPS requests by user requested URL or User Agent information and redirects the matching HTTP or HTTPS requests to the specified redirection URL For a user to successfully access a...

Page 274: ...PN instance name a case sensitive string of 1 to 31 characters If the MAC binding server belongs to the public network do not specify this option key Specifies a shared key to be used to authenticate packets between the device and the MAC binding server Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key The receiver uses ...

Page 275: ...he VPN instance name a case sensitive string of 1 to 31 characters If the portal authentication server belongs to the public network do not specify this option key Specifies a shared key for communication with the portal authentication server Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key The rece...

Page 276: ...v6 vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters If the portal authentication server belongs to the public network do not specify this option key Specifies a shared key for communication with the portal authentication server Portal packets exchanged between the access device and the portal authentication server carry an authenticator that...

Page 277: ... port type Default The NAS Port Type value carried in RADIUS requests is 0 Views MAC binding server view Predefined user roles network admin mdc admin Parameters value Specifies the NAS Port Type value in the range of 1 to 255 Usage guidelines Some MAC binding servers identify MAC based quick portal authentication by a specific NAS Port Type value in received RADIUS requests To communicate with su...

Page 278: ... as the query listening port number configured on the MAC binding server Examples Set the UDP port number to 1000 for MAC binding server pts to listen for MAC binding query packets sysname system view sysname portal mac trigger server mts sysname portal mac trigger server mts port 1000 Related commands display portal mac trigger server port portal authentication server view Use port to set the des...

Page 279: ... bas ipv6 to restore the default Syntax portal bas ip ipv4 address bas ipv6 ipv6 address undo portal bas ip bas ipv6 Default The BAS IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet The BAS IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet The B...

Page 280: ...owing conditions are met The portal authentication server is an HPE IMC server or the portal authentication mode on the interface is re DHCP The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface Examples On interface VLAN interface 100 configure the BAS IP attribute as 2 2 2 2 for portal packets sent to the portal aut...

Page 281: ...g server Use undo portal apply mac trigger server to restore the default Syntax portal apply mac trigger server server name undo portal apply mac trigger server Default No MAC binding server is specified Views Interface view Predefined user roles network admin mdc admin Parameters server name Specifies a MAC binding server by its name a case sensitive string of 1 to 32 characters Usage guidelines ...

Page 282: ...ready exist fail permit Enables the portal fail permit feature on the interface The portal fail permit feature allows portal users to access the Internet without authentication when the portal Web server is unreachable Usage guidelines You can enable both IPv4 and IPv6 portal authentication on an interface Therefore you can specify both an IPv4 portal Web server and an IPv6 portal Web server on th...

Page 283: ...er roles network admin mdc admin Parameters acl Enables strict checking on authorized ACLs user profile Enables strict checking on authorized user profiles This keyword is not supported in the current software version Usage guidelines A checking fails when the authorized ACL does not exist on the device or the ACL fails to be deployed Examples Enable strict checking on authorized ACLs on VLAN inte...

Page 284: ... portal device id Use portal device id to specify the device ID Use undo portal device id to restore the default Syntax portal device id device id undo portal device id Default A device is not configured with a device ID Views System view Predefined user roles network admin mdc admin Parameters device id Specifies a device ID for the device a case sensitive string of 1 to 63 characters Usage guide...

Page 285: ...sers domain name Specifies an ISP authentication domain by its name a case insensitive string of 1 to 255 characters Usage guidelines You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on an interface Do not specify the ipv6 keyword for IPv4 portal users Examples Specify the authentication domain as my domain for IPv4 portal users on VLAN interface 1...

Page 286: ...on mode You can enable both IPv4 and IPv6 portal authentication on an interface Do not add a portal authentication enabled Ethernet interface to an aggregation group Otherwise portal authentication cannot take effect on the interface Examples Enable direct IPv4 portal authentication on VLAN interface 100 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 portal enab...

Page 287: ...l permit for at most one portal authentication server and one portal Web server on an interface If you execute this command multiple times the most recent configuration takes effect Examples Enable portal fail permit for portal authentication server pts1 on VLAN interface 100 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 portal fail permit server pts1 Related c...

Page 288: ...only the authentication destination subnet takes effect Examples Configure an IPv4 portal authentication destination subnet of 11 11 11 0 24 on VLAN interface 2 Portal users need to pass authentication to access this subnet and can access other subnets without authentication Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 portal free all except destination 11 11 11 0...

Page 289: ...n which the portal free rule takes effect Usage guidelines You can specify both the source and destination keyword for a portal free rule If you specify only one keyword the other keyword does not act as a filtering criterion If you specify both a source port number and a destination port number for a portal free rule the two port numbers must belong to the same transport layer protocol If you do ...

Page 290: ...ee rule number The value range for this argument is 0 to 4294967295 destination Specifies the destination host host name Specifies the destination host by its name a case insensitive string of 1 to 253 characters Valid characters are letters digits hyphens underscores _ dots and asterisks The host name string cannot be ip and ipv6 all Specifies all portal free rules Usage guidelines You can config...

Page 291: ...source MAC address source interface and source VLAN Use undo portal free rule to delete a specific or all portal free rules Syntax portal free rule rule number source interface interface type interface number mac mac address vlan vlan id undo portal free rule rule number all Default No source based portal free rules exist Views System view Predefined user roles network admin mdc admin Parameters r...

Page 292: ... Interface view Predefined user roles network admin mdc admin Parameters ipv6 network address Specifies an IPv6 portal authentication destination subnet prefix length Specifies the prefix length of the IPv6 subnet in the range of 0 to 128 Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet except IP addresses and subnets s...

Page 293: ...ce subnets configured only packets from IPv6 users on the authentication source subnets can trigger portal authentication If an unauthenticated IPv6 user is not on any authentication source subnet the access device discards all the user s packets that do not match any portal free rule If you do not specify the ipv6 network address argument in the undo portal ipv6 layer3 source command this command...

Page 294: ...r within the idle time the device detects the user s online status as follows ICMPv6 detection Sends ICMPv6 requests to the user at configurable intervals to detect the user status If the device receives a reply within the maximum number of detection attempts it considers that the user is online and stops sending detection packets Then the device resets the idle timer and repeats the detection pro...

Page 295: ...4 portal authentication source subnet is configured Portal users from any IPv4 subnet must pass portal authentication Views Interface view Predefined user roles network admin mdc admin Parameters ipv4 network address Specifies an IPv4 portal authentication source subnet address mask length Specifies the subnet mask length of the IPv4 address in the range of 0 to 32 mask Specifies the subnet mask i...

Page 296: ...entication information with clients https Specifies the HTTPS based local portal Web service which uses HTTPS to exchange authentication information with clients ssl server policy policy name Specifies an existing SSL server policy for HTTPS The policy name is a case insensitive string of 1 to 31 characters tcp port port number Specifies the listening TCP port number for the HTTPS based local port...

Page 297: ...l Web service and enter its view Sysname system view Sysname portal local web server http Sysname portal local websvr http quit Create an HTTPS based local portal Web service and associate SSL server policy policy1 with the service Sysname system view Sysname portal local web server https ssl server policy policy1 Sysname portal local websvr https quit Change the SSL server policy to policy2 Sysna...

Page 298: ...e portal user log enable portal mac trigger server Use portal mac trigger server to create a MAC binding server and enter its view or enter the view of an existing MAC binding server Use undo portal mac trigger server to delete the MAC binding server Syntax portal mac trigger server server name undo portal mac trigger server server name Default No MAC binding servers exist Views System view Predef...

Page 299: ...tal number smaller than the number of current online portal users on the device this command still takes effect The online users are not affected by this command but the system forbids new portal users to log in This command sets the maximum number of online IPv4 and IPv6 portal users in all Make sure the total number of the maximum IPv4 and IPv6 portal users allowed on all interfaces does not exc...

Page 300: ...ion Guide If an interface is specified with a NAS ID profile the interface prefers to use the bindings defined in the profile If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile the device uses the device name as the interface NAS ID Examples Specify NAS ID profile aaa for VLAN interface 2 Sysname system view Sysname interface vlan interface ...

Page 301: ...cation of the access line on the BRAS Its format is NAS_slot NAS_subslot NAS_port XPI XCI Field Description NAS_slot Slot number of the BRAS in the range of 0 to 31 NAS_subslot Subslot number of the BRAS in the range of 0 to 31 NAS_Port Port number of the BRAS in the range of 0 to 63 XPI XCI For ATM interfaces XPI is VPI in the range of 0 to 255 XCI is VCI in the range of 0 to 65535 For Ethernet i...

Page 302: ...de id string are filled with 0s except for the ANI_XPI and ANI_XCI fields Examples of format 1 NAS Port Id Description atm 31 31 7 255 65535 0 0 0 0 0 0 The subscriber interface is an ATM interface The slot number is 31 the BRAS subslot number is 31 the BRAS port number is 7 the VPI is 255 and the VCI is 65535 eth 31 31 7 1234 2345 0 0 0 0 0 0 The subscriber interface is an Ethernet interface The ...

Page 303: ... Sysname portal nas port id format 1 portal outbound filter enable Use portal ipv6 outbound filter enable to enable outgoing packets filtering on a portal enabled interface Use undo portal ipv6 outbound filter enable to disable outgoing packets filtering on the portal enabled interface Syntax portal ipv6 outbound filter enable undo portal ipv6 outbound filter enable Default Outgoing packets filter...

Page 304: ...s question marks left angle brackets right angle brackets and at signs Usage guidelines After you configure a preauthentication domain on a portal enabled interface the device authorizes users on the interface as follows 1 After an unauthenticated user obtains an IP address the user is assigned authorization attributes such as ACL configured for the preauthentication domain An unauthenticated user...

Page 305: ... address users cannot trigger portal authentication Do not set the destination address to any If you set the destination address to any all packets will be permitted to pass and therefore users can access any resources before portal authentication Examples Create preauthentication domain abc for VLAN interface 1 Sysname system view Sysname interface vlan interface 1 Sysname Vlan interface1 portal ...

Page 306: ...ve existed and been correctly configured Examples Create IPv4 address pool abc for VLAN interface 100 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 portal pre auth ip pool abc Related commands dhcp server ip pool Layer 3 IP Services Command Reference display portal ipv6 dhcp pool Layer 3 IP Services Command Reference portal refresh enable Use portal refresh arp...

Page 307: ...fresh arp enable portal roaming enable Use portal roaming enable to enable portal roaming Use undo portal roaming enable to disable portal roaming Syntax portal roaming enable undo portal roaming enable Default Portal roaming is disabled An online portal user cannot roam in its VLAN Views System view Predefined user roles network admin mdc admin Usage guidelines Portal roaming applies only to port...

Page 308: ...for the portal authentication server IP address of the server Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server MPLS L3VPN where the portal authentication server resides Pre shared key for communication between the access device and the server Server detection feature You can configure multiple portal authentication servers for an...

Page 309: ...rocess when the timer expires If the device receives no reply after the maximum number of detection attempts the device logs out the user ARP detection Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals If the ARP entry of the user is refreshed within the maximum number of detection attempts the device considers that the user is online and stops d...

Page 310: ...4 portal users Usage guidelines With this feature enabled users with static IP addresses cannot pass portal authentication to get online To ensure that IPv6 users can pass portal authentication when this feature is enabled disable the temporary IPv6 address feature on terminal devices Otherwise IPv6 users will use temporary IPv6 addresses to access the IPv6 network and will fail portal authenticat...

Page 311: ...y Auto Discovery WPAD protocol to discover Web proxy servers you must perform the following tasks on the device Specify the port numbers of the Web proxy servers on the device Configure portal free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication If portal users enable Web proxy in their browsers the users must add the IP address of the port...

Page 312: ...r wbs and enter its view Sysname system view Sysname portal web server wbs Sysname portal websvr wbs Related commands display portal web server portal apply web server reset portal packet statistics Use reset portal packet statistics to clear packet statistics for portal authentication servers Syntax reset portal packet statistics server server name Views User view Predefined user roles network ad...

Page 313: ...d a trap message after detecting reachability status change of the portal authentication server to the NMS The trap message contains the name and the current state of the portal authentication server Usage guidelines The portal authentication server detection feature takes effect only when the device has a portal enabled interface To test server reachability by detecting heartbeat packets you must...

Page 314: ... send a log message after detecting reachability status change of the portal Web server The log message contains the name the original state and the current state of the portal Web server trap Configures the device to send a trap message after detecting reachability status change of the portal Web server to the NMS The trap message contains the name and the current state of the portal Web server U...

Page 315: ...he portal server type as IMC Usage guidelines Specify the portal server type on the device with the server type the device actually uses Examples Specify the type of portal authentication server as imc Sysname system view Sysname portal server pts Sysname portal server pts server type imc Specify the type of portal Web server as imc Sysname system view Sysname portal web server pts Sysname portal ...

Page 316: ...or HTTPS is the TCP port number set by the portal local web server command Views Local portal Web service view Predefined user roles network admin mdc admin Parameters port number Specifies the listening TCP port number in the range of 1 to 65535 Usage guidelines To use the local portal Web service make sure the port number in the portal Web server URL and the port number configured in this comman...

Page 317: ...o restore the default Syntax url url string undo url Default No URL is specified for a portal Web server Views Portal Web server view Predefined user roles network admin mdc admin Parameters url string Specifies a URL for the portal Web server a case sensitive string of 1 to 256 characters Usage guidelines This command specifies a URL that can be accessed through standard HTTP or HTTPS The URL sho...

Page 318: ...s determined by the following keyword you specify original url Specifies the URL of the original webpage that a portal user visits source address Specifies the user IP address source mac Specifies the user MAC address encryption Specifies the encryption algorithm to encrypt the MAC address of the user aes Specifies the AES algorithm des Specifies the DES algorithm key Specifies a key for encryptio...

Page 319: ...eter the redirection URL carries the encrypted value for the parameter Execute the url parameter usermac source mac encryption des key simple 12345678 command Then the access device sends to the user with MAC address 1111 1111 1111 the URL http www test com portal usermac xxxxxxxxx userip 1 1 1 1 userurl http www test co m welcome where xxxxxxxxx represents the encrypted user MAC address Examples ...

Page 320: ...ynchronization detection timeout configured on the access device Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server If you execute this command multiple times the most recent configuration takes effect For information of the users considered as nonexistent on the portal authentication server the device deletes the information af...

Page 321: ...c trigger server mts Sysname portal mac trigger server mts version 2 Related commands display portal mac trigger server portal mac trigger server vpn instance Use vpn instance to specify an MPLS L3VPN instance for a portal Web server Use undo vpn instance to restore the default Syntax vpn instance vpn instance name undo vpn instance Default A portal Web server belongs to the public network Views P...

Page 322: ...begins with http or https a string of 1 to 256 characters interval interval Specifies the time interval at which the user is redirected to the specified URL It is in the range of 60 to 86400 seconds The default interval is 86400 seconds Usage guidelines With Web direct enabled on an interface a user on the interface is first redirected to the specified URL before the user can access an external ne...

Page 323: ...mation for all ports Examples Display port security information for all ports Sysname display port security Global port security parameters Port security Enabled AutoLearn aging time 0 min Disableport timeout 20 s MAC move Denied Authorization fail Online NAS ID profile Not configured Dot1x failure trap Disabled Dot1x logon trap Disabled Dot1x logoff trap Enabled Intrusion trap Disabled Address le...

Page 324: ...1x failure trap Whether SNMP notifications for 802 1X authentication failures are enabled Dot1x logon trap Whether SNMP notifications for 802 1X authentication successes are enabled Dot1x logoff trap Whether SNMP notifications for 802 1X authenticated user logoffs are enabled Intrusion trap Whether SNMP notifications for intrusion protection are enabled If they are enabled the device sends SNMP no...

Page 325: ...ress Adds the source MAC address of the illegal packet to the blocked MAC address list DisablePort Shuts down the port that receives illegal packets permanently DisablePortTemporarily Shuts down the port that receives illegal packets for some time NoAction Does not perform intrusion protection Learning mode Secure MAC address learning mode Dynamic Sticky Aging type Secure MAC address aging type Pe...

Page 326: ... operator Parameters interface interface type interface number Specifies a port by its type and number vlan vlan id Specifies a VLAN by its ID The value range is 1 to 4094 count Displays only the count of the blocked MAC addresses Usage guidelines If you do not specify any parameters this command displays information about all blocked MAC addresses Examples In standalone mode Display information a...

Page 327: ... mdc operator Parameters interface interface type interface number Specifies a port by its type and number vlan vlan id Specifies a VLAN by its ID The value range is 1 to 4094 count Displays only the count of the secure MAC addresses Usage guidelines Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port security mac address security c...

Page 328: ...o not age out and this field displays Not aged Number of secure MAC addresses Number of secure MAC addresses stored Related commands port security mac address security port security access user log enable Use port security access user log enable to enable logging for port security users Use undo port security access user log enable to disable logging for port security users Syntax port security ac...

Page 329: ...w Layer 2 aggregate interface view Predefined user roles network admin mdc admin Usage guidelines This command enables access users 802 1X or MAC authentication users of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords Access users that come online in open authentication mode are called open users Authorization and accounting are not availa...

Page 330: ...sers 802 1X or MAC authentication users to come online and access the network even if they use nonexistent usernames or incorrect passwords Access users that come online in open authentication mode are called open users Authorization and accounting are not available for open users To display open user information use the following commands display dot1x connection open display mac authentication c...

Page 331: ...ion the server performs authorization based on the authorization attributes configured for the user account For example the server can assign a VLAN If you do not want the port to use such authorization attributes for users use this command to ignore the authorization information from the server Examples Configure Ten GigabitEthernet 1 0 1 to ignore the authorization information from the authentic...

Page 332: ...ation A user fails ACL authorization in the following situations The device fails to authorize the specified ACL to the user The server assigns a nonexistent ACL to the user If this feature is disabled the device does not log off users that fail ACL authorization However the device outputs messages to report the failure For the quiet period keyword to take effect complete the following tasks For 8...

Page 333: ...Sysname system view Sysname port security enable Related commands display port security dot1x dot1x port control dot1x port method mac authentication port security free vlan Use port security free vlan to configure free VLANs for port security Use undo port security free vlan to restore the default Syntax port security free vlan vlan id list undo port security free vlan vlan id list Default No fre...

Page 334: ...erLoginSecure macAddressOrUserLoginSecureExt macAddressElseUserLoginSecureExt Execute this command multiple times to specify multiple free VLANs for port security Examples Configure free VLANs for port security on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 port security free vlan 2 3 Related commands display port secur...

Page 335: ...isabled by the intrusion protection feature use the undo shutdown command Examples Configure Ten GigabitEthernet 1 0 1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 port security intrusion mode blockmac Related commands display port security d...

Page 336: ...the port security timer autolearn aging command This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses Examples Enable inactivity aging for secure MAC addresses on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 port security mac address aging type inactivity Related commands display port se...

Page 337: ...y to add a secure MAC address Use undo port security mac address security to remove a secure MAC address Syntax In Layer 2 Ethernet interface view port security mac address security sticky mac address vlan vlan id undo port security mac address security sticky mac address vlan vlan id In system view port security mac address security sticky mac address interface interface type interface number vla...

Page 338: ...these MAC addresses by using the undo port security mac address security command Change the port security mode Disable the port security feature You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type For example you cannot add the port security mac address security sticky 1 1 1 vlan 10 entry when a port security ma...

Page 339: ...cess a port through specific VLANs Use this command to prevent resource contentions among MAC addresses and ensure reliable performance for each access user on the port When the number of MAC addresses in a VLAN on the port reaches the upper limit the device denies any subsequent MAC addresses in the VLAN on the port Port security allows the access of the following types of MAC addresses MAC addre...

Page 340: ...t on the device the authentication session is deleted from the first port The user is reauthenticated on the new port If MAC move is disabled 802 1X or MAC users authenticated on one port cannot pass authentication after they move to another port 802 1X or MAC authenticated users cannot move between ports on a device if the number of online users on the authentication server local or remote has re...

Page 341: ...the port In any other mode that enables 802 1X MAC authentication or both this command sets the maximum number of authenticated MAC addresses on the port The actual maximum number of concurrent users that the port accepts equals the smaller of the following values The value set by using this command The maximum number of concurrent users allowed by the authentication mode in use For example in use...

Page 342: ...and VLAN bindings You can create a NAS ID profile by using the aaa nas id profile command The device selects a NAS ID profile for a port in the following order 1 The port specific NAS ID profile 2 The NAS ID profile applied globally If no NAS ID profile is applied or no matching binding is found in the selected profile the device uses the device name as the NAS ID Examples Apply NAS ID profile aaa...

Page 343: ...elines The NTK feature checks the destination MAC addresses in outbound frames This feature allows frames to be sent only to devices passing authentication preventing illegal devices from intercepting network traffic Examples Set the NTK mode of Ten GigabitEthernet 1 0 1 to ntkonly allowing the port to forward received packets only to devices passing authentication Sysname system view Sysname inte...

Page 344: ... port allows only one 802 1X user and one user whose MAC address matches one of the configured OUI values Examples Configure an OUI value of 000d2a and set the index to 4 Sysname system view Sysname port security oui index 4 mac address 000d 2a10 0033 Related commands display port security port security port mode Use port security port mode to set the port security mode of a port Use undo port sec...

Page 345: ...cation users to log in Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication Upon receiving an 802 1X frame the port performs MAC authentication and then if MAC authentication fails 802 1X authentication mac else userlogin se cure ext macAddressElseUse rLoginSecureExt Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 8...

Page 346: ...n this mode also permits frames from a user whose MAC address contains a specific OUI In this mode the port performs OUI check at first If the OUI check fails the port performs 802 1X authentication The port permits frames that pass OUI check or 802 1X authentication NOTE The autolearn secure and userlogin withoui keywords are not supported on Layer 2 aggregate interfaces Usage guidelines To chang...

Page 347: ...is keyword the command sets the aging timer in minutes for secure MAC addresses time value Specifies the aging timer The value range is 0 to 129600 if the unit is minute To disable the aging timer set the timer to 0 The value range is 10 to 7776000 if the unit is second Usage guidelines The timer applies to all sticky secure MAC addresses and those automatically learned by a port The effective agi...

Page 348: ...security timer disableport to restore the default Syntax port security timer disableport time value undo port security timer disableport Default The port silence period is 20 seconds Views System view Predefined user roles network admin mdc admin Parameters time value Specifies the silence period in seconds during which the port remains disabled The value is in the range of 20 to 300 Usage guideli...

Page 349: ...ication failures dot1x logoff Specifies notifications about 802 1X user logoffs dot1x logon Specifies notifications about 802 1X authentication successes intrusion Specifies notifications about illegal frame detection mac auth failure Specifies notifications about MAC authentication failures mac auth logoff Specifies notifications about MAC authentication user logoffs mac auth logon Specifies noti...

Page 350: ...335 Related commands display port security port security enable ...

Page 351: ...password control configuration Sysname display password control Global password control configurations Password control Disabled Password aging Enabled 90 days Password length Enabled 10 characters Password composition Enabled 1 types 1 characters per type Password history Enabled max history records 4 Early notice on password expiration 7 days Maximum login attempts 3 Action for exceeding login a...

Page 352: ... to log in after the specified number of attempts Minimum interval between two updates Minimum password update interval Logins with aged password Number of times and maximum number of days a user can log in using an expired password Password complexity Whether the following password complexity checking is enabled username checking Checks whether a password contains the username or the reverse of t...

Page 353: ...e IP address Login failures Lock flag abcd 169 168 34 1 4 lock admin 192 168 34 1 1 unlock Table 35 Command output Field Description Blacklist items matched Number of blacklisted users IP address IP address of the user Login failures Number of login failures Lock flag Whether the user account is locked for the user unlock Not limited lock Disabled temporarily or permanently depending on the passwo...

Page 354: ...d but the minimum password length restriction feature is disabled the following rules apply In non FIPS mode a password must contain a minimum of 4 characters and a minimum of 4 characters must be different In FIPS mode a password must contain a minimum of 15 characters and a minimum of 4 characters must be different Examples Enable the password control feature globally Sysname system view Sysname...

Page 355: ...ler application scope has higher priority The system prefers to use the password aging time in local user view for a local user If no password aging time is configured for the local user the system uses the password aging time for the user group to which the local user belongs If no password aging time is configured for the user group the system uses the global password aging time Examples Globall...

Page 356: ... their passwords changed by the administrator Examples Configure the device to notify a user about pending password expiration 10 days before the user s password expires Sysname system view Sysname password control alert before expire 10 Related commands display password control password control complexity Use password control complexity to configure the password complexity checking policy Use und...

Page 357: ...on scope has higher priority The system prefers to use the password complexity checking policy in local user view for a local user If no policy is configured for the local user the system uses the policy for the user group to which the local user belongs If no policy is configured for the user group the system uses the global policy You can enable both username checking and repeated character chec...

Page 358: ...d composition policy depends on the view The policy in system view has global significance and applies to all user groups The policy in user group view applies to all local users in the user group The policy in local user view applies only to the local user A password composition policy with a smaller application scope has higher priority The system prefers to use the password composition policy i...

Page 359: ... feature is disabled globally In FIPS mode The password control feature is enabled globally and cannot be disabled Views System view Predefined user roles network admin mdc admin Usage guidelines A specific password control feature takes effect only after the global password control feature is enabled After the global password control feature is enabled you cannot display the password and super pa...

Page 360: ...mes times Specifies the maximum number of times a user can log in after the password expires The value range is 0 to 10 To deny users to log in after the password expires set the value to 0 Usage guidelines This command is effective only on non FTP login users An FTP user cannot continue to log in after its password expires Examples Allow a user to log in five times within 60 days after the passwo...

Page 361: ...mmand to clear the passwords manually Examples Set the maximum number of history password records for each user to 10 Sysname system view Sysname password control history 10 Related commands display password control password control history enable reset password control blacklist password control length Use password control length to set the minimum password length Use undo password control length...

Page 362: ...he user group to which the local user belongs If no minimum password length is configured for the user group the system uses the global minimum password length Examples Set the global minimum password length to 16 characters Sysname system view Sysname password control length 16 Set the minimum password length to 16 characters for the user group test Sysname user group test Sysname ugroup test pas...

Page 363: ...n attempt Use password control login attempt to configure the login attempt limit The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached Use undo password control login attempt to restore the default Syntax password control login attempt login times exceed lock lock time time unlock undo password control login attempt Def...

Page 364: ...password control blacklist When the maximum number of consecutive login failures is reached the login attempt limit feature is triggered Whether a blacklisted user and user account are locked depends on the locking setting If a user account is permanently locked for a user the user cannot use this account unless this account is removed from the password control blacklist To remove the user account...

Page 365: ...trol blacklist The output shows that the user account is on the blacklist and its status is lock Sysname display password control blacklist Username test IP 192 168 44 1 Login failures 2 Lock flag lock Blacklist items matched 1 Verify that after 3 minutes the user account is removed from the password control blacklist and the user at 192 168 44 1 can use this account Related commands display local...

Page 366: ...contain a minimum of one character type and a minimum of one character for each type In FIPS mode A super password must contain a minimum of four character types and a minimum of one character for each type Views System view Predefined user roles network admin mdc admin Parameters type number type number Specifies the minimum number of character types that a super password must contain The value r...

Page 367: ...mum super password length is 10 characters In FIPS mode The minimum super password length is 15 characters Views System view Predefined user roles network admin mdc admin Parameters length Specifies the minimum length of super passwords in characters The value range for this argument is 4 to 63 in non FIPS mode and 15 to 63 in FIPS mode Examples Set the minimum length of super passwords to 16 char...

Page 368: ...6 hours Sysname system view Sysname password control update interval 36 Related commands display password control reset password control blacklist Use reset password control blacklist to remove blacklisted users Syntax reset password control blacklist user name user name Views User view Predefined user roles network admin mdc admin Parameters user name user name Specifies the username of a user ac...

Page 369: ... or all super passwords role role name Specifies a user role name a case sensitive string of 1 to 63 characters If you do not specify this option the command deletes the history records of all super passwords user name user name Specifies the username of the user whose password records are to be deleted The user name argument is a case sensitive string of 1 to 55 characters Usage guidelines If you...

Page 370: ...omes valid to Specifies the end time and date end time Specifies the end time in the HH MM SS format The value range for this argument is 0 0 0 to 23 59 59 end date Specifies the end date in the MM DD YYYY or YYYY MM DD format The value range for YYYY is 2000 to 2035 Usage guidelines A key becomes a valid accept key when the following requirements are met A key string has been configured An authen...

Page 371: ...onfigured the start time and the end time configured in the accept lifetime utc command are extended for the period of the tolerance time If authentication information is changed information mismatch occurs on the local and peer devices and the service might be interrupted Use this command to ensure continuous packet authentication Examples Set the tolerance time to 100 seconds for accept keys in ...

Page 372: ... key 1 of keychain abc in absolute time mode Sysname system view Sysname keychain abc mode absolute Sysname keychain abc key 1 Sysname keychain abc key 1 authentication algorithm md5 default send key Use default send key to specify a key in a keychain as the default send key Use undo default send key to restore the default Syntax default send key undo default send key Default No key in a keychain ...

Page 373: ...If you do not specify a keychain this command displays information about all keychains key key id Specifies a key by its ID in the range of 0 to 281474976710655 If you do not specify a key this command displays information about all keys in a keychain Examples Display information about all keychains Sysname display keychain Keychain name abc Mode absolute Accept tolerance 0 TCP kind value 254 TCP ...

Page 374: ...hm Default send key ID ID of the default send key The status for the key is displayed in parentheses Key string Key string in encrypted form Algorithm Authentication algorithm for the key hmac md5 hmac sha 256 md5 Send lifetime Sending lifetime for the key Send status Status of the send key Active or Inactive Accept lifetime Receiving lifetime for the key Accept status Status of the accept key Act...

Page 375: ...ains exist Views System view Predefined user roles network admin mdc admin Parameters keychain name Specifies a keychain name a case sensitive string of 1 to 63 characters mode Specifies a time mode absolute Specifies the absolute time mode In this mode each time point during a key s lifetime is the UTC time and is not affected by the system s time zone or daylight saving time Usage guidelines You...

Page 376: ...sitive string of 33 o 373 characters Usage guidelines If the length of a plaintext key exceeds the length limit supported by an application the application uses the supported length of the key to authenticate packets Examples Set the key string to 123456 in plaintext form for key 1 Sysname system view Sysname keychain abc mode absolute Sysname keychain abc key 1 Sysname keychain abc key 1 key stri...

Page 377: ...the following requirements are met A key string has been configured An authentication algorithm has been specified The system time is within the specified sending lifetime To make sure only one key in a keychain is used at a time to authenticate packets to a peer set non overlapping sending lifetimes for the keys in the keychain Examples Set the sending lifetime for key 1 of keychain abc in absolu...

Page 378: ...5 3 command on the local device Examples Create keychain abc and set the algorithm ID to 1 for the HMAC MD5 authentication algorithm Sysname system view Sysname keychain abc mode absolute Sysname keychain abc tcp algorithm id hmac md5 1 tcp kind Use tcp kind to set the kind value in the TCP Enhanced Authentication Option Use undo tcp kind to restore the default Syntax tcp kind kind value undo tcp ...

Page 379: ...364 Sysname system view Sysname keychain abc mode absolute Sysname keychain abc tcp kind 252 ...

Page 380: ...letters digits and hyphens If you do not specify a key pair this command displays the public keys of all local key pairs of the specified type Usage guidelines You can copy and distribute the public key of a local key pair to peer devices You cannot display a host public key that has the default key pair name by specifying the name key name option To view a host public key that has the default key...

Page 381: ...072A8648CE3804013082011F02818100D757262C4584C44C211F18BD 96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE...

Page 382: ...8CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B 1D Key name ecdsa1 Key type ECDSA Time when key pair created 15 43 33 2011 05 12 Key code 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58 4D Display the public key o...

Page 383: ...729497D0EAD9105E3E76A Display the public key of the local ECDSA key pair ecdsa1 Sysname display public key local ecdsa public name ecdsa1 Key name ecdsa1 Key type ECDSA Time when key pair created 15 43 33 2011 05 12 Key code 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58 4D Table 37 Command outpu...

Page 384: ... key peer command or the public key peer import sshkey command to configure a peer host public key on the local device Examples Display detailed information about the peer host public key idrsa Sysname display public key peer name idrsa Key name idrsa Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388 B3C9063EC6B53D395A6704D9752B6F9B7B...

Page 385: ...ore saving it If the key is not in the correct format the system discards the key and displays an error message If the key is valid for example the key was displayed by the display public key local public command the system saves the key Examples Exit public key view and save the configured peer host public key Sysname system view Sysname public key peer key1 Enter public key view Return to system...

Page 386: ... ecdsa Specifies the ECDSA key pair type secp192r1 Uses the secp192r1 curve to create a 192 bit ECDSA key pair The secp192r1 curve is used by default in non FIPS mode secp256r1 Uses the secp256r1 curve to create a 256 bit ECDSA key pair The secp256r1 curve is used by default in FIPS mode secp384r1 Uses the secp384r1 curve to create a 384 bit ECDSA key pair secp521r1 Uses the secp521r1 curve to cre...

Page 387: ...urs the system asks whether you want to overwrite the existing key pair The key pairs are automatically saved and can survive system reboots Table 41 A comparison of different types of asymmetric key algorithms Type Generated key pairs Modulus key length RSA In non FIPS mode One host key pair if you specify a key pair name One server key pair and one host key pair if you do not specify a key pair ...

Page 388: ...erating Keys Create the key pair successfully Create a local RSA key pair with the name rsa1 Sysname system view Sysname public key local create rsa name rsa1 The range of public key modulus is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Create a local DSA key...

Page 389: ...s CTRL C to abort Input the modulus length default 2028 Generating Keys Create the key pair successfully In FIPS mode create a local DSA key pair with the default name Sysname system view Sysname public key local create dsa The range of public key modulus is 2048 2048 It will take a few minutes Press CTRL C to abort Input the modulus length default 2028 Create the key pair successfully Related com...

Page 390: ...s see Security Configuration Guide Examples Destroy the local RSA key pairs with the default names Sysname system view Sysname public key local destroy rsa Confirm to destroy the key pair Y N y Destroy the local DSA key pair with the default name Sysname system view Sysname public key local destroy dsa Confirm to destroy the key pair Y N y Destroy the local ECDSA key pair with the default name Sys...

Page 391: ...e guidelines You can use this command to export a local DSA host public key before distributing it to a peer device To distribute a local DSA host public key to a peer device 1 Save the exported local host public key to a file by using one of the following methods Use the public key local export dsa name key name openssh ssh2 command to export the local host public key and then copy and paste the ...

Page 392: ...f the local DSA key pair dsa1 in OpenSSH format to the file dsa1 pub Sysname system view Sysname public key local export dsa name dsa1 openssh dsa1 pub Display the host public key of the local DSA key pair dsa1 in SSH 2 0 format Sysname system view Sysname public key local export dsa name dsa1 ssh2 BEGIN SSH2 PUBLIC KEY Comment dsa key 2011 05 12 AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9 5...

Page 393: ...me this command displays the key on the monitor screen Usage guidelines You can use this command to export a local ECDSA host public key before distributing it to a peer device To distribute a local ECDSA host public key to a peer device 1 Save the exported ECDSA host public key to a file by using one of the following methods Use the public key local export ecdsa name key name openssh ssh2 command...

Page 394: ...t sshkey public key local export rsa Use public key local export rsa to export a local RSA host public key Syntax In non FIPS mode public key local export rsa name key name openssh ssh1 ssh2 filename In FIPS mode public key local export rsa name key name openssh ssh2 filename Views System view Predefined user roles network admin mdc admin Parameters name key name Specifies a local RSA key pair by ...

Page 395: ...H Examples Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key pub Sysname system view Sysname public key local export rsa openssh key pub Display the host public key of the local RSA key pair with the default name in SSH 2 0 format Sysname system view Sysname public key local export rsa ssh2 BEGIN SSH2 PUBLIC KEY Comment rsa key 2011 05 12 ...

Page 396: ...delete a peer host public key Syntax public key peer keyname undo public key peer keyname Default No peer host public keys exist Views System view Predefined user roles network admin mdc admin Parameters keyname Specifies a key name a case sensitive string of 1 to 64 characters Usage guidelines After you execute this command to enter the public key view type the public key Spaces and carriage retu...

Page 397: ...me Specifies a public key file by its name a case insensitive string The name cannot be all dots hostkey serverkey dsakey or ecdsakey and cannot start with a slash or contain and The file name can contain 1 to 128 characters For more information about file names see Fundamentals Configuration Guide Usage guidelines After you configure this command the system automatically transforms the host publi...

Page 398: ...383 Related commands display public key peer public key local export dsa public key local export ecdsa public key local export rsa ...

Page 399: ... Predefined user roles network admin mdc admin Parameters id Specifies a rule ID in the range of 1 to 16 alt subject name Specifies the alternative subject name field fqdn Specifies the FQDN attribute ip Specifies the IP address attribute dn Specifies the DN attribute issuer name Specifies the issuer name field subject name Specifies the subject name field ctn Specifies the contain operation equ S...

Page 400: ... subject name field of the certificate contains the DN attribute The DN attribute value contains the abc string A certificate matches an attribute group if it matches all attribute rules in the group Examples Create a certificate attribute group and enter its view Sysname system view Sysname pki certificate attribute group mygroup Configure an attribute rule to match certificates that contain the ...

Page 401: ...Sysname system view Sysname pki domain aaa Sysname pki domain aaa ca identifier new ca certificate request entity Use certificate request entity to specify the PKI entity for certificate request Use undo certificate request entity to restore the default Syntax certificate request entity entity name undo certificate request entity Default No PKI entity is specified for certificate request Views PKI...

Page 402: ...e request from to restore the default Syntax certificate request from ca ra undo certificate request from Default The type of certificate request reception authority is not specified Views PKI domain view Predefined user roles network admin mdc admin Parameters ca Sends certificate requests to the CA ra Sends certificate requests to the RA Usage guidelines The CA server determines whether the CA o...

Page 403: ...est can be submitted to a CA in offline or online mode In online mode a certificate request can be automatically or manually submitted Auto request mode A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist An associated application IKE for example performs identity authentication No certificate is available fo...

Page 404: ...ueries the CA server for the certificate request status The periodic query operation stops until the PKI entity obtains the certificate or the maximum number of query attempts is reached If the maximum number of query attempts is reached the certificate request fails If the CA server automatically approves certificate requests the PKI entity can obtain the certificate immediately after it submits ...

Page 405: ...ot specify this option Usage guidelines The certificate request URL contains the location of the certificate request reception authority server and the path of the application script on the server in the format http server_location cgi_script_location Examples Set the certificate request URL to http 169 254 0 1 certsrv mscep mscep dll Sysname system view Sysname pki domain a Sysname pki domain a c...

Page 406: ...untry code of a PKI entity Use undo country to restore the default Syntax country country code string undo country Default No country code is set for a PKI entity Views PKI entity view Predefined user roles network admin mdc admin Parameters country code string Specifies a country code a case sensitive string of two characters Examples Set the country code to CN for PKI entity en Sysname system vi...

Page 407: ...check enable Related commands pki import pki retrieve certificate pki validate certificate crl url Use crl url to specify the URL of the CRL repository Use undo crl url to restore the default Syntax crl url url string vpn instance vpn instance name undo crl url Default The URL of the CRL repository is not specified Views PKI domain view Predefined user roles network admin mdc admin Parameters url ...

Page 408: ...device must connect to the LDAP server to obtain the CRL If the LDAP URL does not contain the address of the LDAP server use the ldap server command to configure the server address in the PKI domain Examples Set the URL of the CRL repository to http 169 254 0 30 Sysname system view Sysname pki domain aaa Sysname pki domain aaa crl url http 169 254 0 30 Set the URL of the CRL repository to ldap 169...

Page 409: ...le 1 deny mygroup1 Rule 2 permit mygroup2 Access control policy name mypolicy2 Rule 1 deny mygroup3 Rule 2 permit mygroup4 Table 43 Command output Field Description Total PKI certificate access control policies Total number of certificate based access control policies permit Permit certificates that match the attribute group in the access control rule deny Deny certificates that match the attribut...

Page 410: ...roup1 Attribute 1 subject name dn ctn abc Attribute 2 issuer name fqdn nctn app Attribute group name mygroup2 Attribute 1 subject name dn ctn def Attribute 2 issuer name fqdn nctn fqd Table 44 Command output Field Description Total PKI certificate attribute groups Total number of certificate attribute groups ctn Contain operation nctn Not contain operation equ Equal operation nequ Not equal operat...

Page 411: ... the CA certificate local Specifies the local certificates peer Specifies the peer certificates serial serial num Specifies the serial number of a peer certificate Usage guidelines If you specify the CA keyword this command displays information about all CA certificates in the domain If the domain has RA certificates the RA certificates are also displayed If you specify the local keyword this comm...

Page 412: ...e Algorithm sha1WithRSAEncryption 6d b1 4e d7 ef bb 1d 67 53 67 d0 8f 7c 96 1d 2a 03 98 3b 48 41 08 a4 8f a9 c1 98 e3 ac 7d 05 54 7c 34 d5 ee 09 5a 11 e3 c8 7a ab 3b 27 d7 62 a7 bb bc 7e 12 5e 9e 4c 1c 4a 9f d7 89 ca 20 46 de c5 b3 ce 36 ca 5e 6e dc e7 c6 fe 3f c5 38 dd d5 a3 36 ad f4 3d e6 32 7f 48 df 07 f0 a2 32 89 86 72 22 cd ed e5 0f 95 df 9c 75 71 e7 fe 34 c5 a0 64 1c f0 5c e4 8f d3 00 bd fa ...

Page 413: ...C4 D0 10 C2 A1 C2 99 AF A5 CB 30 X509v3 Authority Key Identifier keyid DF D2 C9 1A 06 1F BC 61 54 39 FE 12 C4 22 64 EB 57 3B 11 9F X509v3 Subject Alternative Name email fips ccc com X509v3 Issuer Alternative Name email pki openca org Authority Information Access CA Issuers URI http titan pki pub cacert cacert crt OCSP URI http titan 2560 1 3 6 1 5 5 7 48 12 URI http titan 830 X509v3 CRL Distributi...

Page 414: ... Serial Number 9a 03 37 eb 21 56 ba 1f 54 76 e4 d7 54 a5 a9 f7 Signature Algorithm sha1WithRSAEncryption Issuer C cn O ccc OU sec CN ssl Validity Not Before Oct 15 01 23 06 2010 GMT Not After Jul 26 06 30 54 2012 GMT Subject CN sldsslserver Subject Public Key Info Public Key Algorithm rsaEncryption Public Key 1024 bit Modulus 00 c2 cf 37 76 93 29 5e cd 0e 77 48 3a 4d 0f a6 28 a4 60 f8 31 56 28 7f ...

Page 415: ... 07 1a 42 df 72 ad 07 7d e5 16 d6 75 eb 6e 06 58 ee 76 31 63 db 96 a2 ad 83 b6 bb ba 4b 79 59 9d 59 6c 77 59 5b d9 07 33 a8 f0 a5 Related commands pki domain pki retrieve certificate display pki certificate request status Use display pki certificate request status to display certificate request status Syntax display pki certificate request status domain domain name Views Any view Predefined user r...

Page 416: ...uest status Certificate Request Transaction 1 Domain name domain1 Status Pending Key usage General Remain polling attempts 10 Next polling attempt after 1191 seconds Certificate Request Transaction 2 Domain name domain2 Status Pending Key usage Signature Remain polling attempts 10 Next polling attempt after 188 seconds Table 47 Command output Field Description Certificate Request Transaction numbe...

Page 417: ...me cannot contain the special characters listed in Table 48 Table 48 Special characters Character name Symbol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vertical bar Quotation marks Colon Apostrophe Usage guidelines Use this command to determine whether a certificate has been revoked Examples Display information about the CRL saved at the local for PK...

Page 418: ...1 7c 77 d9 00 0f 9e 99 03 65 9e 0c 9c 16 22 ef 4a 40 ec 59 40 60 53 4a fc 8e 47 57 23 e0 75 0a a4 1c 0e 2f 3d e0 b2 87 4d 61 8a 4a cb cb 37 af 51 bd 53 78 76 a1 16 3d 0b 89 01 91 61 52 d0 6f 5c 09 59 15 be b8 68 65 0c 5d 1b a1 f8 42 04 ba aa Table 49 Command output Field Description Version CRL version number Signature Algorithm Signature algorithm used by the CA to sign the CRL Issuer Name of the...

Page 419: ...I entity en Sysname system view Sysname pki entity en Sysname pki entity en fqdn abc pki domain com ip Use ip to assign an IP address to a PKI entity Use undo ip to restore the default Syntax ip ip address interface interface type interface number undo ip Default No IP address is assigned to the PKI entity Views PKI entity view Predefined user roles network admin mdc admin Parameters ip address Sp...

Page 420: ...st hostname Specifies an LDAP server by its IPv4 address IPv6 address or domain name The domain name is a case sensitive string of 1 to 255 characters port port number Specifies the port number of the LDAP server The value range is 1 to 65535 and the default is 389 vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If the LDAP ...

Page 421: ...restore the default Syntax locality locality name undo locality Default No locality is set for a PKI entity Views PKI entity view Predefined user roles network admin mdc admin Parameters locality name Specifies a locality a case sensitive string of 1 to 63 characters No comma can be included You can set a city name as the locality Examples Set the locality to pukras for PKI entity en Sysname syste...

Page 422: ...e for a PKI entity Use undo organization unit to restore the default Syntax organization unit org unit name undo organization unit Default No organization unit name is set for a PKI entity Views PKI entity view Predefined user roles network admin mdc admin Parameters org unit name Specifies an organization unit name a case sensitive string of 1 to 63 characters No commas can be included Examples S...

Page 423: ...fore the CA issues the certificate Use the display pki certificate request status command to display the certificate request status Examples Abort the certificate request for PKI domain 1 Sysname system view Sysname pki abort certificate request domain 1 The certificate request is in process Confirm to abort it Y N y Related commands display pki certificate request status pki request certificate d...

Page 424: ...em view Sysname pki certificate access control policy mypolicy Sysname pki cert acp mypolicy Related commands display pki certificate access control policy rule pki certificate attribute group Use pki certificate attribute group to create a certificate attribute group and enter its view or enter the view of an existing certificate attribute group Use undo pki certificate attribute group to remove ...

Page 425: ...ysname pki certificate attribute group mygroup Sysname pki cert attribute group mygroup Related commands attribute display pki certificate attribute group rule pki delete certificate Use pki delete certificate to remove certificates from a PKI domain Syntax pki delete certificate domain domain name ca local peer serial serial num Views System view Predefined user roles network admin mdc admin Para...

Page 426: ...tificates and CRL will also be deleted while deleting the CA certificate Confirm to delete the CA certificate Y N y Sysname Remove the local certificates in PKI domain aaa Sysname system view Sysname pki delete certificate domain aaa local Sysname Remove all peer certificates in PKI domain aaa Sysname system view Sysname pki delete certificate domain aaa peer Sysname Display information about all ...

Page 427: ...angle bracket Vertical bar Quotation marks Colon Apostrophe Usage guidelines When you remove a PKI domain the certificates and the CRL in the domain are also removed Examples Create a PKI domain named aaa and enter its view Sysname system view Sysname pki domain aaa Sysname pki domain aaa pki entity Use pki entity to create a PKI entity and enter its view or enter the view of an existing PKI entit...

Page 428: ...rtificates in a PKI domain Syntax pki export domain domain name der all ca local filename filename pki export domain domain name p12 all local passphrase p12 key filename filename pki export domain domain name pem all local 3des cbc aes 128 cbc aes 192 cbc aes 256 cbc des cbc pem key ca filename filename Views System view Predefined user roles network admin mdc admin Parameters domain name Specifi...

Page 429: ... local file the local file name might be different from the file name specified in the command The file name depends on the usage of the key pair contained in the certificate The following example uses certificate as the file name for saving an exported local certificate If the local certificate contains an RSA signing key pair the local file name is certificate signature If the local certificate ...

Page 430: ...ert lo der Export all certificates in the PKI domain to a file named cert all p7b in DER format Sysname system view Sysname pki export domain domain1 der all filename cert all p7b Export the CA certificate in the PKI domain to a file named cacert in PEM format Sysname system view Sysname pki export domain domain1 pem ca filename cacert Export the local certificates and their private keys in the PK...

Page 431: ...DNd no0id18SZidApfCZL8zoMWEFI163JZSarv H5Kbb063dxXfbsqX9Noxggh0gD8dK 7X7 rTJuuhTWVof5gxSUJp aCCdvSKg0lvJY tJeXoaznrINVw3SuXJ Ax8GEw END CERTIFICATE Bag Attributes friendlyName localKeyID 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes No Attributes BEGIN ENCRYPTED PRIVATE KEY MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIAbfcE KoYYoCAggA MBEGBSsOAwIHBAjB UsJM07JRQSCAoA...

Page 432: ...cmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6 Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD VR0fBDUwMzAxoC gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b n4v F36sJjY1fRFSr4gPLIxZhPWhTrqsCd QMELRCDNHDxvt3 1NEG12 X6BVjLcKXKH EQe0fn...

Page 433: ...CHCvKHfTJr4gVSSa7i4I aQ6AItrI6q99WlkN e IE5U1UE4ZhcsIiFJG IvG7S8 f9liWQ2CImy hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs HVSg0nm114EwPtPMMbHefcuQ6b82y1M dWfVxBN9K03lN4tZNfPWwLSRrPvjUzBG dKtjf3 IFdV7 tUMy9JJSpt4iFt1h7SZPcOoGp1ZW YUR30I7YnFE 9Yp 46KWT8 bk7j0STRnZX xMy 9E52uHkLdW1ET3TXralLMYt 4jg4M0jUvoi3GS2Kbo czsUn gKgqwYnxVfRSvt8d6GBYrpF2tMFS9LEyngPKXExd m4mAryuT5PhdFTkb1B190Lp UIBjk3IXnr...

Page 434: ...EGIN CERTIFICATE MIIB8DCCAVkCEQD2PBUx rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG cm9mdcGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz dydIDTx0 zVZDdPxF1gQYWSfIBwwFKJEyQ 4y8VIfDIm0EGTM4dsOX QFwudhl Czk...

Page 435: ...ame filename Views System view Predefined user roles network admin mdc admin Parameters domain name Specifies a PKI domain by its name a case insensitive string of 1 to 31 characters The domain name cannot contain the special characters listed in Table 54 Table 54 Special characters Character name Symbol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vert...

Page 436: ... CA certificate chain but the CA certificate already exists in a PKI domain you can directly import the certificates You can import the CA certificate to a PKI domain when either of the following conditions is met The CA certificate to be imported is the root CA certificate or contains the certificate chain with the root certificate The CA certificate contains a certificate chain without the root ...

Page 437: ...oes not contain the root certificate Sysname system view Sysname pki import domain bbb pem ca filename aca_pem cer Sysname Import local certificate file local ca p12 in PKCS12 format to PKI domain bbb The certificate file contains a key pair Sysname system view Sysname pki import domain bbb p12 local filename local ca p12 Please input challenge password Sysname Import the local certificate in PEM ...

Page 438: ...185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH BAQDAgP4MBEGCWCG SAGG EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb 3cJ X5iDt8eg JkeS9cvJjA BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD gYEAYS15x0kW474lu4twNzEy5dPjMSwtwfm UK01S8GQjGV5tl9ZNiTHFGNEFx7k zxBp JPpcFM8hapAfrVHd...

Page 439: ...rt key Related commands display pki certificate public key dsa public key ecdsa public key rsa pki request certificate Use pki request certificate to submit a local certificate request or generate a certificate request in PKCS 10 format Syntax pki request certificate domain domain name password password pkcs10 filename filename Views System view Predefined user roles network admin mdc admin Parame...

Page 440: ...ot saved in the configuration file Examples Display information about the certificate request in PKCS 10 format Sysname system view Sysname pki request certificate domain aaa pkcs10 Request for general certificate BEGIN NEW CERTIFICATE REQUEST MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5 ALx3LJijB3d ndKpcHT DfbJVD...

Page 441: ...n already has local certificates or peer certificates you can still perform the obtain operation and the obtained local certificates or peer certificates overwrite the existing ones If RSA is used a PKI domain can have two local certificates one for signing and the other for encryption Certificates for different purposes do not overwrite each other The obtained CA certificate local certificates an...

Page 442: ... the CRL repository is specified by using the crl url command The device can obtain CRLs from the CRL repository through the HTTP LDAP or SCEP protocol Which protocol is used depends on the configuration of the CRL repository in the PKI domain If the specified URL of the CRL repository is in HTTP format the device obtains CRLs through the HTTP protocol If the specified URL of the CRL repository is...

Page 443: ...Specifies a storage path for CRLs dir path Specifies a storage path a case sensitive string which cannot start with a slash or contain two dots plus a slash The dir path argument specifies an absolute path or a relative path and the path must exist Usage guidelines In standalone mode The specified storage path must be on the active MPU In IRF mode The specified storage path must be on the global a...

Page 444: ... guidelines Generally certificates are automatically verified when you request obtain or import them or when an application uses PKI You can also use this command to manually verify a certificate in the following aspects Whether the certificate is issued by a trusted CA Whether the certificate has expired Whether the certificate is revoked This check is performed only if CRL checking is enabled Wh...

Page 445: ...cate Serial Number 5c 72 dc c4 a5 43 cd f9 32 b9 c1 90 8f dd 50 f6 Issuer C cn O ccc OU ppp CN rootca Subject C cn O ccc OU ppp CN rootca Verify result OK Verify the local certificates in PKI domain aaa Sysname system view Sysname pki validate certificate domain aaa local Verifying certificate Serial Number bc 05 70 1f 0e da 0d 10 16 1e Issuer C CN O sec OU software CN bca Subject O OpenCA Labs OU...

Page 446: ...nexistent key pair in this command A key pair can be obtained in any of the following ways Use the public key local create command to generate a key pair An application triggers the device to generate a key pair Use the pki import command to import a certificate containing a key pair A PKI domain can have key pairs using only one type of cryptographic algorithm DSA ECDSA or RSA If you configure a ...

Page 447: ...hens secp192r1 Uses the secp192r1 curve to generate the key pair The secp192r1 curve is used by default in non FIPS mode secp256r1 Uses the secp256r1 curve to generate the key pair The secp256r1 curve is used by default in FIPS mode secp384r1 Uses the secp384r1 curve to generate the key pair secp521r1 Uses the secp521r1 curve to generate the key pair Usage guidelines You can specify a nonexistent ...

Page 448: ... key name length key length undo public key Default No key pair is specified for certificate request Views PKI domain view Predefined user roles network admin mdc admin Parameters encryption Specifies a key pair for encryption name encryption key name Specifies a key pair name a case insensitive string of 1 to 64 characters The key pair name can contain only letters digits and hyphens signature Sp...

Page 449: ...e will automatically create the key pair by using the specified name and length before submitting a certificate request The length key length option is ignored if the specified key pair already exists or is already contained in an imported certificate Examples Specify 2048 bit general purpose RSA key pair abc for certificate request Sysname system view Sysname pki domain aaa Sysname pki domain aaa...

Page 450: ...do not match or if no fingerprint is configured in the PKI domain the device rejects the CA certificate and the local certificate request fails The fingerprint configured by this command is also used for root CA certificate verification when the device performs the following operations Imports the CA certificate as requested by the pki import command Obtains the CA certificate as requested by the ...

Page 451: ... certificates that match the associated attribute group group name Specifies a certificate attribute group by its name a case insensitive string of 1 to 31 characters Usage guidelines When you create an access control rule you can associate it with a nonexistent certificate attribute group The system determines that a certificate matches an access control rule when either of the following conditio...

Page 452: ...address Specifies a source IPv4 address ipv6 ip address Specifies a source IPv6 address interface interface type interface number Specifies an interface by its type and number The interface s primary IP address or the lowest IPv6 address will be used as the source IP address for PKI protocol packets Usage guidelines Use this command to specify the source IP address for PKI protocol packets You can...

Page 453: ...he state or province name for a PKI entity Use undo state to restore the default Syntax state state name undo state Default No state name or province name is set for a PKI entity Views PKI entity view Predefined user roles network admin mdc admin Parameters state name Specifies a state or province by its name a case sensitive string of 1 to 63 characters No comma can be included Examples Set the s...

Page 454: ...l server Specifies the SSL server certificate extension so the SSL server can use the certificates Usage guidelines If you do not specify any keywords for the undo usage command this command removes all certificate extensions The extension options contained in a certificate depends on the CA policy and might be different from those specified in the PKI domain Examples Specify the SSL client certif...

Page 455: ...dc admin mdc operator Parameters session Specifies the SSH server sessions status Specifies the SSH server status Examples Display the SSH server status Sysname display ssh server status Stelnet server Disable SSH version 2 0 SSH authentication timeout 60 second s SSH server key generating interval 0 hour s SSH authentication retries 3 time s SFTP server Disable SFTP server Idle Timeout 10 minute ...

Page 456: ...crypt State Retries Serv Username 184 0 2 0 aes128 cbc Established 1 Stelnet abc 123 Table 60 Command output Field Description UserPid User process ID SessID Session ID Ver Protocol version of the SSH server Encrypt Encryption algorithm used on the SSH server State Session state Init Initialization Ver exchange Version negotiation Keys exchange Key exchange Auth request Authentication request Serv...

Page 457: ...tal ssh users 2 Username Authentication type User public key name Service type yemx password Stelnet SFTP test publickey pubkey SFTP Table 61 Command output Field Description Total ssh users Total number of SSH users Authentication type Authentication methods Password authentication Publickey authentication Password publickey authentication Any authentication User public key name Public key name o...

Page 458: ... user process ID of an SSH session use the display ssh server session command username username Specifies the username of the SSH session to be disconnected To view the username of an SSH session use the display ssh server session command Examples Disconnect the SSH sessions with user IPv4 address 192 168 15 45 Sysname free ssh user ip 192 168 15 45 Releasing SSH connection Continue Y N y Disconne...

Page 459: ... disable the SFTP server Syntax sftp server enable undo sftp server enable Default The SFTP server is disabled Views System view Predefined user roles network admin mdc admin Examples Enable the SFTP server Sysname system view Sysname sftp server enable Related commands display ssh server sftp server idle timeout Use sftp server idle timeout to set the idle timeout timer for SFTP connections on an...

Page 460: ...SFTP connections Sysname system view Sysname sftp server idle timeout 500 Related commands display ssh server ssh server acl Use ssh server acl to specify an ACL to control IPv4 SSH connections to the server Use undo ssh server acl to restore the default Syntax ssh server acl advanced acl number basic acl number mac mac acl number undo ssh server acl Default No ACLs are specified and all IPv4 SSH ...

Page 461: ...ts that are denied by the SSH login control ACL Use undo ssh server acl deny log enable to disable logging for SSH login attempts that are denied by the SSH login control ACL Syntax ssh server acl deny log enable undo ssh server acl deny log enable Default Logging is disabled for SSH login attempts that are denied by the SSH login control ACL Views System view Predefined user roles network admin m...

Page 462: ... attempts prevents malicious hacking of usernames and passwords If the total number of authentication attempts exceeds the upper limit specified in this command further authentication is not allowed For any authentication an authentication attempt is a publickey or password authentication process For password publickey authentication an authentication attempt contains both a publickey authenticati...

Page 463: ...delines If a user does not finish the authentication when the timeout timer expires the connection cannot be established To prevent malicious occupation of TCP connections set the authentication timeout timer to a small value Examples Set the authentication timeout timer to 10 seconds for SSH users Sysname system view Sysname ssh server authentication timeout 10 Related commands display ssh server...

Page 464: ...lay ssh server ssh server dscp Use ssh server dscp to set the DSCP value in the IPv4 SSH packets that the SSH server sends to SSH clients Use undo ssh server dscp to restore the default Syntax ssh server dscp dscp value undo ssh server dscp Default The DSCP value is 48 in IPv4 SSH packets Views System view Predefined user roles network admin mdc admin Parameters dscp value Specifies the DSCP value...

Page 465: ... ipv6 acl Use ssh server ipv6 acl to specify an ACL to control IPv6 SSH connections to the server Use undo ssh server ipv6 acl to restore the default Syntax ssh server ipv6 acl ipv6 advanced acl number basic acl number mac mac acl number undo ssh server ipv6 acl Default No ACLs are specified and all IPv6 SSH clients can initiate SSH connections to the server Views System view Predefined user roles...

Page 466: ...acl6 ipv6 basic 2001 rule permit source 1 1 64 Sysname acl6 ipv6 basic 2001 quit Sysname ssh server ipv6 acl ipv6 2001 Related commands display ssh server ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 SSH packets that the SSH server sends to SSH clients Use undo ssh server ipv6 dscp to restore the default Syntax ssh server ipv6 dscp dscp value undo ssh server ipv6...

Page 467: ...name is a case insensitive string of 1 to 31 characters excluding characters listed in Table 62 Table 62 Invalid characters for a PKI domain name Character name Symbol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vertical bar Quotation marks Colon Apostrophe Examples Specify PKI domain serverpkidomain for the SSH server Sysname system view Sysname ssh s...

Page 468: ...name system view Sysname ssh server port 1025 ssh server rekey interval Use ssh server rekey interval to set the minimum interval for updating the RSA server key pair Use undo ssh server rekey interval to restore the default Syntax ssh server rekey interval interval undo ssh server rekey interval Default The minimum interval for updating the RSA server key pair is 0 hours The system does not updat...

Page 469: ...e an SSH user Syntax In non FIPS mode ssh user username service type all netconf scp sftp stelnet authentication type password any password publickey publickey assign pki domain domain name publickey keyname 1 6 undo ssh user username In FIPS mode ssh user username service type all netconf scp sftp stelnet authentication type password password publickey assign pki domain domain name publickey keyn...

Page 470: ...lic keys in advance publickey keyname 1 6 Specifies a space separated list of up to six SSH client public keys The keyname argument represents the SSH client s public key configured on the server It is a case sensitive string of 1 to 64 characters The server uses the client s public key to check the validity of the client If the public key file of the client is changed you must update the client s...

Page 471: ...thentication for login The server uses the PKI domain of its own certificate to verify the client s certificate The command configuration does not affect logged in users It affects only users that attempt to log in after the configuration Examples Create an SSH user named user1 Specify the service type as sftp and the authentication method as password publickey for the user Assign the host public ...

Page 472: ...th Views SFTP client view Predefined user roles network admin mdc admin Parameters remote path Specifies the name of a directory on the server Usage guidelines You can use the cd command to return to the upper level directory You can use the cd command to return to the root directory of the system Examples Change the working directory to new1 sftp cd new1 Current Directory is new1 sftp pwd Remote ...

Page 473: ...tax delete remote file Views SFTP client view Predefined user roles network admin mdc admin Parameters remote file Specifies a file by its name Usage guidelines This command has the same function as the remove command Examples Delete file temp c from the SFTP server sftp delete temp c Removing temp c delete ssh client server public key Use delete ssh client server public key to delete server publi...

Page 474: ... user roles network admin mdc admin Parameters a Displays detailed information about files and subdirectories under a directory in a list including the files and subdirectories with names starting with dots l Displays detailed information about the files and subdirectories under a directory in a list excluding the files and subdirectories with names starting with dots remote path Specifies the nam...

Page 475: ...r the SFTP client Syntax display sftp client source Views Any view Predefined user roles network admin network operator mdc admin mdc operator Examples Display the source IP address configured for the SFTP client Sysname display sftp client source The source IP address of the SFTP client is 192 168 0 1 The source IPv6 address of the SFTP client is 2 2 2 2 Related commands sftp client ipv6 source s...

Page 476: ...10 153 124 209 Key type ecdsa sha2 nistp256 Key length 256 Key code AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOGpJfwJExK eYb53KKqmrZ0V XnYZKZEchyN9ax1IBt toIXHeW5NfBE5ymeklPSNgQNhcndkU 422fT15UmgM Server address 2 2 2 1 Key type rsa Key length 1024 Key code AAAAB3NzaC1yc2EAAAADAQABAAAAgQDIUrHbeLx W7xElB1Ny3zeA8 uV9K6sj1p dSlhx5XcOatdNMoD sioYgSsy9IxKZPqBs vadqx wCCB5 T2GLLu2qgaT0P9J v ...

Page 477: ...source IP address configured for the Stelnet client Syntax display ssh client source Views Any view Predefined user roles network admin network operator mdc admin mdc operator Examples Display the source IP address configured for the Stelnet client Sysname display ssh client source The source IP address of the SSH client is 192 168 0 1 The source IPv6 address of the SSH client is 2 2 2 2 Related c...

Page 478: ...meters remote file Specifies the name of a file on the SFTP server local file Specifies the name for the local file If you do not specify this argument the file will be saved locally with the same name as the file on the SFTP server Examples Download file temp1 c and save it as temp c locally sftp get temp1 c temp c Fetching temp1 c to temp c temp c 100 1424 1 4KB s 00 00 help Use help to display ...

Page 479: ...e specific information of the file mkdir path Create remote directory put local path remote path Upload file pwd Display remote working directory quit Quit sftp rename oldpath newpath Rename remote file remove path Delete remote file rmdir path Delete remote empty directory Synonym for help ls Use ls to display information about the files and subdirectories under a directory Syntax ls a l remote p...

Page 480: ...rwxrwxrwx 2 1 1 512 Dec 18 14 12 rwxrwxrwx 1 1 1 301 Dec 18 14 11 010 pub rwxrwxrwx 1 1 1 301 Dec 18 14 12 011 pub rwxrwxrwx 1 1 1 301 Dec 18 14 12 012 pub Display detailed information about the files and subdirectories under the current working directory excluding the files and subdirectories with names starting with dots sftp ls l rwxrwxrwx 1 1 1 301 Dec 18 14 11 010 pub rwxrwxrwx 1 1 1 301 Dec ...

Page 481: ... put startup bak startup01 bak Uploading startup bak to startup01 bak startup01 bak 100 1424 1 4KB s 00 00 pwd Use pwd to display the current working directory of the SFTP server Syntax pwd Views SFTP client view Predefined user roles network admin mdc admin Examples Display the current working directory of the SFTP server sftp pwd Remote working directory The output shows that the current working...

Page 482: ...ameters remote file Specifies a file by its name Usage guidelines This command has the same function as the delete command Examples Delete file temp c from the SFTP server sftp remove temp c Removing temp c rename Use rename to change the name of a file or directory on the SFTP server Syntax rename old name new name Views SFTP client view Predefined user roles network admin mdc admin Parameters ol...

Page 483: ...prefer compress zlib prefer ctos cipher 3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm des cbc prefer ctos hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher 3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm...

Page 484: ...of the client The default is dsa in non FIPS mode and is rsa in FIPS mode If the server uses publickey authentication you must specify this keyword The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm dsa Specifies the public key algorithm dsa ecdsa sha2 nistp256 Specifies the ECDSA algorithm with 256 bit key stren...

Page 485: ...gorithm diffie hellman group14 sha1 ecdh sha2 nistp256 Specifies the key exchange algorithm ecdh sha2 nistp256 ecdh sha2 nistp384 Specifies the key exchange algorithm ecdh sha2 nistp384 prefer stoc cipher Specifies the preferred server to client encryption algorithm The default is aes128 ctr Supported algorithms are the same as the client to server encryption algorithms see the prefer ctos cipher ...

Page 486: ...xt from the server The SCP client uses publickey authentication Use the following algorithms Preferred key exchange algorithm dh group14 sha1 Preferred server to client encryption algorithm aes128 cbc Preferred client to server HMAC algorithm sha1 Preferred server to client HMAC algorithm sha1 96 Preferred compression algorithm zlib Sysname scp 200 1 1 1 get abc txt prefer kex dh group14 sha1 pref...

Page 487: ...put interface by its type and number for SCP packets This option is used only when the server uses a link local address to provide the SCP service for the client The specified output interface on the SCP client must have a link local address get Downloads the file put Uploads the file source file name Specifies the name of the source file a case sensitive string of 1 to 255 characters destination ...

Page 488: ...the HMAC algorithm hmac md5 md5 96 Specifies the HMAC algorithm hmac md5 96 sha1 Specifies the HMAC algorithm hmac sha1 sha1 96 Specifies the HMAC algorithm hmac sha1 96 sha2 256 Specifies the HMAC algorithm hmac sha2 256 sha2 512 Specifies the HMAC algorithm hmac sha2 512 prefer kex Specifies the preferred key exchange algorithm The default is ecdh sha2 nistp256 Supported algorithms are dh group ...

Page 489: ...the client to correctly get the server s certificate you must specify the server s PKI domain on the client by using the server pki domain domain name option The client uses the CA certificate stored in the specified PKI domain to verify the server s certificate and does not need to save the server s public key before authentication If you do not specify the server s PKI domain the client uses the...

Page 490: ...rd is specified all algorithms in Suite B are used For more information about the Suite B algorithms see Table 64 128 bit Specifies the 128 bit Suite B security level 192 bit Specifies the 192 bit Suite B security level pki domain domain name Specifies the PKI domain of the client s certificate The domain name argument represents the PKI domain name a case insensitive string of 1 to 31 characters ...

Page 491: ...erverpkidomain respectively Sysname scp ipv6 2000 1 get abc txt suite b 192 bit pki domain clientpkidomain server pki domain serverpkidomain Username scp suite b Use scp suite b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server Syntax scp server port number vpn instance vpn instance name put get source file name destination file name suite b ...

Page 492: ...mpress Specifies the preferred compression algorithm for data compression between the server and the client By default compression is not supported zlib Specifies the compression algorithm zlib source Specifies a source IP address or source interface for SCP packets By default the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SCP packets...

Page 493: ...s hmac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer stoc hmac sha1 sha1 96 sha2 256 sha2 512 public key keyname server pki domain domain name source interface interface type interface number ip ip address Views User view Predefined user roles net...

Page 494: ...m aes256 ctr aes256 gcm Specifies the encryption algorithm aes256 gcm des cbc Specifies the encryption algorithm des cbc prefer ctos hmac Specifies the preferred client to server HMAC algorithm The default is sha2 256 Supported algorithms are md5 md5 96 sha1 sha1 96 sha2 256 and sha2 512 in ascending order of security strength and computation time md5 Specifies the HMAC algorithm hmac md5 md5 96 S...

Page 495: ...ess of this interface is the source IPv4 address of the SFTP packets ip ip address Specifies a source IPv4 address Usage guidelines If the client and the server have negotiated to use certificate authentication the client must verify the server s certificate For the client to correctly get the server s certificate you must specify the server s PKI domain on the client by using the server pki domai...

Page 496: ...command and the sftp ipv6 command the source IPv6 address specified in the sftp ipv6 command takes effect If you execute this command multiple times the most recent configuration takes effect Examples Specify 2 2 2 2 as the source IPv6 address for SFTP packets Sysname system view Sysname sftp client ipv6 source ipv6 2 2 2 2 Related commands display sftp client source sftp client source Use sftp cl...

Page 497: ...prefer compress zlib prefer ctos cipher 3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm des cbc prefer ctos hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher 3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm...

Page 498: ... sha2 nistp256 x509v3 ecdsa sha2 nistp384 Specifies the public key algorithm x509v3 ecdsa sha2 nistp384 pki domain domain name Specifies the PKI domain of the client s certificate The domain name argument is a case insensitive string of 1 to 31 characters When the x509v3 public key algorithm is used you must specify this option for the client to get the correct local certificate prefer compress Sp...

Page 499: ...key of the server that the client uses to authenticate the server The keyname argument is a case insensitive string of 1 to 64 characters server pki domain domain name Specifies the PKI domain for verifying the server s certificate The domain name argument represents the PKI domain name a case insensitive string of 1 to 31 characters Invalid characters are tildes asterisks backslashes vertical bar...

Page 500: ...ce to which the server belongs The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters i interface type interface number Specifies an output interface by its type and number for IPv6 SFTP packets The specified outgoing interface must have a link local address This option is used only when the server uses a link local address to provide the SFTP...

Page 501: ...ddress of the IPv6 SFTP packets ipv6 ipv6 address Specifies a source IPv6 address Usage guidelines Table 66 Suite B algorithms Security level Key exchange algorithm Encryption algorithm and HMAC algorithm Public key algorithm 128 bit ecdh sha2 nistp256 aes128 gcm x509v3 ecdsa sha2 nistp256 x509v3 ecdsa sha2 nistp384 192 bit ecdh sha2 nistp384 aes256 gcm x509v3 ecdsa sha2 nistp384 Both ecdh sha2 ni...

Page 502: ...ecify the server s PKI domain the client uses the PKI domain of its own certificate to verify the server s certificate prefer compress Specifies the preferred compression algorithm for data compression between the server and the client By default compression is not supported zlib Specifies the compression algorithm zlib dscp dscp value Specifies the DSCP value in the IPv4 SFTP packets The value ra...

Page 503: ... with RFC 3484 Views System view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies a source interface by its type and number The SSH packets use the longest matching IPv6 address of the specified interface as their source address ipv6 ipv6 address Specifies a source IPv6 address Usage guidelines This command takes effect on all IPv6 Stelne...

Page 504: ... command takes effect on all Stelnet connections The source IPv4 address specified in the ssh2 command takes effect only on the current Stelnet connection If you specify the source IPv4 address both in this command and the ssh2 command the source IPv4 address specified in the ssh2 command takes effect If you execute this command multiple times the most recent configuration takes effect Examples Sp...

Page 505: ...Specifies the port number of the server in the range 1 to 65535 The default is 22 vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the server belongs The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters identity key Specifies a public key algorithm for publickey authentication of the client The default is dsa in non ...

Page 506: ...1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 and ecdh sha2 nistp384 in ascending order of security strength and computation time dh group exchange sha1 Specifies the key exchange algorithm diffie hellman group exchange sha1 dh group1 sha1 Specifies the key exchange algorithm diffie hellman group1 sha1 dh group14 sha1 Specifies the key exchange algorithm diffie hellman group14 sha1 ecdh sha2...

Page 507: ...st specify the server s PKI domain on the client by using the server pki domain domain name option The client uses the CA certificate stored in the specified PKI domain to verify the server s certificate and does not need to save the server s public key before authentication If you do not specify the server s PKI domain the client uses the PKI domain of its own certificate to verify the server s c...

Page 508: ...stance vpn instance name Specifies the MPLS L3VPN instance to which the server belongs The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters i interface type interface number Specifies an output interface by its type and number for IPv6 SSH packets This option is used only when the server uses a link local address to provide the Stelnet servi...

Page 509: ...96 Specifies the HMAC algorithm hmac sha1 96 sha2 256 Specifies the HMAC algorithm hmac sha2 256 sha2 512 Specifies the HMAC algorithm hmac sha2 512 prefer kex Specifies the preferred key exchange algorithm The default is ecdh sha2 nistp256 Supported algorithms are dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 and ecdh sha2 nistp384 in ascending order of security strengt...

Page 510: ...r the escape sequence in the next line As a best practice use the default escape character Do not use any characters in SSH usernames as the escape character If the client and the server have negotiated to use certificate authentication the client must verify the server s certificate For the client to correctly get the server s certificate you must specify the server s PKI domain on the client by ...

Page 511: ...shes vertical bars colons dots angle brackets quotation marks and apostrophes server pki domain domain name Specifies the PKI domain for verifying the server s certificate The domain name argument represents the PKI domain name a case insensitive string of 1 to 31 characters Invalid characters are tildes asterisks backslashes vertical bars colons dots angle brackets quotation marks and apostrophes...

Page 512: ...se the 192 bit Suite B algorithms to establish a connection to Stelnet server 2000 1 Specify the client s PKI domain and the server s PKI domain as clientpkidomain and serverpkidomain respectively Sysname ssh2 ipv6 2000 1 suite b 192 bit pki domain clientpkidomain server pki domain serverpkidomain Username ssh2 suite b Use ssh2 suite b to establish a connection to an IPv4 Stelnet server based on S...

Page 513: ...rity of the packet escape character Specifies a case sensitive escape character By default the escape character is a tilde source Specifies a source IP address or source interface for SSH packets By default the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets As a best practice to ensure successful Stelnet connections specify a ...

Page 514: ...xchange algorithms ecdh sha2 nistp256 ecdh sha2 nistp384 dh group exchan ge sha1 dh group14 sha1 dh group1 sha1 Public key algorithms x509v3 ecdsa sha2 nistp256 x509v3 ecdsa sha2 nistp384 e cdsa sha2 nistp256 ecdsa sha2 nistp384 rsa dsa Encryption algorithms aes128 ctr aes192 ctr aes256 ctr aes128 gcm aes256 gcm aes128 cbc 3des cbc aes256 cbc des cbc MAC algorithms sha2 256 sha2 512 sha1 md5 sha1 ...

Page 515: ...of priority for algorithm negotiation Views System view Predefined user roles network admin mdc admin Parameters 3des cbc Specifies the encryption algorithm 3des cbc aes128 cbc Specifies the encryption algorithm aes128 cbc aes128 ctr Specifies the encryption algorithm aes128 ctr aes128 gcm Specifies the encryption algorithm aes128 gcm aes192 ctr Specifies the encryption algorithm aes192 ctr aes256...

Page 516: ...istp256 ecdh sha2 nistp384 dh group14 sha1 dh group exchange sha1 and dh group1 sha1 in descending order of priority for algorithm negotiation Views System view Predefined user roles network admin mdc admin Parameters dh group exchange sha1 Specifies the key exchange algorithm diffie hellman group exchange sha1 dh group1 sha1 Specifies the key exchange algorithm diffie hellman group1 sha1 dh group...

Page 517: ...512 sha1 md5 sha1 96 and md5 96 in descending order of priority for algorithm negotiation Views System view Predefined user roles network admin mdc admin Parameters md5 Specifies the HMAC algorithm hmac md5 md5 96 Specifies the HMAC algorithm hmac md5 96 sha1 Specifies the HMAC algorithm hmac sha1 sha1 96 Specifies the HMAC algorithm hmac sha1 96 sha2 256 Specifies the HMAC algorithm hmac sha2 256...

Page 518: ...ecdsa sha2 nistp256 ecdsa sha2 nistp384 rsa and dsa in descending order of priority for algorithm negotiation Views System view Predefined user roles network admin mdc admin Parameters dsa Specifies the public key algorithm dsa ecdsa sha2 nistp256 Specifies the ECDSA algorithm with 256 bit key strength ecdsa sha2 nistp384 Specifies the ECDSA algorithm with 384 bit key strength rsa Specifies the pu...

Page 519: ...504 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key exchange ssh2 algorithm mac ...

Page 520: ..._128_sha undo ciphersuite In FIPS mode ciphersuite ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_256_gcm_sha384 rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256 undo ciphersuite Defaul...

Page 521: ...C2 and MAC algorithm MD5 exp_rsa_rc4_md5 Specifies the export cipher suite that uses key exchange algorithm RSA data encryption algorithm RC4 and MAC algorithm MD5 rsa_3des_ede_cbc_sha Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm 3DES_EDE_CBC and MAC algorithm SHA rsa_aes_128_cbc_sha Specifies the cipher suite that uses key exchange algorithm RSA data e...

Page 522: ...Sysname ssl server policy policy1 ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha Related commands display ssl server policy prefer cipher client verify Use client verify to enable mandatory or optional SSL client authentication Use undo client verify to restore the default Syntax client verify enable optional undo client verify enable Default SSL client authentication is disabled The SSL ...

Page 523: ...the following operations Verifies the certificate chain presented by the client Checks that the certificates in the certificate chain except the root CA certificate are not revoked Examples Enable mandatory SSL client authentication Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 client verify enable Enable optional SSL client authentication Sysname system v...

Page 524: ...ew Predefined user roles network admin network operator mdc admin mdc operator Parameters policy name Specifies an SSL client policy by its name a case insensitive string of 1 to 31 characters If you do not specify a policy name this command displays information about all SSL client policies Examples Display information about the SSL client policy policy1 Sysname display ssl client policy policy1 ...

Page 525: ...policy1 Sysname display ssl server policy policy1 SSL server policy policy1 PKI domain server domain Ciphersuites DHE_RSA_AES_128_CBC_SHA RSA_AES_128_CBC_SHA Session cache size 600 Caching timeout 3600 seconds Client verify Enabled Table 73 Command output Field Description Caching timeout Session cache timeout time in seconds Client verify SSL client authentication mode including Disabled SSL clie...

Page 526: ... policy policy1 Sysname ssl client policy policy1 pki domain client domain Related commands display ssl client policy pki domain pki domain SSL server policy view Use pki domain to specify a PKI domain for an SSL server policy Use undo pki domain to restore the default Syntax pki domain domain name undo pki domain Default No PKI domain is specified for an SSL server policy Views SSL server policy ...

Page 527: ...c2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256 rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha undo prefer cipher In FIPS mode prefer cipher ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_s...

Page 528: ... and MAC algorithm SHA384 ecdhe_rsa_aes_256_gcm_sha384 Specifies the cipher suite that uses key exchange algorithm ECDHE RSA data encryption algorithm 256 bit AES_GCM and MAC algorithm SHA384 exp_rsa_des_cbc_sha Specifies the export cipher suite that uses key exchange algorithm RSA data encryption algorithm DES_CBC and MAC algorithm SHA exp_rsa_rc2_md5 Specifies the export cipher suite that uses k...

Page 529: ...kes effect Examples Configure SSL client policy policy1 to support the key exchange algorithm RSA data encryption algorithm 128 bit AES_CBC and MAC algorithm SHA Sysname system view Sysname ssl client policy policy1 Sysname ssl client policy policy1 prefer cipher rsa_aes_128_cbc_sha Related commands ciphersuite display ssl client policy server verify enable Use server verify enable to enable the S...

Page 530: ...oles network admin mdc admin Parameters cachesize size Sets the maximum number of cached sessions in the range of 100 to 20480 timeout time Sets the session cache timeout in the range of 1 to 4294967295 seconds Usage guidelines The SSL server caches SSL sessions to reuse negotiated session parameters to simplify SSL handshake Use this command to limit the maximum number and timeout time for cached...

Page 531: ...icy for which you can configure SSL parameters that the client uses to establish a connection to the server The parameters include a PKI domain and a preferred cipher suite An SSL client policy takes effect only after it is associated with an application such as DDNS Examples Create an SSL client policy named policy1 and enter its view Sysname system view Sysname ssl client policy policy1 Sysname ...

Page 532: ...g SSL server policy Use undo ssl server policy to delete an SSL server policy Syntax ssl server policy policy name undo ssl server policy policy name Default No SSL server policies exist Views System view Predefined user roles network admin mdc admin Parameters policy name Specifies a name for the SSL server policy a case insensitive string of 1 to 31 characters Usage guidelines This command creat...

Page 533: ...ser roles network admin mdc admin Parameters ssl3 0 Specifies SSL 3 0 tls1 0 Specifies TLS 1 0 tls1 1 Specifies TLS 1 1 Usage guidelines To enhance system security you can disable the SSL server from using specific SSL protocol versions SSL 3 0 TLS 1 0 and TLS 1 1 for session negotiation Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions For example...

Page 534: ...SL 3 0 tls1 0 Specifies TLS 1 0 tls1 1 Specifies TLS 1 1 tls1 2 Specifies TLS 1 2 Usage guidelines To ensure security do not specify SSL 3 0 for an SSL client policy If you execute this command multiple times the most recent configuration takes effect Examples Set the SSL protocol version to TLS 1 0 for SSL client policy policy1 Sysname system view Sysname ssl client policy policy1 Sysname ssl cli...

Page 535: ...ecify drop as the global action against ACK flood attacks in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 ack flood action drop Related commands ack flood threshold ack flood detect ack flood detect non specific ack flood detect Use ack flood detect to configure IP address specific ACK flood attack dete...

Page 536: ...rops subsequent ACK packets destined for the protected IP address logging Enables logging for ACK flood attack events none Takes no action Usage guidelines With ACK flood attack detection configured for an IP address the device is in attack detection state When the sending rate of ACK packets to the IP address reaches the threshold the device enters prevention state and takes the specified actions...

Page 537: ...se policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 ack flood detect non specific Related commands ack flood action ack flood detect ack flood threshold ack flood threshold Use ack flood threshold to set the global threshold for triggering ACK flood attack prevention Use undo ack flood threshold to restore the default Syn...

Page 538: ...olicy 1 ack flood threshold 100 Related commands ack flood action ack flood detect ack flood detect non specific attack defense local apply policy Use attack defense local apply policy to apply an attack defense policy to the device Use undo attack defense local apply policy to restore the default Syntax attack defense local apply policy policy name undo attack defense local apply policy Default N...

Page 539: ...ck defense login block timeout Default The block period is 60 minutes Views System view Predefined user roles network admin mdc admin Parameters minutes Specifies the block period in minutes in the range of 1 to 2880 Usage guidelines After a user fails the maximum number of login attempts login attack prevention triggers the blacklist module to add the user s IP address to the blacklist The block ...

Page 540: ...attack defense login max attempt to set the maximum number of successive login failures for each user Use undo attack defense login max attempt to restore the default Syntax attack defense login max attempt max attempt undo attack defense login max attempt Default Login attack prevention detects a login attack if a user fails three successive login attempts Views System view Predefined user roles ...

Page 541: ...elay accepting a login request from a user who has failed a login attempt Views System view Predefined user roles network admin mdc admin Parameters seconds Specifies the delay period in seconds in the range of 4 to 60 Usage guidelines The login delay feature delays the device to accept a login request from a user after the user fails a login attempt This feature can slow down login dictionary att...

Page 542: ...efense apply policy display attack defense policy attack defense signature log non aggregate Use attack defense signature log non aggregate to enable log non aggregation for single packet attack events Use undo attack defense signature log non aggregate to restore the default Syntax attack defense signature log non aggregate undo attack defense signature log non aggregate Default Log non aggregati...

Page 543: ... Views System view Predefined user roles network admin mdc admin Usage guidelines This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks that the packet filter cannot detect As defined in RFC 1858 attack TCP fragments refer to the following TCP fragments First fragments in which the TCP header is smaller than 20 bytes Non first fragments with a fragment offset...

Page 544: ...ntry Use undo blacklist ip to delete an IPv4 blacklist entry Syntax blacklist ip source ip address vpn instance vpn instance name timeout minutes undo blacklist ip source ip address vpn instance vpn instance name Default No IPv4 blacklist entries exist Views System view Predefined user roles network admin mdc admin Parameters source ip address Specifies an IPv4 address for the blacklist entry Pack...

Page 545: ... IPv6 blacklist entry Use undo blacklist ipv6 to delete an IPv6 blacklist entry Syntax blacklist ipv6 source ipv6 address vpn instance vpn instance name timeout minutes undo blacklist ipv6 source ipv6 address vpn instance vpn instance name Default No IPv6 blacklist entries exist Views System view Predefined user roles network admin mdc admin Parameters source ipv6 address Specifies an IPv6 address...

Page 546: ...able logging for the blacklist feature Syntax blacklist logging enable undo blacklist logging enable Default Logging is disabled for the blacklist feature Views System view Predefined user roles network admin mdc admin Usage guidelines With logging enabled for the blacklist feature the system outputs logs in the following situations A blacklist entry is manually added A blacklist entry is dynamica...

Page 547: ...list user user name timeout minutes undo blacklist user user name Default No user blacklist entries exist Views System view Predefined user roles network admin mdc admin Parameters user name Specifies a user by the username a case sensitive string of 1 to 55 characters Packets sourced from this user will be dropped timeout minutes Specifies the aging time for the blacklist entry in the range of 1 ...

Page 548: ...lood Specifies RST flood attack syn ack flood Specifies SYN ACK flood attack syn flood Specifies SYN flood attack udp flood Specifies UDP flood attack ip address Specifies a protected IPv4 address If you do not specify an IPv4 address this command displays flood attack detection and prevention statistics for all protected IPv4 addresses vpn instance vpn instance name Specifies the MPLS L3VPN insta...

Page 549: ...000 165467998 In standalone mode Display the number of IPv4 addresses that are protected against flood attacks Sysname display attack defense flood statistics ip count Slot 1 Totally 2 flood entries Slot 2 Totally 1 flood entries Table 74 Command output Field Description IP address Protected IPv4 address VPN MPLS L3VPN instance to which the protected IPv4 address belongs If the protected IPv4 addr...

Page 550: ...ttack detection and prevention statistics for all protected IPv6 addresses vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the protected IPv6 address is on the public network local Specifies the device slot slot number Specifies ...

Page 551: ...entries Table 75 Command output Field Description IPv6 address Protected IPv6 address VPN MPLS L3VPN instance to which the protected IPv6 address belongs If the protected IPv6 address is on the public network this field displays hyphens Detected on Where the attack is detected the device Local Detect type Type of the detected flood attack State Whether the device is attacked Attacked Normal PPS Nu...

Page 552: ...name display attack defense policy abc Attack defense Policy Information Policy name abc Applied list Local Exempt IPv4 ACL Not configured Exempt IPv6 ACL vip Actions BS Block source L Logging D Drop N None Signature attack defense configuration Signature name Defense Level Actions Fragment Enabled Info L Impossible Enabled Info L Teardrop Disabled Info L Tiny fragment Disabled Info L IP option ab...

Page 553: ...s mask request Disabled Medium L D ICMP address mask reply Disabled Medium L D ICMPv6 echo request Enabled Medium L D ICMPv6 echo reply Disabled Medium L D ICMPv6 group membership query Disabled Medium L D ICMPv6 group membership report Disabled Medium L D ICMPv6 group membership reduction Disabled Medium L D ICMPv6 destination unreachable Enabled Medium L D ICMPv6 time exceeded Enabled Medium L D...

Page 554: ...ion Signature attack defense configuration Configuration information about single packet attack detection and prevention Signature name Type of the single packet attack Defense Whether attack detection is enabled Level Level of the single packet attack info low medium or high Currently no high level single packet attacks exist Scan attack defense configuration Configuration information about scann...

Page 555: ...d displays a hyphen Ports Ports that are protected against the flood attack This field displays port numbers only for the DNS and HTTP flood attacks For other flood attacks this field displays a hyphen Display brief information about all attack defense policies Sysname display attack defense policy Attack defense Policy Brief Information Policy Name Applied list P2 None p1 Local p12 Local Table 77...

Page 556: ...his command displays information about all protected IPv4 addresses vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the IPv4 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the IPv4 address is on the public network slot slot number Specifies a card by its slot number If you do not specify a card...

Page 557: ... is on the public network this field displays hyphens Type Type of the flood attack Rate threshold PPS Threshold for triggering the flood attack prevention in units of packets sent to the IP address per second If no rate threshold is set this field displays a hyphen Dropped Number of dropped attack packets If the prevention action is logging this field displays 0 display attack defense policy ipv6...

Page 558: ...to 31 characters Do not specify this option if the IPv6 address is on the public network slot slot number Specifies a card by its slot number If you do not specify a card this command displays information about IPv6 addresses protected by flood attack detection and prevention for all cards In standalone mode chassis chassis number slot slot number Specifies a card on an IRF member device The chass...

Page 559: ...ood attack prevention in units of packets sent to the IPv6 address per second If no rate threshold is set this field displays a hyphen Dropped Number of dropped attack packets If the prevention action is logging this field displays 0 display attack defense scan attacker ip Use display attack defense scan attacker ip to display information about IPv4 scanning attackers Syntax In standalone mode dis...

Page 560: ...in In standalone mode Display the number of IPv4 scanning attackers Sysname display attack defense scan attacker ip count Slot 1 Totally 1 attackers Slot 2 Totally 0 attackers Table 80 Command output Field Description Totally 1 attackers Total number of IPv4 scanning attackers IP address IPv4 address of the attacker VPN instance MPLS L3VPN instance to which the attacker s IPv4 address belongs If t...

Page 561: ...ember ID of the IRF member device The slot number argument represents the slot number of the card This option is available only when you specify the device If you do not specify a card this command displays information about IPv6 scanning attackers for all cards In IRF mode count Displays the number of matching IPv6 scanning attackers Usage guidelines If you do not specify any parameters this comm...

Page 562: ...de display attack defense scan victim ip local chassis chassis number slot slot number count Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters local Specifies the device slot slot number Specifies a card by its slot number This option is available only when you specify the device If you do not specify a card this command displays information abou...

Page 563: ...ld Description Totally 1 victim IP addresses Total number of IPv4 scanning attack victims IP address IPv4 address of the victim VPN instance MPLS L3VPN instance to which the victim IPv4 address belongs If the victim IPv4 address is on the public network this field displays hyphens Detected on Where the attack is detected the device Local Duration min The amount of time the attack lasts in minutes ...

Page 564: ...ctims Usage guidelines If you do not specify any parameters this command displays information about all IPv6 scanning attack victims Examples In standalone mode Display information about all IPv6 scanning attack victims Sysname display attack defense scan victim ipv6 Slot 1 IPv6 address VPN instance Detected on Duration min 1002 20 Local 28 Slot 2 IPv6 address VPN instance Detected on Duration min...

Page 565: ...nd prevention statistics for all cards In standalone mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays attack detection and prevention statistics for all cards In IRF mode...

Page 566: ...P options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP NULL flag 1 0 TCP all flags 1 0 TCP SYN FIN flags 1 0 TCP FIN only flag 1 0 TCP invalid flag 1 0 TCP Land 1 0 Winnuke 1 0 UDP Bomb 1 0 Snork 1 0 Fraggle 1 0 Large ICMPv6 1 0 ICMP echo request 1 0 ICMP echo reply 1 0 ICMP source quench 1 0 ICMP destination unreachable 1 0 ICMP redirect 2 0 ICMP time exceeded 3 0 IC...

Page 567: ...lood 1 0 ACK flood 1 0 SYN ACK flood 2 4200 RST flood 2 0 FIN flood 2 20 UDP flood 1 0 ICMP flood 1 0 ICMPv6 flood 1 0 DNS flood 1 0 HTTP flood 1 0 Signature attack defense statistics AttackType AttackTimes Dropped IP option record route 2 230 IP option security 2 0 IP option stream ID 3 0 IP option internet timestamp 4 1 IP option loose source routing 5 0 IP option strict source routing 2 0 IP op...

Page 568: ...1 1 ICMPv6 group membership query 1 0 ICMPv6 group membership report 1 0 ICMPv6 group membership reduction 1 0 ICMPv6 destination unreachable 1 0 ICMPv6 time exceeded 1 0 ICMPv6 parameter problem 1 0 ICMPv6 packet too big 1 0 Table 84 Command output Field Description AttackType Type of the attack AttackTimes Number of times that the attack occurred This command output displays only attacks that ar...

Page 569: ... 201 55 7 45 2013 1 Manual Never Display the number of manually added IPv4 blacklist entries Sysname display blacklist ip count Totally 3 blacklist entries Table 85 Command output Field Description IP address IPv4 address of the blacklist entry VPN instance MPLS L3VPN instance to which the blacklisted IPv4 address belongs If the blacklisted IPv4 address is on the public network this field displays...

Page 570: ...ou do not specify any parameters this command displays all manually added IPv6 blacklist entries Examples Display all IPv6 blacklist entries Sysname display blacklist ipv6 IPv6 address VPN instance Type TTL sec 1 4 Manual Never 2013 fe07 221a 4011 Manual 123 2013 fe07 221a 4011 Display the number of manually added IPv6 blacklist entries Sysname display blacklist ipv6 count Totally 3 blacklist entr...

Page 571: ... user Username Type TTL sec Dropped Alex Manual 10 353452 Bob Manual 123 4294967295 Cary Manual Never 14478 Display the number of user blacklist entries Sysname display blacklist user count Totally 3 blacklist entries Display the user blacklist entry for user Alex Sysname display blacklist user Alex Username Type TTL sec Dropped Alex Manual 10 353452 Table 87 Command output Field Description Usern...

Page 572: ...ify drop as the global action against DNS flood attacks in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 dns flood action drop Related commands dns flood detect dns flood detect non specific dns flood threshold dns flood detect Use dns flood detect to configure IP address specific DNS flood attack detect...

Page 573: ...ge is 1 to 1000000 in units of DNS packets sent to the specified IP address per second action Specifies the actions when a DNS flood attack is detected If no action is specified the global actions set by the dns flood action command apply drop Drops subsequent DNS packets destined for the protected IP address logging Enables logging for DNS flood attack events none Takes no action Usage guidelines...

Page 574: ... uses the global trigger threshold set by the dns flood threshold command and global actions specified by the dns flood action command Examples Enable global DNS flood attack detection in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 dns flood detect non specific Related commands dns flood action dns flo...

Page 575: ...mmands dns flood action dns flood detect dns flood detect non specific dns flood threshold Use dns flood threshold to set the global threshold for triggering DNS flood attack prevention Use undo dns flood threshold to restore the default Syntax dns flood threshold threshold value undo dns flood threshold Default The global threshold is 1000 for triggering DNS flood attack prevention Views Attack d...

Page 576: ...exempt acl ipv6 acl number name acl name undo exempt acl ipv6 Default Attack detection exemption is not configured Views Attack defense policy view Predefined user roles network admin mdc admin Parameters ipv6 Specifies an IPv6 ACL To specify an IPv4 ACL do not use this keyword acl number Specifies an ACL by its number 2000 to 2999 for basic ACLs 3000 to 3999 for advanced ACLs name acl name Specif...

Page 577: ...tack defense policy atk policy 1 exempt acl 2001 Related commands attack defense policy fin flood action Use fin flood action to specify global actions against FIN flood attacks Use undo fin flood action to restore the default Syntax fin flood action drop logging undo fin flood action Default No global action is specified for FIN flood attacks Views Attack defense policy view Predefined user roles...

Page 578: ...ensitive string of 1 to 31 characters Do not specify this option if the protected IP address is on the public network threshold threshold value Specifies the threshold for triggering FIN flood attack prevention The value range is 1 to 1000000 in units of FIN packets sent to the specified IP address per second action Specifies the actions when a FIN flood attack is detected If no action is specifie...

Page 579: ...fined user roles network admin mdc admin Usage guidelines The global FIN flood attack detection applies to all IP addresses except for those specified by the fin flood detect command The global detection uses the global trigger threshold set by the fin flood threshold command and global actions specified by the fin flood action command Examples Enable global FIN flood attack detection in attack de...

Page 580: ...reshold applies to global FIN flood attack detection Adjust the threshold according to the application scenarios If the number of FIN packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold Examples Set the global thresho...

Page 581: ...ss specific HTTP flood attack detection configuration Syntax http flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name port port list threshold threshold value action drop logging none undo http flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name Default IP address specific HTTP flood attack detection is not configured Views Attack defense policy ...

Page 582: ...te When the sending rate of HTTP packets to the IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state You can configure HTTP flood attack detection for multiple IP addresses in one attack defense policy Examples Configure HTTP fl...

Page 583: ...lt Syntax http flood port port list undo http flood port Default The global HTTP flood attack prevention protects port 80 Views Attack defense policy view Predefined user roles network admin mdc admin Parameters port list Specifies a space separated list of up to 65535 port number items Each item specifies a port by its port number or a range of ports in the form of start port number to end port n...

Page 584: ...ending rate of HTTP packets to an IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state The global threshold applies to global HTTP flood attack detection Adjust the threshold according to the application scenarios If the number ...

Page 585: ...tack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 icmp flood action drop Related commands icmp flood detect non specific icmp flood detect ip icmp flood threshold icmp flood detect ip Use icmp flood detect ip to configure IP address specific ICMP flood attack detection Use undo icmp flood detect ip to remove t...

Page 586: ...s With ICMP flood attack detection configured for an IP address the device is in attack detection state When the sending rate of ICMP packets to the IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state You can configure ICMP flo...

Page 587: ...hold Use icmp flood threshold to set the global threshold for triggering ICMP flood attack prevention Use undo icmp flood threshold to restore the default Syntax icmp flood threshold threshold value undo icmp flood threshold Default The global threshold is 1000 for triggering ICMP flood attack prevention Views Attack defense policy view Predefined user roles network admin mdc admin Parameters thre...

Page 588: ...flood detect ip icmp flood detect non specific icmpv6 flood action Use icmpv6 flood action to specify global actions against ICMPv6 flood attacks Use undo icmpv6 flood action to restore the default Syntax icmpv6 flood action drop logging undo icmpv6 flood action Default No global action is specified for ICMPv6 flood attacks Views Attack defense policy view Predefined user roles network admin mdc a...

Page 589: ...ICMPv6 flood attack prevention The value range is 1 to 1000000 in units of ICMPv6 packets sent to the specified IP address per second action Specifies the actions when an ICMPv6 flood attack is detected If no action is specified the global actions set by the icmpv6 flood action command apply drop Drops subsequent ICMPv6 packets destined for the protected IPv6 address logging Enables logging for IC...

Page 590: ...esses except for those specified by the icmpv6 flood detect ipv6 command The global detection uses the global trigger threshold set by the icmpv6 flood threshold command and global actions specified by the icmpv6 flood action command Examples Enable global ICMPv6 flood attack detection in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname atta...

Page 591: ...the threshold according to the application scenarios If the number of ICMPv6 packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold Examples Set the global threshold to 100 for triggering ICMPv6 flood attack prevention i...

Page 592: ...s for protected IPv6 addresses in attack defense policy abc Sysname reset attack defense policy abc flood protected ipv6 statistics Related commands display attack defense policy ip display attack defense policy ipv6 reset attack defense statistics local Use reset attack defense statistics local to clear attack detection and prevention statistics for the device Syntax reset attack defense statisti...

Page 593: ...ist ip reset blacklist ipv6 Use reset blacklist ipv6 to clear dynamic IPv6 blacklist entries Syntax reset blacklist ipv6 source ipv6 address vpn instance vpn instance name all Views User view Predefined user roles network admin mdc admin Parameters source ipv6 address Specifies the IPv6 address for a blacklist entry vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the IPv6...

Page 594: ...tion Use rst flood action to specify global actions against RST flood attacks Use undo rst flood action to restore the default Syntax rst flood action drop logging undo rst flood action Default No global action is specified for RST flood attacks Views Attack defense policy view Predefined user roles network admin mdc admin Parameters drop Drops subsequent RST packets destined for the victim IP add...

Page 595: ...h the protected IP address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the protected IP address is on the public network threshold threshold value Specifies the threshold for triggering RST flood attack prevention The value range is 1 to 1000000 in units of RST packets sent to the specified IP address per second action Speci...

Page 596: ...ST flood attack detection is disabled Views Attack defense policy view Predefined user roles network admin mdc admin Usage guidelines The global RST flood attack detection applies to all IP addresses except for those specified by the rst flood detect command The global detection uses the global trigger threshold set by the rst flood threshold command and global actions specified by the rst flood a...

Page 597: ...ion state The global threshold applies to global RST flood attack detection Adjust the threshold according to the application scenarios If the number of RST packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold Examples...

Page 598: ...kets from the blacklisted IP addresses timeout minutes Specifies the aging timer in minutes for the dynamically added blacklist entries in the range of 1 to 1000 The default aging timer is 10 minutes drop Drops subsequent packets from detected scanning attack sources logging Enables logging for scanning attack events Usage guidelines To collaborate with the IP blacklist feature make sure the black...

Page 599: ...range for ICMP packets is 28 to 65534 The value range for ICMPv6 packets is 48 to 65534 Examples Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 signature large icmp max length 50000 Related commands signature detect signat...

Page 600: ...code internet timestamp loose source routing record route route alert security stream id strict source routing action drop logging none undo signature detect ip option option code internet timestamp loose source routing record route route alert security stream id strict source routing signature detect ipv6 ext header ext header value action drop logging none undo signature detect ipv6 ext header n...

Page 601: ...fy the IP option by a number or a keyword option code Specifies the IP option in the range of 0 to 255 internet timestamp Specifies the timestamp option loose source routing Specifies the loose source routing option record route Specifies the record route option route alert Specifies the route alert option security Specifies the security option stream id Specifies the stream identifier option stri...

Page 602: ... in command output If the packet type does not have a corresponding keyword the number is displayed Examples Enable signature detection for the IP fragment attack and specify the prevention action as drop in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 signature detect fragment action drop Related comma...

Page 603: ...el If you enable signature detection for a single packet attack also by using the signature detect command action parameters in the signature detect command take effect Examples Specify the action against informational level single packet attacks as drop in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1 signature level info ac...

Page 604: ...ature detect command action parameters in the signature detect command take effect To display the level to which a single packet attack belongs use the display attack defense policy command Examples Enable signature detection for informational level single packet attacks in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1 signat...

Page 605: ... is not configured Views Attack defense policy view Predefined user roles network admin mdc admin Parameters ip ipv4 address Specifies the IPv4 address to be protected The ip address argument cannot be all 1s or 0s ipv6 ipv6 address Specifies the IPv6 address to be protected vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the protected IP address belongs The vpn instance ...

Page 606: ...detect non specific syn ack flood threshold syn ack flood detect non specific Use syn ack flood detect non specific to enable global SYN ACK flood attack detection Use undo syn ack flood detect non specific to disable global SYN ACK flood attack detection Syntax syn ack flood detect non specific undo syn ack flood detect non specific Default Global SYN ACK flood attack detection is disabled Views ...

Page 607: ... of SYN ACK packets to an IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state The global threshold applies to global SYN ACK flood attack detection Adjust the threshold according to the application scenarios If the number of SY...

Page 608: ...policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 syn flood action drop Related commands syn flood detect syn flood detect non specific syn flood threshold syn flood detect Use syn flood detect to configure IP address specific SYN flood attack detection Use undo syn flood detect to remove the IP address specific SYN flood ...

Page 609: ...s none Takes no action Usage guidelines With SYN flood attack detection configured for an IP address the device is in attack detection state When the sending rate of SYN packets to the IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detect...

Page 610: ... Use syn flood threshold to set the global threshold for triggering SYN flood attack prevention Use undo syn flood threshold to restore the default Syntax syn flood threshold threshold value undo syn flood threshold Default The global threshold is 1000 for triggering SYN flood attack prevention Views Attack defense policy view Predefined user roles network admin mdc admin Parameters threshold valu...

Page 611: ...s syn flood action syn flood detect syn flood detect non specific udp flood action Use udp flood action to specify global actions against UDP flood attacks Use undo udp flood action to restore the default Syntax udp flood action drop logging undo udp flood action Default No global action is specified for UDP flood attacks Views Attack defense policy view Predefined user roles network admin mdc adm...

Page 612: ...threshold threshold value Specifies the threshold for triggering UDP flood attack prevention The value range is 1 to 1000000 in units of UDP packets sent to the specified IP address per second action Specifies the actions when a UDP flood attack is detected If no action is specified the global actions set by the udp flood action command apply drop Drops subsequent UDP packets destined for the prot...

Page 613: ...IP addresses except for those specified by the udp flood detect command The global detection uses the global trigger threshold set by the udp flood threshold command and global actions specified by the udp flood action command Examples Enable global UDP flood attack detection in attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense...

Page 614: ...shold three fourths of the threshold the device returns to the attack detection state The global threshold applies to global UDP flood attack detection Adjust the threshold according to the application scenarios If the number of UDP packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a netwo...

Page 615: ... in a state exceeds the limit the device will accelerate the aging of the TCP connections in that state The check interval is set by the tcp check state interval command The TCP connection limits are set by the tcp state command Examples Enable Naptha attack prevention Sysname system view Sysname tcp anti naptha enable Related commands tcp state tcp check state interval tcp check state interval Us...

Page 616: ...stem view Sysname tcp check state interval 40 Related commands tcp anti naptha enable tcp state tcp state Use tcp state to set the maximum number of TCP connections in a state Use undo tcp state to restore the default Syntax tcp state closing established fin wait 1 fin wait 2 last ack connection limit number undo tcp state closing established fin wait 1 fin wait 2 last ack connection limit Default...

Page 617: ...s This command takes effect after you enable Naptha attack prevention If the number of TCP connections in a state exceeds the limit the device will accelerate the aging of the TCP connections in the state Examples Set the maximum number of TCP connections in the ESTABLISHED state to 100 Sysname system view Sysname tcp state established connection limit 100 Related commands tcp anti naptha enable t...

Page 618: ...e string of 1 to 31 characters To display dynamic IPv4SG bindings for the public network do not specify a VPN instance arp snooping Specifies the ARP snooping module dhcp relay Specifies the DHCP relay agent module dhcp server Specifies the DHCP server module dhcp snooping Specifies the DHCP snooping module dot1x Specifies the 802 1X module To display dynamic IPv4SG bindings generated based on the...

Page 619: ...his field displays N A for a global IPv4SG binding VLAN VLAN information in the IPv4SG binding If the binding contains no VLAN information this field displays N A Type IPSG binding type Static Manually configured by using the ip source binding command Static bindings are for packet filtering in IPSG or used by other modules to provide security services ARP snooping Dynamically generated based on A...

Page 620: ...hassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays information for all cards In IRF mode Examples Display all source items that have been configured to be excluded from IPSG filt...

Page 621: ...address mac address mac address vlan vlan id interface interface type interface number chassis chassis number slot slot number Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters static Displays static IPv6SG address bindings vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters To...

Page 622: ...ess IPv6 address in the IPv6SG address binding If no IPv6 address is bound in the binding this field displays N A MAC Address MAC address in the IPv6SG address binding If no MAC address is bound in the binding this field displays N A Interface Interface of the IPv6SG address binding This field displays N A for a global IPv6SG binding VLAN VLAN information in the IPv6SG address binding If the bindi...

Page 623: ... a MAC address this command displays IPv6SG prefix bindings for all MAC addresses vlan vlan id Specifies a VLAN ID in the range of 1 to 4094 If you do not specify a VLAN this command displays IPv6SG prefix bindings for all VLANs interface interface type interface number Specifies an interface by its type and number If you do not specify an interface this command displays IPv6SG prefix bindings for...

Page 624: ... ip source binding ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id undo ip source binding all ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id Default No static IPv4SG bindings exist on an interface Views Layer 2 Ethernet interface view Layer 3 Ethernet interface view VLAN interface vie...

Page 625: ...ete one or all global static IPv4SG bindings Syntax ip source binding ip address ip address mac address mac address undo ip source binding all ip address ip address mac address mac address Default No global static IPv4SG bindings exist Views System view Predefined user roles network admin mdc admin Parameters ip address ip address Specifies the IPv4 address for the static binding The IPv4 address ...

Page 626: ...G on an interface this feature uses static and dynamic IPv4SG bindings to match incoming packets on the interface Packets that match an IPv4SG binding are forwarded and packets that do not match any IPv4SG binding are discarded The matching criterion specified by this command applies only to dynamic IPSG Static IPv4SG uses static bindings configured by using the ip source binding command You canno...

Page 627: ...ndo ip verify source exclude vlan start vlan id to end vlan id Default No excluded source items are configured Views System view Predefined user roles network admin mdc admin Parameters vlan start vlan id to end vlan id Specifies excluded VLANs Value ranges for both the start vlan id and end vlan id arguments are 1 to 4094 The value for the end vlan id argument must be equal to or greater than the...

Page 628: ...he interface ip address ipv6 address Specifies an IPv6 address for the static binding The IPv6 address cannot be an all zero address a multicast address or a loopback address mac address mac address Specifies a MAC address for the static binding The MAC address must be in H H H format and cannot be all 0s all Fs a broadcast MAC address or a multicast MAC address Usage guidelines Static IPv6SG bind...

Page 629: ...dress Specifies the MAC address for the static binding The MAC address must be in H H H format and cannot be all 0s all Fs a broadcast MAC address or a multicast MAC address all Removes all global static IPv6SG bindings Usage guidelines A global static IPv6SG binding takes effect on all interfaces Examples Configure a global static IPv6SG binding Sysname system view Sysname ipv6 source binding ipv...

Page 630: ...terface Packets that match an IPv6SG binding are forwarded and packets that do not match any IPv6SG binding are discarded The matching criterion specified by this command applies only to dynamic IPv6SG Static IPv6SG uses static bindings configured by using the ipv6 source binding command You cannot enable dynamic IPv6SG on a service loopback interface Examples Enable IPv6SG on Layer 2 Ethernet int...

Page 631: ...e guidelines Configure this command on the gateways Examples Enable ARP blackhole routing Sysname system view Sysname arp resolving route enable Related commands arp resolving route probe count arp resolving route probe interval arp resolving route probe count Use arp resolving route probe count to set the number of ARP blackhole route probes for each unresolved IP address Use undo arp resolving r...

Page 632: ...val to set the interval at which the device probes ARP blackhole routes Use undo arp resolving route probe interval to restore the default Syntax arp resolving route probe interval interval undo arp resolving route probe interval Default The device probes ARP blackhole routes every 1 second Views System view Predefined user roles network admin mdc admin Parameters interval Specifies the probe inte...

Page 633: ...ppression feature Sysname system view Sysname arp source suppression enable Related commands display arp source suppression arp source suppression limit Use arp source suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds Use undo arp source suppression limit to restore the default Syntax arp source suppression limit limit ...

Page 634: ...ppression configuration Syntax display arp source suppression Views Any view Predefined user roles network admin network operator mdc admin mdc operator Examples Display information about the current ARP source suppression configuration Sysname display arp source suppression ARP source suppression is enabled Current suppression limit 100 Table 92 Command output Field Description Current suppressio...

Page 635: ...he ARP packet rate limit feature on Ten GigabitEthernet 1 0 1 and set the maximum ARP packet rate to 50 pps Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 arp rate limit 50 arp rate limit log enable Use arp rate limit log enable to enable logging for ARP packet rate limit Use undo arp rate limit log enable to disable logging for ARP packet rate lim...

Page 636: ...te of ARP packets received on an interface exceeds the limit Views System view Predefined user roles network admin mdc admin Parameters interval Specifies an interval in the range of 1 to 86400 seconds Usage guidelines To change the default interval and activate it you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit Examples Set the devi...

Page 637: ...NMP on the device For more information about SNMP configuration see the network management and monitoring configuration guide for the device Examples Enable SNMP notifications for ARP packet rate limit Sysname system view Sysname snmp agent trap enable arp rate limit Source MAC based ARP attack detection commands arp source mac Use arp source mac to enable the source MAC based ARP attack detection...

Page 638: ... information about the ARP logging feature see Layer 3 IP Services Configuration Guide If you do not specify any handling method in the undo arp source mac command the command disables this feature Examples Enable the source MAC based ARP attack detection feature and specify the filter handling method Sysname system view Sysname arp source mac filter arp source mac aging time Use arp source mac ag...

Page 639: ...f H H H 1 64 indicates that you can configure a maximum of 64 excluded MAC addresses Usage guidelines If you do not specify a MAC address the undo arp source mac exclude mac command removes all excluded MAC addresses Examples Exclude a MAC address from source MAC based ARP attack detection Sysname system view Sysname arp source mac exclude mac 001e 1200 0213 arp source mac threshold Use arp source...

Page 640: ...roles network admin network operator mdc admin mdc operator Parameters interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays ARP attack entries for the active MPU In standalone mode chassis chassis number slot slot number Specifies a card on an IRF member device...

Page 641: ... arp valid check enable undo arp valid check enable Default ARP packet source MAC address consistency check is disabled Views System view Predefined user roles network admin mdc admin Usage guidelines Configure this feature on gateways The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body Examples Enable...

Page 642: ...successful based on the correct ARP resolution Examples Enable the ARP active acknowledgement feature Sysname system view Sysname arp active ack enable Authorized ARP commands arp authorized enable Use arp authorized enable to enable authorized ARP on an interface Use undo arp authorized enable to disable authorized ARP on an interface Syntax arp authorized enable undo arp authorized enable Defaul...

Page 643: ...etection enable undo arp detection enable Default ARP attack detection is disabled Views VLAN view VSI view Predefined user roles network admin mdc admin Examples Enable ARP attack detection for VLAN 2 Sysname system view Sysname vlan 2 Sysname vlan2 arp detection enable Enable ARP attack detection for VSI vsi1 Sysname system view Sysname vsi vsi1 Sysname vsi vsi1 arp detection enable Related comm...

Page 644: ...detection port match ignore to remove the configuration Syntax arp detection port match ignore undo arp detection port match ignore Default Ingress ports of ARP packets are checked for user invalidity Views System view Predefined user roles network admin mdc admin Usage guidelines This command configures ARP attack detection to ignore the ingress port information of ARP packets when the packets ar...

Page 645: ...n If you do not specify the mask the ip address argument specifies a host IP address any Matches any IP address mac mac address mask any Specifies the sender MAC address as the match criterion mac address Specifies a MAC address in the H H H format mask Specifies the MAC address mask in the H H H format If you do not specify the mask the argument specifies the host MAC address any Matches any MAC ...

Page 646: ...igure Ten GigabitEthernet 1 0 1 as an ARP trusted interface Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 arp detection trust Configure Ethernet service instance 1 on Layer 2 Ethernet interface Ten GigabitEthernet 1 0 1 as an ARP trusted AC Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 service ins...

Page 647: ...ed Otherwise the packet is discarded Usage guidelines You can specify more than one object to be checked in one command line If no keyword is specified the undo arp detection validate command disables ARP packet validity check for all objects Examples Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets Sysname system view Sysname arp detection validate ds...

Page 648: ...attack detection Sysname display arp detection ARP detection is enabled in the following VLANs 1 2 4 5 ARP detection is enabled in the following VSIs vpna vsi 0000 0000 0031 vpnb vpnc vsi 0000 0000 00aa Related commands arp detection enable display arp detection statistics Use display arp detection statistics to display ARP attack detection statistics Syntax display arp detection statistics interf...

Page 649: ...dropped by ARP inspect checking Interface State IP Src MAC Dst MAC Inspect XGE1 0 1 U 40 0 0 78 XGE1 0 2 U 0 0 0 0 XGE1 0 3 T 0 0 0 0 XGE1 0 4 U 0 0 30 0 XGE1 0 5 srv1 U 0 10 20 0 XGE1 0 5 srv2 T 10 0 20 22 Table 94 Command output Field Description State State of an interface U ARP untrusted interface or AC T ARP trusted interface or AC Interface State Inbound interface or AC of ARP packets State ...

Page 650: ...ixup to convert existing dynamic ARP entries to static ARP entries Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries Syntax arp fixup undo arp fixup Views System view Predefined user roles network admin mdc admin Usage guidelines The ARP conversion is a one time operation You can use this command again to convert the dynamic ARP ent...

Page 651: ...o the start IP address Usage guidelines ARP scanning automatically creates ARP entries for devices in the specified address range IP addresses already in existing ARP entries are not scanned If the interface s primary and secondary IP addresses are in the address range the sender IP address in the ARP request is the address on the smallest network segment If no address range is specified the devic...

Page 652: ...iew Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters ip address Specifies the IP address of a protected gateway Usage guidelines You can enable ARP gateway protection for a maximum of eight gateways on an interface You cannot configure both the arp filter source and arp filter binding commands on the same interface Examples Enable ARP gateway protection for...

Page 653: ...he ARP packet is discarded You can configure a maximum of eight ARP permitted entries on an interface You cannot configure both the arp filter source and arp filter binding commands on the same interface Examples Enable ARP filtering and configure an ARP permitted entry Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 arp filter binding 1 1 1 1 0e10 ...

Page 654: ...l to the start IP address Usage guidelines The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range If you execute this command multiple times the most recent configuration takes effect Examples Specify the sender IP address range 1 1 1 1 to 1 1 1 20 for ARP packet checking in VLAN 2 Sysname system view Sysname vlan 2 Sysname vlan2 arp sender ip range ...

Page 655: ...ter can then output log messages from different source modules to different destinations For more information about the information center see Network Management and Monitoring Configuration Guide As a best practice disable the ND logging feature to avoid excessive ND logs Examples Enable the ND logging feature Sysname system view Sysname ipv6 nd check log enable Related commands ipv6 nd mac check...

Page 656: ... detection statistics to display statistics for ND messages dropped by ND attack detection Syntax display ipv6 nd detection statistics interface interface type interface number Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters interface interface type interface number Specifies an interface by its type and number If you do not specify an interfac...

Page 657: ...nable Default ND attack detection is disabled Views VLAN view Predefined user roles network admin mdc admin Examples Enable ND attack detection for VLAN 10 Sysname system view Sysname vlan 10 Sysname vlan10 ipv6 nd detection enable ipv6 nd detection trust Use ipv6 nd detection trust to configure an interface as an ND trusted interface Use undo ipv6 nd detection trust to restore the default Syntax ...

Page 658: ...et ipv6 nd detection statistics interface interface type interface number Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies an interface by its type and number If you do not specify an interface this command clears ND attack detection statistics for all interfaces Examples Clear all ND attack detection statistics Sysname re...

Page 659: ...y if match ACL Number of the ACL in the ACL match criterion if match ACL name Name of the ACL in ACL match criterion if match autoconfig managed address flag Match criterion of the advertised M flag on The value of the advertised M flag is 1 off The value of the advertised M flag is 0 if match autoconfig other flag Match criterion of the advertised O flag on The value of the advertised O flag is 1...

Page 660: ...display ipv6 nd raguard statistics RA messages dropped by RA guard Interface Dropped XGE1 0 1 78 XGE1 0 2 0 XGE1 0 3 32 XGE1 0 4 0 Table 97 Command output Field Description Interface Interface that received the dropped RA messages Dropped Number of RA messages dropped on the interface Related commands ipv6 nd raguard log enable reset ipv6 nd raguard statistics if match acl Use if match acl to spec...

Page 661: ...icy policy1 if match acl 2001 if match autoconfig managed address flag Use if match autoconfig managed address flag to specify an M flag match criterion Use undo if match autoconfig managed address flag to delete the M flag match criterion Syntax if match autoconfig managed address flag off on undo if match autoconfig managed address flag Default No M flag match criterion exists Views RA guard pol...

Page 662: ...cifies the advertised O flag as 1 Usage guidelines The O flag in an RA message determines whether a receiving host uses stateful autoconfiguration to obtain configuration information other than IPv6 address If the O flag is set to 1 the host uses stateful autoconfiguration for example uses a DHCPv6 server If the O flag is set to 0 the host uses stateless autoconfiguration Examples Specify on as th...

Page 663: ...l be dropped Examples Set the maximum hop limit match criterion to 128 for the RA guard policy policy1 Sysname system view Sysname ipv6 nd raguard policy policy1 Sysname raguard policy policy1 if match hop limit maximum 128 if match prefix Use if match prefix to specify a prefix match criterion Use undo if match prefix to delete the prefix match criterion Syntax if match prefix acl ipv6 acl number...

Page 664: ...lete the router preference match criterion Syntax if match router preference maximum high low medium undo if match router preference maximum Default No router preference match criterion exists Views RA guard policy view Predefined user roles network admin mdc admin Parameters high Sets the maximum router preference to high An RA message passes the check if its router preference is not higher than ...

Page 665: ...ies an RA guard policy by its name a case sensitive string of 1 to 31 characters If you do not specify a policy RA guard blocks RA messages on all interfaces in the VLAN except interfaces that are defined to be connected to routers Usage guidelines If an RA message has multiple VLAN tags RA guard uses the outermost VLAN tag to select the applied RA guard policy If the specified RA guard policy doe...

Page 666: ...e information center can then output log messages from different source modules to different destinations For more information about the information center see Network Management and Monitoring Configuration Guide Examples Enable the RA guard logging feature Sysname system view Sysname ipv6 nd raguard log enable Related commands display ipv6 nd raguard statistics reset ipv6 nd raguard statistics i...

Page 667: ...do ipv6 nd raguard role Default No role is specified for the device attached to the interface Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin mdc admin Parameters host Specifies the host role The interface attached to a host drops all received RA messages router Specifies the router role The interface attached to a router forwards all rece...

Page 668: ...r Views User view Predefined user roles network admin mdc admin Parameters interface interface type interface number Specifies an interface by its type and number If you do not specify an interface this command clears RA guard statistics for all interfaces Examples Clear RA guard statistics Sysname reset ipv6 nd raguard statistics Related commands display ipv6 nd raguard statistics ...

Page 669: ...umber argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays uRPF configuration for all cards In IRF mode Examples In standalone mode Display uRPF configuration for the specified slot Sysname display ip urpf slot 1 Global uRPF configuration information failed Check type strict All...

Page 670: ...metric path and configure loose uRPF check for traffic that uses asymmetric path A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic Typically symmetric path applies to traffic that goes through an ISP s PE in...

Page 671: ...ument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays IPv6 uRPF configuration for all cards In IRF mode Examples In standalone mode Display IPv6 uRPF configuration for the specified slot Sysname display ipv6 urpf slot 1 Global IPv6 uRPF configuration information failed Check type st...

Page 672: ...onfigure loose IPv6 uRPF check for traffic that uses asymmetric path A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic Typically symmetric path applies to traffic that goes through an ISP s PE interface conn...

Page 673: ...n Sysname display mac forced forwarding interface Network Port XGE1 0 1 XGE1 0 2 User Port XGE1 0 3 XGE1 0 4 XGE1 0 5 Table 100 Command output Field Description Network Port List of network ports User Port List of user ports Related commands mac forced forwarding network port display mac forced forwarding vlan Use display mac forced forwarding vlan to display the MFF configuration for a VLAN Synta...

Page 674: ...ich the gateways belong Mode MFF operating mode Manual Manual Single gateway Single Gateway IP and MAC addresses of gateways If no address is learned this field displays N A Server Server IP addresses Related commands mac forced forwarding mac forced forwarding server mac forced forwarding Use mac forced forwarding to enable MFF Use undo mac forced forwarding to disable MFF Syntax mac forced forwa...

Page 675: ...an 2 Sysname vlan2 mac forced forwarding default gateway 1 1 1 1 Related commands mac forced forwarding server mac forced forwarding gateway probe Use mac forced forwarding gateway probe to enable periodic gateway probe Use undo mac forced forwarding gateway probe to disable periodic gateway probe Syntax mac forced forwarding gateway probe undo mac forced forwarding gateway probe Default Periodic ...

Page 676: ...e a port as a network port regardless of whether MFF is enabled for the VLAN of the port However the configuration takes effect only after MFF is enabled Link aggregation is supported by network ports in an MFF enabled VLAN but is not supported by user ports in the VLAN To cancel the network port configuration of a link aggregation member port in a MFF enabled VLAN remove the network port from the...

Page 677: ...from a server it searches the IP to MAC address entries it has stored Then the device replies with the requested MAC address to the server In this way packets from the server to a host are not forwarded by the gateway However packets from a host to the server are forwarded by the gateway MFF does not check whether the IP address of a server is on the same network segment as that of a gateway Inste...

Page 678: ...mmands fips mode enable fips mode enable Use fips mode enable to enable FIPS mode Use undo fips mode enable to disable FIPS mode Syntax fips mode enable undo fips mode enable Default FIPS mode is disabled Views System view Predefined user roles network admin mdc admin Usage guidelines After you enable FIPS mode and reboot the device the device operates in FIPS mode The FIPS device has strict secur...

Page 679: ...sword control policies A user role of network admin or mdc admin A service type of terminal h Delete the FIPS incompliant local user service types Telnet HTTP and FTP i Save the configuration file and specify it as the startup configuration file j Delete the original startup configuration file in binary format k Reboot the device After the fips mode enable command is executed the system prompts yo...

Page 680: ... automatically Continue Y N y Waiting for reboot After reboot the device will enter non FIPS mode Disable FIPS mode and choose the manual reboot method to enter non FIPS mode Sysname undo fips mode enable FIPS mode change requires a device reboot Continue Y N y The system will create a new startup configuration file for non FIPS mode and then reboot automatically Continue Y N n Change the configur...

Page 681: ...n passed Known answer test for random number generator passed Known Answer tests in the user space passed Starting Known Answer tests in the kernel Known answer test for AES passed Known answer test for HMAC SHA1 passed Known answer test for SHA1 passed Known answer test for GCM passed Known answer test for GMAC passed Known answer test for random number generator passed Known Answer tests in the ...

Page 682: ...Starting Known Answer tests in the kernel Known answer test for AES passed Known answer test for HMAC SHA1 passed Known answer test for SHA1 passed Known answer test for GCM passed Known answer test for GMAC passed Known answer test for random number generator passed Known Answer tests in the kernel passed Cryptographic Algorithms Known Answer Tests passed ...

Page 683: ...pecifies the number of bytes starting from the frame header MACsec encrypts only the bytes after the offset in a frame When an MKA policy is applied to a port the MACsec confidentiality offset in the policy overwrites the confidentiality offset previously configured on the port However MACsec uses the confidentiality offset propagated by the key server Examples Set the MACsec confidentiality offse...

Page 684: ...net1 0 1 Protect frames Yes Active MKA policy PL01 Replay protection Enabled Replay window size 0 frames Confidentiality offset 0 bytes Validation mode Check Display detailed MACsec information on GigabitEthernet 1 0 1 Sysname display macsec interface gigabitethernet 1 0 1 verbose Interface GigabitEthernet1 0 1 Protect frames Yes Active MKA policy PL01 Replay protection Enabled Replay window size ...

Page 685: ...displays N A Included SCI Whether the frame includes SCI tag Yes No If the port is not enabled with MACsec desire this field displays N A SCI conflict Whether the SCI in the received MKA packets is the same as the local SCI Yes The SCI in the received MKA packets is the same as the local SCI No No MKA packet is received or the SCI in the received MKA packets is different from the local SCI Cipher ...

Page 686: ...Specifies an MKA policy by policy name The policy name argument represents the MKA policy name a case sensitive string of 1 to 16 characters If you do not specify an MKA policy this command displays information about all MKA policies Examples Display information about all MKA policies Sysname display mka policy PolicyName ReplayProtection WindowSize ConfOffset Validation default policy Yes 0 0 Che...

Page 687: ...f you do not specify a port this command displays MKA session information on all ports local sci sci id Specifies a local SCI a case insensitive hexadecimal string of 16 characters verbose Displays detailed MKA session information If you do not specify this keyword the command displays brief MKA session information Examples Display brief MKA session information on GigabitEthernet 1 0 1 Sysname dis...

Page 688: ...0020000000106 Potential peer list MI MN Priority Capability Rx SCI DA58DC3Q4573543DBC6699F0 3 200 3 00E0021200000107 Table 104 Command output Field Description Tx SCI SCI for outbound traffic in hexadecimal notation Priority Key server priority in the range of 0 to 255 Capability MACsec capability 0 The port is MACsec incapable 1 The port supports integrity check only 2 The port supports integrity...

Page 689: ...isplays N A in the following situations The MKA instance is not the principal actor The SAK does not exist Current SAK AN SA number of the current SAK in use This field displays N A in the following situations The MKA instance is not the principal actor The SAK does not exist Current SAK KI Key identifier of the current SAK in use a string of hexadecimal digits that contains the key server s 12 by...

Page 690: ...ion display mka statistics Use display mka statistics to display MKA statistics on ports Syntax display mka statistics interface interface type interface number Views Any view Predefined user roles network admin network operator mdc admin mdc operator Parameters interface interface type interface number Specifies a port by its type and number If you do not specify a port this command displays MKA ...

Page 691: ...ACsec confidentiality offset on a port Use undo macsec confidentiality offset to restore the default Syntax macsec confidentiality offset offset value undo macsec confidentiality offset Default The MACsec confidentiality offset on the port is 0 The entire frame is encrypted Views Ethernet interface view Predefined user roles network admin mdc admin Parameters offset value Specifies the confidentia...

Page 692: ...tion for outbound frames Views Ethernet interface view Predefined user roles network admin mdc admin Usage guidelines This command allows a MACsec port to expect MACsec protection for outbound frames The key server determines whether MACsec protects the outbound frames MACsec protects the outbound frames of the port when the following requirements are met The key server is MACsec capable Both the ...

Page 693: ...nd Monitoring Configuration Guide As a best practice disable MKA session logging to prevent excessive log output Examples Enable MKA session logging Sysname system view Sysname macsec mka session log enable Related commands info center source Network Management and Monitoring Command Reference macsec replay protection enable Use macsec replay protection enable to enable MACsec replay protection on...

Page 694: ...o restore the default Syntax macsec replay protection window size size value undo macsec replay protection window size Default The MACsec replay protection window size is 0 on a port Frames are accepted only in the correct order Views Ethernet interface view Predefined user roles network admin mdc admin Parameters size value Specifies the replay protection window size in the range of 0 to 42949672...

Page 695: ...ore the default Syntax macsec validation mode check strict undo macsec validation mode Default The MACsec validation mode is check on a port Views Ethernet interface view Predefined user roles network admin mdc admin Parameters check Performs validation only and does not drop illegal frames strict Performs validation and drops illegal frames Usage guidelines To avoid data loss use the default vali...

Page 696: ...protection and replay protection window size When you apply an MKA policy to a port the MACsec parameter settings in the policy overwrite the MACsec parameters previously configured on the port Any modifications to the MKA policy take effect immediately When you remove the MKA policy from a port the MACsec parameter settings on the port restore to the default When you delete an MKA policy ports th...

Page 697: ...ncryption keys used by MACsec The enabling of MKA on a port triggers MKA negotiation After MKA negotiation succeeds an MKA session is successfully established Examples Enable MKA on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mka enable Related commands display mka session mka policy Use mka policy to create an MKA policy and enter...

Page 698: ...r modify the system defined MKA policy default policy Examples Create an MKA policy named abcd and enter its view Sysname system view Sysname mka policy abcd Sysname mka policy abcd Related commands confidentiality offset display mka policy mka apply policy replay protection enable replay protection window size validation mode mka priority Use mka priority to set the MKA key server priority Use un...

Page 699: ...hernet1 0 1 mka priority 2 Related commands display mka session mka psk Use mka psk to set a preshared key as the CAK Use undo mka psk to restore the default Syntax mka psk ckn name cak cipher simple string undo mka psk Default No preshared key exists Views Ethernet interface view Predefined user roles network admin mdc admin Parameters ckn name Specifies the preshared key name a hexadecimal strin...

Page 700: ...erations when it runs the cipher suite Automatically increases the length of the CKN or CAK by zero padding if the CKN or CAK contains less than 32 characters Uses only the first 32 characters if the CKN or CAK contains more than 32 characters Examples Configure the CAK name as AB and set the CAK to 1234 in plain text on Gigabit Ethernet 1 0 1 Sysname system view Sysname interface gigabitethernet ...

Page 701: ...nge of 0 to 4294967295 frames Usage guidelines The MACsec replay protection window size allows a MACsec port to accept a number of out of order inbound frames Suppose the replay protection window size is a on a port After the port receives a packet with PN x it can accept only packets whose PN is greater than or equal to x a The replay protection window size takes effect only when the replay prote...

Page 702: ... all ports Usage guidelines This command first clears MKA sessions and then immediately triggers a new session establishment negotiation Examples Reset MKA sessions on GigabitEthernet 1 0 1 Sysname reset mka session interface gigabitethernet 1 0 1 Related commands display mka session reset mka statistics Use reset mka statistics to clear MKA statistics on ports Syntax reset mka statistics interfac...

Page 703: ...ers check Performs validation only and does not drop illegal frames strict Performs validation and drops illegal frames Usage guidelines To avoid data loss use the default validation mode check on the MACsec devices in case of MKA negotiation failure After you use the display macsec command to verify that MKA negotiation has succeeded change the validation mode to strict When an MKA policy is appl...

Page 704: ...displays 802 1X client authentication information for all interfaces Examples Display 802 1X client authentication information on Ten GigabitEthernet 1 0 1 Sysname display dot1x supplicant interface ten gigabitethernet 1 0 1 Ten GigabitEthernet1 0 1 Username aaa EAP method PEAP MSCHAPv2 Dot1x supplicant Enabled Anonymous identifier bbb SSL client policy policy_1 FSM state Init EAPOL Start packets ...

Page 705: ...ous identify Default No 802 1X client anonymous identifier exists Views Ethernet interface view Predefined user roles network admin mdc admin Parameters identifier Specifies an 802 1X client anonymous identifier a case sensitive string of 1 to 253 characters Usage guidelines At the first authentication phase packets sent to the authenticator are not encrypted The use of an 802 1X client anonymous ...

Page 706: ...1X client EAP authentication method Use undo dot1x supplicant eap method to restore the default Syntax dot1x supplicant eap method md5 peap gtc peap mschapv2 ttls gtc ttls mschapv2 undo dot1x supplicant eap method Default The MD5 Challenge authentication is used as the 802 1X client EAP authentication method Views Ethernet interface view Predefined user roles network admin mdc admin Parameters md5...

Page 707: ...ce view Predefined user roles network admin mdc admin Usage guidelines Make sure you have configured 802 1X authentication on the authenticator before you use this command Examples Enable the 802 1X client feature on a port Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 dot1x supplicant enable Related commands display dot1x supplicant dot1x supplic...

Page 708: ...s to pass 802 1X client authentication You can use either of the following methods to configure a unique MAC address for each 802 1X client enabled interface Execute the mac address command in Ethernet interface view Execute the dot1x supplicant mac address command For information about MACsec see Security Configuration Guide Examples Configure the 802 1X client MAC address for 802 1X client authe...

Page 709: ...1x supplicant ssl client policy policy name undo dot1x supplicant ssl client policy policy name Default An 802 1X client enabled device uses the default SSL client policy Views Ethernet interface view Predefined user roles network admin mdc admin Parameters policy name Specifies an SSL client policy by its name a case insensitive string of 1 to 31 characters Make sure the specified SSL client poli...

Page 710: ...rface view Predefined user roles network admin mdc admin Parameters username Specifies the 802 1X client username a case sensitive string of 1 to 253 characters Usage guidelines 802 1X client usernames can include domain names The supported domain name delimiters include the at sign backslash dot and forward slash Usernames that include domain names can use the format of username domain name domai...

Page 711: ...696 Sysname Ten GigabitEthernet1 0 1 dot1x supplicant username aaa Related commands display dot1x supplicant dot1x domain delimiter dot1x supplicant enable ...

Page 712: ...ce ten gigabitethernet 1 0 1 Global Web auth parameters Proxy Port Numbers Not configured Total online web auth users 1 Ten GigabitEthernet1 0 1 is link up Port role Authenticator Web auth domain my domain Auth Fail VLAN Not configured Offline detect Not configured Max online users 1024 Web auth enable Enabled Total online web auth users 1 Table 107 Command output Field Description Global Web auth...

Page 713: ...b authentication Enabled Disabled Total online web auth users Total number of online Web authentication users on the interface display web auth free ip Use display web auth free ip to display Web authentication free subnets Syntax display web auth free ip Views Any view Predefined user roles network admin network operator mdc admin mdc operator Examples Display Web authentication free subnets Sysn...

Page 714: ...escription Web auth server Name of the Web authentication server IP IP address of the Web authentication server Port Port number of the Web authentication server URL Redirection URL of the Web authentication server Redirect wait time Time before redirecting an authenticated user to the webpage requested by the user URL parameters Parameters in the redirection URL display web auth user Use display ...

Page 715: ...ut online Web authentication users on Ten GigabitEthernet 1 0 1 Sysname display web auth user interface ten gigabitethernet 1 0 1 Total online web auth users 1 User name user1 MAC address 0000 2700 b076 Access interface Ten GigabitEthernet 1 0 1 Initial VLAN 1 Authorization VLAN N A Authorization ACL ID N A Table 109 Command output Field Description Total online web auth users Total number of onli...

Page 716: ...ckets This can avoid impacting system performance when there are many network access requests The port number of the Web authentication server must be the same as the listening port of the local portal Web service For more information about the local portal Web service configuration see portal authentication in Security Configuration Guide If you execute this command multiple times the most recent...

Page 717: ...enticated users to 10 seconds Sysname system view Sysname web auth server wbs Sysname web auth server wbs redirect wait time 10 url Use url to specify the redirection URL for a Web authentication server Use undo url to restore the default Syntax url url string undo url Default No redirection URL is specified for a Web authentication server Views Web authentication server view Predefined user roles...

Page 718: ...ameters parameter name Specifies a URL parameter name a case sensitive string of 1 to 32 characters Content of the parameter is determined by the following keyword you specify original url Specifies the URL of the original webpage that a portal user visits source address Specifies the user IP address source mac Specifies the user MAC address value expression Specifies a custom case sensitive strin...

Page 719: ... Auth Fail VLAN ID in a range of 1 to 4094 The specified VLAN must already exist User guidelines After you configure this command on an interface users who failed Web authentication on the interface can access resources in the Auth Fail VLAN You must also configure the IP address of the server that provides the resources as an authentication free IP address To make the Auth Fail VLAN take effect y...

Page 720: ...s specified for Web authentication users on an interface Views Layer 2 Ethernet interface view Predefined user roles network admin mdc admin Parameters domain name Specifies an ISP authentication domain name a case insensitive string of 1 to 255 characters User guidelines After you configure this command the device uses the authentication domain for authentication authorization and accounting AAA ...

Page 721: ...ure the port security mode on the Layer 2 Ethernet interface enabled with Web authentication Examples Enable Web authentication and specify Web authentication server wbs on Ten GigabitEthernet 1 0 1 Sysname system view Sysname interface ten gigabitethernet 1 0 1 Sysname Ten GigabitEthernet1 0 1 web auth enable apply server wbs Related commands web auth server web auth free ip Use web auth free ip ...

Page 722: ...ax user to restore the default Syntax web auth max user max number undo web auth max user Default The maximum number of Web authentication users on an interface is 1024 Views Layer 2 Ethernet interface view Predefined user roles network admin mdc admin Parameters max number Specifies the maximum number of Web authentication users allowed on an interface The value range for this argument is 1 to 20...

Page 723: ... specified detection interval If no packet from the user is received within the interval the device logs out the user and notifies the RADIUS server to stop accounting for the user To prevent the device from mistakenly logging out users set the detection interval to be the same as the aging time of MAC address entries Examples On Ten GigabitEthernet 1 0 1 enable online detection of Web authenticat...

Page 724: ...ure authentication free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication For Web authentication to support Web proxy You must add the port numbers of the Web proxy servers on the device Users must make sure their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal Web service Then...

Page 725: ...ication server view you can configure the following parameters and features for the Web authentication server IP address of the server Redirection URL Parameters to be carried in the redirection URL Examples Create a Web authentication server named wbs and enter its view Sysname system view Sysname web auth server wbs Sysname web auth server wbs Related commands web auth enable apply server ...

Page 726: ...ntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in Boldface For example the New User wind...

Page 727: ...epresents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gateway or load balancing device Represents a security module such as a firewall load balancing NetStream SSL VPN IPS or ACG module Examples provided in this ...

Page 728: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 729: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 730: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 731: ...ac 622 arp source mac aging time 623 arp source mac exclude mac 624 arp source mac threshold 624 arp source suppression enable 618 arp source suppression limit 618 arp valid check enable 626 attack defense local apply policy 523 attack defense login block timeout 524 attack defense login enable 524 attack defense login max attempt 525 attack defense login reauthentication delay 526 attack defense ...

Page 732: ...y blacklist user 556 display crypto version 508 display domain 26 display dot1x 160 display dot1x connection 164 display dot1x mac address 167 display dot1x supplicant 689 display fips status 663 display hwtacacs scheme 116 display ip source binding 603 display ip urpf 654 display ip verify source excluded 604 display ipv6 nd detection statistics 641 display ipv6 nd raguard policy 643 display ipv6...

Page 733: ... 176 dot1x domain delimiter 177 dot1x ead assistant enable 178 dot1x ead assistant free ip 179 dot1x ead assistant url 179 dot1x eapol untag 180 dot1x guest vlan 181 dot1x guest vlan delay 182 dot1x guest vsi 183 dot1x guest vsi delay 184 dot1x handshake 185 dot1x handshake reply enable 186 dot1x handshake secure 186 dot1x mac binding 187 dot1x mac binding enable 188 dot1x mandatory domain 189 dot...

Page 734: ...e map 147 ldap scheme 148 ldap server 149 ldap server 405 local guest email format 49 local guest email sender 50 local guest email smtp server 51 local guest generate 51 local guest send email 53 locality 406 local user 53 local user auto delete enable 55 local user export 55 local user import 56 login dn 149 login password 150 ls 464 M mac authentication 210 mac authentication access user log en...

Page 735: ...ki domain SSL client policy view 510 pki domain SSL server policy view 511 port 86 port MAC binding server view 263 port portal authentication server view 263 portal bas ip bas ipv6 interface view 264 portal ipv4 max user ipv6 max user interface view 265 portal apply mac trigger server 266 portal apply web server interface view 267 portal authorization strict checking 268 portal delete user 268 po...

Page 736: ...rename 467 replay protection enable 685 replay protection window size 686 reset arp detection statistics 634 reset attack defense policy flood 576 reset attack defense statistics local 577 reset blacklist ip 577 reset blacklist ipv6 578 reset blacklist statistics 579 reset dot1x guest vlan 200 reset dot1x guest vsi 201 reset dot1x statistics 201 reset hwtacacs statistics 130 reset ipv6 nd detectio...

Page 737: ...ation timeout 448 ssh server compatible ssh1x enable 448 ssh server dscp 449 ssh server enable 450 ssh server ipv6 acl 450 ssh server ipv6 dscp 451 ssh server pki domain 452 ssh server port 452 ssh server rekey interval 453 ssh user 454 ssh2 489 ssh2 algorithm cipher 500 ssh2 algorithm key exchange 501 ssh2 algorithm mac 502 ssh2 algorithm public key 503 ssh2 ipv6 492 ssh2 ipv6 suite b 495 ssh2 su...

Page 738: ...RADIUS scheme view 114 user parameters 154 user sync 304 V validation mode 688 validity datetime 65 version 518 version 305 vpn instance 306 vpn instance HWTACACS scheme view 141 vpn instance RADIUS scheme view 115 W web auth auth fail vlan 704 web auth domain 705 web auth enable 705 web auth free ip 706 web auth max user 707 web auth offline detect 708 web auth proxy port 708 web auth server 709 ...

Reviews: