HP A-U200 Скачать руководство пользователя

Страница: 15 / 148

Parameters Function

Description

dscp

dscp

Specifies a DSCP
priority

The

dscp

argument can be a number in the range of 0 to 63, or in

words,

af11

(10),

af12

(12),

af13

(14),

af21

(18),

af22

(20),

af23

(22),

af31

(26),

af32

(28),

af33

(30),

af41

(34),

af42

(36),

af43

(38),

cs1

(8),

cs2

(16),

cs3

(24),

cs4

(32),

cs5

(40),

cs6

(48),

cs7

(56),

default

(0), or

(46).

logging

Logs matching
packets

This function requires that the module that uses the ACL supports
logging.

reflective

Specifies that the
rule be reflective

A rule with the

reflective

keyword can be defined only for TCP, UDP,

or ICMP packets and can only be a permit statement.

vpn-instance

vpn-instance-na

Applies the rule to
packets in a VPN

instance

The

vpn-instance-name

argument takes a case-sensitive string of 1 to

31 characters.
If no VPN instance is specified, the rule applies only to non-VPN

packets.

fragment

Applies the rule to
only non-first
fragments

Without this keyword, the rule applies to all fragments and
non-fragments.

time-range

time-range-nam
e

Specifies a time
range for the rule

The

time-range-name

argument takes a case-insensitive string of 1 to

32 characters. It must start with an English letter. If the time range is not

configured, the system creates the rule; however, the rule using the

time range can take effect only after you configure the timer range.

NOTE:

If you provide the

precedence

tos

keyword in addition to the

dscp

keyword, only the

dscp

keyword

takes effect.

If the

protocol

argument takes

tcp

(6) or

udp

(7), set the parameters shown in

Table 4

TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters

Function

Description

source-port

operator port1

[

port2

]

Specifies one or
more UDP or TCP

source ports

The

operator

argument can be

(lower than),

(greater than),

(equal to),

neq

(not equal to), or

range

(inclusive range).

The

port1

and

port2

arguments are TCP or UDP port numbers in

the range of 0 to 65535.

port2

is needed only when the

operator

argument is

range

TCP port numbers can be represented as:

chargen

(19),

bgp

(179),

cmd

(514),

daytime

(13),

discard

(9),

domain

(53),

echo

(7),

exec

(512),

finger

(79),

ftp

(21),

ftp-data

(20),

gopher

(70),

hostname

(101),

irc

(194),

klogin

(543),

kshell

(544),

(513),

lpd

(515),

nntp

(119),

pop2

(109),

pop3

(110),

smtp

(25),

sunrpc

(111),

tacacs

(49),

talk

(517),

telnet

(23),

time

(37),

uucp

(540),

whois

(43), and

www

(80).

UDP port numbers can be represented as:

biff

(512),

bootpc

(68),

bootps

(67),

discard

(9),

dns

(53),

dnsix

(90),

echo

(7),

mobilip-ag

(434),

mobilip-mn

(435),

nameserver

(42),

netbios-dgm

(138),

netbios-ns

(137),

netbios-ssn

(139),

ntp

(123),

rip

(520),

snmp

(161),

snmptrap

(162),

sunrpc

(111),

syslog

(514),

tacacs-ds

(65),

talk

(517),

tftp

(69),

time

(37),

who

(513), and

xdmcp

(177).

destination-port

operator port1

[

port2

]

Specifies one or
more UDP or TCP

destination ports

Содержание A-U200

Страница 1: ...HP A U200 Unified Threat Management Products Access Control Command Reference Part number 5998 2676 Software version R5116P20 Document version 6PW100 20111216 ...

Страница 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Страница 3: ... session aging time 24 session checksum 25 session persist acl 25 Connection limit configuration commands 27 connection limit apply policy 27 connection limit policy 27 display connection limit policy 28 limit 29 Portal configuration commands 31 display portal acl 31 display portal connection statistics 33 display portal free rule 36 display portal interface 37 display portal server 38 display por...

Страница 4: ...and 63 authorization default 64 authorization lan access 65 authorization login 66 authorization portal 67 authorization ppp 68 authorization attribute user profile 69 cut connection 69 display connection 71 display domain 73 domain 75 domain default enable 76 idle cut enable 76 ip pool 77 nas id bind vlan 78 self service url enable 78 state ISP domain view 79 Local user configuration commands 80 ...

Страница 5: ...IUS scheme view 117 timer response timeout RADIUS scheme view 118 user name format RADIUS scheme view 118 HWTACACS configuration commands 119 data flow format HWTACACS scheme view 119 display hwtacacs 120 display stop accounting buffer for HWTACACS 123 hwtacacs nas ip 123 hwtacacs scheme 124 key HWTACACS scheme view 125 nas ip HWTACACS scheme view 125 primary accounting HWTACACS scheme view 126 pr...

Страница 6: ...iv Related information 137 Documents 137 Websites 137 Conventions 138 Index 140 ...

Страница 7: ...first order The depth first order differs with ACL categories For more information see ACL and QoS Configuration Guide config Compares ACL rules in ascending order of rule ID The rule with a smaller ID has higher priority If no match order is specified the config order applies by default all Deletes all IPv4 ACLs Description Use the acl command to create an IPv4 ACL and enter its view If the ACL h...

Страница 8: ...y as the source ACL Available value ranges include 2000 to 2999 for IPv4 basic ACLs 3000 to 3999 for IPv4 advanced ACLs 4000 to 4999 for Ethernet frame header ACLs name dest acl name Assigns a unique name to the IPv4 ACL you are creating The dest acl name takes a case insensitive string of 1 to 32 characters It must start with an English letter and to avoid confusion it cannot be all For this ACL ...

Страница 9: ... flow Sysname system view Sysname acl name flow Sysname acl basic 2001 flow description Syntax description text undo description View IPv4 basic advanced ACL view Ethernet frame header ACL view Default level 2 System level Parameters text ACL description a case sensitive string of 1 to 127 characters Description Use the description command to configure a description for an ACL Use the undo descrip...

Страница 10: ...r Description Use the display acl command to display the IPv4 ACL configuration and match statistics This command displays ACL rules in config or depth first order whichever is configured Examples Display all IPv4 configuration and match statistics Sysname display acl all Basic ACL 2000 named flow 3 rules ACL s step is 5 rule 0 permit rule 5 permit source 1 1 1 1 0 2 times matched rule 10 permit v...

Страница 11: ...ht occur when you modify a rule in an ACL that has been applied rule 10 comment This rule is used in VPN rd The description of ACL rule 10 is This rule is used in VPN rd display time range Syntax display time range time range name all View Any view Default level 1 Monitor level Parameters time range name Specifies a time range name a case insensitive string of 1 to 32 characters It must start with...

Страница 12: ...CLs name acl name Specifies an IPv4 ACL by its name The acl name argument takes a case insensitive string of 1 to 32 characters It must start with an English letter Description Use the reset acl counter command to clear IPv4 ACL statistics Related commands display acl Examples Clear statistics for IPv4 basic ACL 2001 Sysname reset acl counter 2001 Clear statistics for IPv4 ACL flow Sysname reset a...

Страница 13: ..._SNAP frames The protocol type mask argument is a 16 bit hexadecimal number that represents a protocol type mask source mac sour addr source mask Matches a source MAC address range The sour addr argument represents a source MAC address and the sour mask argument represents a mask in H H H format time range time range name Specifies a time range for the rule The time range name argument is a case i...

Страница 14: ... deny Denies matching packets permit Allows matching packets to pass protocol Protocol carried by IPv4 It can be a number in the range of 0 to 255 or in words gre 47 icmp 1 igmp 2 ip ipinip 4 ospf 89 tcp 6 or udp 17 Table 3 describes the parameters that you can specify regardless of the value that the protocol argument takes Table 3 Match criteria and other rule information for IPv4 advanced ACL r...

Страница 15: ...range can take effect only after you configure the timer range NOTE If you provide the precedence or tos keyword in addition to the dscp keyword only the dscp keyword takes effect If the protocol argument takes tcp 6 or udp 7 set the parameters shown in Table 4 Table 4 TCP UDP specific parameters for IPv4 advanced ACL rules Parameters Function Description source port operator port1 port2 Specifies...

Страница 16: ...p message Specifies the ICMP message type and code The icmp type argument is in the range of 0 to 255 The icmp code argument is in the range of 0 to 255 The icmp message argument specifies a message name Supported ICMP message names and their corresponding type and code values are listed in Table 6 Table 6 ICMP message names supported in IPv4 advanced ACL rules ICMP message name ICMP message type ...

Страница 17: ...9 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq 80 logging Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192 168 1 0 24 Sysname system view Sysname acl number 3001 Sysname acl adv 3001 rule permit ip Sysname acl adv 3001 rule deny icmp destination 192 168 1 0 0 0 0 255 Create IPv4 advanced ACL rules to permit inbound and outbou...

Страница 18: ...case insensitive string of 1 to 32 characters It must start with an English letter If the time range is not configured the system creates the rule however the rule using the time range can take effect only after you configure the timer range vpn instance vpn instance name Applies the rule to packets in a VPN instance The vpn instance name argument takes a case sensitive string of 1 to 31 character...

Страница 19: ...es a comment about the ACL rule a case sensitive string of 1 to 127 characters Description Use the rule comment command to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand Use the undo rule comment command to delete the ACL rule comment By default an IPv4 ACL rule has no rule comment Related commands display acl Examples Create a rule in IPv4 basic A...

Страница 20: ...0 step 2 time range Syntax time range time range name start time to end time days from time1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 undo time range time range name start time to end time days from time1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 View System view Default level 2 System level Parameters time range name Specifies a time range name...

Страница 21: ...ents in a time range Each time statement can take one of the following forms Periodic statement in the start time to end time days format A periodic statement recurs periodically on a day or days of the week Absolute statement in the from time1 date1 to time2 date2 format An absolute statement does not recur Compound statement in the start time to end time days from time1 date1 to time2 date2 form...

Страница 22: ...from 0 0 1 1 2010 to 23 59 12 31 2010 Create a compound time range t4 setting it to be active from 10 00 to 12 00 on Mondays and from 14 00 to 16 00 on Wednesdays in the period of January through June of the year 2010 Sysname system view Sysname time range t4 10 0 to 12 0 1 from 0 0 1 1 2010 to 23 59 1 31 2010 Sysname time range t4 14 0 to 16 0 3 from 0 0 6 1 2010 to 23 59 6 30 2010 ...

Страница 23: ...nges from 5 seconds to 100000 seconds Description Use the application aging time command to set the aging time for sessions of an application layer protocol Use the undo application aging time command to restore the default If no application layer protocol type is specified the command restores the session aging times for all the application layer protocols to the defaults The default session agin...

Страница 24: ...l find 2 Table 7 Output description Field Description Local IP Port IP address port number of the inside network Global IP Port IP address port number of the outside network MatchMode Match mode from session table to relationship table including Local Global and Either Local Indicates that the source IP address source port of a new session are matched against Local IP Port in the relation table Gl...

Страница 25: ...tain the number of dropped packets Examples Display statistics about all sessions Sysname display session statistics Current session s 593951 Current TCP session s 0 Half Open 0 Half Close 0 Current UDP session s 593951 Current ICMP session s 0 Current RAWIP session s 0 Current relation table s 50000 Session establishment rate 184503 s TCP Session establishment rate 0 s UDP Session establishment r...

Страница 26: ...ytes Received UDP Counts of received UDP packets and bytes Received ICMP Counts of received ICMP packets and bytes Received RAWIP Counts of received Raw IP packets and bytes Dropped TCP Counts of dropped TCP packets and bytes Dropped UDP Counts of dropped UDP packets and bytes Dropped ICMP Counts of dropped ICMP packets and bytes Dropped RAWIP Counts of dropped Raw IP packets and bytes display ses...

Страница 27: ...rt 192 168 1 55 768 Pro ICMP ICMP 1 VPN Instance VLAN ID VLL ID Initiator Source IP Port 192 168 1 18 1212 Dest IP Port 192 168 1 55 23 Pro TCP TCP 6 VPN Instance VLAN ID VLL ID Total find 2 Display detailed information about all sessions Sysname display session table verbose Initiator Source IP Port 192 168 1 19 137 Dest IP Port 192 168 1 255 137 VPN Instance VLAN ID VLL ID Responder Source IP Po...

Страница 28: ...nd INLINE that the session belongs to during Layer 2 forwarding App Application layer protocol FTP DNS MSN or QQ Unknown indicates protocol type of a non well known port State Session status Possible values are Accelerate SYN TCP EST FIN UDP OPEN UDP READY ICMP OPEN ICMP CLOSED RAWIP OPEN RAWIP READY Start Time Session establishment time TTL Remaining lifetime of the session in seconds VD name Nam...

Страница 29: ...pecified protocol type The protocol types include ICMP Raw IP TCP and UDP source port source port Clears the sessions with the specified source port of the initiator destination port destination port Clears the sessions with the specified destination port of the initiator vpn instance vpn instance name Clears the sessions of the specified VPN The vpn instance name argument is a case sensitive stri...

Страница 30: ...iew Default level 2 System level Parameters accelerate Specifies the aging time for the sessions in the accelerate queue fin Specifies the aging time for the TCP sessions in the FIN_WAIT state icmp closed Specifies the aging time for the ICMP sessions in the CLOSED state icmp open Specifies the aging time for the ICMP sessions in the OPEN state rawip open Specifies the aging time for the sessions ...

Страница 31: ...level Parameters all Enables checksum verification for TCP UDP and ICMP packets icmp Enables checksum verification for ICMP packets tcp Enables checksum verification for TCP packets udp Enables checksum verification for UDP packets Description Use the session checksum command to enable checksum verification for protocol packets Use the undo session checksum command to disable checksum verification...

Страница 32: ... specified ACL are considered persistent sessions Use the undo session persist command to remove the configuration By default no persistent session rule is specified Persistent sessions will not be removed because they are not matched with any packets within the aging time You can manually remove such sessions when necessary A persistent session rule can reference only one ACL Related commands res...

Страница 33: ... remove the application If a connection limit policy is applied you cannot add remove or modify the conneciton limit rules in the connection limit policy view A conneciton limit policy to be applied must contain at least one limit rule Related commands connection limit policy Examples Apply connection limit policy 0 Sysname system view Sysname connection limit apply policy 0 connection limit polic...

Страница 34: ...ts view Sysname system view Sysname connection limit policy 0 Sysname connection limit policy 0 display connection limit policy Syntax display connection limit policy policy number all View Any view Default level 1 Monitor level Parameters policy number Connection limit policy number which can only be 0 all Displays all connection limit policies Description Use the display connection limit policy ...

Страница 35: ...http ip tcp udp max connections max num per destination per source per source destination undo limit limit id View Connection limit policy view Default level 2 System level Parameters limit id ID of a rule in the connection limit policy which can only be 0 source ip Specifies the source IP address of the connections to be limited ip address mask length IP address and its mask length The mask lengt...

Страница 36: ...in ascending order Related commands connection limit policy display connection limit policy Examples Configure connection limit rule 1 for policy 1 to limit TCP connections sourced from 1 1 1 1 with the upper connection limit of 200 Sysname system view Sysname connection limit policy 0 Sysname connection limit policy 0 limit 1 source ip 1 1 1 1 32 protocol tcp max connections 200 Configure connect...

Страница 37: ...ated by related configurations interface interface type interface number Displays the ACLs on the specified interface Description Use the display portal acl command to display the ACLs on a specific interface Examples Display all ACLs on interface GigabitEthernet 0 0 Sysname display portal acl all interface gigabitethernet 0 0 GigabitEthernet0 0 portal ACL rule Rule 0 Inbound interface GigabitEthe...

Страница 38: ... ACL which is numbered from 0 in ascending order Inbound interface Interface to which portal ACLs are bound Type Type of the portal ACL Action Match action in the portal ACL Source Source information in the portal ACL IP Source IP address in the portal ACL Mask Subnet mask of the source IP address in the portal ACL MAC Source MAC address in the portal ACL Interface Source interface in the portal A...

Страница 39: ...ecifies an interface by its type and number Description Use the display portal connection statistics command to display portal connection statistics on a specific interface or all interfaces Examples Display portal connection statistics on interface GigabitEthernet 0 0 Sysname display portal connection statistics interface GigabitEthernet0 0 Interface GigabitEthernet0 0 User state statistics State...

Страница 40: ...MSG_SETPOLICY_RESULT 0 0 0 Table 12 Output description Field Description User state statistics Statistics on portal users State Name Name of a user state User Num Number of users VOID Number of users in void state DISCOVERED Number of users in discovered state WAIT_AUTHEN_ACK Number of users in wait_authen_ack state WAIT_AUTHOR_ACK Number of users in wait_author_ack state WAIT_LOGIN_ACK Number of ...

Страница 41: ...entication request timeout message MSG_TMR_AUTHEN Authentication timeout message MSG_TMR_AUTHOR Authorization timeout message MSG_TMR_LOGIN Accounting start timeout message MSG_TMR_LOGOUT Accounting stop timeout message MSG_TMR_LEAVING Leaving timeout message MSG_TMR_NEWIP Public IP update timeout message MSG_TMR_USERIPCHANGE User IP change timeout message MSG_PORT_REMOVE Users of a Layer 2 port r...

Страница 42: ...P 2 2 2 0 Mask 255 255 255 0 MAC 0000 0000 0000 Interface any Vlan 0 Destination IP 0 0 0 0 Mask 0 0 0 0 Table 13 Output description Field Description Rule Number Number of the portal free rule Source Source information in the portal free rule IP Source IP address in the portal free rule Mask Subnet mask of the source IP address in the portal free rule MAC Source MAC address in the portal free rul...

Страница 43: ...ain my domain Authentication network address 0 0 0 0 mask 0 0 0 0 Table 14 Output description Field Description Interface portal configuration Portal configuration on the interface GigabitEthernet0 0 Status of the portal feature on the interface disabled enabled or running Portal server Portal server referenced by the interface Authentication type Authentication mode enabled on the interface Porta...

Страница 44: ...display portal server aaa Portal server 1 aaa IP 192 168 0 111 Key portal Port 50100 URL http 192 168 0 111 Table 15 Output description Field Description 1 Number of the portal server aaa Name of the portal server IP IP address of the portal server Key Key for portal authentication Not configured will be displayed if no key is configured Port Listening port on the portal server URL Address the pac...

Страница 45: ...rtal server statistics interface gigabitethernet 0 0 Interface GigabitEthernet0 0 Server name st Invalid packets 0 Pkt Name Total Discard Checkerr REQ_CHALLENGE 3 0 0 ACK_CHALLENGE 3 0 0 REQ_AUTH 3 0 0 ACK_AUTH 3 0 0 REQ_LOGOUT 1 0 0 ACK_LOGOUT 1 0 0 AFF_ACK_AUTH 3 0 0 NTF_LOGOUT 1 0 0 REQ_INFO 6 0 0 ACK_INFO 6 0 0 NTF_USERDISCOVER 0 0 0 NTF_USERIPCHANGE 0 0 0 AFF_NTF_USERIPCHANGE 0 0 0 ACK_NTF_LO...

Страница 46: ...rver REQ_INFO Information request message ACK_INFO Information acknowledgment message NTF_USERDISCOVER User discovery notification message the portal server sends to the access device NTF_USERIPCHANGE User IP change notification message the access device sends to the portal server AFF_NTF_USERIPCHANGE User IP change success notification message the portal server sends to the access device ACK_NTF_...

Страница 47: ...ckets Packets Sent Number of sent packets Packets Retransmitted Number of retransmitted packets Packets Dropped Number of dropped packets HTTP Packets Sent Number of HTTP packets sent Connection State Statistics of connections in various state ESTABLISHED Number of connections in ESTABLISHED state CLOSE_WAIT Number of connections in CLOSE_WAIT state LAST_ACK Number of connections in LAST ACK state...

Страница 48: ...net0 0 Index 3 State ONLINE SubState INVALID ACL 3000 Work mode Primary MAC IP Vlan Interface 000d 88f8 0eac 2 2 2 3 0 GigabitEthernet0 0 Total 2 user s matched 2 listed Table 18 Output description Field Description Index Index of the portal user State Current status of the portal user SubState Current sub status of the portal user ACL Authorization ACL of the portal user Work mode Working mode of...

Страница 49: ...ation subnets This command is only applicable for Layer 3 authentication The portal authentication subnet for direct authentication is any source IP address and the portal authentication subnet for re DHCP authentication is the one determined by the private IP address of the interface By default the portal authentication subnet is 0 0 0 0 0 meaning that users in all subnets are to be authenticated...

Страница 50: ...ortal users on an interface Then the device uses the specified authentication domain for authentication authorization and accounting AAA of the portal users on the interface Use the undo portal domain command to restore the default By default no authentication domain is specified for an interface Related commands display portal interface Examples Configure the authentication domain for portal user...

Страница 51: ... follow these guidelines If you specify both a source IP address and a source MAC address in a portal free rule the IP address must be a host address with a 32 bit mask Otherwise the specified MAC address does not take effect If you specify both a VLAN and an interface in a portal free rule the interface must belong to the VLAN You cannot configure a portal free rule to have the same filtering cri...

Страница 52: ...number of portal users allowed in the system to 100 Sysname system view Sysname portal max user 100 portal nas id Syntax portal nas id nas identifier undo portal nas id View Interface view Default level 2 System level Parameters nas identifier NAS ID a case sensitive string of 1 to 16 characters This value is used as the value of the NAS Identifier attribute in the RADIUS request to be sent to the...

Страница 53: ...guration By default an interface is not specified with any NAS ID profile If an interface is specified with a NAS ID profile the interface prefers to use the binding defined in the profile If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile If a NAS ID is configured using the portal nas id command the device uses the configured NAS ID as that...

Страница 54: ...rt url View System view Default level 2 System level Parameters server name Name of the portal server a case sensitive string of 1 to 32 characters ip address IP address of the portal server key string Shared key for communication with the portal server a case sensitive string of 1 to 16 characters port id Destination port number used when the device sends unsolicited messages to the portal server...

Страница 55: ...er method Syntax portal server server name method direct layer3 redhcp undo portal View Interface view Default level 2 System level Parameters server name Name of the portal server a case sensitive string of 1 to 32 characters method Specifies the authentication mode to be used direct Direct authentication layer3 Layer 3 authentication redhcp Re DHCP authentication Description Use the portal serve...

Страница 56: ... 0 0 Sysname reset portal connection statistics interface gigabitethernet0 0 reset portal server statistics Syntax reset portal server statistics all interface interface type interface number View User view Default level 1 Monitor level Parameters all Specifies all interfaces interface interface type interface number Specifies an interface by its type and number Description Use the reset portal se...

Страница 57: ... redirection interval a user on the interface will be forced to access a specific Web page when the user accesses network resources through Web for the first time After a specific period of time namely the redirection interval if the user sends a Web access request again the system will push the specified Web page to the user again Use the undo web redirect command to restore the default By defaul...

Страница 58: ...52 Sysname GigabitEthernet0 0 web redirect url http 192 0 0 1 interval 3600 ...

Страница 59: ...ion Use the aaa nas id profile command to create a NAS ID profile and enter its view A NAS ID profile maintains the bindings between NAS IDs and VLANs Use the undo aaa nas id profile command to remove a NAS ID profile Related commands nas id bind vlan Examples Create a NAS ID profile named aaa Sysname system view Sysname aaa nas id profile aaa Sysname nas id prof aaa access limit enable Syntax acc...

Страница 60: ... connections for ISP domain test Sysname system view Sysname domain test Sysname isp test access limit enable 500 accounting command Syntax accounting command hwtacacs scheme hwtacacs scheme name undo accounting command View ISP domain view Default level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name which is a case insensitive string of 1 t...

Страница 61: ...n Use the undo accounting default command to restore the default By default the default accounting method of an ISP domain is local The specified RADIUS or HWTACACS scheme must have been configured The default accounting method will be used for all users that support the specified accounting method and have no specific accounting method configured Local accounting is only for monitoring and contro...

Страница 62: ...Related commands local user accounting default and radius scheme Examples Configure ISP domain test to use local accounting for LAN users Sysname system view Sysname domain test Sysname isp test accounting lan access local Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup Sysname system view Sysname domain test Sysname isp test accoun...

Страница 63: ... and radius scheme Examples Configure ISP domain test to use local accounting for login users Sysname system view Sysname domain test Sysname isp test accounting login local Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup Sysname system view Sysname domain test Sysname isp test accounting login radius scheme rd local accounting op...

Страница 64: ...stem level Parameters local Performs local accounting none Does not perform any accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name which is a case insensitive string of 1 to 32 characters Description Use the accounting portal command to configure the accounting method for portal users Use the undo accounting portal command to restore the default By default the defaul...

Страница 65: ... ppp command to configure the accounting method for PPP users Use the undo accounting ppp command to restore the default By default the default accounting method for the ISP domain is used for PPP users The specified RADIUS or HWTACACS scheme must have been configured Related commands local user accounting default hwtacacs scheme and radius scheme Examples Configure ISP domain test to use local ac...

Страница 66: ...d of an ISP domain is local The specified RADIUS or HWTACACS scheme must have been configured The default authentication method will be used for all users that support the specified authentication method and have no specific authentication method configured Related commands local user hwtacacs scheme and radius scheme Examples Configure the default authentication method for ISP domain test to use ...

Страница 67: ...name system view Sysname domain test Sysname isp test authentication lan access radius scheme rd local authentication login Syntax authentication login hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local undo authentication login View ISP domain view Default level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by...

Страница 68: ...evel Parameters local Performs local authentication none Does not perform any authentication radius scheme radius scheme name Specifies a RADIUS scheme by its name which is a case insensitive string of 1 to 32 characters Description Use the authentication portal command to configure the authentication method for portal users Use the undo authentication portal command to restore the default By defa...

Страница 69: ...authentication ppp command to configure the authentication method for PPP users Use the undo authentication ppp command to restore the default By default the default authentication method for the ISP domain is used for PPP users The specified RADIUS or HWTACACS scheme must have been configured Related commands local user authentication default hwtacacs scheme and radius scheme Examples Configure I...

Страница 70: ...must have been configured With command line authorization configured a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user Related commands local user authorization default and hwtacacs scheme Examples Configure ISP domain test to use local command line authorization Sysname system view Sysname domain test Sysname isp test a...

Страница 71: ...tion method will be used for all users that support the specified authorization method and have no specific authorization method are configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Related commands local user hwtacacs scheme and radius scheme Examples Configure the default autho...

Страница 72: ...me domain test Sysname isp test authorization lan access radius scheme rd local authorization login Syntax authorization login hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local undo authorization login View ISP domain view Default level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name which is a case ...

Страница 73: ... portal Syntax authorization portal local none radius scheme radius scheme name local undo authorization portal View ISP domain view Default level 2 System level Parameters local Performs local authorization none Does not perform any authorization exchange In this case an authenticated portal user can access the network directly radius scheme radius scheme name Specifies a RADIUS scheme by its nam...

Страница 74: ...ocal Performs local authorization none Does not perform any authorization exchange In this case an authenticated PPP user can access the network directly radius scheme radius scheme name Specifies a RADIUS scheme by its name which is a case insensitive string of 1 to 32 characters Description Use the authorization ppp command to configure the authorization method for PPP users Use the undo authori...

Страница 75: ...se the undo authorization attribute user profile command to restore the default By default an ISP domain has no default authorization user profile After a user of an ISP domain passes authentication if the server or the access device in the case of local authentication does not authorize any user profile to the ISP domain the system uses the user profile specified by the authorization attribute us...

Страница 76: ...user is in the default domain or the mandatory authentication domain vlan vlan id Specifies the user connections of a VLAN vlan id is in the range 1 to 4094 Description Use the cut connection command to tear down the specified user connections forcibly This command applies to only LAN access portal and PPP user connections For 802 1X users whose usernames carry the version number or contain spaces...

Страница 77: ...hat use the username The user name argument is a case sensitive string of 1 to 80 characters For a username entered without a domain name the system assumes that the user is in the default domain name or the mandatory authentication domain vlan vlan id Specifies the user connections of a VLAN vlan id is in the range 1 to 4094 Description Use the display connection command to display information ab...

Страница 78: ...sname display connection Index 1 Username telnet system IP 10 0 0 1 Total 1 connection s matched Display information about AAA user connections using the index of 0 Sysname display connection ucibindex 0 Index 0 Username telnet system IP 10 0 0 1 Access Admin AuthMethod PAP Port Type Virtual Port Name N A Initial VLAN 999 Authorized VLAN 20 ACL Group Disable User Profile N A CAR Disable Priority D...

Страница 79: ...Downlink average rate display domain Syntax display domain isp name View Any view Default level 1 Monitor level Parameters isp name Name of an existing ISP domain a string of 1 to 24 characters Description Use the display domain command to display the configuration information of ISP domains If you do not specify any ISP domain the command displays the configuration information of all ISP domains ...

Страница 80: ...e ISP domain can request network services and users in a blocked ISP domain cannot Access limit Limit on the number of user connections If there is no limit on the number the value of this field is Disabled Accounting method Indicates whether accounting is required If accounting is required when no accounting server is available or communication with the accounting server fails user connections wi...

Страница 81: ... Manage level Parameters isp name ISP domain name a case insensitive string of 1 to 24 characters that contains no forward slash backward slash colon asterisk question mark less than sign greater than sign or the sign Description Use the domain isp name command to create an ISP domain and enter ISP domain view Use the undo domain command to remove an ISP domain By default there is a system predefi...

Страница 82: ...tem There can be only one default ISP domain The specified domain must already exist otherwise users without a domain name in the username cannot pass authentication To delete the ISP domain that is used as the default ISP domain you must change it to a non default ISP domain first by using the domain default disable command Related commands domain state and display domain Examples Create a new IS...

Страница 83: ...vice Related commands domain Examples Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test Sysname system view Sysname domain test Sysname isp test idle cut enable 50 1024 ip pool Syntax ip pool pool number low ip address high ip address undo ip pool pool number View ISP domain view Default level 2 System level Param...

Страница 84: ...h a VLAN Use the undo nas id bind vlan command to remove a NAS ID VLAN binding By default no NAS ID VLAN binding exists In a NAS ID profile view you can configure multiple NAS ID VLAN bindings A NAS ID can be bound with more than one VLAN but one VLAN can be bound with only one NAS ID If you bind a VLAN with different NAS IDs only the last binding takes effect Related commands aaa nas id profile E...

Страница 85: ...service server location function and specify the URL of the self service server for changing user password to http 10 153 89 94 selfservice Sysname system view Sysname domain test Sysname isp test self service url enable http 10 153 89 94 selfservice state ISP domain view Syntax state active block undo state View ISP domain view Default level 2 System level Parameters active Places the ISP domain ...

Страница 86: ...ntly use the same local user account This command takes effect only when local accounting is used for the user account This limit is not effective for FTP users because accounting is not available for FTP users Related commands display local user Examples Limit the maximum number of concurrent users of local user account abc to 5 Sysname system view Sysname local user abc Sysname luser abc access ...

Страница 87: ...r profile keyword depends on the device model vlan vlan id Specifies the authorized VLAN vlan id is in the range 1 to 4094 After passing authentication a local user can access the resources in this VLAN work directory directory name Specifies the work directory if the user or users use the FTP or SFTP service directory name is a case insensitive string of 1 to 135 characters The directory must alr...

Страница 88: ... length of the calling number and the sub calling number cannot be more than 62 characters ip ip address Specifies the IP address of the user This option is applicable to only 802 1X users location port slot number subslot number port number Specifies the port to which the user is bound The slot number argument is in the range 0 to 255 the subslot number argument is in the range 0 to 15 and the po...

Страница 89: ...fault level 1 Monitor level Parameters idle cut disable enable Specifies local users with the idle cut function disabled or enabled service type Specifies the local users that use a specified type of service ftp FTP users lan access Users accessing the network through Ethernet such as 802 1X users portal Portal users ppp PPP users ssh SSH users telnet Telnet users terminal Users logging in through...

Страница 90: ...al user can use including FTP LAN PPP Portal SSH Telnet and terminal Access limit Whether to limit the number of user connections that use the current username Current AccessNum Current number of user connections that use the current username Max AccessNum Maximum number of user connections that use the current username Bind attributes Binding attributes of the local user VLAN ID VLAN to which the...

Страница 91: ...bc Sysname display user group abc The contents of user group abc Authorization attributes Idle cut 120 min Work Directory cfa0 Level 1 Acl Number 2000 Vlan ID 1 User Profile 1 Callback number 1 Total 1 user group s matched expiration date local user view Syntax expiration date time undo expiration date View Local user view Default level 3 Manage level Parameters time Expiration time of the local u...

Страница 92: ...device checks whether the current system time is between the validity time and the expiration time If so it permits the user to access the network Otherwise it denies the access request of the user Related commands validity date Examples Set the expiration time of user abc to 12 10 20 on May 31 2008 Sysname system view Sysname local user abc Sysname luser abc expiration date 12 10 20 2008 05 31 gr...

Страница 93: ...the users of a type ftp FTP users lan access Users accessing the network through an Ethernet such as 802 1X users portal Portal users ppp PPP users ssh SSH users telnet Telnet users terminal Users logging in through the console port or AUX port Description Use the local user command to add a local user and enter local user view Use the undo local user command to remove the specified local users By...

Страница 94: ...g local user passwords will always be displayed in cipher text no matter how you configure the local user password display mode command or the password command The passwords configured after you restore the display mode to auto by using the local user password display mode auto command however are displayed as defined by the password command Related commands display local user and password Example...

Страница 95: ...cters in cipher text For a password of 24 characters if the system can decrypt the password the system treats it as a password in cipher text Otherwise the system treats it as a password in plain text Related commands display local user and local user password display mode Examples Set the password of local user user1 to 123456 and set the display mode to plain text Sysname system view Sysname loc...

Страница 96: ...l user view Default level 2 System level Parameters active Places the local user in active state to allow the local user to request network services block Places the local user in blocked state to prevent the local user from requesting network services Description Use the state command to set the status of a local user Use the undo state command to restore the default By default a local user is in...

Страница 97: ... or more local users cannot be removed The system predefined user group system cannot be removed but you can change its configurations Related commands display user group Examples Create a user group named abc and enter its view Sysname system view Sysname user group abc Sysname ugroup abc RADIUS configuration commands accounting on enable Syntax accounting on enable interval seconds send send tim...

Страница 98: ...als Command Reference Related commands radius scheme Examples Enable the accounting on feature for RADIUS authentication scheme radius1 and set the retransmission interval to 5 seconds and the transmission attempts to 15 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 accounting on enable interval 5 send 15 attribute 25 car Syntax attribute 25 car undo attribute 25 car Vie...

Страница 99: ... set the traffic statistics unit for data flows or packets Use the undo data flow format command to restore the default By default the unit for data flows is byte and that for data packets is one packet The unit for data flows and that for packets must be consistent with those on the RADIUS server Otherwise accounting cannot be performed correctly Related commands display radius scheme Examples Se...

Страница 100: ...1 Port 1812 State active Encryption Key N A IP 1 1 3 1 Port 1812 State active Encryption Key N A Second Acct Server IP 1 1 2 1 Port 1813 State block Encryption Key N A Auth Server Encryption Key 123 Acct Server Encryption Key N A Accounting On packet disable send times 50 interval 3s Interval for timeout second 3 Retransmission times for timeout 3 Interval for realtime accounting minute 12 Retrans...

Страница 101: ...thenticating accounting packets in cipher text or plain text Accounting On packet disable The accounting on feature is disabled Output information of the accounting on feature varies by device send times Retransmission times of accounting on packets interval Interval at which the device retransmits accounting on packets Interval for timeout second RADIUS server response timeout period in seconds R...

Страница 102: ...Sent PKT total 1547 Received PKT total 23 Resend Times Resend total 1 508 2 508 Total 1016 RADIUS received packets statistic Code 2 Num 15 Err 0 Code 3 Num 4 Err 0 Code 5 Num 4 Err 0 Code 11 Num 0 Err 0 Running statistic RADIUS received messages statistic Normal auth request Num 24 Err 0 Succ 24 EAP auth request Num 0 Err 0 Succ 0 Account request Num 4 Err 0 Succ 4 Account off request Num 503 Err ...

Страница 103: ...tication AcctStart Number of users for whom accounting has been started RLTSend Number of users for whom the system sends real time accounting packets RLTWait Number of users waiting for real time accounting AcctStop Number of users in accounting waiting stopped state OnLine Number of online users Stop Number of users in stop state Received and Sent packets statistic Statistics for packets receive...

Страница 104: ...ts of responses to the Set policy packets RADIUS sent messages statistic Statistics for sent RADIUS messages Auth accept Number of accepted authentication packets Auth reject Number of rejected authentication packets EAP auth replying Number of replying packets of EAP authentication Account success Number of accounting succeeded packets Account failure Number of accounting failed packets Server ct...

Страница 105: ...ent should include the domain name depends on the setting configured by the user name format command for the RADIUS scheme Description Use the display stop accounting buffer command to display information about the stop accounting requests buffered in the device NOTE If the device sends a stop accounting request to a RADIUS server but receives no response it retransmits it up to a certain number o...

Страница 106: ...s Use the undo key command to restore the default By default no shared key is configured The shared keys specified during the configuration of the RADIUS servers if any take precedence The shared keys configured on the device must match those configured on the RADIUS servers Related commands display radius scheme Examples For RADIUS scheme radius1 set the shared key for authenticating authenticati...

Страница 107: ...dress of any managed NAS If yes the server processes the packet If not the server drops the packet The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme Otherwise the source IP address configuration does not take effect A RADIUS scheme can have only one source IP address for outgoing RADIUS packets ...

Страница 108: ...erver the communication with the primary server will time out and the device will look for a server in active state from the new primary server on If you remove an accounting server being used by users the device cannot send real time accounting requests and stop accounting requests anymore for the users and does not buffer the stop accounting requests NOTE The shared key configured by this comman...

Страница 109: ...an authentication process is in progress the communication with the primary server will time out and the device will look for a server in active state from the new primary server on NOTE The shared key configured by this command takes precedence over that configured by using the key authentication key command Related commands key Examples For RADIUS scheme radius1 set the IP address of the primary...

Страница 110: ... nas ip ipv4 address undo radius nas ip View System view Default level 2 System level Parameters ipv4 address IPv4 address in dotted decimal notation It must be an address of the device and cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback address Description Use the radius nas ip command to specify a source address for outgoing RADIUS packets Use the undo radius ...

Страница 111: ...do radius scheme command to delete a RADIUS scheme By default no RADIUS scheme is defined A RADIUS scheme can be referenced by more than one ISP domain at the same time A RADIUS scheme referenced by ISP domains cannot be removed Related commands display radius scheme Examples Create a RADIUS scheme named radius1 and enter RADIUS scheme view Sysname system view Sysname radius scheme radius1 Sysname...

Страница 112: ...ders that the RADIUS server is reachable again and also sends a trap message The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold Examples Enable the device to send traps in response to accounting server reachability changes Sysname system view Sysname radius trap accounting server down reset radius statis...

Страница 113: ...me format command for the RADIUS scheme Description Use the reset stop accounting buffer command to clear the buffered stop accounting requests for which no responses have been received Related commands stop accounting buffer enable and display stop accounting buffer Examples Clear the stop accounting requests buffered for user user0001 test Sysname reset stop accounting buffer user name user0001 ...

Страница 114: ...Syntax retry realtime accounting retry times undo retry realtime accounting View RADIUS scheme view Default level 2 System level Parameters retry times Maximum number of accounting attempts in the range 1 to 255 Description Use the retry realtime accounting command to set the maximum number of accounting attempts Use the undo retry realtime accounting command to restore the default By default the ...

Страница 115: ...ter transmitting the request three times it considers the accounting attempt a failure and makes another accounting attempt If five consecutive accounting attempts fail the device cuts the user connection Related commands retry timer response timeout and timer realtime accounting Examples Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1 Sysname system view Sysname radi...

Страница 116: ...us1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 retry stop accounting 1000 secondary accounting RADIUS scheme view Syntax secondary accounting ipv4 address port number undo secondary accounting View RADIUS scheme view Default level 2 System level Parameters ipv4 address IPv4 address of the secondary accounting server port number Service port number of the secondary acc...

Страница 117: ...ing server to 10 1 10 1 1 the UDP port to 1813 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 secondary accounting 10 110 1 1 1813 For RADIUS scheme radius2 specify two secondary accounting servers with the server IP addresses of 10 1 10 1 1 and 10 1 10 1 2 and the UDP port number of 1813 Sysname system view Sysname radius scheme radius2 Sysname radius radius2 secondary a...

Страница 118: ... communication with the secondary server will time out and the device will look for a server in active state from the primary server on NOTE The shared key configured by this command takes precedence over that configured by using the key accounting key command Related commands key and state Examples For RADIUS scheme radius1 set the IP address of the secondary authentication authorization server t...

Страница 119: ...ver type extended standard undo server type View RADIUS scheme view Default level 2 System level Parameters extended Specifies the extended RADIUS server generally IMC which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol standard Specifies the standard RADIUS server which requires the RADIUS cli...

Страница 120: ... of the primary server to blocked starts a quiet timer for the server and then tries to communicate with a secondary server in active state a secondary RADIUS server configured earlier has a higher priority When the quiet timer of the primary server times out the status of the server changes to active automatically If you set the status of the server to blocked before the quiet timer times out the...

Страница 121: ...r of a server times out the status of the server changes to active automatically If you set the status of the server to blocked before the quiet timer times out the status of the server cannot change back to active automatically unless you set the status to active manually If all configured secondary servers are unreachable the device considers the authentication or accounting attempt a failure Re...

Страница 122: ...g request but the current server is unreachable the device sends the request to the next server in active state without changing the current server s status As a result when the device needs to send a request of the same type for another user it still tries to send the request to the current server because the current server is in active state Description Use the timer quiet command to set the qui...

Страница 123: ...val When the real time accounting interval on the device is zero the device sends online user accounting information to the RADIUS accounting server at the real time accounting interval configured on the server if any or does not send online user accounting information Different real time accounting intervals impose different performance requirements on the NAS and the RADIUS server A shorter inte...

Страница 124: ... opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75 Related commands retry Examples Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1 Sysname sys...

Страница 125: ... EAP authentication the user name format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients before forwarding them to the RADIUS server Related commands radius scheme Examples Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1 Sysname system view Sysname radius sche...

Страница 126: ...ACS scheme name statistics Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme Without this keyword the command displays the configuration information of the HWTACACS scheme Description Use the display hwtacacs command to display the configuration information of HWTACACS schemes or the statistics for the HWTACACS servers specified in HWTACACS schemes If no HWTACACS sc...

Страница 127: ...entication server IP address and port number of the secondary authentication server Secondary authorization server IP address and port number of the secondary authorization server Secondary accounting server IP address and port number of the secondary accounting server Current authentication server IP address and port number of the currently used authentication server Current authorization server ...

Страница 128: ...onse restart number 0 HWTACACS authen client malformed access response number 0 HWTACACS authen client round trip time s 5 HWTACACS template gy primary authorization HWTACACS server open number 1 HWTACACS server close number 1 HWTACACS author client request packet number 1 HWTACACS author client response packet number 1 HWTACACS author client timeout number 0 HWTACACS author client packet dropped ...

Страница 129: ...CACS scheme The HWTACACS scheme name is a case insensitive string of 1 to 32 characters Description Use the display stop accounting buffer command to display information about buffered stop accounting requests Related commands reset stop accounting buffer stop accounting buffer enable and retry stop accounting Examples Display information about stop accounting requests buffered for HWTACACS scheme...

Страница 130: ...configured by the hwtacacs nas ip command in system view is for all HWTACACS schemes The setting in HWTACACS scheme view takes precedence Related commands nas ip Examples Set the IP address for the device to use as the source address of the HWTACACS packets to 129 10 10 1 Sysname system view Sysname hwtacacs nas ip 129 10 10 1 hwtacacs scheme Syntax hwtacacs scheme hwtacacs scheme name undo hwtaca...

Страница 131: ...a case sensitive string of 1 to 64 characters Description Use the key command to set the shared key for authenticating HWTACACS authentication authorization or accounting packets Use the undo key command to remove the configuration By default no shared key is configured The shared keys configured on the device must match those configured on the HWTACACS servers Related commands display hwtacacs Ex...

Страница 132: ...ACS server An HWTACACS server identifies a NAS by IP address Upon receiving an HWTACACS packet an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the packet If you configure the command repeatedly only the last configuration takes effect NOTE The setting configured by the nas ip c...

Страница 133: ...ets Removing an accounting server affects only accounting processes that occur after the remove operation Related commands display hwtacacs Examples Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10 163 155 12 and 49 Sysname system view Sysname hwtacacs scheme test1 Sysname hwtacacs test1 primary accounting 10 163 155 12 49 primary authenticati...

Страница 134: ... port number undo primary authorization View HWTACACS scheme view Default level 2 System level Parameters ip address IP address of the primary HWTACACS authorization server in dotted decimal notation The default is 0 0 0 0 port number Service port number of the primary HWTACACS authorization server It ranges from 1 to 65535 and defaults to 49 Description Use the primary authorization command to sp...

Страница 135: ...cation Specifies the HWTACACS authentication statistics authorization Specifies the HWTACACS authorization statistics Description Use the reset hwtacacs statistics command to clear HWTACACS statistics Related commands display hwtacacs Examples Clear all HWTACACS statistics Sysname reset hwtacacs statistics all reset stop accounting buffer for HWTACACS Syntax reset stop accounting buffer hwtacacs s...

Страница 136: ...ng request transmission attempts in the range 1 to 300 Description Use the retry stop accounting command to set the maximum number of stop accounting request transmission attempts Use the undo retry stop accounting command to restore the default By default the maximum number of stop accounting request transmission attempts is 100 Related commands reset stop accounting buffer and display stop accou...

Страница 137: ...accounting server only when it is not used by any active TCP connection to send accounting packets Removing an accounting server affects only accounting processes that occur after the remove operation Related commands display hwtacacs Examples Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10 163 155 12 with TCP port number 49 Sysname system v...

Страница 138: ...CACS scheme hwt1 as 10 163 155 13 with TCP port number 49 Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 secondary authentication 10 163 155 13 49 secondary authorization Syntax secondary authorization ip address port number undo secondary authorization View HWTACACS scheme view Default level 2 System level Parameters ip address IP address of the secondary HWTACACS authoriz...

Страница 139: ...er stop accounting requests to which no responses are received Use the undo stop accounting buffer enable command to disable the buffering function By default the device buffers stop accounting requests to which no responses are received Stop accounting requests affect the charge to users A NAS must make its best effort to send every stop accounting request to the HWTACACS accounting servers For e...

Страница 140: ...ry server quiet period is 5 minutes Related commands display hwtacacs Examples Set the quiet timer for the primary server to 10 minutes Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 timer quiet 10 timer realtime accounting HWTACACS scheme view Syntax timer realtime accounting minutes undo timer realtime accounting View HWTACACS scheme view Default level 2 System level Para...

Страница 141: ...utes for HWTACACS scheme hwt1 Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 timer realtime accounting 51 timer response timeout HWTACACS scheme view Syntax timer response timeout seconds undo timer response timeout View HWTACACS scheme view Default level 2 System level Parameters seconds HWTACACS server response timeout period in seconds in the range 1 to 300 Description U...

Страница 142: ...hich a user belongs Some earlier HWTACACS servers however cannot recognize a username including an ISP domain name Before sending a username including a domain name to such an HWTACACS server the device must remove the domain name This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server If an HWTACACS scheme defines that the username is sen...

Страница 143: ...egistering you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complet...

Страница 144: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Страница 145: ...irewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device ...

Страница 146: ...C connection limit apply policy 27 connection limit policy 27 cut connection 69 D data flow format HWTACACS scheme view 1 19 data flow format RADIUS scheme view 93 description 3 display acl 4 display connection 71 display connection limit policy 28 display domain 73 display hwtacacs 120 display local user 83 display portal acl 31 display portal connection statistics 33 display portal free rule 36 ...

Страница 147: ...statistics 106 reset session 23 reset session statistics 23 reset stop accounting buffer for HWTACACS 129 reset stop accounting buffer for RADIUS 106 retry 107 retry realtime accounting 108 retry stop accounting HWTACACS scheme view 130 retry stop accounting RADIUS scheme view 109 rule Ethernet frame header ACL view 6 rule IPv4 advanced ACL view 8 rule IPv4 basic ACL view 1 1 rule comment 13 S sec...

Страница 148: ...iew 1 17 timer response timeout HWTACACS scheme view 135 timer response timeout RADIUS scheme view 1 18 time range 14 U user group 90 user name format HWTACACS scheme view 136 user name format RADIUS scheme view 1 18 W web redirect 51 Websites 137 ...

Результаты поиска

Содержание A-U200

Отзывы:

Похожие инструкции для A-U200

Бренды по названию

Популярные бренды

HP A-U200, Справочник по командам

Результаты поиска

Содержание A-U200

Отзывы:

Похожие инструкции для A-U200

Бренды по названию

Популярные бренды