HP A5500 EI Command Reference Manual

HP A5500 EI & A5500 SI Switch Series
Security

Command Reference

Abstract
This document describes the commands and command syntax options available for the HP A Series
products.
This document is intended for network planners, field technical support and servicing engineers, and
network administrators who work with HP A Series products.
Part number: 5998-1723
Software version: Release 2208
Document version: 5W100-20110530


Summary of Contents for HP A5500 EI

  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents
    AAA configuration commands ... 1
    General AAA configuration commands ... 1
    aaa nas-id profile (available only on the A5500 EI) ... 1
    access-limit enable ... 1
    accounting command ... 2
    accounting default ... 3
    accounting lan-access ... 3
    accounting login ... 4
    accounting optional ...
  • Page 4
    (RADIUS scheme view) ... 68
    timer response-timeout (RADIUS scheme view) ... 69
    user-name-format (RADIUS scheme view) ... 70
    vpn-instance (RADIUS scheme view) (available only on the A5500 EI) ... 71
    HWTACACS configuration commands ... 71
    data-flow-format (HWTACACS scheme view) ... 71
    display hwtacacs ...
  • Page 5
    ... 126
    Portal configuration commands ... 127
    display portal acl (available only on the A5500 EI) ... 127
    display portal connection statistics (available only on the A5500 EI) ... 129
    display portal free-rule ... 132
    display portal interface ... 133
    display portal local-server ...
  • Page 6
    (available only on the A5500 EI) ... 159
    portal web-proxy port ... 160
    reset portal connection statistics (available only on the A5500 EI) ... 161
    reset portal server statistics (available only on the A5500 EI) ... 161
    reset portal tcp-cheat statistics ...
  • Page 7
    password-control login-attempt ... 195
    password-control password update interval ... 196
    password-control super aging ... 197
    password-control super composition ... 198
    password-control super length ... 198
    reset password-control blacklist ... 199
    reset password-control history-record ... 199
    HABP configuration commands ... 201
    display habp ...
  • Page 8
    pki domain ... 236
    pki entity ... 236
    pki import-certificate ... 237
    pki request-certificate domain ... 238
    pki retrieval-certificate ... 238
    pki retrieval-crl domain ... 239
    pki validate-certificate ... 239
    root-certificate fingerprint ... 240
    rule (PKI CERT ACP view) ... 241
    state ...
  • Page 9
    SFTP client configuration commands ... 280
    bye ... 280
    cd ... 280
    cdup ... 281
    delete ... 281
    dir ... 282
    display sftp client source ... 283
    exit ... 283
    get ... 284
    help ... 284
    ls ... 285
    mkdir ... 286
    put ...
  • Page 10
    ... 333
    ipv6 nd detection trust ... 334
    reset ipv6 nd detection statistics ... 335
    URPF configuration commands (available only on the A5500 EI) ... 336
    ip urpf ... 336
    Support and other resources ... 337
    Contacting HP ...
  • Page 11: Aaa Configuration Commands

    NOTE: vpn-instance-name The vpn-instance keyword and the vpn-instance command (in RADIUS or HWTACACS scheme view) are available only on the A5500 EI Switch Series. General AAA configuration commands aaa nas-id profile (available only on the A5500 EI) Syntax aaa nas-id profile profile-name...
  • Page 12: Accounting Command

    Default level 2: System level Parameters max-user-number: Maximum number of users, in the range 1 to 2147483646. Description Use the access-limit enable command to enable the limit on the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the maximum number allowed, no more users will be accepted.
  • Page 13: Accounting Default

    [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default Syntax accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
  • Page 14: Accounting Login

    View ISP domain view Default level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the accounting lan-access command to configure the accounting method for LAN users. Use the undo accounting lan-access command to restore the default.
  • Page 15: Accounting Optional

    none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the accounting login command to configure the accounting method for login users. Use the undo accounting login command to restore the default. By default, the default accounting method for the ISP domain is used for login users.
  • Page 16: Accounting Portal

    NOTE: After you configure the accounting optional command, the setting by the access-limit command in local user view is not effective. Examples # Enable the accounting optional feature for users in domain test. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting optional accounting portal Syntax accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }...
  • Page 17: Authentication Default

    authentication default Syntax authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
  • Page 18: Authentication Login

    Default level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the authentication lan-access command to configure the authentication method for LAN users. Use the undo authentication lan-access command to restore the default.
  • Page 19: Authentication Portal

    Description Use the authentication login command to configure the authentication method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP). Use the undo authentication login command to restore the default. By default, the default authentication method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured.
  • Page 20: Authentication Super

    <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication portal local # Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication portal radius-scheme rd local authentication super Syntax authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }...
  • Page 21: Authorization Command

    authorization command Syntax authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none } undo authorization command View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
  • Page 22: Authorization Lan-Access

    View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
  • Page 23: Authorization Login

    Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
  • Page 24: Authorization Portal

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the authorization login command to configure the authorization method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP). Use the undo authorization login command to restore the default.
  • Page 25: Authorization-Attribute User-Profile

    The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. Related commands: local-user, authorization default, and radius scheme. Examples # Configure ISP domain test to use local authorization for portal users.
  • Page 26: Cut Connection

    cut connection Syntax cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ] View System view Default level...
  • Page 27: Display Connection

    An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface will use the domain’s AAA methods for all its 802.1X users.
  • Page 28 |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 29: Display Domain

    Total 1 connection matched.
    Slot: Total 0 connection matched.
    Slot: Total 0 connection matched.
    Table 1 Output description
    Field: Description
    Username: Username of the connection, in the format username@domain
    IPv4 address of the user
    IPv6: IPv6 address of the user
    Access: User access type
    Authorization ACL group.
  • Page 30
    Related commands: access-limit enable, domain, and state. Examples # Display the configuration information of all ISP domains.
    <Sysname> display domain
    Domain : system
    State : Active
    Access-limit : Disabled
    Accounting method : Required
    Default authentication scheme : local
    Default authorization scheme : local
    Default accounting scheme : local...
  • Page 31: Domain

    Field: Description
    Lan-access authorization scheme: Authentication method for LAN users
    Lan-access accounting scheme: Accounting method for LAN users
    Domain User Template: Template for users in the domain
    Idle-cut: Whether idle cut is enabled
    Self-service: Whether self service is enabled
    User-profile: Default authorization user profile
    domain Syntax...
  • Page 32: Idle-Cut Enable

    View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a string of 1 to 24 characters. Description Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use the undo domain default enable command to restore the default.
  • Page 33: Nas-Id Bind Vlan (Available Only On The A5500 Ei)

    # Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] idle-cut enable 50 1024 nas-id bind vlan (available only on the A5500 EI) Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id View...
  • Page 34: Self-Service-Url Enable

    self-service-url enable Syntax self-service-url enable url-string undo self-service-url enable View ISP domain view Default level 2: System level Parameters url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark. Description Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server for changing user password.
  • Page 35: Local User Configuration Commands

    Default level 2: System level Parameters active: Places the ISP domain in the active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in the blocked state to prevent users in the ISP domain from requesting network services.
  • Page 36: Authorization-Attribute (Local User View/User Group View)

    This limit is not effective for FTP users because accounting is not available for FTP users. Related commands: display local-user. Examples # Limit the maximum number of concurrent users of local user account abc to 5. <Sysname> system-view [Sysname] local-user abc [Sysname-luser-abc] access-limit 5 authorization-attribute (local user view/user group view) Syntax...
  • Page 37: Bind-Attribute

    vlan vlan-id: Specifies the authorized VLAN. vlan-id is in the range 1 to 4094. After passing authentication, a local user can access the resources in this VLAN. work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service.
  • Page 38: Display Local-User

    ip ip-address: Specifies the IP address of the user. This keyword and argument combination is applicable to 802.1X users only. location: Specifies the port binding attribute of the user. This keyword and argument combination is applicable to LAN users only. port slot-number subslot-number port-number: Specifies the port to which the user is bound.
  • Page 39
    ftp—FTP users.
    lan-access—Users accessing the network through Ethernet, such as 802.1X users.
    portal—Portal users.
    ssh—SSH users.
    telnet—Telnet users.
    terminal—Users logging in through the console port or AUX port.
    state { active | block }: Specifies local users in the state of active or blocked. A local user in the active state can access network services, but a local user in the blocked state cannot.
  • Page 40: Display User-Group

    Acl ID: 2000 Vlan ID: User Profile: prof1 Expiration date: 12:12:12-2018/09/16 Password-Aging: Enabled(30 day(s)) Password-Length: Enabled(4 characters) Password-Composition: Enabled(4 type(s), 2 character(s) per type) Total 1 local user(s) matched.
    Table 3 Output description
    Field: Description
    Slot: IRF member ID
    State: Status of the local user, Active or Block
    ServiceType: Service types that the local user can use, including...
  • Page 41: Expiration-Date (Local User View)

    Default level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 42: Group

    0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2011/2/2 equals 02:02:00-2011/02/02. Description Use the expiration-date command to configure the expiration time of a local user.
  • Page 43: Local-User

    local-user Syntax local-user user-name undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ssh | telnet | terminal } ] } View System view Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
  • Page 44: Password

    Default level 2: System level Parameters auto: Displays the password of a local user in the mode that is specified for the user by using the password command. cipher-force: Displays the passwords of all local users in cipher text. Description Use the local-user password-display-mode command to set the password display mode for all local users.
  • Page 45: Service-Type

    Description Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text. Use the undo password command to delete the password of a local user. If you configure the local-user password-display-mode cipher-force command, all existing local user passwords will be displayed in cipher text, regardless of the configuration of the password command.
  • Page 46: State(Local User View)

    Description Use the service-type command to specify the service types that a user can use. Use the undo service-type command to delete one or all service types configured for a user. By default, a user is authorized with no service. Examples # Authorize user user1 to use the Telnet service.
  • Page 47: Radius Configuration Commands

    View System view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the user-group command to create a user group and enter its view. Use the undo user-group command to remove a user group. A user group consists of a group of local users and has a set of local user attributes.
  • Page 48: Attribute 25 Car

    Description Use the accounting-on enable command to enable the accounting-on feature and specify the retransmission interval and the maximum number of transmission attempts. After doing so, when the device reboots, an accounting-on message will be sent to the RADIUS server to log out the online users of the device.
  • Page 49: Data-Flow-Format (Radius Scheme View)

    Examples # Specify to interpret RADIUS attribute 25 as CAR parameters. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute 25 car data-flow-format (RADIUS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } View...
  • Page 50 Default level 2: System level Parameters radius-scheme-name: RADIUS scheme name. slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric.
  • Page 51
    Encryption Key : N/A
    VPN instance : N/A
    Auth Server Encryption Key : 123
    Acct Server Encryption Key : N/A
    Accounting-On packet disable, send times : 5 , interval : 3s
    Interval for timeout(second)
    Retransmission times for timeout
    Interval for realtime accounting(minute) : 12
    Retransmission times of realtime-accounting packet
    Retransmission times of stop-accounting packet...
  • Page 52: Display Radius Statistics

    Field: Description
    Interval for realtime accounting(minute): Interval for realtime accounting in minutes
    Retransmission times of realtime-accounting packet: Retransmission times of realtime-accounting packet
    Retransmission times of stop-accounting packet: Retransmission times of stop-accounting packet
    Quiet-interval(min): Quiet interval for the primary server
    Username format: Format of the usernames to be sent to the RADIUS server
    Data flow unit...
  • Page 53
    Slot 1:state statistic(total=4096):
    DEAD = 18000 AuthProc = 0 AuthSucc = 0 AcctStart = 0 RLTSend = 0 RLTWait = 0 AcctStop = 0 OnLine = 0 Stop = 0 StateErr = 0
    Received and Sent packets statistic:
    Sent PKT total = 1547 Received PKT total = 23 Resend Times...
  • Page 54
    Table 5 Output description
    Field: Description
    slot: IRF member ID
    state statistic: State statistics
    DEAD: Number of idle users
    AuthProc: Number of users waiting for authentication
    AuthSucc: Number of users who have passed authentication
    AcctStart: Number of users for whom accounting has been started
    Number of users for whom the system sends real-...
  • Page 55: Display Stop-Accounting-Buffer

    Field: Description
    Succ: Number of acknowledgement messages
    Set policy result: Number of responses to the Set policy packets
    RADIUS sent messages statistic: Number of messages that have been sent by RADIUS
    Auth accept: Number of accepted authentication packets
    Auth reject: Number of rejected authentication packets
    EAP auth replying: Number of replying packets of EAP authentication...
  • Page 56: Key (Radius Scheme View)

    user-name user-name: Specifies a user by the username, a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting by the user-name-format command for the RADIUS scheme. slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command.
  • Page 57: Nas Device-Id (Available Only On The A5500 Ei)

    # Set the shared key for accounting packets to ok for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting ok nas device-id (available only on the A5500 EI) Syntax nas device-id device-id undo nas device-id View...
  • Page 58: Nas-Backup-Ip (Available Only On The A5500 Ei)

    [Sysname] nas device-id 1 Warning: This command will cut all user connections on this device. Continue? [Y The other device for stateful failover must be configured to use the device ID of 2. nas-backup-ip (available only on the A5500 EI) Syntax nas-backup-ip ip-address...
  • Page 59: Nas-Ip (Radius Scheme View)

    Examples # For the device working in stateful failover mode, specify the source IP address and backup source IP address for RADIUS packets as 2.2.2.2 and 3.3.3.3, respectively. <Sysname> system-view [Sysname] radius scheme aaa [Sysname-radius-aaa] nas-ip 2.2.2.2 [Sysname-radius-aaa] nas-backup-ip 3.3.3.3 On the backup device, you need to specify the source IP address and backup source IP address for RADIUS packets as 3.3.3.3 and 2.2.2.2 respectively.
  • Page 60: Primary Accounting (Radius Scheme View)

    Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1. <Sysname> system-view [Sysname] radius scheme test1 [Sysname-radius-test1] nas-ip 10.1.1.1 primary accounting (RADIUS scheme view) Syntax primary accounting { ip-address [ port-number | key string | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number | key string ] * } undo primary accounting View...
  • Page 61: Primary Authentication (Radius Scheme View)

    device will look for a server in active state from scratch: the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured. If you remove an accounting server being used by online users, the device cannot send real-time accounting requests and stop-accounting requests anymore for the users, and does not buffer the stop-accounting requests.
  • Page 62: Radius Client

    By default, no primary RADIUS authentication/authorization server is specified. After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.
  • Page 63: Radius Nas-Backup-Ip (Available Only On The A5500 Ei)

    Examples # Enable the listening port of the RADIUS client. <Sysname> system-view [Sysname] radius client enable radius nas-backup-ip (available only on the A5500 EI) Syntax radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ] undo radius nas-backup-ip View...
  • Page 64: Radius Nas-Ip

    You can specify up to 16 backup source IP addresses, which can include at most one public-network IP address. A newly specified public-network backup source IP address overwrites the previous one. Each VPN can have at most one private-network backup source IP address. A private-network backup source IP address newly specified for a VPN overwrites the previous one.
  • Page 65: Radius Scheme

    Specifying a source address for outgoing RADIUS packets can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure. You can specify up to 16 source IP addresses, including one public-network IP address at most. A newly specified public-network source IP address overwrites the previous one.
  • Page 66: Radius Trap

    Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] radius trap Syntax radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } View System view...
  • Page 67: Reset Radius Statistics

    reset radius statistics Syntax reset radius statistics [ slot slot-number ] View User view Default level 2: System level Parameters slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric.
  • Page 68: Retry

    members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number. Description Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests for which no responses have been received. Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, and display stop-accounting-buffer.
  • Page 69: Retry Realtime-Accounting

    retry realtime-accounting Syntax retry realtime-accounting retry-times undo retry realtime-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of accounting attempts, in the range 1 to 255. Description Use the retry realtime-accounting command to set the maximum number of accounting attempts. Use the undo retry realtime-accounting command to restore the default.
  • Page 70: Retry Stop-Accounting (Radius Scheme View)

    retry stop-accounting (RADIUS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of stop-accounting attempts, in the range 10 to 65535. Description Use the retry stop-accounting command to set the maximum number of stop-accounting attempts. Use the undo retry stop-accounting command to restore the default.
  • Page 71 Default level 2: System level Parameters ipv4-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0. ipv6 ipv6-address: IPv6 address of the secondary accounting server. port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.
  • Page 72: Secondary Authentication (Radius Scheme View)

    NOTE: The shared key configured by this command takes precedence over that configured by the key string accounting command. Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view). Examples # Specify the secondary accounting server and UDP port number for RADIUS scheme radius1. <Sysname>...
  • Page 73 Use the undo secondary authentication command to remove the configuration. By default, no secondary RADIUS authentication/authorization server is specified. To configure multiple secondary RADIUS authentication/authorization servers, execute this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
  • Page 74: Security-Policy-Server

    security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Default level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Description Use the security-policy-server command to specify a security policy server for a RADIUS scheme. Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme.
  • Page 75: State Primary

    standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC 2865/2866 or newer). Description Use the server-type command to configure the RADIUS server type. Use the undo server-type command to restore the default.
  • Page 76: State Secondary

    Examples # Set the status of the primary server in RADIUS scheme radius1 to blocked. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] state primary authentication block state secondary Syntax state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block } View RADIUS scheme view Default level...
  • Page 77: Stop-Accounting-Buffer Enable (Radius Scheme View)

    stop-accounting-buffer enable (RADIUS scheme view) Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable View RADIUS scheme view Default level 2: System level Parameters None Description Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses. Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.
  • Page 78: Timer Realtime-Accounting (Radius Scheme View)

    Parameters minutes: Server quiet period in minutes, in the range 0 to 255. Description Use the timer quiet command to set the quiet timer for the servers, that is, the duration that the status of the servers stays blocked before resuming the active state. Use the undo timer quiet command to restore the default.
  • Page 79: Timer Response-Timeout (Radius Scheme View)

    When the real-time accounting interval on the device is zero, the device will send online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or will not send online user accounting information. Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server.
  • Page 80: User-Name-Format (Radius Scheme View)

    The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75. Related commands: radius scheme and retry. Examples # Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1. <Sysname>...
  • Page 81: Vpn-Instance (Radius Scheme View) (Available Only On The A5500 Ei)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] user-name-format without-domain vpn-instance (RADIUS scheme view) (available only on the A5500 EI) Syntax vpn-instance vpn-instance-name undo vpn-instance View RADIUS scheme view Default level 2: System level Parameters vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters.
  • Page 82: Display Hwtacacs

    Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 83 Description Use the display hwtacacs command to display the configuration information or statistics of HWTACACS schemes. If no HWTACACS scheme is specified, the command displays the configuration information of all HWTACACS schemes. If no slot number is specified, the command displays the configuration information of the HWTACACS scheme on the main processing unit.
  • Page 84 Table 7 Output description. Field / Description: HWTACACS-server template name: Name of the HWTACACS scheme. Primary-authentication-server: IP address and port number of the primary authentication server. If no primary authentication server is specified, the value of this field is 0.0.0.0:0. This rule is also applicable to the following eight fields.
  • Page 85: Display Stop-Accounting-Buffer

    display stop-accounting-buffer Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
  • Page 86: Hwtacacs Scheme

    Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the source IP address belongs to. vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 87: Key (Hwtacacs Scheme View)

    Parameters hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Description Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view. Use the undo hwtacacs scheme command to delete an HWTACACS scheme. By default, no HWTACACS scheme exists.
  • Page 88: Nas-Ip (Hwtacacs Scheme View)

    nas-ip (HWTACACS scheme view) Syntax nas-ip ip-address undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source address for outgoing HWTACACS packets.
  • Page 89: Primary Authentication (Hwtacacs Scheme View)

    Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0. port-number: Port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
  • Page 90: Primary Authorization

    Parameters ip-address: IP address of the primary HWTACACS authentication server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0. port-number: Port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary HWTACACS authentication server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 91: Reset Hwtacacs Statistics

    port-number: Port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the primary HWTACACS authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this keyword and argument combination.
  • Page 92: Reset Stop-Accounting-Buffer

    slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
  • Page 93: Secondary Accounting (Hwtacacs Scheme View)

    Default level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts, in the range 1 to 300. Description Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts. Use the undo retry stop-accounting command to restore the default. By default, the maximum number of stop-accounting request transmission attempts is 100.
  • Page 94: Secondary Authentication (Hwtacacs Scheme View)

    The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent. If you configure the command repeatedly, only the last configuration takes effect. If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server.
  • Page 95: Secondary Authorization

    If the server to be specified resides on an MPLS VPN, you also need to specify that VPN by using the vpn-instance vpn-instance-name keyword and argument combination to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the RADIUS scheme. If you configure the command repeatedly, only the last configuration takes effect.
  • Page 96: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    If you configure the command repeatedly, only the last configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Related commands: display hwtacacs, hwtacacs scheme, and vpn-instance (HWTACACS scheme view). Examples # Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
  • Page 97: Timer Quiet (Hwtacacs Scheme View)

    timer quiet (HWTACACS scheme view) Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view Default level 2: System level Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255. Description Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.
  • Page 98: Timer Response-Timeout (Hwtacacs Scheme View)

    The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (more than 1000, inclusive). Table 8 Recommended real-time accounting intervals Number of users Real-time accounting interval (minute)
  • Page 99: User-Name-Format (Hwtacacs Scheme View)

    # Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain vpn-instance (HWTACACS scheme view) (available only on the A5500 EI) Syntax vpn-instance vpn-instance-name undo vpn-instance...
  • Page 100: Radius Server Configuration Commands

    View HWTACACS scheme view Default level 2: System level Parameters vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters. Description Use the vpn-instance command to specify a VPN instance for the HWTACACS scheme. Use the undo vpn-instance command to remove the configuration. The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
  • Page 101: Description (Radius-Server User View)

    Related commands: radius-server user. Examples # Configure the authorized VLAN for RADIUS user user1 as VLAN 3. <Sysname> system-view [Sysname] radius-server user user1 [Sysname-rdsuser-user1] authorization-attribute vlan 3 description (RADIUS-server user view) Syntax description text undo description View RADIUS-server user view Default level 2: System level Parameters...
  • Page 102: Password (Radius-Server User View)

    Parameters time: Expiration time of the RADIUS user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
  • Page 103: Radius-Server Client-Ip

    Description Use the password command to configure a password for the RADIUS user. Use the undo password command to delete the password of the RADIUS user. By default, no password is configured for the RADIUS user. Related commands: radius-server user. Examples # Set the password of user1 to 123456 and specify to display the password in simple text.
  • Page 104: Radius-Server User

    Default level 2: System level Parameters ip-address: IPv4 address of the RADIUS client. key string: Shared key for communication with the RADIUS client, a case-sensitive string of 1 to 64 characters. all: Specifies all RADIUS clients. Description Use the radius-server client-ip command to specify a RADIUS client. Use the undo radius-server client-ip command to delete the specified RADIUS client or all RADIUS clients.
  • Page 105 If the access device is configured to send usernames that carry the domain name to the RADIUS server, the username of the RADIUS user configured here must contain the domain name. If not, the username of the RADIUS user configured here does not contain the domain name. Related commands: user-name-format (RADIUS scheme view).
  • Page 106: 802.1X Configuration Commands

    802.1X configuration commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
  • Page 107 Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: EAD timeout: The maximum 802.1X user resource number is 1024 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1 is link-up...
  • Page 108 Field / Description: Supp Timeout: Client timeout timer in seconds. Server Timeout: Server timeout timer in seconds. The maximal retransmitting times: Maximum number of attempts for sending an authentication request to a client. EAD quick deploy configuration: EAD fast deployment configuration. Redirect URL for unauthenticated users using a web browser to access the network. Free IP...
  • Page 109: Dot1X

    Field Description EAP Response/Identity Packets Number of received EAP-Response/Identity packets EAP Response/Challenge Packets Number of received EAP-Response/Challenge packets Error Packets Number of received error packets Authenticated user User that has passed 802.1X authentication Controlled User(s) amount Number of authenticated users on the port dot1x Syntax In system view:...
  • Page 110: Dot1X Authentication-Method

    Examples # Enable 802.1X for ports GigabitEthernet 1/0/1, and GigabitEthernet 1/0/5 to GigabitEthernet 1/0/7. <Sysname> system-view [Sysname] dot1x interface gigabitethernet 1/0/1 gigabitethernet 1/0/5 to gigabitethernet 1/0/7 <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x [Sysname-GigabitEthernet1/0/1] quit [Sysname] interface gigabitethernet 1/0/5 [Sysname-GigabitEthernet1/0/5] dot1x [Sysname-GigabitEthernet1/0/5] quit [Sysname] interface gigabitethernet 1/0/6...
  • Page 111: Dot1X Auth-Fail Vlan

    The network access device relays or terminates EAP packets: In EAP termination mode, the access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. PAP transports usernames and passwords in clear text.
  • Page 112: Dot1X Guest-Vlan

    Use the undo dot1x auth-fail vlan command to restore the default. By default, no Auth-Fail VLAN is configured on a port. You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control. When you change the access control method from MAC-based to port-based on a port that carries an Auth-Fail VLAN, the mappings between MAC addresses and the 802.1X Auth-Fail VLAN are removed.
  • Page 113: Dot1X Handshake

    provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.
  • Page 114: Dot1X Handshake Secure

    Use the undo dot1x handshake command to disable the function. By default, the function is enabled. HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function. Examples # Enable the online user handshake function.
  • Page 115: Dot1X Mandatory-Domain

    HP recommends you use the iNode client software and iMC server to ensure the normal operation of the online user handshake security function. Related commands: dot1x handshake. Examples # Enable the online user handshake security function. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/4...
  • Page 116: Dot1X Max-User

    # After 802.1X user usera passes authentication, execute the display connection command to display the user connection information on GigabitEthernet 1/0/1. For more information about the display connection command, see the chapter "AAA configuration commands." [Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1 Index=68 ,Username=usera@my-domian MAC=0015-e9a6-7cfe...
  • Page 117: Dot1X Multicast-Trigger

    Related commands: display dot1x. Examples # Set the maximum number of concurrent 802.1X users on port GigabitEthernet 1/0/1 to 32. <Sysname> system-view [Sysname] dot1x max-user 32 interface gigabitethernet 1/0/1 <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x max-user 32 # Configure GigabitEthernet 1/0/2 through GigabitEthernet 1/0/5 each to support a maximum of 32 concurrent 802.1X users.
  • Page 118 dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ] undo dot1x port-control [ interface interface-list ] In Layer 2 Ethernet interface view: dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control View System view, Layer 2 Ethernet interface view Default level 2: System level Parameters...
  • Page 119: Dot1X Port-Method

    dot1x port-method Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Layer 2 Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method View System view, Layer 2 Ethernet interface view Default level...
  • Page 120: Dot1X Quiet-Period

    # Configure ports GigabitEthernet 1/0/2 through GigabitEthernet 1/0/5 to implement port-based access control. <Sysname> system-view [Sysname] dot1x port-method portbased interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5 dot1x quiet-period Syntax dot1x quiet-period undo dot1x quiet-period View System view Default level 2: System level Parameters None Description...
  • Page 121: Dot1X Retry

    Description Use the dot1x re-authenticate command to enable the periodic online user re-authentication function. Use the undo dot1x re-authenticate command to disable the function. By default, the periodic online user re-authentication function is disabled. Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port.
  • Page 122: Dot1X Timer

    Related commands: display dot1x. Examples # Set the maximum number of attempts for sending an authentication request to a client as 9. <Sysname> system-view [Sysname] dot1x retry 9 dot1x timer Syntax dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value } undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout |...
  • Page 123: Dot1X Unicast-Trigger

    • Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.
    • Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command.
  • Page 124: Reset Dot1X Statistics

    Related commands: display dot1x, dot1x timer supp-timeout, and dot1x retry. Examples # Enable the unicast trigger function for interface GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Default level...
  • Page 125: Ead Fast Deployment Configuration Commands

    EAD fast deployment configuration commands dot1x free-ip Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } View System view Default level 2: System level Parameters ip-address: Specifies a freely accessible IP address segment, also called "a free IP." mask: Specifies an IP address mask.
  • Page 126: Dot1X Url

    Default level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value ranges from 1 to 1440. Description Use the dot1x timer ead-timeout command to set the EAD rule timer. Use the undo dot1x timer ead-timeout command to restore the default. By default, the timer is 30 minutes.
  • Page 127 Related commands: display dot1x and dot1x free-ip. Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1...
  • Page 128: Mac Authentication Configuration Commands

    MAC authentication configuration commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 129 Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 256 Current online user number is 0 MAC Addr Authenticate state...
  • Page 130: Mac-Authentication

    Field / Description: GigabitEthernet1/0/1 is link-up: Status of the link on port GigabitEthernet 1/0/1. In this example, the link is up. MAC address authentication is enabled: Whether MAC authentication is enabled on port GigabitEthernet 1/0/1. Authenticate success: 0, failed: 0: MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. Maximum number of concurrent online users allowed...
  • Page 131: Mac-Authentication Domain

    Description Use the mac-authentication command in system view to enable MAC authentication globally. Use the mac-authentication interface interface-list command in system view to enable MAC authentication on a list of ports, or the mac-authentication command in interface view to enable MAC authentication on a port. Use the undo mac-authentication command in system view to disable MAC authentication globally.
  • Page 132: Mac-Authentication Guest-Vlan

    Specifies a VLAN as the MAC authentication guest VLAN. The value range is from 1 to 4094. Ensure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see the Layer 2 LAN Switching Configuration Guide. Only the A5500 EI Switch Series supports configuring super VLANs.
  • Page 133: Mac-Authentication Max-User

    To use the MAC authentication guest VLAN function on a port, you must enable MAC-based VLAN on the port, in addition to enabling MAC authentication both globally and on the port. To delete a VLAN that has been set as a MAC authentication guest VLAN, remove the guest VLAN configuration first.
  • Page 134: Mac-Authentication User-Name-Format

    View System view Default level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer, in the range 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
  • Page 135 account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies. password { cipher | simple } password: Specifies the password for the shared user account: The cipher option specifies an encrypted password, which is saved in cipher text.
  • Page 136: Reset Mac-Authentication Statistics

    # Configure a shared account for MAC authentication users: set the username as abc and password as xyz, and display the password in cipher text. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password cipher xyz [Sysname] display this mac-authentication user-name-format fixed account abc password cipher 5Q4$,*^18N'Q=^Q`MAF4<1!! # Configure a shared account for MAC authentication users: set the username as abc and password as 5Q4$,*^18N'Q=^Q`MAF4<1!!, and display the password in cipher text.
  • Page 137: Portal Configuration Commands

    Portal configuration commands NOTE:
    • The A5500 EI Switch Series supports both Layer 2 portal authentication and Layer 3 portal authentication. The A5500 SI Switch Series supports only Layer 2 portal authentication.
    • Among the A5500 Switch Series, only the A5500 EI Switch Series supports configuring and displaying VPN instances and the relevant parameters.
  • Page 138 Inbound interface : all Type : static Action : permit Source: : 0.0.0.0 Mask : 0.0.0.0 : 0000-0000-0000 Interface : any VLAN Protocol Destination: : 192.168.1.15 Mask : 255.255.255.255 Rule 1 Inbound interface : all Type : dynamic Action : permit Source: : 8.8.8.8 Mask...
  • Page 139: Display Portal Connection Statistics (Available Only On The A5500 Ei)

    Number server did not assign any ACL. display portal connection statistics (available only on the A5500 EI) Syntax display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]...
  • Page 140 View Any view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 141 MSG_LOGIN_REQ MSG_LOGOUT_REQ MSG_LEAVING_REQ MSG_ARPPKT MSG_PORT_REMOVE MSG_VLAN_REMOVE MSG_IF_REMOVE MSG_IF_SHUT MSG_IF_DISPORTAL MSG_IF_UP MSG_ACL_RESULT MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 12 Output description Field Description User state statistics Statistics on portal users State-Name Name of a user state User-Num Number of users in a specific state Message statistics Statistics on messages Msg-Name...
  • Page 142: Display Portal Free-Rule

    Field Description MSG_ARPPKT ARP message MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message MSG_VLAN_REMOVE VLAN user removed message MSG_IF_REMOVE Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed. MSG_IF_SHUT Layer 3 interface shutdown message MSG_IF_DISPORTAL Portal-disabled-on-interface message MSG_IF_UP Layer 3 interface came up message...
  • Page 143: Display Portal Interface

    regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display portal free-rule command to display information about a specified portal-free rule or all portal-free rules. Related commands: portal free-rule. Examples # Display information about portal-free rule 1. <Sysname>...
  • Page 144 Description Use the display portal interface command to display the portal configuration of an interface. Examples # Display the portal configuration of VLAN-interface1. (supported by A5500 EI only) <Sysname> display portal interface vlan-interface 1 Interface portal configuration: Vlan-interface 1: Portal running...
  • Page 145: Display Portal Local-Server

    Field Description Portal backup-group ID number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None will be displayed. Authentication type Authentication mode enabled on the interface Authentication domain Mandatory authentication domain of the interface Authentication network Information of the portal authentication subnet address...
  • Page 146: Display Portal Server (Available Only On The A5500 Ei)

    Server policy SSL server policy associated with the HTTPS service. If HTTP is configured, this field will be null. display portal server (available only on the A5500 EI) Syntax display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]...
  • Page 147: Display Portal Server Statistics (Available Only On The A5500 Ei)

    Down—The portal server is referenced on an interface and the portal server detection function is enabled, but the portal server is unreachable. display portal server statistics (available only on the A5500 EI) Syntax display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude |...
  • Page 148 Description Use the display portal server statistics command to display portal server statistics on a specified interface or all interfaces. With the all keyword specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly. Examples # Display portal server statistics on VLAN-interface 1.
  • Page 149: Display Portal Tcp-Cheat Statistics

    Field Description ACK_AUTH Authentication acknowledgment message the access device sends to the portal server REQ_LOGOUT Logout request message the portal server sends to the access device ACK_LOGOUT Logout acknowledgment message the access device sends to the portal server AFF_ACK_AUTH Affirmation message the portal server sends to the access device after receiving an authentication acknowledgement message NTF_LOGOUT...
  • Page 150 Examples # Display TCP spoofing statistics. <Sysname> display portal tcp-cheat statistics TCP Cheat Statistic: Total Opens: 0 Resets Connections: 0 Current Opens: 0 Packets Received: 0 Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0 Connection State: SYN_RECVD: 0 ESTABLISHED: 0 CLOSE_WAIT: 0...
  • Page 151: Display Portal User

    display portal user Syntax display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression.
  • Page 152: Portal Auth-Fail Vlan

    Total 2 user(s) matched, 2 listed. Table 19 Output description Field Description Index Index of the portal user State Current status of the portal user SubState Current sub-status of the portal user Authorization ACL of the portal user User's working mode, which can be: ...
  • Page 153: Portal Auth-Network (Available Only On The A5500 Ei)

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type hybrid [Sysname-GigabitEthernet1/0/1] mac-vlan enable [Sysname-GigabitEthernet1/0/1] portal auth-fail vlan 5 portal auth-network (available only on the A5500 EI) Syntax portal auth-network network-address { mask-length | mask } undo portal auth-network { network-address | all }...
  • Page 154: Portal Backup-Group (Available Only On The A5500 Ei)

    (available only on the A5500 EI) Syntax portal backup-group group-id undo portal backup-group View Interface view Default level 2: System level Parameters group-id: Specifies the portal group ID, in the range 1 to 256. Description Use the portal backup-group command to specify the portal group to which the interface belongs. The portal service backup interfaces in the same portal group back up each other's portal user data.
  • Page 155: Portal Domain

    Use the undo portal domain command to restore the default. By default, no authentication domain is specified for an interface. Related commands: display portal interface. Examples # Configure the authentication domain to be used for portal users on VLAN-interface 100 as my-domain. (Supported by A5500 EI only) <Sysname> system-view...
  • Page 156: Portal Free-Rule

    Syntax On A5500 EI Switch Series: portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ ip { ip-address mask { mask-length | netmask } | any } | mac mac-address | vlan vlan-...
  • Page 157: Portal Local-Server

    Regardless of whether portal authentication is enabled, you can only add or remove a portal-free rule; you cannot modify it. For Layer 2 portal authentication, you can configure only portal-free rules that are from any source address to any or a specified destination address. With such a portal-free rule configured, users can access the specified address without portal authentication.
  • Page 158: Portal Local-Server Enable

    For normal operation of portal authentication on a Layer 2 port, you must disable portal authentication on all Layer 3 interfaces and HP recommends disabling port security, guest VLAN of 802.1X, and EAD fast deployment of 802.1X on the port. For information about port security and 802.1X features, see the Security Configuration Guide.
  • Page 159: Portal Local-Server Ip

    By default, no listening IP address is specified for the local portal server. HP recommends that you configure a loopback interface's address as the listening IP address because: The status of a loopback interface is stable. This can avoid authentication page access failures ...
  • Page 160: Portal Move-Mode Auto

    undo portal max-user View System view Default level 2: System level Parameters max-number: Specifies the maximum number of online portal users allowed in the system, in the range 1 to 3000. Description Use the portal max-user command to set the maximum number of online portal users allowed in the system.
  • Page 161: Portal Nas-Id-Profile (Available Only On The A5500 Ei)

    Support for portal user moving applies to scenarios where hubs, Layer 2 switches, or APs exist between users and the access devices. Examples # Enable support for portal user moving. <Sysname> system-view [Sysname] portal move-mode auto portal nas-id-profile (available only on the A5500 EI) Syntax portal nas-id-profile profile-name undo portal nas-id-profile View Interface...
  • Page 162: Portal Nas-Ip (Available Only On The A5500 Ei)

    (available only on the A5500 EI) Syntax portal nas-ip ip-address undo portal nas-ip View Interface view Default level 2: System level Parameters ip-address: Specifies the source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a...
  • Page 163: Portal Offline-Detect Interval

    Description Use the portal nas-port-type command to specify the access port type (indicated by the NAS-Port-Type value) on the current interface. The specified NAS-Port-Type value will be carried in the RADIUS requests sent from the device to the RADIUS server. Use the undo portal nas-port-type command to restore the default.
  • Page 164: Portal Redirect-Url

    # Configure the device to redirect a portal user to http://www.testpt.cn 3 seconds after the user passes portal authentication. <Sysname> system-view [Sysname] portal redirect-url http://www.testpt.cn wait-time 3 portal server (available only on the A5500 EI) Syntax portal server server-name ip ip-address [ key key-string | port port-id | url url-string | vpn-instance vpn-instance-name ] *...
  • Page 165 Default level 2: System level Parameters server-name: Specifies the name of the portal server, a case-sensitive string of 1 to 32 characters. ip ip-address: Specifies the IP address of the portal server. If you configure the local portal server, the IP address specified must be that of a Layer 3 interface on the device and can reach the portal clients.
  • Page 166: Portal Server Banner

    # Configure the welcome banner of the default Web page provided by the local portal server as Welcome to Portal Authentication. <Sysname> system-view [Sysname] portal server banner Welcome to Portal Authentication portal server method (available only on the A5500 EI) Syntax portal server server-name method { direct | layer3 | redhcp } undo portal...
  • Page 167: Portal Server Server-Detect (Available Only On The A5500 Ei)

    <Sysname> system-view [Sysname] interface vlan-interface 100 [Sysname-Vlan-interface100] portal server pts method direct portal server server-detect (available only on the A5500 EI) Syntax portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]...
  • Page 168 portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method is effective to only portal servers that support the portal heartbeat function. Currently, only the iMC portal server supports this function. To implement detection with this method, you also need to configure the portal server heartbeat function on the iMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device.
  • Page 169: Portal Server User-Sync (Available Only On The A5500 Ei)

    <Sysname> system-view [Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2 portal server user-sync (available only on the A5500 EI) Syntax portal server server-name user-sync [ interval interval ] [ retry retries ]...
  • Page 170: Portal Web-Proxy Port

    server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device. Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server.
  • Page 171: Reset Portal Connection Statistics (Available Only On The A5500 Ei)

    Examples # Clear portal connection statistics on VLAN-interface 1. <Sysname> reset portal connection statistics interface Vlan-interface1 reset portal server statistics (available only on the A5500 EI) Syntax reset portal server statistics { all | interface interface-type interface-number } View...
  • Page 172: Reset Portal Tcp-Cheat Statistics

    Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the reset portal server statistics command to clear portal server statistics on a specified interface or all interfaces. Examples # Clear portal server statistics on VLAN-interface 1. <Sysname>...
  • Page 173: Port Security Configuration Commands

    Port security configuration commands display port-security Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 174 RALM logoff trap is enabled RALM logfailure trap is enabled AutoLearn aging time is 30 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet1/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50...
  • Page 175 Field Description Whether trapping for MAC authentication failure is enabled or not. If it RALM logfailure trap is enabled, the port sends trap information when a user fails MAC address authentication. Sticky MAC aging timer. The timer applies to all automatically learned or AutoLearn aging time manually configured sticky MAC addresses.
  • Page 176: Display Port-Security Mac-Address Block

    display port-security mac-address block Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number.
  • Page 177: Display Port-Security Mac-Address Security

    # Display information about all blocked MAC addresses in VLAN 30. <Sysname> display port-security mac-address block vlan 30 MAC ADDR From Port VLAN ID --- On slot 1, no mac address found --- 000f-3d80-0d2d GigabitEthernet1/0/1 --- On slot 2, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses of port GigabitEthernet1/0/1.
  • Page 178 Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID, which is in the range 1 to 4094. count: Displays only the count of the secure MAC addresses. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 179: Port-Security Authorization Ignore

    <Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 000d-88f8-0577 Security GigabitEthernet1/0/1 NOAGED 1 mac address(es) found Table 22 Output description Field Description MAC ADDR Secure MAC address VLAN ID ID of the VLAN to which the port belongs Type of the MAC address added.
  • Page 180: Port-Security Enable

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security authorization ignore port-security enable Syntax port-security enable undo port-security enable View System view Default level 2: System level Parameters None Description Use the port-security enable command to enable port security. Use the undo port-security enable command to disable port security. By default, port security is disabled.
  • Page 181: Port-Security Mac-Address Security

    View Layer 2 Ethernet interface view Default level 2: System level Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
  • Page 182 Default level 2: System level Parameters sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a static secure MAC address. mac-address: Specifies the secure MAC address, in the H-H-H format. interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number. vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs.
  • Page 183: Port-Security Max-Mac-Count

    [Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100 [Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn [Sysname-GigabitEthernet1/0/1] quit [Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10 # Enable port security, set port GigabitEthernet 1/0/1 in autoLearn mode, and add a sticky MAC address 0001-0002-0003 in VLAN 4 in interface view. <Sysname>...
  • Page 184: Port-Security Ntk-Mode

    [Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100 port-security ntk-mode Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode View Layer 2 Ethernet interface view Default level 2: System level Parameters ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
  • Page 185: Port-Security Port-Mode

    Default level 2: System level Parameters oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system automatically uses only the 24 high-order bits as the OUI value. index-value: Specifies the OUI index, in the range 1 to 16. Description Use the port-security oui command to configure an OUI value for user authentication.
  • Page 186 Parameters Keyword Security mode Description In this mode, a port can learn MAC addresses, and allows frames sourced from learned or configured the MAC addresses to pass. These dynamically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port- security mac-address security command.
  • Page 187: Port-Security Timer Autolearn Aging

    Keyword Security mode Description This mode is the combination of the userLoginSecure and macAddressWithRadius modes. userlogin-secure-or-mac macAddressOrUserLoginSecure For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. userlogin-secure-or-mac- macAddressOrUserL Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X...
  • Page 188: Port-Security Timer Disableport

    undo port-security timer autolearn aging View System view Default level 2: System level Parameters time-value: Sets the aging timer in minutes for sticky MAC addresses. The value ranges from 0 to 129600. To disable the aging timer, set the timer to 0. Description Use the port-security timer autolearn aging command to set the sticky MAC aging timer.
  • Page 189: Port-Security Trap

    Examples # Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds. <Sysname> system-view [Sysname] port-security timer disableport 30 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily port-security trap Syntax port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion |...
  • Page 190 By default, port security traps are disabled. You can enable certain port security traps for monitoring user behaviors. Related commands: display port-security. Examples # Enable MAC address learning traps. <Sysname> system-view [Sysname] port-security trap addresslearned...
  • Page 191: User Profile Configuration Commands

    User profile configuration commands display user-profile Syntax display user-profile [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 192: User-Profile Enable

    Field Description User profile User profile name AuthType Authentication type of the user profile, which takes one of the following values: DOT1X: 802.1X authentication; PORTAL: portal authentication Total user profiles Total number of user profiles that have been created Enabled user profiles Total number of user profiles that have been enabled user-profile enable...
  • Page 193 View System view Default level 2: System level Parameters profile-name: Assign a name for the use profile. The name is a, case-sensitive string of 1 to 31 characters. It can only contain English letters, numbers, and underlines, and it must start with an English letter. A user profile name must be globally unique.
  • Page 194: Password Control Configuration Commands

    Password control configuration commands display password-control Syntax display password-control [ super ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
  • Page 195: Display Password-Control Blacklist

    # Display the password control configuration information for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 24 Output description Field Description Password control...
  • Page 196: Password

    Default level 2: System level Parameters user-name name: Specifies a user by the name, which is a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression.
  • Page 197: Password-Control Aging

    View Local user view Default level 2: System level Parameters None Description Use the password command to set a password for a local user in interactive mode. Use the undo password command to remove the password for a local user. Valid characters for a local user password include uppercase letters A to Z, lowercase letters a to z, numbers 0 to 9, blank space, and these 31 symbols: ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
  • Page 198: Password-Control Alert-Before-Expire

    The setting in system view has global significance and applies to all user groups, the setting in user group view applies to all local users in the user group, and the setting in local user view applies to only the local user.
  • Page 199: Password-Control Authentication-Timeout

    password-control authentication-timeout Syntax password-control authentication-timeout authentication-timeout undo password-control authentication-timeout View System view Default level 2: System level Parameters authentication-timeout: Specifies the user authentication timeout time in seconds, in the range 30 to 120. Description Use the password-control authentication-timeout command to set the user authentication timeout time. Use the undo password-control authentication-timeout command to restore the default.
  • Page 200: Password-Control Composition

    By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively. Related commands: display password-control. Examples # Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.
  • Page 201: Password-Control { Aging | Composition | History | Length } Enable

    # Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control composition type-number 3 type-length 5 [Sysname-ugroup-test] quit # Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for local user abc.
  • Page 202: Password-Control Enable

    <Sysname> system-view [Sysname] password-control enable # Enable the password composition restriction function. [Sysname] password-control composition enable # Enable the password aging function. [Sysname] password-control aging enable # Enable the minimum password length restriction function. [Sysname] password-control length enable # Enable the password history function. [Sysname] password-control history enable password-control enable...
  • Page 203: Password-Control History

    Default level 2: System level Parameters delay delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range 1 to 90. times times: Specifies the maximum number of times a user can log in after the password expires, in the range 0 to 10.
  • Page 204: Password-Control Length

    password-control length Syntax password-control length length undo password-control length View System view, user group view, local user view Default level 2: System level Parameters length: Specifies the minimum password length in characters, in the range 4 to 32. Description Use the password-control length command to set the minimum password length. Use the undo password-control length command to restore the default.
  • Page 205: Password-Control Login-Attempt

    View System view Default level 2: System level Parameters idle-time: Specifies the maximum account idle time, in the range 0 to 365, in days. 0 means no restriction for account idle time. Description Use the password-control login idle-time command to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid.
  • Page 206: Password-Control Password Update Interval

    Use the undo password-control command to restore the default. By default, the maximum number of consecutive failed login attempts is three and a user failing to log in after the specified number of attempts must wait for one minute before trying again. If prohibited permanently, a user can log in only after you remove the user from the blacklist.
  • Page 207: Password-Control Super Aging

    Default level 2: System level Parameters interval: Specifies the minimum password update interval, in the range 0 to 168, in hours. 0 means no requirements for password update interval. Description Use the password-control password update interval command to set the minimum password update interval—the minimum interval at which users can change their passwords.
  • Page 208: Password-Control Super Composition

    password-control super composition Syntax password-control super composition type-number type-number [ type-length type-length ] undo password-control super composition View System view Default level 2: System level Parameters type-number type-number: Specifies the minimum number of composition types for super passwords, in the range 1 to 4. type-length type-length: Specifies the minimum number of characters of each composition type for super passwords, in the range 1 to 16.
  • Page 209: Reset Password-Control Blacklist

    Description Use the password-control super length command to set the minimum length for super passwords. Use the undo password-control super length command to restore the default. By default, the minimum super password length is 10 characters. The setting for super passwords, if present, overrides that for all passwords. Related commands: password-control length.
  • Page 210 Parameters user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters. super: Deletes the history records of the super password specified by the level level combination or the history records of all super passwords.
  • Page 211: Habp Configuration Commands

    HABP configuration commands display habp Syntax display habp [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 212: Display Habp Table

    display habp table Syntax display habp table [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 213: Habp Client Vlan

    Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 214: Habp Enable

    Parameters vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted, in the range from 1 to 4094. Description Use the habp client vlan command to specify the VLAN to which the HABP client belongs. HABP packets will be transmitted within the VLAN.
  • Page 215: Habp Timer

    Default level 2: System level Parameters vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted, in the range 1 to 4094. Description Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN in which HABP packets are to be transmitted.
  • Page 216 [Sysname] habp timer 50...
  • Page 217: Public Key Configuration Commands

    Public key configuration commands display public-key local public Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair.
  • Page 218: Display Public-Key Peer

    ===================================================== Time of Key pair created: 19:59:17 2011/01/25 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12B2B1 EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE0ECEF 659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2011/01/25...
  • Page 219 View Any view Default level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression.
  • Page 220: Peer-Public-Key End

    Spaces and carriage returns are allowed between characters. If the peer is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
  • Page 221: Public-Key-Code End

    Examples # Enter public key code view and input the key. <Sysname> system-view [Sysname] public-key peer key1 [Sysname-pkey-public-key] public-key-code begin [Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A [Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4 [Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6 [Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301 [Sysname-pkey-key-code]0001 public-key-code end Syntax public-key-code end View Public key code view Default level 2: System level Parameters None...
  • Page 222: Public-Key Local Create

    [Sysname-pkey-key-code] public-key-code end [Sysname-pkey-public-key] public-key local create Syntax public-key local create { dsa | rsa } View System view Default level 2: System level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair. Description Use the public-key local create command to create local key pairs. The created local key pairs are saved automatically, and can survive a reboot.
  • Page 223: Public-Key Local Destroy

    Generating Keys... public-key local destroy Syntax public-key local destroy { dsa | rsa } View System view Default level 2: System level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair. Description Use the public-key local destroy command to destroy the local key pairs. Related commands: public-key local create.
  • Page 224: Public-Key Local Export Rsa

    Description Use the public-key local export dsa command to display the local DSA public key on the screen or export it to a specified file. If you do not specify the filename argument, the command displays the local DSA public key on the screen;...
  • Page 225: Public-Key Peer

    Parameters openssh: Uses the format of OpenSSH. ssh1: Uses the format of SSH1.5. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the host public key. For more information about file name, see the Fundamentals Configuration Guide. Description Use the public-key local export rsa command to display the local RSA host public key on the screen or export it to a specified file.
  • Page 226: Public-Key Peer Import Sshkey

    Default level 2: System level Parameters keyname: Specifies the peer public key name, a case-sensitive string of 1 to 64 characters. Description Use the public-key peer command to specify a name for a peer public key and enter public key view. Use the undo public-key peer command to remove a peer public key.
  • Page 227 After execution of this command, the system automatically transforms the host public key in SSH1, SSH2.0 or OpenSSH format to PKCS format, and imports the key. This operation requires that you get a copy of the public key file from the peer through FTP or TFTP in advance. Related commands: display public-key peer.
  • Page 228: Pki Configuration Commands

    PKI configuration commands attribute Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ} attribute-value undo attribute { id | all } View Certificate attribute group view Default level...
  • Page 229: Ca Identifier

    <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc. [Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc # Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
  • Page 230: Certificate Request From

    Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration. By default, no entity is specified for certificate request.
  • Page 231: Certificate Request Polling

    undo certificate request mode View PKI domain view Default level 2: System level Parameters auto: Requests certificates in auto mode. key-length: Length of the RSA keys in bits, in the range 512 to 2048. It is 1024 bits by default. cipher: Displays the password in cipher text.
  • Page 232: Certificate Request Url

    interval minutes: Specifies the polling interval in minutes, in the range 5 to 168. Description Use the certificate request polling command to specify the certificate request polling interval and attempt limit. Use the undo certificate request polling command to restore the defaults. By default, the polling is executed every 20 minutes for up to 50 times.
  • Page 233: Common-Name

    common-name Syntax common-name name undo common-name View PKI entity view Default level 2: System level Parameters name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the common-name command to configure the common name of an entity, which can be, for example, the user name.
  • Page 234: Crl Check

    Examples # Set the country code of an entity to CN. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Syntax crl check { disable | enable } View PKI domain view Default level 2: System level Parameters disable: Disables CRL checking.
  • Page 235: Crl Url

    Description Use the crl update-period command to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use the undo crl update-period command to restore the default. By default, the CRL update period depends on the next update field in the CRL file.
  • Page 236 View Any view Default level 2: System level Parameters ca: Displays the CA certificate. local: Displays the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters. request-status: Displays the status of a certificate request. |: Filters command output by specifying a regular expression.
  • Page 237: Display Pki Certificate Access-Control-Policy

    CN=pki test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00D41D1F … Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS: hyf.xxyyzz.net X509v3 CRL Distribution Points: URI:http://1.1.1.1:447/myca.crl … … Signature Algorithm: md5WithRSAEncryption A3A5A447 4D08387D …...
  • Page 238: Display Pki Certificate Attribute-Group

    begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display pki certificate access-control-policy command to display information about certificate attribute-based access control policies.
  • Page 239: Display Pki Crl Domain

    Description Use the display pki certificate attribute-group command to display information about certificate attribute groups. Examples # Display information about certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup attribute group name: mygroup attribute 1 subject-name attribute 2 issuer-name fqdn nctn Table 32 Output description...
  • Page 240 Description Use the display pki crl domain command to display the locally saved CRLs. Related commands: pki retrieval-crl and pki domain. Examples # Display the locally saved CRLs. <Sysname> display pki crl domain 1 Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN...
  • Page 241: Fqdn

    fqdn Syntax fqdn name-str undo fqdn View PKI entity view Default level 2: System level Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Description Use the fqdn command to configure the FQDN of an entity. Use the undo fqdn command to remove the configuration.
  • Page 242: Ldap-Server

    By default, no IP address is specified for an entity. Examples # Configure the IP address of an entity as 11.0.0.1. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] ip 11.0.0.1 ldap-server Syntax ldap-server ip ip-address [ port port-number ] [ version version-number ] undo ldap-server View PKI domain view...
  • Page 243: Organization

    Parameters locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name. Use the undo locality command to remove the configuration.
  • Page 244: Pki Certificate Access-Control-Policy

    View PKI entity view Default level 2: System level Parameters org-unit-name: Organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the organization-unit command to specify the name of the organization unit to which this entity belongs.
  • Page 245: Pki Certificate Attribute-Group

    [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] pki certificate attribute-group Syntax pki certificate attribute-group group-name undo pki certificate attribute-group { group-name | all } View System view Default level 2: System level Parameters group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
  • Page 246: Pki Domain

    Description Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain. Examples # Delete the local certificate for PKI domain cer. <Sysname> system-view [Sysname] pki delete-certificate local domain cer pki domain Syntax pki domain domain-name undo pki domain domain-name View System view...
  • Page 247: Pki Import-Certificate

    Description Use the pki entity command to create a PKI entity and enter its view. Use the undo pki entity command to remove a PKI entity. By default, no entity exists. You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.
  • Page 248: Pki Request-Certificate Domain

    pki request-certificate domain Syntax pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] View System view Default level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
  • Page 249: Pki Retrieval-Crl Domain

    Default level 2: System level Parameters ca: Retrieves the CA certificate. local: Retrieves the local certificate. domain-name: Name of the PKI domain used for certificate request. Description Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate distribution. Related commands: pki domain.
  • Page 250: Root-Certificate Fingerprint

    Default level 2: System level Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters. Description Use the pki validate-certificate command to verify the validity of a certificate. Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
  • Page 251: Rule (Pki Cert Acp View)

    [Sysname] pki domain 1 [Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E # Configure a SHA1 fingerprint for verifying the validity of the CA root certificate. [Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 rule (PKI CERT ACP view) Syntax rule [ id ] { deny | permit } group-name undo rule { id | all } View PKI certificate access control policy view...
  • Page 252 undo state View PKI entity view Default level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the state command to specify the name of the state or province where an entity resides. Use the undo state command to remove the configuration.
  • Page 253: Ipsec Configuration Commands

    IPsec configuration commands NOTE: • The A5500 EI Switch Series supports using IPsec to protect OSPFv3, IPv6 BGP, and RIPng. • The A5500 SI Switch Series supports using IPsec to protect RIPng. ah authentication-algorithm Syntax ah authentication-algorithm { md5 | sha1 }...
  • Page 254: Display Ipsec Policy

    display ipsec policy Syntax display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters brief: Displays brief information about all IPsec policies. name: Displays detailed information about a specific IPsec policy or IPsec policy group.
  • Page 255 Table 34 Output description Field Description IPsec-Policy-Name Name and sequence number of the IPsec policy separated by hyphen Negotiation mode of the IPsec policy, which can be: Mode manual: Manual mode Access control list (ACL) referenced by the IPsec policy ike-peer name IKE peer name Mapped Template...
  • Page 256: Display Ipsec Proposal

    Table 35 Output description Field Description security data flow ACL referenced by the IPsec policy Interface Interface to which the IPsec policy is applied. Name of the protocol to which the IPsec policy is applied. (This Protocol field is not displayed when the IPsec policy is not applied to any routing protocol.) sequence number Sequence number of the IPsec policy.
  • Page 257: Display Ipsec Sa

    <Sysname> display ipsec proposal IPsec proposal name: prop1 encapsulation mode: transport transform: esp-new ESP protocol: authentication md5-hmac-96, encryption des Table 36 Output description Field Description IPsec proposal name Name of the IPsec proposal encapsulation mode Encapsulation mode used by the IPsec proposal, transport or tunnel transform Security protocol(s) used by the IPsec proposal, AH, ESP, or both AH protocol...
  • Page 258 Examples # Display brief information about all SAs. <Sysname> display ipsec sa brief Src Address Dst Address Protocol Algorithm -------------------------------------------------------- — — E:DES; A:HMAC-MD5-96 — — E:DES; A:HMAC-MD5-96 Table 37 Output description Field Description Src Address Local IP address Dst Address Remote IP address Security parameter index Protocol...
  • Page 259: Display Ipsec Statistics

    Table 38 Output description Field Description Interface Interface referencing the IPsec policy path MTU Maximum IP packet length supported by the interface Protocol Name of the protocol to which the IPsec policy is applied. IPsec policy name Name of IPsec policy used sequence number Sequence number of the IPsec policy mode...
  • Page 260 View Any view Default level 1: Monitor level Parameters tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range 1 to 2000000000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 261: Display Ipsec Tunnel

    not enough memory: 0 queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0 Table 39 Output description Field Description Connection ID ID of the tunnel input/output security packets Counts of inbound and outbound IPsec protected packets input/output security bytes Counts of inbound and outbound IPsec protected bytes...
  • Page 262 include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display ipsec tunnel command to display IPsec tunnel information. Examples # Display information about IPsec tunnels. <Sysname>...
  • Page 263: Encapsulation-Mode

    encapsulation-mode Syntax encapsulation-mode { transport | tunnel } undo encapsulation-mode View IPsec proposal view Default level 2: System level Parameters transport: Uses transport mode. tunnel: Uses tunnel mode. Description Use the encapsulation-mode command to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
  • Page 264: Esp Encryption-Algorithm

    Description Use the esp authentication-algorithm command to specify the authentication algorithm for ESP. Use the undo esp authentication-algorithm command to configure ESP not to perform authentication on packets. By default, the MD5 algorithm is used. Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform. Examples # Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
  • Page 265: Ipsec Policy

    ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. The undo esp encryption-algorithm command takes effect only if no authentication algorithm is used. Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform. Examples # Configure IPsec proposal prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
  • Page 266: Ipsec Proposal

    <Sysname> system-view [Sysname] ipsec policy policy1 101 manual [Sysname-ipsec-policy-manual-policy1-101] ipsec proposal Syntax ipsec proposal proposal-name undo ipsec proposal proposal-name View System view Default level 2: System level Parameters proposal-name: Name for the proposal, a case-insensitive string of 1 to 15 characters. Description Use the ipsec proposal command to create an IPsec proposal and enter its view.
  • Page 267: Reset Ipsec Sa

    Description Use the proposal command to specify the IPsec proposals for the IPsec policy or IPsec profile to reference. Use the undo proposal command to remove an IPsec proposal reference by the IPsec policy or IPsec profile. By default, an IPsec policy or IPsec profile references no IPsec proposal. The IPsec proposals must already exist.
  • Page 268: Reset Ipsec Statistics

    Examples # Clear all SAs. <Sysname> reset ipsec sa # Clear all SAs of IPsec policy template policy1. <Sysname> reset ipsec sa policy policy1 # Clear the SA of the IPsec policy with the name of policy1 and sequence number of 10. <Sysname>...
  • Page 269: Sa Encryption-Hex

    ah: Uses AH. esp: Uses ESP. hex-key: Authentication key for the SA, in hexadecimal format. The length of the key is 16 bytes for MD5 and 20 bytes for SHA1. Description Use the sa authentication-hex command to configure an authentication key for an SA. Use the undo sa authentication-hex command to remove the configuration.
  • Page 270: Sa Spi

    hex-key: Encryption key for the SA, in hexadecimal format. The length of the key is 8 bytes for DES and 24 bytes for 3DES. Description Use the sa encryption-hex command to configure an encryption key for an SA. Use the undo sa encryption-hex command to remove the configuration. This command applies to only manual IPsec policies.
  • Page 271: Sa String-Key

    Use the undo sa spi command to remove the configuration. This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs. For a manual IPsec policy for ACL-based IPsec, set different SPIs for different SAs. The SPI for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the SPI for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
  • Page 272: Transform

    Description Use the sa string-key command to set a key string for an SA. Use the undo sa string-key command to remove the configuration. This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
  • Page 273 Use the undo transform command to restore the default. By default, the ESP protocol is used. If ESP is used, the default encryption and authentication algorithms are DES and MD5 respectively. If AH is used, the default authentication algorithm is MD5. If both AH and ESP are used, AH takes the authentication algorithm of MD5 by default, and ESP takes the encryption algorithm of DES and uses no authentication algorithm by default.
  • Page 274: Ssh2.0 Configuration Commands

    SSH2.0 configuration commands SSH2.0 server configuration commands display ssh server Syntax display ssh server { session | status } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters session: Displays the session information of the SSH server. status: Displays the status information of the SSH server.
  • Page 275: Display Ssh User-Information

    SFTP Server: Disable SFTP Server Idle-Timeout: 10 minute(s) Table 41 Output description Field Description SSH Server Whether the SSH server function is enabled SSH protocol version SSH version When the SSH supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0. SSH authentication-timeout Authentication timeout period SSH server key generating interval...
  • Page 276: Ssh Server Authentication-Retries

    Parameters username: SSH username, a string of 1 to 80 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 277: Ssh Server Authentication-Timeout

    Default level 3: Manage level Parameters times: Maximum number of authentication attempts, in the range 1 to 5. Description Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts. Use the undo ssh server authentication-retries command to restore the default. By default, the maximum number of SSH connection authentication attempts is 3.
  • Page 278: Ssh Server Compatible-Ssh1X Enable

    Examples # Set the SSH user authentication timeout period to 10 seconds. <Sysname> system-view [Sysname] ssh server authentication-timeout 10 ssh server compatible-ssh1x enable Syntax ssh server compatible-ssh1x enable undo ssh server compatible-ssh1x View System view Default level 3: Manage level Parameters None Description...
  • Page 279: Ssh Server Rekey-Interval

    Description Use the ssh server enable command to enable the SSH server function. Use the undo ssh server enable command to disable the SSH server function. By default, SSH server is disabled. Examples # Enable SSH server. <Sysname> system-view [Sysname] ssh server enable ssh server rekey-interval Syntax ssh server rekey-interval hours...
  • Page 280 ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name } undo ssh user username View System view Default level 3: Manage level Parameters username: SSH username, a case-sensitive string of 1 to 80 characters.
  • Page 281: Ssh2.0 Client Configuration Commands

    Related commands: display ssh user-information. Examples # Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, the working directory of the SFTP server as flash:, and assigning a public key named key1 to the user.
  • Page 282: Ssh Client Authentication Server

    View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 283: Ssh Client First-Time Enable

    View System view Default level 2: System level Parameters server: IP address or name of the server, a string of 1 to 80 characters. assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.
  • Page 284: Ssh Client Ipv6 Source

    With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server.
  • Page 285: Ssh Client Source

    ssh client source Syntax ssh client source { ip ip-address | interface interface-type interface-number } undo ssh client source View System view Default level 3: Manage level Parameters ip ip-address: Specifies a source IPv4 address. interface interface-type interface-number: Specifies a source interface by its type and number. Description Use the ssh client source command to specify the source IPv4 address or source interface of the SSH client.
  • Page 286: Ssh2 Ipv6

    A5500 EI Switch Series. If the server is on the public network, do not specify this keyword and argument combination. identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa. prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.
  • Page 287 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View User view Default level 0: Visit level Parameters server: IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters. port-number: Port number of the server, in the range 0 to 65535.
  • Page 288 <Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96...
  • Page 289: Sftp Configuration Commands

    SFTP configuration commands SFTP server configuration commands sftp server enable Syntax sftp server enable undo sftp server enable View System view Default level 3: Manage level Parameters None Description Use the sftp server enable command to enable SFTP server. Use the undo sftp server enable command to disable SFTP server. By default, SFTP server is disabled.
  • Page 290: Sftp Client Configuration Commands

    Description Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections. Use the undo sftp server idle-timeout command to restore the default. By default, the idle timeout period is 10 minutes. Related commands: display ssh server. Examples # Set the idle timeout period for SFTP user connections to 500 minutes.
  • Page 291: Cdup

    Parameters remote-path: Name of a path on the server. Description Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path. NOTE: • You can use the cd .. command to return to the upper-level directory. ...
  • Page 292: Dir

    Parameters remote-file&<1-10>: Names of files on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space. Description Use the delete command to delete files from a server. This command functions as the remove command. Examples # Delete file temp.c from the server.
  • Page 293: Display Sftp Client Source

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2 -rwxrwxrwx 1 noone...
  • Page 294: Get

    Parameters None Description Use the exit command to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and quit commands. Examples # Terminate the connection with the remote SFTP server. sftp-client>...
  • Page 295 Default level 3: Manage level Parameters all: Displays a list of all commands. command-name: Name of a command. Description Use the help command to display a list of all commands or the help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands. Examples # Display the help information of the get command.
  • Page 296: Mkdir

    -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2 mkdir Syntax mkdir remote-path View SFTP client view Default level...
  • Page 297: Pwd

    Local file:temp.c ---> Remote file: /temp1.c Uploading file successfully ended pwd Syntax pwd View SFTP client view Default level 3: Manage level Parameters None Description Use the pwd command to display the current working directory of a remote SFTP server. Examples # Display the current working directory of the remote SFTP server. sftp-client>...
  • Page 298: Remove

    remove Syntax remove remote-file&<1-10> View SFTP client view Default level 3: Manage level Parameters remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, which are separated by space. Description Use the remove command to delete files from a remote server.
  • Page 299: Rmdir

    1 to 31 characters. This keyword and argument combination is available only on the A5500 EI Switch Series. If the server is on the public network, do not specify this keyword and argument combination.
  • Page 300: Sftp Client Ipv6 Source

    aes128: Encryption algorithm aes128-cbc. • des: Encryption algorithm des-cbc. • prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96. • md5: HMAC algorithm hmac-md5. • md5-96: HMAC algorithm hmac-md5-96. • sha1: HMAC algorithm hmac-sha1. • sha1-96: HMAC algorithm hmac-sha1-96. ...
  • Page 301: Sftp Client Source

    interface interface-type interface-number: Specifies a source interface by its type and number. Description Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for an SFTP client. Use the undo sftp client ipv6 source command to remove the configuration. By default, an SFTP client uses as its source address the IPv6 address of the interface through which the device routes traffic to the SFTP server.
  • Page 302: Sftp Ipv6

    sftp ipv6 Syntax sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View...
  • Page 303 Preferred key exchange algorithm: dh-group1. Preferred encryption algorithm from server to client: aes128. Preferred HMAC algorithm from client to server: md5. Preferred HMAC algorithm from server to client: sha1-96.
    <Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 Input Username:...
  • Page 304: Ssl Configuration Commands

    SSL configuration commands ciphersuite Syntax ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * View SSL server policy view Default level 2: System level Parameters rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
  • Page 305: Client-Verify Enable

    client-verify enable Syntax client-verify enable undo client-verify enable View SSL server policy view Default level 2: System level Parameters None Description Use the client-verify enable command to enable certificate-based SSL client authentication so that the SSL server authenticates the client by the client’s certificate during the SSL handshake process. Use the undo client-verify enable command to restore the default.
  • Page 306: Display Ssl Client-Policy

    By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client. Related commands: display ssl server-policy. Examples # Set the SSL connection close mode to wait. <Sysname>...
  • Page 307: Display Ssl Server-Policy

    Field Description SSL Version Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0 PKI Domain PKI domain of the SSL client policy Prefer Ciphersuite Preferred cipher suite of the SSL client policy Server-verify Whether server authentication is enabled for the SSL client policy display ssl server-policy Syntax display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]...
  • Page 308: Handshake Timeout

    Session Cachesize: 500 Client-verify: disabled Table 46 Output description Field Description SSL Server Policy SSL server policy name PKI Domain PKI domain used by the SSL server policy Ciphersuite Cipher suites supported by the SSL server policy Handshake Timeout Handshake timeout time of the SSL server policy, in seconds Close mode of the SSL server policy, which can be: ...
  • Page 309: Pki-Domain

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] handshake timeout 3000 pki-domain Syntax pki-domain domain-name undo pki-domain View SSL server policy view, SSL client policy view Default level 2: System level Parameters domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters. Description Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.
  • Page 310: Server-Verify Enable

    Parameters rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
  • Page 311: Session

    By default, certificate-based SSL server authentication is enabled. Related commands: display ssl client-policy. Examples # Enable certificate-based SSL server authentication. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable session Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } * View SSL server policy view...
  • Page 312: Ssl Client-Policy

    ssl client-policy Syntax ssl client-policy policy-name undo ssl client-policy { policy-name | all } View System view Default level 2: System level Parameters policy-name: Specifies an SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al", or "all". all: Specifies all SSL client policies.
  • Page 313: Version

    You cannot delete an SSL server policy that has been associated with one or more application layer protocols. Related commands: display ssl server-policy. Examples # Create SSL server policy policy1 and enter its view. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] version Syntax...
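The sftp and sftp ipv6 preference keywords earlier in this chapter (prefer-kex dh-group1, the des cipher, the md5 and truncated -96 HMACs) and the SSL policy settings above (ciphersuite, client-verify, server-verify, the SSL 3.0 or TLS 1.0 version) are the places where a weak choice is made. The Python audit below is an added example written for this page, not device code or device output: it flags weak prefer-* choices in an sftp command line and parses a policy display into findings. The command line and the display text it consumes are constructed to mirror the page's keyword sets and the Table 46 field names, and the weak/acceptable classification is the editor's, not the vendor's.

```python
"""Audit of SSH (sftp) algorithm preferences and SSL policy settings, written
as an added example for this page. It is not device code: the sample command
line and policy display text are constructed to mirror the keyword sets and
output fields the page lists, and the "weak" classification is the editor's."""
from typing import Dict, List, Union

# Keywords from the sftp / sftp ipv6 syntax on this page. Value = (why, replacement).
SSH_AVOID: Dict[str, Dict[str, tuple]] = {
    "prefer-kex": {"dh-group1": ("1024-bit group", "dh-group14")},
    "prefer-ctos-cipher": {"des": ("56-bit key", "aes128"),
                           "3des": ("64-bit block", "aes128")},
    "prefer-stoc-cipher": {"des": ("56-bit key", "aes128"),
                           "3des": ("64-bit block", "aes128")},
    "prefer-ctos-hmac": {"md5": ("MD5", "sha1"), "md5-96": ("MD5, truncated", "sha1"),
                         "sha1-96": ("truncated tag", "sha1")},
    "prefer-stoc-hmac": {"md5": ("MD5", "sha1"), "md5-96": ("MD5, truncated", "sha1"),
                         "sha1-96": ("truncated tag", "sha1")},
}
# Suites from the ciphersuite command on this page.
SSL_AVOID = {"rsa_rc4_128_md5": "RC4 and MD5", "rsa_rc4_128_sha": "RC4",
             "rsa_des_cbc_sha": "56-bit DES"}
SSL_KEEP = ["rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"]


def audit_sftp_command(cmdline: str) -> List[str]:
    """Return one finding per weak prefer-* choice in an sftp command line."""
    tokens = cmdline.split()
    findings = []
    for i in range(len(tokens) - 1):
        keyword, value = tokens[i], tokens[i + 1]
        hit = SSH_AVOID.get(keyword, {}).get(value)
        if hit:
            why, better = hit
            findings.append(f"{keyword} {value}: {why}; use {better}")
    return findings


def parse_policy(text: str) -> Dict[str, Union[str, List[str]]]:
    """Parse 'Field: value' lines; an empty value starts an indented list."""
    fields: Dict[str, Union[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            fields[current].append(line.strip().lower())  # type: ignore[union-attr]
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            fields[key] = value
            current = None
        else:
            fields[key] = []
            current = key
    return fields


def audit_policy(fields: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Findings for a parsed SSL server or client policy."""
    findings = []
    if str(fields.get("SSL Version", "")).upper().startswith("SSL 3"):
        findings.append("SSL Version: SSL 3.0 is obsolete; use TLS")
    suites = fields.get("Ciphersuite", fields.get("Prefer Ciphersuite", []))
    if isinstance(suites, str):
        suites = [suites.lower()]
    weak = [f"{s} ({SSL_AVOID[s]})" for s in suites if s in SSL_AVOID]
    if weak:
        findings.append("Ciphersuite: " + ", ".join(weak)
                        + "; configure ciphersuite " + " ".join(SSL_KEEP))
    if str(fields.get("Client-verify", "")).lower() == "disabled":
        findings.append("Client-verify: disabled; client certificate is not checked (client-verify enable)")
    if str(fields.get("Server-verify", "")).lower() == "disabled":
        findings.append("Server-verify: disabled; server certificate is not checked (server-verify enable)")
    return findings


# Constructed sample: field names follow Table 46 on this page, values are made up.
SAMPLE_SERVER_POLICY = """\
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
  RSA_RC4_128_MD5
  RSA_AES_128_CBC_SHA
Handshake Timeout: 3600
Close mode: wait
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
"""

if __name__ == "__main__":
    for f in audit_sftp_command("sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-ctos-hmac md5"):
        print(f)
    for f in audit_policy(parse_policy(SAMPLE_SERVER_POLICY)):
        print(f)
```

Feed it the sftp lines from a saved running configuration and a captured display ssl server-policy or display ssl client-policy block; each finding names the command from this chapter that corrects it.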
  • Page 314: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Syntax display tcp status [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 315: Tcp Syn-Cookie Enable

    tcp syn-cookie enable Syntax tcp syn-cookie enable undo tcp syn-cookie enable View System view Default level 2: System level Parameters None Description Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the device against SYN Flood attacks. Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature.
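Why the SYN Cookie feature protects against SYN floods is not spelled out above, so here is the mechanism as a worked Python example written for this page (it is not the switch's implementation). It follows the classic construction by D. J. Bernstein: the SYN-ACK sequence number carries a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the 4-tuple, so the listener answers every SYN without queuing a half-open entry and rebuilds the connection only when the final ACK returns with that value plus one. The secret, the MSS table, the time unit and the addresses are assumptions for the example.

```python
"""SYN cookie construction, written as an added example for this page. It is
not the switch's implementation; it follows the classic scheme (D. J.
Bernstein): the SYN-ACK sequence number carries a 5-bit time counter, a 3-bit
MSS index and a 24-bit keyed hash, so the listener keeps no half-open state
and rebuilds the connection from the final ACK. Secret, MSS table, time unit
and sample addresses are assumptions for the example."""
import hashlib
import hmac
import random
from typing import Dict, Optional, Tuple

SECRET = b"constructed-example-secret"   # assumption: a real stack rotates this
MSS_TABLE = (536, 1220, 1440, 1460)      # 3-bit index; illustrative values
TIME_UNIT = 64                           # seconds per counter tick


def _hash24(saddr: str, sport: int, daddr: str, dport: int, counter: int) -> int:
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, sport: int, daddr: str, dport: int, mss: int, now: int) -> int:
    """ISN for the SYN-ACK: t (bits 27-31) | MSS index (24-26) | hash (0-23)."""
    t = (now // TIME_UNIT) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                      # largest table MSS not above the offered one
    return (t << 27) | (idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(cookie: int, saddr: str, sport: int, daddr: str, dport: int,
                 now: int, max_age_ticks: int = 2) -> Optional[int]:
    """Validate a returned cookie; return the negotiated MSS or None."""
    t = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    age = (((now // TIME_UNIT) & 0x1F) - t) & 0x1F   # modular, the counter wraps
    if age > max_age_ticks or idx >= len(MSS_TABLE):
        return None                                   # stale or malformed
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
        return None                                   # forged or wrong 4-tuple
    return MSS_TABLE[idx]


class Listener:
    """TCP listener that answers every SYN but stores nothing until the ACK."""

    def __init__(self, addr: str, port: int) -> None:
        self.addr, self.port = addr, port
        self.established: Dict[Tuple[str, int], int] = {}

    def on_syn(self, saddr: str, sport: int, mss: int, now: int) -> int:
        # The SYN-ACK ISN is the cookie; no half-open entry is created.
        return make_cookie(saddr, sport, self.addr, self.port, mss, now)

    def on_ack(self, saddr: str, sport: int, ack: int, now: int) -> bool:
        # The client acknowledges ISN + 1, so subtract one before checking.
        mss = check_cookie((ack - 1) & 0xFFFFFFFF, saddr, sport, self.addr, self.port, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def flood_demo(syn_count: int = 10000) -> int:
    """Spoofed SYNs that never complete, then one real handshake.
    Returns the number of established connections; the spoofed SYNs
    left no state behind because nothing was stored at on_syn time."""
    rng = random.Random(1)
    lis = Listener("192.168.0.1", 22)        # constructed addresses
    for _ in range(syn_count):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        lis.on_syn(src, rng.randrange(1024, 65536), 1460, 1000)
    isn = lis.on_syn("10.0.0.5", 40000, 1460, 1000)
    lis.on_ack("10.0.0.5", 40000, (isn + 1) & 0xFFFFFFFF, 1003)
    return len(lis.established)


if __name__ == "__main__":
    print(flood_demo())
```

The price of statelessness is visible in check_cookie: only a few MSS values survive the 3-bit index, and an ACK arriving more than max_age_ticks counter ticks later is rejected, which is why a stack normally uses cookies only while the SYN queue is under pressure.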
  • Page 316: Ip Source Guard Configuration Commands

    IP source guard configuration commands NOTE: In this chapter, the term Layer 3 Ethernet interface refers to Ethernet interfaces working in Layer 3 mode. For information about working mode switching, see the Layer 2—LAN Switching Configuration Guide. The A5500 SI Switch Series does not support Layer 3 Ethernet interfaces. display ip check source Syntax display ip check source [ ipv6 ] [ interface interface-type interface-number | ip-address ip-address | mac-...
  • Page 317: Display User-Bind

    With no parameters specified, the command displays the dynamic IPv4 IP source guard binding entries of all interfaces. On a switch in IRF mode, if you specify neither a port nor an IRF member, the command displays dynamic binding entries on all ports. For dynamic binding entries generated for a global interface (for example, a VLAN interface), the command displays only those on the master switch in the IRF fabric.
  • Page 318 View Any view Default level 1: Monitor level Parameters ipv6: Displays static IPv6 source guard binding entries. Without this keyword, the command displays static IPv4 binding entries. interface interface-type interface-number: Displays the static binding entries of the interface specified by its type and number.
  • Page 319: Ip Check Source

    2002::2 GE1/0/1 Static_IPv6 0002-0002-0022 GE1/0/1 Static_IPv6 Table 49 Output description Field Description Total entries found Total number of found entries MAC Address MAC address of the binding. N/A means that no MAC address is bound in the entry. IP Address IP address of the binding.
  • Page 320: User-Bind (Layer 2 Ethernet Port View)

    Examples # Configure dynamic IPv4 binding of packet source IP address and MAC address on Layer 2 Ethernet port GigabitEthernet 1/0/1 to filter packets based on the dynamically generated DHCP snooping entries. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] ip check source ip-address mac-address # Configure dynamic IPv4 binding of packet source IP address and MAC address on VLAN-interface 100 to filter packets based on the dynamically generated DHCP relay entries.
  • Page 321: User-Bind (System View)

    You cannot configure a static binding on a port in an aggregation group or a service loopback group. Related commands: display user-bind. Examples # Configure a static IPv4 source guard binding on port GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0001-0001 # Configure a static IPv6 source guard binding on port GigabitEthernet 1/0/1.
  • Page 322: User-Bind Uplink

    does not allow you to configure another global static binding with IP address 1.1.1.1 and MAC address 2-2-2. A global static binding applies to all the ports of the device. Global static bindings do not take effect on a port that has been configured with a port static binding, with the dynamic binding function, or as a global static binding exceptional port.
  • Page 323: Arp Attack Protection Configuration Commands

    NOTE: The interfaces mentioned in this document are Layer 3 interfaces in a generic sense and Ethernet interfaces operating in route mode (for the HP A5500 EI Switch Series only). For more information about the operating mode of the Ethernet interface, see the Layer 2—LAN Switching Configuration Guide.
  • Page 324: Arp Source-Suppression Limit

    View System view Default level 2: System level Parameters None Description Use the arp source-suppression enable command to enable the ARP source suppression function. Use the undo arp source-suppression enable command to disable the function. By default, the ARP source suppression function is disabled. Related commands: display arp source-suppression.
  • Page 325: Display Arp Source-Suppression

    <Sysname> system-view [Sysname] arp source-suppression limit 100 display arp source-suppression Syntax display arp source-suppression [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 326: Arp Packet Rate Limit Configuration Commands

    ARP packet rate limit configuration commands arp rate-limit Syntax arp rate-limit { disable | rate pps drop } undo arp rate-limit View Layer 2 Ethernet port view, Layer 2 aggregate interface view Default level 2: System level Parameters disable: Disables ARP packet rate limit. rate pps: Specifies the ARP packet rate in pps, in the range 5 to 100.
  • Page 327: Source Mac Address Based Arp Attack Detection Configuration Commands

    Description Use the arp rate-limit information command to set the interval for sending trap and log messages when ARP packet rate exceeds the threshold rate. Use the undo arp rate-limit information command to restore the default. By default, the interval is 60 seconds. NOTE: This command must work in cooperation with the arp rate-limit command.
  • Page 328: Arp Anti-Attack Source-Mac Aging-Time

    In monitor detection mode, the switch only displays a log message. If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled. Examples # Enable filter-mode source MAC address based ARP attack detection. <Sysname>...
  • Page 329: Arp Anti-Attack Source-Mac Threshold

    Parameters mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates that you can configure up to 10 protected MAC addresses. Description Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses that are excluded from ARP packet detection.
  • Page 330: Display Arp Anti-Attack Source-Mac

    display arp anti-attack source-mac Syntax display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Displays attacking MAC addresses detected on the interface. slot slot-number: Displays attacking MAC addresses detected on the specified device.
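The source MAC address based detection described on the preceding pages is a per-sender counter: ARP packets from one source MAC are counted over a detection window, a sender that exceeds the threshold is logged (monitor mode) or logged and filtered (filter mode), protected addresses from exclude-mac are never counted, and a detected sender ages out after the configured aging time. The Python model below is an added example written for this page, not the switch's code. The default threshold, window and aging values it uses, and the port and MAC addresses in the demo, are assumptions for the example rather than the device defaults.

```python
"""Source MAC address based ARP attack detection as a sliding-window counter,
written as an added example for this page (not device code). Threshold,
detection window and aging time defaults are assumptions for the example."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SourceMacArpGuard:
    def __init__(self, mode: str = "monitor", threshold: int = 30,
                 window_seconds: float = 5, aging_time: float = 300,
                 exclude_macs: Tuple[str, ...] = ()) -> None:
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be filter or monitor")
        self.mode = mode                  # arp anti-attack source-mac { filter | monitor }
        self.threshold = threshold        # arp anti-attack source-mac threshold
        self.window = window_seconds      # detection interval
        self.aging_time = aging_time      # arp anti-attack source-mac aging-time
        self.exclude = {m.lower() for m in exclude_macs}   # exclude-mac list
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)
        self._attackers: Dict[str, Tuple[str, float]] = {}  # mac -> (port, detected_at)
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        for mac, (_, detected_at) in list(self._attackers.items()):
            if now - detected_at >= self.aging_time:
                del self._attackers[mac]

    def observe(self, port: str, src_mac: str, now: float) -> str:
        """Process one ARP packet; return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        self._age_out(now)
        if src_mac in self.exclude:
            return "forward"                       # protected MAC, never counted
        if src_mac in self._attackers:
            return "drop" if self.mode == "filter" else "forward"
        window = self._seen[src_mac]
        window.append(now)
        while window and now - window[0] >= self.window:
            window.popleft()                       # keep only the current interval
        if len(window) > self.threshold:
            self._attackers[src_mac] = (port, now)
            self.log.append(f"ARP attack from {src_mac} on {port}: "
                            f"{len(window)} packets in {self.window}s ({self.mode} mode)")
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"

    def display(self) -> List[Tuple[str, str]]:
        """What display arp anti-attack source-mac would list: (MAC, port) pairs."""
        return sorted((mac, port) for mac, (port, _) in self._attackers.items())


if __name__ == "__main__":
    # Constructed traffic: one host floods ARP from GE1/0/2, the gateway is excluded.
    guard = SourceMacArpGuard(mode="filter", threshold=5, window_seconds=5,
                              aging_time=60, exclude_macs=("0001-0001-0001",))
    for i in range(8):
        print(i, guard.observe("GigabitEthernet1/0/2", "000a-000a-000a", i * 0.1))
    print(guard.display(), guard.log)
```

Monitor mode gives the same log line without the drop, which is the safe first step when the threshold has not been tuned for a segment; the exclude-mac list is where the gateway and any legitimately chatty server belong so that filter mode cannot cut them off.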
  • Page 331: Arp Packet Source Mac Address Consistency Check Configuration Commands

    ARP packet source MAC address consistency check configuration commands arp anti-attack valid-check enable Syntax arp anti-attack valid-check enable undo arp anti-attack valid-check enable View System view Default level 2: System level Parameters None Description Use the arp anti-attack valid-check enable command to enable ARP packet source MAC address consistency check on the gateway.
  • Page 332: Arp Detection Configuration Commands

    Parameters None Description Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function. Use the undo arp anti-attack active-ack enable command to restore the default. By default, the ARP active acknowledgement function is disabled. This feature is configured on gateway devices to identify invalid ARP packets. Examples # Enable the ARP active acknowledgement function.
  • Page 333: Arp Detection Trust

    arp detection trust Syntax arp detection trust undo arp detection trust View Layer 2 Ethernet port view, Layer 2 aggregate interface view Default level 2: System level Parameters None Description Use the arp detection trust command to configure the port as an ARP trusted port. Use the undo arp detection trust command to restore the default.
  • Page 334: Arp Restricted-Forwarding Enable

    Description Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line. Use the undo arp detection validate command to remove ARP detection objects. If no keyword is specified, all detection objects are removed.
  • Page 335: Display Arp Detection Statistics

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 336: Reset Arp Detection Statistics

    Description Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed. Examples # Display the ARP detection statistics of all the interfaces. <Sysname>...
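The ARP detection pages above describe four pieces that work together: user-bind and IP source guard supply IP/MAC/port bindings, arp detection trust exempts uplink ports, arp anti-attack valid-check requires the ARP body to agree with the Ethernet header, and display arp detection statistics counts what was discarded per port. The Python model below puts them in one place as an added example written for this page; it is not the switch's code, the drop reasons and check names are its own, and the binding from the user-bind example (192.168.0.1 on GigabitEthernet 1/0/1) is reused only as sample data. ND detection in the next chapter follows the same pattern with IPv6 addresses.

```python
"""Reference model of ARP detection on an access switch, written as an added
example for this page (not device code). It combines IP source guard style
bindings (user-bind: IP, MAC, port), ARP trusted ports, the source MAC
consistency check of arp anti-attack valid-check, and per-port discard
counters like those of display arp detection statistics. Check names and
drop reasons are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

BROADCAST_MAC = "ffff-ffff-ffff"
ZERO_MAC = "0000-0000-0000"
OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress Layer 2 port
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: int            # OP_REQUEST or OP_REPLY
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpDetection:
    # (sender IP, sender MAC) -> port. Static entries come from user-bind;
    # dynamic ones would come from DHCP snooping on a real switch.
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)
    trusted_ports: Set[str] = field(default_factory=set)   # arp detection trust
    valid_check: bool = False                               # arp anti-attack valid-check enable
    discards: Dict[str, int] = field(default_factory=dict)

    def user_bind(self, port: str, ip_address: str, mac_address: str) -> None:
        self.bindings[(ip_address, mac_address.lower())] = port

    def _drop(self, pkt: ArpPacket, reason: str) -> Tuple[bool, str]:
        self.discards[pkt.port] = self.discards.get(pkt.port, 0) + 1
        return False, reason

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (forward?, reason) for one ARP packet."""
        if pkt.port in self.trusted_ports:
            return True, "trusted port, not checked"
        sender_mac = pkt.sender_mac.lower()
        if self.valid_check:
            # Source MAC consistency: the ARP body must agree with the frame.
            if pkt.eth_src.lower() != sender_mac:
                return self._drop(pkt, "sender MAC differs from Ethernet source MAC")
            if pkt.op == OP_REPLY and pkt.eth_dst.lower() not in (BROADCAST_MAC, pkt.target_mac.lower()):
                return self._drop(pkt, "target MAC differs from Ethernet destination MAC")
        if sender_mac in (ZERO_MAC, BROADCAST_MAC):
            return self._drop(pkt, "invalid sender MAC")
        bound_port = self.bindings.get((pkt.sender_ip, sender_mac))
        if bound_port is None:
            return self._drop(pkt, "no binding for sender IP/MAC")
        if bound_port != pkt.port:
            return self._drop(pkt, f"binding is on {bound_port}, packet arrived on {pkt.port}")
        return True, "matches binding"

    def statistics(self) -> Dict[str, int]:
        """Discarded packets per port, as display arp detection statistics shows."""
        return dict(self.discards)


if __name__ == "__main__":
    # Constructed sample: the user-bind example's host plus a spoofing neighbour.
    det = ArpDetection(valid_check=True)
    det.user_bind("GigabitEthernet1/0/1", "192.168.0.1", "0001-0001-0001")
    det.trusted_ports.add("GigabitEthernet1/0/24")
    spoof = ArpPacket("GigabitEthernet1/0/2", "0002-0002-0002", BROADCAST_MAC, OP_REPLY,
                      "0002-0002-0002", "192.168.0.1", ZERO_MAC, "192.168.0.1")
    print(det.inspect(spoof), det.statistics())
```

The port in the binding matters as much as the IP/MAC pair: a packet with a correct pair arriving on the wrong port is the signature of a moved or cloned host, and it is discarded and counted like any other failure.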
  • Page 337: Arp Automatic Scanning And Fixed Arp Configuration Commands

    ARP automatic scanning and fixed ARP configuration commands arp fixup Syntax arp fixup View System view Default level 2: System level Parameters None Description Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
  • Page 338: Arp Gateway Protection Configuration Commands

    Default level 2: System level Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Description Use the arp scan command to enable ARP automatic scanning in the specified address range for neighbors.
  • Page 339: Arp Filtering Configuration Commands

    Default level 2: System level Parameters ip-address: Specifies the IP address of a protected gateway. Description Use the arp filter source command to enable ARP gateway protection for a specified gateway. Use the undo arp filter source command to disable ARP gateway protection for a specified gateway. By default, ARP gateway protection is disabled.
  • Page 340 Examples # Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2. <Sysname> system-view [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2...
  • Page 341: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands Source MAC consistency check commands ipv6 nd mac-check enable Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable View System view Default level 2: System level Parameters None Description Use the ipv6 nd mac-check enable command to enable source MAC consistency check for ND packets. Use the undo ipv6 nd mac-check enable command to disable source MAC consistency check for ND packets.
  • Page 342: Nd Detection Configuration Commands

    ND detection configuration commands display ipv6 nd detection Syntax display ipv6 nd detection [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 343: Display Ipv6 Nd Detection Statistics

    display ipv6 nd detection statistics Syntax display ipv6 nd detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Displays ND detection statistics for the interface identified by interface-type interface-number.
  • Page 344: Ipv6 Nd Detection Trust

    Default level 2: System level Parameters None Description Use the ipv6 nd detection enable command to enable ND detection in a VLAN to check ND packets for source spoofing. Use the undo ipv6 nd detection enable command to disable ND detection. By default, ND detection is disabled.
  • Page 345: Reset Ipv6 Nd Detection Statistics

    <Sysname> system-view [Sysname] interface bridge-Aggregation 1 [Sysname-Bridge-Aggregation1] ipv6 nd detection trust reset ipv6 nd detection statistics Syntax reset ipv6 nd detection statistics [ interface interface-type interface-number ] View User view Default level 2: System level Parameters interface interface-type interface-number: Clears the statistics of the interface identified by interface-type interface-number.
  • Page 346: Urpf Configuration Commands (Available Only On The A5500 Ei)

    NOTE:
    • The routing table size is decreased by half when URPF is enabled on the HP A5500 EI Switch Series.
    • To prevent loss of route entries and packets, you cannot enable URPF on the switch if the number of route entries the switch maintains exceeds half the routing table size.
  • Page 347: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category.
  • Page 348: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 349 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 350: Index

    Index A B C D E F G H I K L M N O P Q R S T U V authentication super,10 authorization command,11 aaa nas-id profile (available only on the A5500 EI),1 authorization default,11 access-limit,25 authorization lan-access,12 access-limit...
  • Page 351 dir,282 display public-key peer,208 display arp anti-attack source-mac,320 display radius scheme,39 display arp detection,324 display radius statistics,42 display arp detection statistics,325 display sftp client source,283 display arp source-suppression,315 display ssh client source,271 display connection,17 display ssh server,264 display domain,19 display ssh server-info,271 display dot1x,96...
  • Page 352 fqdn,231 nas device-id (available only on the A5500 EI),47 nas-backup-ip (available only on the A5500 EI),48 nas-id bind vlan (available only on the A5500 EI),23 get,284 nas-ip (HWTACACS scheme view),78 group,32 nas-ip (RADIUS scheme view),49 habp client vlan,203 organization,233 habp enable,204 organization-unit,233 habp server...
  • Page 353 portal auth-network (available only on the A5500 proposal,256 EI),143 public-key local create,212 portal backup-group (available only on the A5500 public-key local destroy,213 EI),144 public-key local export dsa,213 portal delete-user,144 public-key local export rsa,214 portal domain,145 public-key peer,215 portal free-rule,146 public-key peer import sshkey,216 portal local-server,147...
  • Page 354 retry stop-accounting (RADIUS scheme view),60 state secondary,66 rmdir,289 state(local user view),36 root-certificate fingerprint,240 stop-accounting-buffer enable (HWTACACS scheme view),86 rule (PKI CERT ACP view),241 stop-accounting-buffer enable (RADIUS scheme view),67 authentication-hex,258 encryption-hex,259 tcp syn-cookie enable,305 spi,260 timer quiet (HWTACACS scheme view),87 string-key,261 timer quiet (RADIUS scheme view),67 secondary accounting (HWTACACS scheme...

This manual is also suitable for:

A5500 si
