HP FlexFabric 7900 Switch Series
Security Command Reference
Part number: 5998-4296
Software version: Release 2109
Document version: 6W100-20140122
...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
ike keychain 163
ike limit 163
ike nat-keepalive 164
ike profile 165
ike proposal 165
keychain 166
local-identity 167
match local address (IKE keychain view) 168
...
... 221
fips mode enable 221
fips self-test 223
Support and other resources 225
Contacting HP 225
Subscription service 225
Related information 225
Documents 225
...
AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4

accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles
...
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
...
RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
undo authentication login
Default
The default authentication method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
...
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
...
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
• authorization accounting (Fundamentals Command Reference)
...
Usage guidelines
The default authorization method is used for all users who support this method and for whom no specific authorization method is configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one authorization method and multiple backup authorization methods.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute idle-cut minute [ flow ]
undo authorization-attribute idle-cut
Default
No authorization attribute is configured for users in the ISP domain and the idle cut function is disabled.
Views
ISP domain view
Predefined user roles
...
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
If no ISP domain is specified, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domain(s)
Domain: system
State: Active
...
Usage guidelines
All ISP domains are in active state when they are created.
The system has a predefined ISP domain named system. You can modify but not remove its configuration.
To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
• display domain
• domain

state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Local user commands

access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
...
Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users.
FTP, SFTP, or SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory.
The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Related commands
• display local-user
• display user-group

display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
...
Bind Attributes:
Authorization Attributes:
  Work Directory: flash:
  User Role List: network-admin
Password control configurations:
  Password aging: Enabled (3 days)

Table 2 Command output
Field           Description
State           Status of the local user: active or blocked.
Service Type    Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
display user-group
Use display user-group to display the user group configuration.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If no user group name is specified, the command displays the configuration of all user groups.
Field                   Description
Password length         This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition    This field appears only when password composition checking is enabled. It also displays the following information in parentheses:
•...
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class manage ]
undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }
Default
No local user exists.
Syntax
In non-FIPS mode:
password [ { hash | simple } password ]
undo password
In FIPS mode:
password
Default
• In non-FIPS mode, there is no password configured for a local user and a local user can pass authentication after entering the correct username and passing attribute checks.
• In FIPS mode, there is no password configured for a local user and a local user cannot pass
...
[Sysname-luser-manage-test] password
Password:
Confirm :
Related commands
• display local-user
• local-user password-display-mode

service-type
Use service-type to specify the service types that a local user can use.
Use undo service-type to delete service types configured for a local user.
Syntax
In non-FIPS mode:
service-type { ftp | { ssh | telnet | terminal } * }
undo service-type { ftp | { ssh | telnet | terminal } * }
...
Related commands
display local-user

state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
...
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme

display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Accounting-On function : Enabled
  retransmission times
  retransmission interval(seconds)
Timeout Interval(seconds)
Retransmission Times
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes)
Realtime Accounting Interval(minutes) : 22
NAS IP Address : 1.1.1.1
User Name Format : with-domain
------------------------------------------------------------------

Table 4 Command output
Field    Description
Index    ...
Field                      Description
Account Update             Number of accounting update packets.
Account Stop               Number of stop-accounting packets.
Terminate Request          Number of packets for logging off users forcibly.
Set Policy                 Number of packets for updating user authorization information.
Packet With Response       Number of packets for which responses were received.
Packet Without Response    Number of packets for which no responses were received.
A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.
If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device when the physical port of the outbound interface fails. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535.
• secondary authentication (RADIUS scheme view)

radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.
Syntax
radius nas-ip ipv4-address
undo radius nas-ip ipv4-address
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Use undo radius session-control enable to restore the default.
Syntax
radius session-control enable
undo radius session-control enable
Default
The session-control feature is disabled and the UDP port 1812 is closed.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
• If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
•...
with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds.
In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
Make sure that the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.
undo secondary authentication [ ipv4-address [ port-number ] ]
Default
No secondary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535.
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
Related commands
• display radius scheme
...
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
Syntax
snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All types of notifications for RADIUS are enabled.
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
...
Syntax
state secondary { accounting | authentication } [ ipv4-address [ port-number ] ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval. When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Related commands
display hwtacacs scheme

display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Username Format : with-domain
------------------------------------------------------------------

Table 7 Command output
Field                    Description
Index                    Index number of the HWTACACS scheme.
Primary Auth Server      Primary HWTACACS authentication server.
Primary Author Server    Primary HWTACACS authorization server.
Primary Acct Server      Primary HWTACACS accounting server.
Secondary Auth Server    Secondary HWTACACS authentication server.
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Predefined user roles
network-admin
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time.
You can configure up to 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter its view.
A plaintext shared key is a string of 1 to 255 characters.
• In FIPS mode:
A ciphertext shared key is a string of 15 to 373 characters.
A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
Usage guidelines
Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.
TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings. You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
Examples
# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
•...
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server. If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain.
Password control commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display password-control
Use display password-control to display password control configuration.
Password composition: Enabled (1 types, 1 characters per type)

Table 9 Command output
Field               Description
Password control    Whether the password control feature is enabled.
Password aging      Whether password expiration is enabled and, if enabled, the expiration time.
Password length     Whether the minimum password length restriction function is enabled and, if enabled, the setting.
ip ipv4-address: Specifies the IPv4 address of a user.
Usage guidelines
With no arguments provided, this command displays information about all users in the password control blacklist.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist.
Views
System view
Predefined user roles
network-admin
Parameters
aging: Enables the password expiration function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Usage guidelines
To enable a specific password control function, first enable the global password control feature.
The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting, and the password expiration time for a local user equals that of the user group to which the local user belongs.
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
The default is 7 days.
Views
System view, user group view, local user view
Predefined user roles
network-admin
Parameters
same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view: The policy in system view has global significance and applies to all user groups.
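The complexity and composition rules described above (same-character, user-name, type-number, type-length and minimum length) can be checked offline, for example when auditing candidate passwords before they are configured on a device. The following Python is an added example written for this page; it is not HP code and does not reproduce the device's implementation. The four character types (digits, uppercase, lowercase, special) follow the shared-key descriptions in this reference; treating type-length as "a type counts only if it has at least that many characters" is an assumption of the example, and the FIPS minimum length used in FIPS_POLICY is a constructed value, since this page states the FIPS default only for the number of types.

```python
import string


# Character types counted by the composition policy: digits, uppercase letters,
# lowercase letters, and special characters (everything else).
def count_character_types(password):
    counts = {"digit": 0, "upper": 0, "lower": 0, "special": 0}
    for ch in password:
        if ch in string.digits:
            counts["digit"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        else:
            counts["special"] += 1
    return counts


def has_repeated_run(password, run_length=3):
    """same-character rule: a character appears consecutively run_length or more times."""
    for i in range(len(password) - run_length + 1):
        if len(set(password[i:i + run_length])) == 1:
            return True
    return False


def contains_username(password, username):
    """user-name rule: the password contains the username or the reversed username."""
    return bool(username) and (username in password or username[::-1] in password)


def check_password(password, username, min_length=10, type_number=1,
                   type_length=1, same_character=True, user_name=True):
    """Return the list of violated checks; an empty list means the password is accepted.

    Assumption of this example: a character type counts toward type_number only
    when the password contains at least type_length characters of that type.
    """
    violations = []
    if len(password) < min_length:
        violations.append("length")
    counts = count_character_types(password)
    satisfied = [t for t, n in counts.items() if n >= type_length]
    if len(satisfied) < type_number:
        violations.append("composition")
    if same_character and has_repeated_run(password):
        violations.append("same-character")
    if user_name and contains_username(password, username):
        violations.append("user-name")
    return violations


# Global defaults stated in the reference: non-FIPS needs one character type and a
# 10-character minimum length; FIPS needs four types. The FIPS min_length below is a
# constructed value for this example, not a value taken from the reference.
NON_FIPS_POLICY = {"min_length": 10, "type_number": 1, "type_length": 1}
FIPS_POLICY = {"min_length": 15, "type_number": 4, "type_length": 1}

if __name__ == "__main__":
    # Constructed sample inputs, including the two rejections the reference describes.
    samples = [("aaabc", "bob", NON_FIPS_POLICY),
               ("abc123", "123", NON_FIPS_POLICY),
               ("Tr0ub4dor&3xyzQ", "alice", FIPS_POLICY)]
    for pw, user, policy in samples:
        print(pw, "->", check_password(pw, user, **policy) or "accepted")
```

The checks are reported as a list rather than a single boolean so an operator can see every rule a candidate fails at once; on the device only the first failure is visible when a password is rejected.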
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A specific password control function takes effect only after the global password control feature is enabled.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Related commands
• display password-control
• password-control history enable
• reset password-control blacklist

password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters.
<Sysname> system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control length 16
Related commands
...
Related commands display password-control password-control login-attempt Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo password-control login-attempt...
• If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
• If no policy is configured for the user group, the system uses the global policy.
...
• display password-control
• display password-control blacklist
• display user-group
• reset password-control blacklist

password-control super aging
Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
In FIPS mode, a super password must contain at least four character types and at least one character for each type. Views System view Predefined user roles network-admin Parameters type-number type-number: Specifies the minimum number of character types that a super password must contain.
Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 16 characters. <Sysname>...
reset password-control blacklist Use reset password-control blacklist to remove a specified user or all users from the password control blacklist. Syntax reset password-control blacklist [ user-name name ] Views User view Predefined user roles network-admin Parameters user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters.
Usage guidelines With no arguments or keywords specified, this command deletes the history password records of all local users. Without the role role name option, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm). <Sysname>...
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
# Display all local DSA public keys.
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8
3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74
0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7
15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A
# Display all local ECDSA public keys.
<Sysname> display public-key local ecdsa public
=============================================
Key name: ecdsakey (default)
Key type: ECDSA
Time when key pair created: 15:42:04 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF
68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12...
# Display the public key of the local ECDSA key pair ecdsa1.
<Sysname> display public-key local ecdsa public name ecdsa1
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
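The "Key code" that display public-key local public prints is the DER-encoded SubjectPublicKeyInfo of the key, as a hex string. The following is an added Python example, not code from the HP document or the device, that parses the two RSA key codes shown above (serverkey and rsa1, copied from the page), reports the modulus size and public exponent, and derives the same SHA256 fingerprint that ssh-keygen -l would print for the exported key, so the host key can be verified out of band before a client trusts it. The 2048-bit acceptance threshold is this example's own policy; the page only states that the device generates RSA moduli of up to 2048 bits.

```python
"""Audit the RSA public keys that `display public-key local public` prints as
"Key code" (DER-encoded SubjectPublicKeyInfo, hex). Added example; not code
from the HP document or the device. Standard library only."""
import base64
import hashlib

# Key codes copied from the display output on this page (local RSA keys
# serverkey and rsa1). The page wraps them at 74 hex digits; joined here.
KEY_CODES = {
    "serverkey": (
        "307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442"
        "762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64"
        "DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E"
        "9D85C13413996ECD093B0203010001"
    ),
    "rsa1": (
        "30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D"
        "426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA"
        "1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7"
        "9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03"
        "92D8C6D940890BF4290203010001"
    ),
}

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(hexcode):
    """Return (n, e) from an rsaEncryption SubjectPublicKeyInfo in hex."""
    spki = bytes.fromhex(hexcode)
    tag, body, end = der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg_id, pos = der_read(body, 0)                  # AlgorithmIdentifier
    oid_tag, oid, _ = der_read(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = der_read(body, pos)              # subjectPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = der_read(bit_string, 1)               # RSAPublicKey SEQUENCE
    _, n_bytes, pos = der_read(rsa_key, 0)                # modulus INTEGER
    _, e_bytes, _ = der_read(rsa_key, pos)                # publicExponent INTEGER
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                           # keep the mpint positive
        b = b"\x00" + b
    return _ssh_string(b)


def openssh_fingerprint(n, e):
    """SHA256 fingerprint of the ssh-rsa wire blob, as ssh-keygen -l prints it."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_key(name, hexcode, min_bits=2048):
    """min_bits=2048 is this example's policy, not a value from the page."""
    n, e = parse_rsa_spki(hexcode)
    return {
        "name": name,
        "bits": n.bit_length(),
        "exponent": e,
        "fingerprint": openssh_fingerprint(n, e),
        "acceptable": n.bit_length() >= min_bits and e >= 65537,
    }


if __name__ == "__main__":
    for name, code in KEY_CODES.items():
        r = audit_key(name, code)
        status = "OK" if r["acceptable"] else "WEAK: regenerate"
        print(f"{r['name']:10} RSA-{r['bits']} e={r['exponent']} {r['fingerprint']} {status}")
```

Run against the page's own output, the script shows that serverkey is a 768-bit RSA key and rsa1 a 1024-bit one; both are below the threshold used here, and the fingerprint column is what you compare against the value your SSH client displays on first connection.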
display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
Field Description
Key code  Public key string.

# Display brief information about all peer public keys.
<Sysname> display public-key peer brief
Type Modulus Name
---------------------------
1024 idrsa
1024 10.1.1.1
Table 14 Command output
Field Description
Type  Key type: RSA, DSA or ECDSA.
Modulus  Key modulus length in bits.
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
• display public-key local public
• display public-key peer
• public-key peer

public-key local create
Use public-key local create to create local asymmetric key pairs.
Syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
Default...
The key pairs are automatically saved and can survive system reboots. Table 16 A comparison of different types of asymmetric key pairs Type Number of key pairs Modulus length HP recommendation • In non-FIPS mode: If you specify a key pair name, the •...
.++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
...+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2013/05/12"
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw
vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd
MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo=
---- END SSH2 PUBLIC KEY ----...
Related commands
• public-key local create
• public-key peer import sshkey

public-key local export rsa
Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
Syntax
In non-FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]...
On the peer device, use the public-key peer import sshkey command to import the host public key from the file. SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key.
IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
received algorithm against all its local algorithms until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one AH authentication algorithm in common. Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1.
Predefined user roles network-admin network-operator Parameters policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies.
ESP SPI: 12345 (0x00003039) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 17 Command output Field Description IPsec Policy IPsec policy name. Interface Interface applied with the IPsec policy. Sequence number Sequence number of the IPsec policy entry. Negotiation mode of the IPsec policy: •...
Related commands ipsec policy display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ] Views Any view Predefined user roles network-admin...
Field Description Stateful failover status of the IPsec SA: active or backup. Status In standalone mode, this field displays –. # Display the number of IPsec SAs. <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname>...
Field Description
Encapsulation mode  Encapsulation mode, transport or tunnel.
Perfect Forward Secrecy  Perfect forward secrecy (PFS) used by the IPsec policy for negotiation:
• 768-bit Diffie-Hellman group (dh-group1)
• 1024-bit Diffie-Hellman group (dh-group2)
• 1536-bit Diffie-Hellman group (dh-group5)
• 2048-bit Diffie-Hellman group (dh-group14)
•...
display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets. <Sysname>...
Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. Usage guidelines IPsec transmits data in a secure channel established between two endpoints (such as two security gateways).
Field Description
Perfect Forward Secrecy  Perfect forward secrecy (PFS) used by the IPsec policy for negotiation:
• 768-bit Diffie-Hellman group (dh-group1)
• 1024-bit Diffie-Hellman group (dh-group2)
• 1536-bit Diffie-Hellman group (dh-group5)
• 2048-bit Diffie-Hellman group (dh-group14)
• 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24)
SA's SPI  SPIs of the inbound and outbound SAs.
IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications. •...
Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure •...
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key (56 effective key bits; DES is considered weak and should not be selected for new deployments). null: Uses the NULL algorithm, which means encryption is not performed. Usage guidelines You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
Usage guidelines The IKE profile referenced by an IPsec policy defines the parameters used for IKE negotiation. An IPsec policy can reference only one IKE profile, and an IKE profile that is already referenced by one IPsec policy cannot be referenced by another. Examples # Specify IPsec policy policy1 to reference IKE profile profile1.
Related commands
ipsec anti-replay window

ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles...
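What the anti-replay window size controls, as an added Python example (not code from the HP document or the device's implementation): a receiver-side sliding window of the kind described in RFC 4303 Appendix A, with the page's default width of 64. It accepts new sequence numbers, accepts late packets that still fall inside the window, and drops replays and packets older than the window. The arrival order fed to it is constructed for illustration, not captured traffic, and shows why a narrow window drops legitimately reordered packets.

```python
"""Sliding-window anti-replay check of the kind ipsec anti-replay window
configures (bitmap scheme in the style of RFC 4303 Appendix A). Added example;
not device code. Sequence numbers below are constructed, not captured."""


class AntiReplayWindow:
    def __init__(self, width=64):             # 64 is the default stated on the page
        if width < 32:
            raise ValueError("RFC 4303 requires support for a window of at least 32")
        self.width = width
        self.top = 0                           # highest sequence number accepted so far
        self.bitmap = 0                        # bit i set <=> sequence top - i already seen

    def check_and_update(self, seq):
        """Return True if seq is new and within the window, and record it."""
        if seq == 0:                           # ESP/AH sequence numbers start at 1
            return False
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.width:                 # older than the window: drop
            return False
        if (self.bitmap >> back) & 1:          # already seen: replay, drop
            return False
        self.bitmap |= 1 << back               # late but new: accept and mark
        return True


def replay_decisions(seqs, width=64):
    """Run an arrival sequence through one window; return [(seq, accepted), ...]."""
    window = AntiReplayWindow(width)
    return [(s, window.check_and_update(s)) for s in seqs]


# Constructed arrival order: in-order start, a replayed packet, a jump to 100
# (for example after QoS reordering), then late packets inside and outside the
# window, and a replay of an already accepted late packet.
SAMPLE_ARRIVALS = [1, 2, 3, 2, 100, 40, 36, 40, 37, 101]

if __name__ == "__main__":
    for seq, ok in replay_decisions(SAMPLE_ARRIVALS):
        print(f"seq {seq:4}: {'accept' if ok else 'DROP'}")
```

With width 64 and top at 100, sequence 40 (60 behind) is still accepted while 36 (64 behind) is dropped; with width 32, 40 would be dropped as well. That is the trade-off the command sets: a wider window tolerates more reordering on the path, a narrower one bounds how long an attacker can hold and re-inject a captured packet.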
IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces. However, HP recommends that you apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. Packets that fail the check are discarded. Examples # Enable ACL checking for de-encapsulated IPsec packets. <Sysname> system-view [Sysname] ipsec decrypt-check enable ipsec logging packet enable Use ipsec logging packet enable to enable logging for IPsec packets.
Views Interface view Predefined user roles network-admin Parameters clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented. copy: Copies the DF bit of the original IP headers to the outer IP headers. set: Sets the DF bit for outer IP headers.
Parameters clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented. copy: Copies the DF bit of the original IP headers to the outer IP headers. set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
• You cannot change the SA setup mode of an existing IPsec policy.
• An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
A source interface can be bound to multiple IPsec policies. HP recommends that you use a stable interface, such as a Loopback interface, as a source interface. Examples # Bind the IPsec policy map to source interface Loopback 1 1.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires. Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view. The device prefers the IPsec SA lifetimes configured in IPsec policy view over the global IPsec SA lifetimes.
Examples
# Set the IPsec SA idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec sa idle-time 600
Related commands
• display ipsec sa
• sa idle-time

ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view. Use undo ipsec transform-set to delete an IPsec transform set.
Syntax local-address ipv4-address undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. Views IPsec policy view Predefined user roles network-admin Parameters ipv4-address: Specifies the local IPv4 address for the IPsec tunnel. Usage guidelines The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Predefined user roles network-admin Parameters dh-group1: Uses the 768-bit Diffie-Hellman group. dh-group2: Uses the 1024-bit Diffie-Hellman group. dh-group5: Uses the 1536-bit Diffie-Hellman group. dh-group14: Uses the 2048-bit Diffie-Hellman group. dh-group24: Uses the 2048-bit Diffie-Hellman group with a 256-bit subgroup. Usage guidelines In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1). The 768-bit and 1024-bit groups (dh-group1 and dh-group2) no longer meet current key-strength recommendations; prefer dh-group14 or dh-group24 whenever the peer supports them.
ah: Specifies the AH protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] protocol ah qos pre-classify Use qos pre-classify to enable the QoS pre-classify feature.
Default No remote IP address is specified for the IPsec tunnel. Views IPsec policy view Predefined user roles network-admin Parameters hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server. ipv4-address: Specifies a remote IPv4 address.
Examples # Clear all IPsec SAs. <Sysname> reset ipsec sa # Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH. <Sysname> reset ipsec sa spi 10.1.1.2 ah 123 # Clear all IPsec SAs for the remote IP address 10.1.1.2.
Default The SA lifetime of an IPsec policy is the current global SA lifetime. Views IPsec policy view Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time...
Views IPsec policy view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a Security parameters index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies.
Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key. key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters.
Default An IPsec policy references no ACL. Views IPsec policy view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation.
Examples To enable SNMP notifications when an IPsec tunnel is created, execute the following commands: # Enable SNMP notifications for IPsec globally. <Sysname> system-view [Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start transform-set Use transform-set to reference an IPsec transform set for an IPsec policy.
Related commands
• ipsec policy
• ipsec transform-set
IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method pre-share undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin...
In FIPS mode: dh group14 undo dh Default In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group.
Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals. <Sysname>...
Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000. remote-address remote-address: Displays detailed information about IKE SAs with the specified remote address. Usage guidelines If you do not specify any parameter, the command displays a summary about all IKE SAs. Examples # Display information about the current IKE SAs.
Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected # Display detailed information about the IKE SA with the remote address of 4.4.4.5. <Sysname> display ike sa verbose remote-address 4.4.4.5 --------------------------------------------- Connection ID: 2 Profile: prof1...
Field Description
Authentication-method  Authentication method used by the IKE proposal.
Authentication-algorithm  Authentication algorithm used by the IKE proposal:
• MD5 (HMAC-MD5 algorithm)
• SHA1 (HMAC-SHA1 algorithm)
Encryption-algorithm  Encryption algorithm used by the IKE proposal.
Life duration(sec)  Lifetime of the IKE SA in seconds.
Remaining key duration(sec)  Remaining lifetime of the IKE SA in seconds.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply. It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends that you set the IKE negotiation mode to aggressive at the local end. Keep in mind that aggressive mode exchanges the identity payloads and the hash derived from the pre-shared key before encryption is in place, so an eavesdropper can attempt an offline dictionary attack against the key; if you choose aggressive mode, use a long, random pre-shared key.
Examples # Specify that IKE negotiation operates in main mode. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] exchange-mode main Related commands display ike proposal ike dpd Use ike dpd to enable sending DPD messages. Use undo ike dpd to disable the DPD feature. Syntax ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic } undo ike dpd interval...
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
<Sysname> system-view
[Sysname] ike dpd interval 10 retry 5 on-demand
Related commands

ike identity
Use ike identity to specify the global identity used by the local end during IKE negotiations. Use undo ike identity to remove the configuration and restore the default.
ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to restore the default. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable Default SPI recovery is disabled. Views System view Predefined user roles network-admin Usage guidelines...
Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function, unless IKE DPD is not supported on the peer.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval. Examples # Set the keepalive timeout time to 20 seconds.
Use undo ike limit to restore the default. Syntax ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of IKE SAs. Views System view Predefined user roles network-admin Parameters...
Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300. Usage guidelines This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
undo ike proposal proposal-number
Default
The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings:
• Encryption algorithm: DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.
•...
Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains.
Parameters address ipv4-address: Uses an IPv4 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2. Examples # Create IKE profile prof1.
To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
simple-key: Specifies a plaintext key. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters. cipher: Specifies a pre-shared key in cipher text.
Usage guidelines To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.
Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6> undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535.
Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs:
Connection-ID Remote Flag
----------------------------------------------------------
202.38.0.2 RD|ST IPSEC
202.38.0.3 RD|ST IPSEC
Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT...
Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Views System view Predefined user roles network-admin Parameters attr-not-support: Specifies SNMP notifications for attribute-unsupported failures. auth-failure: Specifies SNMP notifications for authentication failures. cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures. cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures. decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures.
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description
SSH server key generating interval: SSH server key pair update interval.
SSH authentication retries: Maximum number of authentication attempts for SSH users.
SFTP server: Whether the SFTP server function is enabled.
SFTP server Idle-Timeout: SFTP connection idle timeout timer.
# Display the SSH server sessions.
Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Predefined user roles network-admin Examples # Enable the SFTP server function.
<Sysname> system-view
[Sysname] sftp server enable
Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
Syntax ssh server acl acl-number undo ssh server acl Default An SSH server allows all IPv4 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL number in the range of 2000 to 4999. Usage guidelines You can use this command to filter the IPv4 SSH clients' request packets by referencing an ACL: If the ACL has rules configured, only the IPv4 SSH clients whose request packets match the permit...
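The following is an added example, not Comware code and not from this reference, that models how the ssh server acl command filters IPv4 SSH clients. It implements a basic ACL whose rules use Comware-style source/wildcard pairs evaluated in configuration order, and the rule the page states: when the ACL has rules, only clients matching a permit rule are accepted. The ACL number, rule contents and client addresses are constructed; the no-rules behaviour (accept everyone) is an assumption, because the page is cut off before stating it.

```python
"""Model of ssh server acl filtering. Added example, not Comware code.

Assumption: an ACL with no rules (or no ACL at all) accepts every client;
the page only describes the rules-present case.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    source: str                  # IPv4 address in dotted notation
    wildcard: str = "0.0.0.0"    # wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, client_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(client_ip))
        src = int(ipaddress.IPv4Address(self.source))
        dont_care = int(ipaddress.IPv4Address(self.wildcard))
        care = 0xFFFFFFFF ^ dont_care
        return (ip & care) == (src & care)


@dataclass
class Acl:
    number: int                  # ssh server acl accepts 2000 to 4999
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 2000 <= self.number <= 4999:
            raise ValueError("acl-number must be in the range 2000 to 4999")
        for r in self.rules:
            if r.action not in ("permit", "deny"):
                raise ValueError("rule action must be permit or deny")


def ssh_client_allowed(acl: Optional[Acl], client_ip: str) -> bool:
    """Decide whether an SSH connection request from client_ip is accepted.

    No ACL, or an ACL without rules: accept (assumption, see docstring).
    Rules present: the first matching rule decides; a client matching no
    rule is rejected, because only permit matches are accepted.
    """
    if acl is None or not acl.rules:
        return True
    for rule in acl.rules:
        if rule.matches(client_ip):
            return rule.action == "permit"
    return False


# Constructed configuration, equivalent in spirit to:
#   acl number 2001
#    rule 0 deny source 10.1.1.99 0
#    rule 5 permit source 10.1.1.0 0.0.0.255
#   ssh server acl 2001
MGMT_ACL = Acl(2001, [
    Rule("deny", "10.1.1.99"),                 # one blocked host inside the subnet
    Rule("permit", "10.1.1.0", "0.0.0.255"),   # the rest of the management subnet
])


def filter_clients(acl: Optional[Acl], clients: List[str]) -> Dict[str, bool]:
    """Return {client_ip: accepted} for a batch of constructed connection attempts."""
    return {ip: ssh_client_allowed(acl, ip) for ip in clients}


if __name__ == "__main__":
    for ip, ok in filter_clients(MGMT_ACL, ["10.1.1.5", "10.1.1.99", "192.0.2.7"]).items():
        print(f"{ip:<12} {'accept' if ok else 'reject'}")
```

Rule order matters: the deny for 10.1.1.99 sits before the subnet permit, so that host is rejected even though it also matches the permit. A client from outside the subnet matches no rule and is rejected, which is the implicit deny the page describes.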
Views System view Predefined user roles network-admin Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Usage guidelines Set this limit to slow brute-force guessing of usernames and passwords. The setting takes effect only for users who log in after it is configured.
Usage guidelines If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended. Examples # Set the SSH user authentication timeout timer to 10 seconds.
Use undo ssh server dscp to restore the default. Syntax ssh server dscp dscp-value undo ssh server dscp Default The DSCP value in IPv4 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
Related commands display ssh server ssh server rekey-interval Use ssh server rekey-interval to set an interval for updating the RSA server key pair. Use undo ssh server rekey-interval to restore the default. Syntax ssh server rekey-interval hours undo ssh server rekey-interval Default The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair.
undo ssh user username In FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname } undo ssh user username Default No SSH users exist. Views System view Predefined user roles network-admin Parameters...
If the authentication method is password, you do not need to execute this command to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management. If you use the ssh user command to configure a host public key for a user who has already had a host public key, the new one overwrites the old one.
Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the exit and quit commands. Examples # Terminate the connection with the SFTP server.
sftp> bye
<Sysname>
Use cd to change the working path on an SFTP server. Syntax cd [ remote-path ] Views...
Predefined user roles network-admin Example # Return to the upper-level directory from the current working directory /test1.
sftp> cd test1
Current Directory is:/test1
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>...
Parameters -a: Displays the names of the files and sub-directories under a directory. -l: Displays detailed information about the files and sub-directories under a directory in the form of a list. remote-path: Specifies the name of the directory to be queried. If this argument is not specified, the command displays detailed information about the files and sub-directories under the current working directory.
Examples # Display the source IP address configured for the SFTP client.
<Sysname> display sftp client source
The source IP address of the SFTP client is 192.168.0.1
Related commands sftp client source display ssh client source Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.
Use get to download a file from an SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file.
dir [-a|-l][path]             Display remote directory listing
  -a                          List all filenames
  -l                          List filename including the specific information of the file
exit                          Quit sftp
get remote-path [local-path]  Download file
help                          Display this help text
ls [-a|-l][path]              Display remote directory
  -a                          List all filenames
  -l                          List filename including the specific information of the file
mkdir path                    Create remote directory...
pubkey2
pubkey1
pub1
new1
new2
pub2
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp> ls -l
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx...
Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. Usage guidelines If the remote-file argument is not specified, the file will be remotely saved with the same name as the local one.
sftp> quit
<Sysname>
remove Use remove to delete the specified files from an SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from an SFTP server. Usage guidelines This command functions as the delete command. Examples # Delete the file temp.c from the SFTP server.
rmdir Use rmdir to delete the specified directories from an SFTP server. Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies the directories to delete from an SFTP server. Examples # Delete the sub-directory temp1 under the current directory on the SFTP server. sftp>...
put: Uploads the file. source-file-path: Specifies the directory of the source file. destination-file-path: Specifies the directory of the target file. If this argument is not specified, the source and target files have the same directory name. identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
ip ip-address: Specifies a source IPv4 address. Usage guidelines When the client's authentication method is publickey, the client must get the local private key for digital signature. Because the publickey authentication uses either RSA or DSA algorithm, you must specify an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
dsa: Specifies the public key algorithm dsa.
rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm.
specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key. Examples # Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication.
Examples # Specify the source IP address for the SFTP client as 192.168.0.1.
<Sysname> system-view
[Sysname] sftp client source ip 192.168.0.1
Related commands display sftp client source ssh client source Use ssh client source to specify the source IPv4 address or source interface for the Stelnet client. Use undo ssh client source to remove the configuration.
sha1: Specifies the HMAC algorithm hmac-sha1.
sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 (a 2048-bit MODP group) features stronger security but costs more time in calculation than dh-group1 (a 1024-bit MODP group).
IP source guard commands The IP source guard function is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
slot slot-number: Displays IPv4 source guard binding entries for a card. The slot-number argument specifies the number of the slot that holds the card. (In standalone mode.) chassis chassis-number slot slot-number: Displays IPv4 source guard binding entries for a card on an IRF member device.
ip source binding (interface view) Use ip source binding to configure a static IPv4 source guard binding entry on an interface. Use undo ip source binding to remove the static IPv4 source guard binding entries configured on an interface. Syntax ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address...
Related commands display ip source binding, ip source binding (system view)
ip source binding (system view) Use ip source binding to configure a global static IPv4 source guard binding entry. Use undo ip source binding to remove one or all global static IPv4 source guard binding entries. Syntax ip source binding ip-address ip-address mac-address mac-address undo ip source binding { all | ip-address ip-address mac-address mac-address }...
Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4 source guard function is disabled on an interface. Views Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view Predefined user roles network-admin Parameters...
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] ip verify source ip-address mac-address
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface by using source IPv4 and MAC addresses of IPv4 source guard binding entries.
<Sysname>...
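The following is an added example, not Comware code and not part of this reference, that models the interplay between static ip source binding entries and the three ip verify source modes (ip-address, ip-address mac-address, mac-address). The matching rule it implements is an assumption: a packet passes an interface with source guard enabled only if some binding on that interface carries every attribute the mode checks and those attributes equal the packet's, and a VLAN set on a binding must also match. Interface names, addresses and bindings are constructed; global (system view) bindings are not modelled.

```python
"""Model of IPv4 source guard filtering. Added example, not Comware code.

Assumed matching rule: a packet passes a guarded interface only if a binding
on that interface supplies, and matches, every attribute the interface's
ip verify source mode checks; a binding's vlan (if set) must match too.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MODES: Dict[str, FrozenSet[str]] = {
    "ip-address": frozenset({"ip"}),
    "ip-address mac-address": frozenset({"ip", "mac"}),
    "mac-address": frozenset({"mac"}),
}


def norm_mac(mac: str) -> str:
    """Normalise H-H-H (Comware style) or colon notation to 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


@dataclass(frozen=True)
class Binding:
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet was received on
    src_ip: str
    src_mac: str
    vlan: int


class SourceGuard:
    def __init__(self) -> None:
        self._mode: Dict[str, FrozenSet[str]] = {}
        self._bindings: List[Binding] = []

    def verify_source(self, interface: str, mode: str) -> None:
        """ip verify source { ip-address | ip-address mac-address | mac-address } in interface view."""
        self._mode[interface] = MODES[mode]

    def bind(self, b: Binding) -> None:
        """ip source binding ... [ vlan vlan-id ] in interface view."""
        if b.ip is None and b.mac is None:
            raise ValueError("a binding needs an IP address, a MAC address, or both")
        self._bindings.append(b)

    def permit(self, pkt: Packet) -> bool:
        """True if the packet is forwarded, False if source guard drops it."""
        checked = self._mode.get(pkt.interface)
        if checked is None:
            return True   # source guard not enabled on this interface: no filtering
        pkt_mac = norm_mac(pkt.src_mac)
        for b in self._bindings:
            if b.interface != pkt.interface:
                continue
            if b.vlan is not None and b.vlan != pkt.vlan:
                continue
            if "ip" in checked and b.ip != pkt.src_ip:
                continue
            if "mac" in checked and (b.mac is None or norm_mac(b.mac) != pkt_mac):
                continue
            return True   # every checked attribute matched this binding
        return False      # guarded interface, no matching binding: drop


def build_demo() -> SourceGuard:
    """Constructed configuration mirroring the two examples in the text."""
    sg = SourceGuard()
    sg.verify_source("FortyGigE1/0/1", "ip-address mac-address")
    sg.bind(Binding("FortyGigE1/0/1", ip="192.168.0.100", mac="0001-0002-0003", vlan=100))
    sg.verify_source("Vlan-interface100", "ip-address")
    sg.bind(Binding("Vlan-interface100", ip="192.168.0.200"))
    return sg
```

The ip-address mac-address mode is the one that stops a host from borrowing a neighbour's bound IP address with its own MAC address; in ip-address mode the same spoof passes because the MAC address is never consulted.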
ARP attack protection commands Unresolvable IP attack protection commands arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression function. Use undo arp source-suppression enable to restore the default. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled.
Views System view Predefined user roles network-admin Parameters limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range of 2 to 1024. Usage guidelines If the number of unresolvable packets from a host within 5 seconds exceeds a specific threshold, the device stops processing packets from that host until the 5 seconds elapse.
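The following is an added example, not Comware code and not part of this reference, that models the arp source-suppression limit behaviour described above: per source host, count packets with unresolvable destination IP addresses in a 5-second window and stop processing that host's packets once the count exceeds limit-value, until the window elapses. The fixed-window interpretation, keying by source IP address, and the packet trace are all constructed assumptions of this example.

```python
"""Model of ARP source suppression. Added example, not Comware code.

Assumptions: a fixed 5-second window per source IP address; packets beyond
limit-value in a window are dropped; the next window starts fresh.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 5.0


class ArpSourceSuppression:
    def __init__(self, limit: int) -> None:
        if not 2 <= limit <= 1024:          # range of limit-value on the page
            raise ValueError("limit-value must be in the range 2 to 1024")
        self.limit = limit
        self._window: Dict[str, Tuple[float, int]] = {}   # src -> (window start, count)

    def handle(self, src_ip: str, now: float) -> bool:
        """Return True if the unresolvable packet is processed, False if suppressed."""
        start, count = self._window.get(src_ip, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0           # previous window elapsed: host is unblocked
        count += 1
        self._window[src_ip] = (start, count)
        return count <= self.limit


@dataclass(frozen=True)
class Event:
    t: float
    src_ip: str
    dst_ip: str   # destination with no ARP entry; kept only for readability


# Constructed trace: 10.0.0.9 sweeps unresolvable addresses (a scan pattern),
# 10.0.0.5 is a normal host that occasionally hits one.
TRACE: List[Event] = (
    [Event(0.1 * i, "10.0.0.9", f"10.0.0.{200 + i}") for i in range(8)]
    + [Event(0.35, "10.0.0.5", "10.0.0.77")]
    + [Event(5.2, "10.0.0.9", "10.0.0.210"), Event(5.3, "10.0.0.5", "10.0.0.78")]
)


def run(trace: List[Event], limit: int) -> Dict[str, Dict[str, int]]:
    """Replay the trace through the limiter; return per-host processed/dropped counts."""
    limiter = ArpSourceSuppression(limit)
    stats: Dict[str, Dict[str, int]] = {}
    for ev in sorted(trace, key=lambda e: e.t):
        s = stats.setdefault(ev.src_ip, {"processed": 0, "dropped": 0})
        s["processed" if limiter.handle(ev.src_ip, ev.t) else "dropped"] += 1
    return stats


if __name__ == "__main__":
    for host, s in run(TRACE, 5).items():
        print(f"{host:<10} processed={s['processed']} dropped={s['dropped']}")
```

With limit-value 5, the scanning host gets its first five packets processed, the next three dropped, and is processed again once 5 seconds have passed, while the well-behaved host is never affected. That per-host keying is the point of the feature: it protects the CPU from one flooding source without penalising others.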
arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
Usage guidelines This command displays the numbers of packets discarded by the user validity check and by the ARP packet validity check. If you do not specify an interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces.
<Sysname>...
Predefined user roles network-admin Parameters interface interface-type interface-number: Clears the ARP detection statistics of a specific interface. Usage guidelines If you do not specify any interface, this command clears the statistics of all interfaces. Examples # Clear the ARP detection statistics of all interfaces. <Sysname>...
uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf [ slot slot-number ] In IRF mode: display ip urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters...
ip urpf Use ip urpf to enable uRPF. Use undo ip urpf to disable uRPF. Syntax ip urpf { loose | strict } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
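The following is an added example, not Comware code and not part of this reference, that shows the difference between the loose and strict checks on a constructed FIB: loose passes any source address covered by some FIB entry, strict additionally requires the matched entry's outbound interface to be the interface the packet arrived on. The longest-prefix-match FIB, the interface names and the absence of a default route are modelling choices of this example (a default route, if present, would make every loose check pass).

```python
"""Model of loose and strict uRPF checks. Added example, not Comware code.

The FIB is a constructed list of (prefix, outbound interface) routes resolved
by longest-prefix match; strict mode compares that interface with the
packet's ingress interface.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class Fib:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, prefix: str, out_interface: str) -> None:
        self._routes.append((ipaddress.IPv4Network(prefix), out_interface))

    def lookup(self, address: str) -> Optional[Route]:
        """Longest-prefix match for address, or None if no route covers it."""
        addr = ipaddress.IPv4Address(address)
        best: Optional[Route] = None
        for net, intf in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, intf)
        return best


def urpf_check(fib: Fib, src_ip: str, in_interface: str, mode: str) -> bool:
    """Return True if a packet with src_ip arriving on in_interface passes uRPF."""
    route = fib.lookup(src_ip)
    if route is None:
        return False                      # no FIB entry matches the source: fails both modes
    if mode == "loose":
        return True                       # any matching FIB entry is enough
    if mode == "strict":
        return route[1] == in_interface   # reverse path must lead back out the ingress interface
    raise ValueError("mode must be loose or strict")


def build_fib() -> Fib:
    """Constructed FIB: an aggregate on one interface, a more specific on another."""
    fib = Fib()
    fib.add("10.1.0.0/16", "FortyGigE1/0/1")
    fib.add("10.1.2.0/24", "FortyGigE1/0/2")   # more specific, different interface
    fib.add("192.168.0.0/24", "FortyGigE1/0/3")
    return fib


if __name__ == "__main__":
    fib = build_fib()
    for src, ifc in [("10.1.2.5", "FortyGigE1/0/2"), ("10.1.2.5", "FortyGigE1/0/1"),
                     ("192.168.0.9", "FortyGigE1/0/1"), ("172.16.0.1", "FortyGigE1/0/1")]:
        print(f"{src:<12} in {ifc}: loose={urpf_check(fib, src, ifc, 'loose')} "
              f"strict={urpf_check(fib, src, ifc, 'strict')}")
```

The second case is the one to keep in mind before enabling strict mode: 10.1.2.5 arriving on FortyGigE1/0/1 is covered by the /16 on that interface, but longest-prefix match resolves it to the /24 via FortyGigE1/0/2, so strict drops it while loose accepts it. Asymmetric routing therefore breaks legitimate traffic under strict mode; loose mode still blocks sources with no route at all, which covers unallocated and bogon address space.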
FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: Automatic reboot • Select the automatic reboot method. The system automatically performs the following tasks: Create a default FIPS configuration file named fips-startup.cfg. Specify the default file as the startup configuration file.
Examples # Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Usage guidelines To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Index A B C D E F G H I K L M N P Q R S T U dir,190 display arp detection,216 session-limit,1 display arp detection statistics,216 access-limit,18 display arp source-suppression,213 accounting command,2 display domain,13 accounting default,2 display fips status,221 accounting login,4...
fips mode enable,221 local-address,133 fips self-test,223 local-identity,167 local-user,24 ls,194 get,193 group,23 match local address (IKE keychain view),168 match local address (IKE profile view),169 help,193 match remote,170 hwtacacs nas-ip,54 mkdir,195 hwtacacs scheme,55 nas-ip (HWTACACS scheme view),57 dpd,159 nas-ip (RADIUS scheme view),34 identity,160 ike invalid-spi-recovery enable,161...
public-key local create,97 secondary authentication (HWTACACS scheme view),64 public-key local destroy,100 secondary authentication (RADIUS scheme view),43 public-key local export dsa,102 secondary authorization,65 public-key local export rsa,104 security acl,145 public-key peer,106 security-policy-server,45 public-key peer import sshkey,106 service-type,26 put,195 sftp,200 pwd,196 sftp client source,202 sftp server enable,180...