HP A-U200 Command Reference Manual

Unified threat management products
HP A-U200
Unified Threat Management Products
Access Control Command Reference
Part number: 5998-2676
Software version: R5116P20
Document version: 6PW100-20111216


Summary of Contents for HP A-U200

  • Page 1 HP A-U200 Unified Threat Management Products Access Control Command Reference Part number: 5998-2676 Software version: R5116P20 Document version: 6PW100-20111216...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: ACL configuration commands (p. 1); acl (p. 1); acl copy (p. 2); acl name (p. 3); description (p. 3); display acl (p. 4); display time-range (p. 5); reset acl counter (p. 6) ...
  • Page 4 portal server method (p. 49); reset portal connection statistics (p. 50); reset portal server statistics (p. 50); reset portal tcp-cheat statistics (p. 50); web-redirect (p. 51); AAA configuration commands (p. 53); AAA configuration commands (p. 53) ...
  • Page 5 (HWTACACS scheme view) (p. 134); timer response-timeout (HWTACACS scheme view) (p. 135); user-name-format (HWTACACS scheme view) (p. 136); Support and other resources (p. 137); Contacting HP (p. 137); Subscription service (p. 137) ...
  • Page 6 Related information (p. 137); Documents (p. 137); Websites (p. 137); Conventions (p. 138); Index (p. 140) ...
  • Page 7: Acl Configuration Commands

    ACL configuration commands Syntax acl number acl-number [ name acl-name ] [ match-order { auto | config } ] undo acl { all | name acl-name | number acl-number } View System view Default level 2: System level Parameters number acl-number: Specifies the number of an IPv4 access control list (ACL): •...
  • Page 8: Acl Copy

    [Sysname-acl-basic-2000] # Create IPv4 basic ACL 2001 with the name flow, and enter its view. <Sysname> system-view [Sysname] acl number 2001 name flow [Sysname-acl-basic-2001-flow] acl copy Syntax acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name } View System view Default level...
  • Page 9: Acl Name

    acl name Syntax acl name acl-name View System view Default level 2: System level Parameters acl-name: Specifies an IPv4 ACL name, a case-insensitive string of 1 to 32 characters. It must start with an English letter. The IPv4 ACL must already exist. Description Use the acl name command to enter the view of an IPv4 ACL that has a name.
  • Page 10: Display Acl

    [Sysname] acl number 2000 [Sysname-acl-basic-2000] description This is an IPv4 basic ACL. display acl Syntax display acl { acl-number | all | name acl-name } View Any view Default level 1: Monitor level Parameters acl-number: Specifies an ACL by its number: 2000 to 2999 for IPv4 basic ACLs •...
  • Page 11: Display Time-Range

    Field / Description: named flow: The name of the ACL is flow; "-none-" means the ACL is not named. 3 rules: The ACL contains three rules. match-order is auto: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
  • Page 12: Reset Acl Counter

    Table 2 Output description: Current time: Current system time. Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time. reset acl counter Syntax reset acl counter { acl-number | all | name acl-name } View User view Default level...
  • Page 13 Default level 2: System level Parameters rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0.
  • Page 14: Rule (Ipv4 Advanced Acl View)

    [Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff [Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff rule (IPv4 advanced ACL view) Syntax rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port...
  • Page 15 Parameter: dscp dscp. Function: Specifies a DSCP priority. Description: The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
  • Page 16 Parameters specific to TCP. Parameter: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *. Function: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. Description: The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). For example, a rule configured with ack 1 psh 0 may match...
  • Page 17: Rule (Ipv4 Basic Acl View)

    Description Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule.
  • Page 18 undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] * View IPv4 basic ACL view Default level 2: System level Parameters rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID.
  • Page 19: Rule Comment

    [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255 [Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] rule deny source any rule comment Syntax rule rule-id comment text undo rule rule-id comment View IPv4 basic/advanced ACL view, Ethernet frame header ACL view Default level 2: System level Parameters...
  • Page 20: Time-Range

    Parameters step-value: ACL rule numbering step, in the range of 1 to 20. Description Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5.
  • Page 21 • off-day for Saturday and Sunday. • daily for the whole week. from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100.
  • Page 22 # Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010. <Sysname> system-view [Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010 # Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
  • Page 23: Session Management Commands

    Session management commands application aging-time Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] View System view Default level 2: System level Parameters dns: Specifies the aging time for DNS sessions.
  • Page 24: Display Session Statistics

    Default level 2: System level Parameters vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be digits, letters, and underscores. Description Use the display session relation-table command to display relationship table entries.
  • Page 25 View Any view Default level 2: System level Parameters vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be digits, letters, and underscores.
  • Page 26: Display Session Table

    Field / Description: Current TCP session(s): Number of TCP sessions. Half-Open: Number of TCP sessions in the half-open state. Half-Close: Number of TCP sessions in the half-close state. Current UDP session(s): Number of UDP sessions. Current ICMP session(s): Number of ICMP sessions. Current RAWIP session(s): Number of Raw IP sessions. Current relation table(s)...
  • Page 27 verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions. Description Use the display session table command to display information about sessions. If no argument is specified, the command displays all sessions. •...
  • Page 28 Pro: TCP(6) App: TELNET State: TCP-EST Start time: 2009-03-17 09:30:33 TTL: 3600s Root Zone(in): Management Zone(out): Local Received packet(s)(Init): 1173 packet(s) 47458 byte(s) Received packet(s)(Reply): 1168 packet(s) 61845 byte(s) Total find: 2 Table 9 Output description: Initiator: Session information of the initiator. Responder: Session information of the responder. Transport layer protocol, TCP, UDP, ICMP, or Raw IP...
  • Page 29: Reset Session

    reset session Syntax reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] View User view Default level...
  • Page 30: Session Aging-Time

    Default level 2: System level Parameters vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be digits, letters, and underscores.
  • Page 31: Session Checksum

    Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults. The default value is 30 seconds. Examples # Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds. <Sysname>...
  • Page 32 Parameters acl-number: ACL number, in the range 2000 to 3999. aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value of the time-value argument is in the range of 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.
  • Page 33: Connection Limit Configuration Commands

    Connection limit configuration commands connection-limit apply policy Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number View System view Default level 2: System level Parameters policy-number: Number for an existing connection limit policy, which can only be 0. Description Use the connection-limit apply policy command to apply a connection limit policy.
  • Page 34: Display Connection-Limit Policy

    Description Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view. Use the undo connection-limit policy command to delete a specific or all connection limit policies. A connection limit policy contains a set of rules that limit the number of connections of a specific user. By default, a connection limit policy uses the default connection limit settings.
  • Page 35: Limit

    Connection-limit policy 0, refcount 1, 2 limits limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared # Display information about all connection limit policies. <Sysname>...
  • Page 36 Therefore, take the match order into consideration when assigning the rule IDs. HP recommends arranging the rules by limit granularity and limit range in ascending order.
  • Page 37: Portal Configuration Commands

    Portal configuration commands display portal acl Syntax display portal acl { all | dynamic | static } interface interface-type interface-number View Any view Default level 1: Monitor level Parameters all: Displays all portal access control lists (ACLs), including dynamic ones and static ones. dynamic: Displays dynamic portal ACLs, namely, ACLs generated after a user passes portal authentication.
  • Page 38 Source: : 0.0.0.0 Mask : 0.0.0.0 : 0000-0000-0000 Interface : any VLAN Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Rule 2 Inbound interface : GigabitEthernet0/0 Type : dynamic Action : permit Source: : 2.2.2.2 Mask : 255.255.255.255 : 000d-88f8-0eab Interface : GigabitEthernet0/0 VLAN Protocol Destination:...
  • Page 39: Display Portal Connection Statistics

    Author ACL: Authorization ACL of portal ACL. It is displayed only when the Type field has a value of dynamic. Number: Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL. display portal connection statistics Syntax display portal connection statistics { all | interface interface-type interface-number }...
  • Page 40 MSG_LOGOUT_ACK MSG_LEAVING_ACK MSG_CUT_REQ MSG_AUTH_REQ MSG_LOGIN_REQ MSG_LOGOUT_REQ MSG_LEAVING_REQ MSG_ARPPKT MSG_TMR_REQAUTH MSG_TMR_AUTHEN MSG_TMR_AUTHOR MSG_TMR_LOGIN MSG_TMR_LOGOUT MSG_TMR_LEAVING MSG_TMR_NEWIP MSG_TMR_USERIPCHANGE MSG_PORT_REMOVE MSG_VLAN_REMOVE MSG_IF_REMOVE MSG_L3IF_SHUT MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 12 Output description: User state statistics: Statistics on portal users. State-Name: Name of a user state. User-Num...
  • Page 41 Message statistics: Statistics on messages. Msg-Name: Message type. Total: Total number of messages. Number of erroneous messages. Discard: Number of discarded messages. MSG_AUTHEN_ACK: Authentication acknowledgment message. MSG_AUTHOR_ACK: Authorization acknowledgment message. MSG_LOGIN_ACK: Accounting acknowledgment message. MSG_LOGOUT_ACK: Accounting-stop acknowledgment message. MSG_LEAVING_ACK: Leaving acknowledgment message. MSG_CUT_REQ...
  • Page 42: Display Portal Free-Rule

    display portal free-rule Syntax display portal free-rule [ rule-number ] View Any view Default level 1: Monitor level Parameters rule-number: Number of a portal-free rule, in the range of 0 to 15. Description Use the display portal free-rule command to display information about a specific portal-free rule or all portal-free rules.
  • Page 43: Display Portal Interface

    display portal interface Syntax display portal interface interface-type interface-number View Any view Default level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display portal interface command to display the portal configuration of an interface. Examples # Display the portal configuration of interface GigabitEthernet 0/0.
  • Page 44: Display Portal Server

    display portal server Syntax display portal server [ server-name ] View Any view Default level 1: Monitor level Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. Description Use the display portal server command to display information about a specific portal server or all portal servers.
  • Page 45 Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces. Note that with the all keyword specified, the command displays portal server statistics by interface; statistics about a portal server referenced by more than one interface may therefore be displayed repeatedly.
  • Page 46: Display Portal Tcp-Cheat Statistics

    ACK_CHALLENGE: Challenge acknowledgment message the access device sends to the portal server. REQ_AUTH: Authentication request message the portal server sends to the access device. ACK_AUTH: Authentication acknowledgment message the access device sends to the portal server. REQ_LOGOUT: Logout request message the portal server sends to the access device. ACK_LOGOUT: Logout acknowledgment message the access device sends to the portal server. Affirmation message the portal server sends to the access device after...
  • Page 47: Display Portal User

    Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0 Connection State: SYN_RECVD: 0 ESTABLISHED: 0 CLOSE_WAIT: 0 LAST_ACK: 0 FIN_WAIT_1: 0 FIN_WAIT_2: 0 CLOSING: 0 Table 17 Output description: TCP Cheat Statistic: TCP spoofing statistics. Total Opens: Total number of opened connections. Resets: Connections...
  • Page 48 Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the display portal user command to display information about portal users on a specific interface or all interfaces. Examples # Display information about portal users on all interfaces. <Sysname>...
  • Page 49: Portal Auth-Network

    portal auth-network Syntax portal auth-network network-address { mask-length | mask } undo portal auth-network { network-address | all } View Interface view Default level 2: System level Parameters network-address: IP address of the authentication subnet. mask-length: Length of the subnet mask, in the range of 0 to 32. mask: Subnet mask, in dotted decimal notation.
  • Page 50: Portal Domain

    interface interface-type interface-number: Logs out all users on the specified interface. Description Use the portal delete-user command to log out users. Related commands: display portal user. Examples # Log out user 1.1.1.1. <Sysname> system-view [Sysname] portal delete-user 1.1.1.1 portal domain Syntax portal domain domain-name undo portal domain...
  • Page 51: Portal Max-User

    View System view Default level 2: System level Parameters rule-number: Number for the portal-free rule, in the range of 0 to 15. any: Imposes no limitation on the previous keyword. ip ip-address: Specifies an IP address. mask { mask-length | netmask }: Specifies the mask of the IP address, which can be in dotted decimal notation or an integer in the range of 0 to 32.
  • Page 52: Portal Nas-Id

    View System view Default level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system. Description Use the portal max-user command to set the maximum number of online portal users allowed in the system. Use the undo portal max-user command to restore the default. By default, the maximum number of portal users allowed on the device is 512.
  • Page 53: Portal Nas-Id-Profile

    <Sysname> system-view [Sysname] interface gigabitethernet 0/0 [Sysname-GigabitEthernet0/0] portal nas-id 0002053110000460 portal nas-id-profile Syntax portal nas-id-profile profile-name undo portal nas-id-profile View Interface view Default level 2: System level Parameters profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs. The profile can be configured by using the aaa nas-id profile command.
  • Page 54: Portal Server

    Parameters ip-address: Source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the portal nas-ip command to configure the source IP address for portal packets to be sent. Use the undo portal nas-ip command to restore the default.
  • Page 55: Portal Server Method

    Use the undo portal server server-name command to remove the specified portal server. The server is removed only if it exists and no user is on the interfaces referencing it. The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface.
  • Page 56: Reset Portal Connection Statistics

    reset portal connection statistics Syntax reset portal connection statistics { all | interface interface-type interface-number } View User view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the reset portal connection statistics command to clear portal connection statistics on a specific interface or all interfaces.
  • Page 57: Web-Redirect

    View User view Default level 1: Monitor level Parameters None Description Use the reset portal tcp-cheat statistics command to clear TCP spoofing statistics. Examples # Clear TCP spoofing statistics. <Sysname> reset portal tcp-cheat statistics web-redirect Syntax web-redirect url url-string [ interval interval ] undo web-redirect View Interface view...
  • Page 58 [Sysname-GigabitEthernet0/0] web-redirect url http://192.0.0.1 interval 3600...
  • Page 59: Aaa Configuration Commands

    AAA configuration commands aaa nas-id profile Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name View System view Default level 2: System level Parameters profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters. Description Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
  • Page 60: Accounting Command

    Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Description Use the access-limit enable command to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users will be accepted. Use the undo access-limit enable command to restore the default.
  • Page 61: Accounting Default

    [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default Syntax accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
  • Page 62: Accounting Login

    undo accounting lan-access View ISP domain view Default level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters. Description Use the accounting lan-access command to configure the accounting method for LAN users.
  • Page 63: Accounting Optional

    local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters. Description Use the accounting login command to configure the accounting method for login users (users logging in through the console, AUX, or Asyn port or accessing through Telnet).
  • Page 64: Accounting Portal

    communication with the current accounting server fails. However, the device will not send real-time accounting updates for the user anymore. The accounting optional feature applies to scenarios where accounting is not important. NOTE: After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective.
  • Page 65: Accounting Ppp

    [Sysname] domain test [Sysname-isp-test] accounting portal radius-scheme rd local accounting ppp Syntax accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting ppp View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a...
  • Page 66: Authentication Lan-Access

    undo authentication default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
  • Page 67: Authentication Login

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters. Description Use the authentication lan-access command to configure the authentication method for LAN users. Use the undo authentication lan-access command to restore the default. By default, the default authentication method for the ISP domain is used for LAN users.
  • Page 68: Authentication Portal

    The specified RADIUS or HWTACACS scheme must have been configured. Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme. Examples # Configure ISP domain test to use local authentication for login users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication login local # Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
  • Page 69: Authentication Ppp

    [Sysname] domain test [Sysname-isp-test] authentication portal radius-scheme rd local authentication ppp Syntax authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication ppp View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a...
  • Page 70: Authorization Default

    undo authorization command View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
  • Page 71: Authorization Lan-Access

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
  • Page 72: Authorization Login

    Description Use the authorization lan-access command to configure the authorization method for LAN users. Use the undo authorization lan-access command to restore the default. By default, the default authorization method for the ISP domain is used for LAN users. The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
  • Page 73: Authorization Portal

    By default, the default authorization method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
  • Page 74: Authorization Ppp

    Examples # Configure ISP domain test to use local authorization for portal users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization portal local # Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
  • Page 75: Authorization-Attribute User-Profile

    [Sysname-isp-test] authorization ppp local # Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization ppp radius-scheme rd local authorization-attribute user-profile Syntax authorization-attribute user-profile profile-name undo authorization-attribute user-profile View ISP domain view...
  • Page 76 View System view Default level 2: System level Parameters access-type: Specifies the user connections of the specified access type. dot1x: Indicates 802.1X authentication. mac-authentication: Indicates MAC address authentication. portal: Indicates portal authentication. all: Specifies all user connections. domain isp-name: Specifies the user connections of an ISP domain.
  • Page 77: Display Connection

    display connection Syntax display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] View Any view Default level 1: Monitor level Parameters...
  • Page 78 If the username does not contain the character @, the device displays the username in the format username@mandatory authentication domain name. If the username contains the character @, the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.
  • Page 79: Display Domain

    Total 0 connection matched. Table 19 Output description Field Description Username Username of the connection, in the format username@domain MAC address of the user IPv4 address of the user Access User access type ACL Group Authorization ACL group. Disable means no authorization ACL group is assigned. User Profile Authorization user profile CAR(kbps)
  • Page 80 Default accounting scheme : local Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes : Domain : test State : Active Access-limit : Disabled Accounting method : Required Default authentication scheme : local Default authorization scheme : local Default accounting scheme : local Lan-access authentication scheme...
  • Page 81: Domain

    Field Description Idle-cut Indicates whether the idle cut function is enabled. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period. Indicates whether the self service function is enabled.
  • Page 82: Domain Default Enable

    domain default enable Syntax domain default enable isp-name undo domain default enable View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Description Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
  • Page 83: Ip Pool

    flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240. Description Use the idle-cut enable command to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
  • Page 84: Nas-Id Bind Vlan

    <Sysname> system-view [Sysname] domain test [Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10 nas-id bind vlan Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id View NAS ID profile view Default level 2: System level Parameters nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.
  • Page 85: State (Isp Domain View)

    Parameters url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation. Description Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server.
  • Page 86: Local User Configuration Commands

    <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block Local user configuration commands access-limit Syntax access-limit max-user-number undo access-limit View Local user view Default level 3: Manage level Parameters max-user-number: Maximum number of concurrent users of the current local user account, in the range 1 to 1024.
  • Page 87 Default level 3: Manage level Parameters acl acl-number: Specifies the authorization ACL. The ACL number must be in the range 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL. callback-number callback-number: Specifies the authorization PPP callback number.
  • Page 88: Bind-Attribute

    A local user can play only one role at a moment. If you perform the role configuration repeatedly, only the last role configuration takes effect. Examples # Configure the authorized VLAN of local user abc as VLAN 2. <Sysname> system-view [Sysname] local-user abc [Sysname-luser-abc] authorization-attribute vlan 2 # Configure the authorized VLAN of user group abc as VLAN 3.
  • Page 89: Display Local-User

    Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. For example, an IP address binding is applicable to only 802.1X authentication that supports IP address upload.
  • Page 90 Examples # Display information about all local users. <Sysname> display local-user The contents of local user abc: State: Active ServiceType: telnet Access-limit: Enabled Current AccessNum: 0 Max AccessNum: User-group: system Bind attributes: IP address: 1.2.3.4 Bind location: 0/4/1 (SLOT/SUBSLOT/PORT) MAC address: 0001-0002-0003 Vlan ID: Authorization attributes:...
  • Page 91: Display User-Group

    display user-group Syntax display user-group [ group-name ] View Any view Default level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the display user-group command to display configuration information about one or all user groups. If you do not specify any user group name, the command displays information about all user groups.
  • Page 92: Group

    and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02. Description Use the expiration-date command to set the expiration time of a local user. Use the undo expiration-date command to remove the configuration.
  • Page 93: Local-User

    local-user Syntax local-user user-name undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal } ] } View System view Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
  • Page 94: Password

    View System view Default level 2: System level Parameters auto: Displays the password of a local user in the mode that is specified for the user by using the password command. cipher-force: Displays the passwords of all local users in cipher text. Description Use the local-user password-display-mode command to set the password display mode for all local users.
  • Page 95: Service-Type

    must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc. A password in cipher text must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!. Description Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text.
  • Page 96: State (Local User View)

    Description Use the service-type command to specify the service types that a user can use. Use the undo service-type command to delete one or all service types configured for a user. By default, a user is authorized with no service. You can execute the service-type command repeatedly to specify multiple service types for a user.
  • Page 97: Radius Configuration Commands

    View System view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the user-group command to create a user group and enter its view. Use the undo user-group command to remove a user group. A user group consists of a group of local users and has a set of local user attributes.
  • Page 98: Attribute 25 Car

    Description Use the accounting-on enable command to configure the accounting-on feature. This feature enables the device to, after rebooting, automatically send an accounting-on message to the RADIUS accounting server stipulated by the RADIUS scheme to stop accounting for and log out online users. Use the undo accounting-on enable command to disable the accounting-on feature.
  • Page 99: Data-Flow-Format (Radius Scheme View)

    [Sysname-radius-radius1] attribute 25 car data-flow-format (RADIUS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } View RADIUS scheme view Default level...
  • Page 100 Description Use the display radius scheme command to display the configuration information of RADIUS schemes. If you do not specify any RADIUS scheme, the command displays the configuration information of all RADIUS schemes. Related commands: radius scheme. Examples # Display the configuration information of all RADIUS schemes. <Sysname>...
  • Page 101 Field Description Type Type of the RADIUS server, extended or standard. Primary Auth Server Information about the primary authentication server. Primary Acct Server Information about the primary accounting server. Second Auth Server Information about the secondary authentication server. Second Acct Server Information about the secondary accounting server.
  • Page 102: Display Radius Statistics

    display radius statistics Syntax display radius statistics View Any view Default level 2: System level Parameters None Description Use the display radius statistics command to display statistics about RADIUS packets. Related commands: radius scheme. Examples # Display statistics about RADIUS packets. <Sysname>...
  • Page 103 Set policy result Num = 0 Err = 0 Succ = 0 RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14 EAP auth replying Num = 0 Account success Num = 4 Account failure Num = 3 Server ctrl req Num = 0 RecError_MSG_sum = 0...
  • Page 104 Field Description Succ Number of messages that the device successfully processed Running statistic Statistics for RADIUS messages received and sent by the RADIUS module RADIUS received messages statistic Statistics for received RADIUS messages Normal auth request Counts of normal authentication requests EAP auth request Counts of EAP authentication requests Account request...
  • Page 105: Display Stop-Accounting-Buffer (For Radius)

    display stop-accounting-buffer (for RADIUS) Syntax display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } View Any view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme.
  • Page 106: Key (Radius Scheme View)

    key (RADIUS scheme view) Syntax key { accounting | authentication } key undo key { accounting | authentication } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the shared key for authenticating RADIUS accounting packets. authentication: Sets the shared key for authenticating RADIUS authentication/authorization packets. key: Shared key, a case-sensitive string of 1 to 64 characters.
  • Page 107: Primary Accounting (Radius Scheme View)

    Default level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source IP address for outgoing RADIUS packets. Use the undo nas-ip command to restore the default.
  • Page 108: Primary Authentication (Radius Scheme View)

    Parameters ipv4-address: IPv4 address of the primary accounting server. port-number: Service port number of the primary accounting server, a UDP port number in the range 1 to 65535. The default is 1813. Description Use the primary accounting command to specify the primary RADIUS accounting server. Use the undo primary accounting command to remove the configuration.
  • Page 109: Radius Client

    port-number: Service port number of the primary authentication/authorization server, a UDP port number in the range 1 to 65535. The default is 1812. Description Use the primary authentication command to specify the primary RADIUS authentication/authorization server. Use the undo primary authentication command to remove the configuration. By default, no primary RADIUS authentication/authorization server is specified.
  • Page 110: Radius Nas-Ip

    When the listening port of the RADIUS client is disabled: • Stop-accounting requests of online users can no longer be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still has the user’s record during a certain period of time.
  • Page 111: Radius Scheme

    Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. <Sysname> system-view [Sysname] radius nas-ip 129.10.10.1 radius scheme Syntax radius scheme radius-scheme-name undo radius scheme radius-scheme-name View System view Default level 3: Manage level Parameters...
  • Page 112: Reset Radius Statistics

    authentication-server-down: Sends traps when the reachability of the authentication server changes. Description Use the radius trap command to enable the trap function for RADIUS. Use the undo radius trap command to disable the trap function for RADIUS. By default, the trap function is disabled for RADIUS. With the trap function for RADIUS, a NAS sends a trap message in the following cases: •...
  • Page 113: Retry

    Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
  • Page 114: Retry Realtime-Accounting

    Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
  • Page 115: Retry Stop-Accounting (Radius Scheme View)

    NOTE: The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command).
  • Page 116: Secondary Accounting (Radius Scheme View)

    NOTE: The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command).
  • Page 117: Secondary Authentication (Radius Scheme View)

    The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails. If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server will time out, and the device will look for a server in active state from the primary server on.
  • Page 118: Security-Policy-Server

    undo secondary authentication command to remove a secondary RADIUS authentication/authorization server. By default, no secondary RADIUS authentication/authorization server is specified. You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
  • Page 119: Server-Type

    all: Specifies all security policy servers. Description Use the security-policy-server command to specify a security policy server for a RADIUS scheme. Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme. By default, no security policy server is specified for a RADIUS scheme. You can specify up to eight security policy servers for a RADIUS scheme.
  • Page 120: State Primary

    state primary Syntax state primary { accounting | authentication } { active | block } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state.
  • Page 121: Stop-Accounting-Buffer Enable (Radius Scheme View)

    Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Description Use the state secondary command to set the status of a secondary RADIUS server. By default, every secondary RADIUS server specified in a RADIUS scheme is in active state.
  • Page 122: Timer Quiet (Radius Scheme View)

    Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit.
  • Page 123: Timer Realtime-Accounting (Radius Scheme View)

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 timer realtime-accounting (RADIUS scheme view) Syntax timer realtime-accounting minutes undo timer realtime-accounting View RADIUS scheme view Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. Description Use the timer realtime-accounting command to set the real-time accounting interval.
  • Page 124: Timer Response-Timeout (Radius Scheme View)

    timer response-timeout (RADIUS scheme view) Syntax timer response-timeout seconds undo timer response-timeout View RADIUS scheme view Default level 2: System level Parameters seconds: RADIUS server response timeout period in seconds, in the range 1 to 10. Description Use the timer response-timeout command to set the RADIUS server response timeout timer. Use the undo timer response-timeout command to restore the default.
  • Page 125: Hwtacacs Configuration Commands

    Description Use the user-name-format command to specify the format of the username to be sent to a RADIUS server. By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
  • Page 126: Display Hwtacacs

    Use the undo data-flow-format command to restore the default. By default, the unit for data flows is byte and that for data packets is one-packet. The unit for data flows and that for packets must be consistent with those on the HWTACACS server. Otherwise, accounting cannot be performed correctly.
  • Page 127 Current-authorization-server : 172.31.1.11:49 Current-accounting-server : 172.31.1.11:49 NAS-IP-address : 0.0.0.0 key authentication : 790131 key authorization : 790131 key accounting : 790131 Quiet-interval(min) Realtime-accounting-interval(min) : 12 Response-timeout-interval(sec) Acct-stop-PKT retransmit times : 100 Username format : with-domain Data traffic-unit Packet traffic-unit : one-packet -------------------------------------------------------------------- Table 25 Output description Field...
  • Page 128 HWTACACS server close number: 10 HWTACACS authen client access request packet number: 10 HWTACACS authen client access response packet number: 6 HWTACACS authen client unknown type number: 0 HWTACACS authen client timeout number: 4 HWTACACS authen client packet dropped number: 4 HWTACACS authen client access request change password number: 0 HWTACACS authen client access request login number: 5 HWTACACS authen client access request send authentication number: 0...
  • Page 129: Display Stop-Accounting-Buffer (For Hwtacacs)

    HWTACACS account client request EXEC number: 0 HWTACACS account client request network number: 0 HWTACACS account client request system event number: 0 HWTACACS account client request update number: 0 HWTACACS account client response error number: 0 HWTACACS account client round trip time(s): 0 display stop-accounting-buffer (for HWTACACS) Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name...
  • Page 130: Hwtacacs Scheme

    Description Use the hwtacacs nas-ip command to specify a source IP address for outgoing HWTACACS packets. Use the undo hwtacacs nas-ip command to remove the configuration. By default, the source IP address of a packet sent to the server is the IP address of the outbound interface. The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
  • Page 131: Key (Hwtacacs Scheme View)

    <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key (HWTACACS scheme view) Syntax key { accounting | authentication | authorization } key undo key { accounting | authentication | authorization } View HWTACACS scheme view Default level 2: System level Parameters accounting: Sets the shared key for authenticating HWTACACS accounting packets.
  • Page 132: Primary Accounting (Hwtacacs Scheme View)

    undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source address for outgoing HWTACACS packets.
  • Page 133: Primary Authentication (Hwtacacs Scheme View)

    Parameters ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the primary accounting command to specify the primary HWTACACS accounting server. Use the undo primary accounting command to remove the configuration.
  • Page 134: Primary Authorization

    By default, no primary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails. If you configure the command repeatedly, only the last configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
  • Page 135: Reset Hwtacacs Statistics

    Examples # Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 reset hwtacacs statistics Syntax reset hwtacacs statistics { accounting | all | authentication | authorization } View User view Default level...
  • Page 136: Retry Stop-Accounting (Hwtacacs Scheme View)

    Description Use the reset stop-accounting-buffer command to clear buffered stop-accounting requests that get no responses. Related commands: stop-accounting-buffer enable and display stop-accounting-buffer. Examples # Clear the stop-accounting requests buffered for HWTACACS scheme hwt1. <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 retry stop-accounting (HWTACACS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting...
  • Page 137: Secondary Authentication (Hwtacacs Scheme View)

    Default level 2: System level Parameters ip-address: IP address of the secondary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the secondary accounting command to specify the secondary HWTACACS accounting server.
  • Page 138: Secondary Authorization

    Description Use the secondary authentication command to specify the secondary HWTACACS authentication server. Use the undo secondary authentication command to remove the configuration. By default, no secondary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
  • Page 139: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation. Related commands: display hwtacacs. Examples # Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
  • Page 140: Timer Quiet (Hwtacacs Scheme View)

    timer quiet (HWTACACS scheme view) Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view Default level 2: System level Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255. Description Use the timer quiet command to set the quiet timer for the primary server. When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until this timer expires.
  • Page 141: Timer Response-Timeout (Hwtacacs Scheme View)

    By default, the real-time accounting interval is 12 minutes. For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval. Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval.
  • Page 142: User-Name-Format (Hwtacacs Scheme View)

    [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer response-timeout 30 user-name-format (HWTACACS scheme view) Syntax user-name-format { keep-original | with-domain | without-domain } View HWTACACS scheme view Default level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is input. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
  • Page 143: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 144: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 145 Network topology icons Represents a unified threat management product. Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 146: Index

    Index A B C D E G H I K L N P R S T U W aaa nas-id profile,53 data-flow-format (HWTACACS scheme view),119 access-limit,80 data-flow-format (RADIUS scheme view),93 access-limit enable,53 description,3 accounting command,54 display acl,4 accounting default,55 display connection,71 accounting...
  • Page 147 hwtacacs scheme,124 reset portal tcp-cheat statistics,50 reset radius statistics,106 reset session,23 idle-cut enable,76 reset session statistics,23 pool,77 reset stop-accounting-buffer (for HWTACACS),129 reset stop-accounting-buffer (for RADIUS),106 retry,107 key (HWTACACS scheme view),125 retry realtime-accounting,108 key (RADIUS scheme view),100 retry stop-accounting (HWTACACS scheme view),130 retry stop-accounting (RADIUS scheme view),109...
  • Page 148 timer realtime-accounting (RADIUS scheme view),117 user-group,90 timer response-timeout (HWTACACS scheme view),135 user-name-format (HWTACACS scheme view),136 user-name-format (RADIUS scheme view),118 timer response-timeout (RADIUS scheme view),118 time-range,14 web-redirect,51 Websites,137...