AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles...
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
• accounting default
• hwtacacs scheme
• local-user
• radius scheme

authentication default
Use authentication default to specify the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Syntax
In non-FIPS mode:
authentication...
command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
Usage guidelines
You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format level-n.
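The fallback rule in the usage guidelines above (backup methods are tried in sequence only when the method before them is invalid) is easy to misread as "try the next method whenever the user is not accepted". The following is an added example, not code from the command reference this page excerpts; it models the stated rule in Python so the distinction between a reject and an invalid method is visible, and shows what a trailing none method does when every server is down. The user databases, the reachability flags, and the `available` flag on local (the page does not say what makes local authentication invalid) are constructed assumptions.

```python
"""Authentication method-list fallback as the usage guidelines describe it.

Added example; not code from the command reference this page excerpts. It
models the stated rule: backup methods are tried in sequence only when the
method before them is invalid (its server cannot be used), so a reachable
server's reject is final. 'none' performs no authentication and always
accepts, which is why its position in the list decides who gets in when
every server is down. Reachability and the user databases are constructed
inputs; what the device counts as "invalid" for local is not stated on the
page and is simulated here with a flag.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"     # credentials verified
    REJECT = "reject"     # method usable but credentials wrong: final answer
    INVALID = "invalid"   # method cannot be used (server unreachable, ...): try next


Method = Callable[[str, str], Result]   # (username, password) -> Result


def radius_scheme(server_reachable: bool, users: Dict[str, str]) -> Method:
    """Stand-in for a RADIUS scheme: INVALID while its server is unreachable."""
    def auth(user: str, pw: str) -> Result:
        if not server_reachable:
            return Result.INVALID
        return Result.ACCEPT if users.get(user) == pw else Result.REJECT
    return auth


def local(users: Dict[str, str], available: bool = True) -> Method:
    """Stand-in for local authentication against the device's local user database."""
    def auth(user: str, pw: str) -> Result:
        if not available:
            return Result.INVALID
        return Result.ACCEPT if users.get(user) == pw else Result.REJECT
    return auth


def none(_user: str, _pw: str) -> Result:
    """The 'none' method: no authentication is performed, so everyone passes."""
    return Result.ACCEPT


def authenticate(methods: List[Tuple[str, Method]], user: str, pw: str) -> Tuple[str, Result]:
    """Walk the method list in order; return (name of the deciding method, its result).

    If every method is invalid there is no decision and the user is not admitted:
    the last method's name is returned together with Result.INVALID.
    """
    name, outcome = "", Result.INVALID
    for name, method in methods:
        outcome = method(user, pw)
        if outcome is not Result.INVALID:
            break
    return name, outcome


def admitted(methods: List[Tuple[str, Method]], user: str, pw: str) -> bool:
    """True only when some method positively accepted the user."""
    return authenticate(methods, user, pw)[1] is Result.ACCEPT


if __name__ == "__main__":
    # Constructed sample data: one RADIUS user database and one local database.
    radius_users = {"admin": "Radius-Pw-1"}
    local_users = {"admin": "Local-Pw-1"}
    chain = [("radius-scheme rd", radius_scheme(False, radius_users)),
             ("local", local(local_users)),
             ("none", none)]
    print(authenticate(chain, "admin", "Local-Pw-1"))        # local decides
    all_down = [("radius-scheme rd", radius_scheme(False, radius_users)),
                ("local", local(local_users, available=False)),
                ("none", none)]
    print(authenticate(all_down, "anyone", "anything"))      # none accepts
```

The case to check in your own domains is the last one: with both servers invalid, a trailing none admits any username with any password, which is the situation the usage guidelines describe as "does not perform authentication". Leaving none off the list makes the all-invalid case a denial instead.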
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission for the commands.
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles...
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:...
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
•...
Syntax
domain isp-name
undo domain isp-name
Default
There is a system-defined ISP domain named system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain. The specified ISP domain must already exist. An ISP domain cannot be deleted when it is the default ISP domain.
Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.
Examples
# Place the ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain

Local user commands...
authorization-attribute
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default.
Syntax
authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *...
• For FTP users, only the authorization attributes user-role and work-directory are effective.
• For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency.
user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.
Field                  Description
                       minimum password length is displayed in parentheses.
Password composition   This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
                       • Minimum number of character types that the password must contain.
  ACL Number: 2000
  VLAN ID:
  Password control configurations:
    Password aging: Enabled (2 days)
Table 3 Command output
Field            Description
Idle TimeOut     Idle timeout period, in minutes.
Work Directory   Directory that FTP, SFTP, or SCP users in the group can access.
ACL Number       Authorization ACL.
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user

local-user...
Examples
# Add a device management user named user1.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1]
Related commands
• display local-user
• service-type

password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { hash | simple } password ]...
In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. Device management users support plaintext and hashed passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in hashed text.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a console port.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize the device management user user1 to use the Telnet and FTP services.
<Sysname>...
user-group
Use user-group to create a user group and enter user group view.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
There is a user group named system in the system.
Views
System view
Predefined user roles
network-admin
mdc-admin...
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet, in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts.
mdc-admin
Parameters
loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
Usage guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme

display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator...
  Server Quiet Period(minutes)              :
  Realtime Accounting Interval(minutes)     : 12
  NAS IP Address                            : Not configured
                                            : Not configured
  User Name Format                          : without-domain
------------------------------------------------------------------
RADIUS Scheme Name                          : rad2
  Index                                     : 1
  Primary Auth Server:
    Host name: radius.com
    : 82.0.0.37   Port: 1812   State: Active
    VPN : 1
  Primary Acct Server:...
Field     Description
Port      Service port number of the server. If no port number is specified, this field displays the default port number.
State     Status of the server: active or blocked.
VPN       VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
Field            Description
Dropped Packet   Number of discarded packets.
Check Failures   Number of packets with checksum errors.
Related commands
reset radius statistics

key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS communication.
Use undo key to restore the default.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }...
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme

nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
If no source IP address is specified for outgoing RADIUS packets, a physical port error on the outbound interface can prevent packets returned from the server from reaching the device. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets. A RADIUS scheme can have only one source IP address for outgoing RADIUS packets.
In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
• The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes.
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles...
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user from the NAS within the timeout period, it considers that a line or device failure has occurred, and stops accounting for the user.
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.
Examples
# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.
• vpn-instance (RADIUS scheme view)

security-policy-server
Use security-policy-server to specify a security policy server.
Use undo security-policy-server to remove a security policy server.
Syntax
security-policy-server ipv4-address [ vpn-instance vpn-instance-name ]
undo security-policy-server { ipv4-address [ vpn-instance vpn-instance-name ] | all }
Default
No security policy server is specified.
Default
All types of notifications for RADIUS are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.
authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state.
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
authentication: Sets the status of a secondary RADIUS authentication server.
host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in a RADIUS scheme.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval. When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server.
Usage guidelines
If a NAS receives no response from the RADIUS server within a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval. The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme

vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN for a RADIUS scheme.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, the command displays the configuration of all HWTACACS schemes.
statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.
    Single-connection: Disabled
  Primary Acct Server:
    Host name: tacacs.com
    : 82.0.0.37   Port: 49   State: Active
    VPN Instance: 1
    Single-connection: Disabled
  VPN Instance                              : Not configured
  NAS IP Address                            : Not configured
  Server Quiet Period(minutes)              :
  Realtime Accounting Interval(minutes)     : 12
  Response Timeout Interval(seconds)        :
  Username Format                           : without-domain
------------------------------------------------------------------...
Field                                   Description
Realtime Accounting Interval(minutes)   Real-time accounting interval, in minutes.
Response Timeout Interval(seconds)      HWTACACS server response timeout period, in seconds.
Username Format                         Format for the usernames sent to the HWTACACS server. Possible values include:
                                        • with-domain—Includes the domain name.
                                        • without-domain—Excludes the domain name.
• Zero or one public-network source IPv4 address.
• Private-network source IPv4 addresses.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
•...
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.
[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
Related commands
display hwtacacs scheme...
• The setting in HWTACACS scheme view takes precedence over the setting in system view.
If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections and improve system performance if the HWTACACS server supports the single-connection method.
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.
port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
Examples
# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
•...
single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user.
Default
The server quiet timer period is 5 minutes in an HWTACACS scheme.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Examples
# Set the server quiet timer to 10 minutes.
<Sysname>...
Table 8 Recommended real-time accounting intervals
Number of users   Real-time accounting interval
1 to 99           3 minutes
100 to 499        6 minutes
500 to 999        12 minutes
1000 or more      15 minutes or longer
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname>...
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to an HWTACACS server.
Views
HWTACACS scheme view
Predefined user roles...
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The HWTACACS scheme belongs to the public network.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified by using this command takes effect on all servers in the HWTACACS scheme for which no VPN is specified.
Password control commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display password-control
Use display password-control to display password control configuration.
Table 9 Command output
Field                  Description
Password control       Whether the password control feature is enabled.
Password aging         Whether password expiration is enabled and, if enabled, the expiration time.
Password length        Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition   Whether the password composition restriction feature is enabled and, if enabled, the settings.
Usage guidelines
If you do not specify any arguments, this command displays information about all users in the password control blacklist.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
mdc-admin
Parameters
aging: Enables the password expiration feature.
composition: Enables the password composition restriction feature.
history: Enables the password history feature.
length: Enables the minimum password length restriction feature.
Usage guidelines
To enable a specific password control feature, first enable the global password control feature.
The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
Usage guidelines
The expiration time depends on the view:
• The time in system view has global significance and applies to all user groups.
Default
The default is 7 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Usage guidelines
This command is effective only for non-FTP users.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Usage guidelines
The password complexity checking policy depends on the view:
•...
Predefined user roles
network-admin
mdc-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available:
•...
• If no policy is configured for the user group, the system uses the global policy.
The product of the minimum number of character types and the minimum number of characters for each type must be smaller than the maximum length of passwords.
Examples
# Specify that all passwords must each contain at least four character types and at least five characters for each type.
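The composition rule (type-number, type-length and the product constraint) and the complexity rule from the user-name keyword above are simple enough to check before a password is ever typed into the device. The following is an added example in Python, not code from the command reference this page excerpts. It models those rules for screening candidate passwords offline and for validating a composition policy before configuring it. Assumed, because the page does not state them: the four character types are digits, uppercase letters, lowercase letters and special characters; the maximum password length used by the product check is the constant MAX_PASSWORD_LENGTH; a character type counts only when the password holds at least type-length characters of it; and the username comparison is a plain case-sensitive substring match.

```python
"""Password composition and complexity rules as the password-control commands
describe them, modelled in Python so a candidate password can be screened
offline. Added example; not code from the command reference this page excerpts.

Assumed here (not stated on this page): the four character types are digits,
uppercase letters, lowercase letters and special characters; the maximum
password length used by the product check is MAX_PASSWORD_LENGTH; a type
counts when the password holds at least type-length characters of it; and
the username comparison is a plain, case-sensitive substring match.
"""
import string
from dataclasses import dataclass
from typing import Dict, List

MAX_PASSWORD_LENGTH = 63   # assumed ceiling used by the product check

# Assumed mapping of the device's four character types to character sets.
CHAR_TYPES: Dict[str, set] = {
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}


@dataclass
class PasswordPolicy:
    type_number: int = 1           # password-control composition type-number
    type_length: int = 1           # password-control composition type-length
    min_length: int = 10           # password-control length (non-FIPS global default)
    check_user_name: bool = True   # password-control complexity user-name

    def validate_settings(self) -> List[str]:
        """Checks that apply to the policy itself, before any password is tested."""
        errors = []
        if not 1 <= self.type_number <= 4:
            errors.append("type-number must be 1 to 4")
        if self.type_number * self.type_length >= MAX_PASSWORD_LENGTH:
            errors.append("type-number * type-length must be smaller than the "
                          "maximum password length")
        return errors

    def check(self, password: str, username: str = "") -> List[str]:
        """Return the violated rules; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than the minimum length of {self.min_length}")

        # Composition: count the characters of each type, then count the types
        # that reach type-length; at least type-number of them must do so.
        counts = {name: sum(ch in chars for ch in password)
                  for name, chars in CHAR_TYPES.items()}
        satisfied = [name for name, n in counts.items() if n >= self.type_length]
        if len(satisfied) < self.type_number:
            problems.append(f"needs {self.type_number} character types with at least "
                            f"{self.type_length} characters each, has {len(satisfied)}")

        # Complexity: refuse the username or its reverse anywhere in the password.
        if self.check_user_name and username:
            if username in password or username[::-1] in password:
                problems.append("contains the username or the reverse of the username")
        return problems


if __name__ == "__main__":
    # The policy from the page's example: four types, five characters of each.
    policy = PasswordPolicy(type_number=4, type_length=5)
    print(policy.validate_settings())                       # []
    print(policy.check("aaaaa11111BBBBB!!!!!", "admin"))    # []
    print(policy.check("abc123", "123"))                    # several problems
```

Note that with the page's example settings (four types, five characters each) any acceptable password is at least 20 characters long, well above the 10-character non-FIPS default for password-control length; the product check exists so that type-number times type-length can never exceed what a password is allowed to be.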
commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
Related commands
•...
password-control history
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Predefined user roles...
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters. In FIPS mode, the global minimum password length is 15 characters. In both non-FIPS and FIPS modes, the minimum password length for a user group equals the global setting.
• password-control length enable

password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
Use undo password-control login idle-time to restore the default.
• The locking period is 1 minute.
The login-attempt settings for a user group equal the global settings. The login-attempt settings for a local user equal those for the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin...
The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.
Examples
# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.
<Sysname>...
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the super password expiration time in days, in the range of 1 to 365.
Examples
# Set the super passwords to expire after 10 days.
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
• password-control length

password-control update-interval
Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.
Use undo password-control update-interval to restore the default.
Syntax
password-control update-interval interval
undo password-control update-interval
Default
The minimum password update interval is 24 hours.
Parameters
user-name name: Specifies the username of a user account to be removed from the password control blacklist. The name argument is a case-sensitive string of 1 to 55 characters.
Usage guidelines
You can use this command to remove a user account that is blacklisted due to excessive login failures.
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key type: RSA Time when key pair created: 15:40:48 2013/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2013/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys. <Sysname>...
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12 Key code:...
# Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.
--------------------------- 1024 idrsa 1024 10.1.1.1
Table 14 Command output
Field: Description
Type: Key type: RSA, DSA, or ECDSA.
Modulus: Key modulus length in bits.
Name: Name of the peer public key.
Related commands • public-key peer • public-key peer import sshkey
peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer public key.
[Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key peer • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default No local asymmetric key pair exists.
The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.
..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create ecdsa Generating Keys... Create the key pair successfully. # Create a local RSA key pair with the name rsa1. <Sysname>...
The range of public key modulus is (2048 ~ 2048). It will take a few minutes.Press CTRL+C to abort. Input the modulus length [default = 2024]: Generating Keys..++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # In FIPS mode, create a local DSA key pair with the default name. <Sysname>...
Usage guidelines To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: • An intrusion event has occurred. • The storage media of the device is replaced. • The local certificate has expired. For more information about local certificates, see Security Configuration Guide.
Predefined user roles network-admin mdc-admin Parameters name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.
vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= dsa-key...
Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ] In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
# Display the host public key of the local RSA key pair with the default name in SSH2.0 format. <Sysname> system-view [Sysname] public-key local export rsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-2013/05/12" AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/b YcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xd v4tlas+mLNloY0dImbwS2kwE71rgg1CQ== ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pair with the default name in OpenSSH format.
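The key code printed by display public-key local public (see the RSA output earlier in this chapter) is a DER-encoded SubjectPublicKeyInfo, and the body printed by public-key local export rsa ssh2 or openssh is the RFC 4253 ssh-rsa wire format (the same base64 in both export formats). When a peer's public key has to be recorded and checked out of band, it helps to be able to decode both and confirm that they describe the key you expect. The following is an added example and not code from the page or from HPE: it parses the rsa1 key code and the default host key export body exactly as they appear in the output above, recovers the modulus size and exponent from each, and prints the OpenSSH-style SHA256 fingerprint of the exported key. The DER walker and function names are this example's own.

```python
import base64
import hashlib
import struct

# Key code of local RSA key pair rsa1, copied from the display public-key local
# rsa public output on this page (DER SubjectPublicKeyInfo, hex).
RSA1_KEY_CODE_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D"
    "426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA"
    "1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7"
    "9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03"
    "92D8C6D940890BF4290203010001"
)

# Body of the SSH2 export of the default RSA host key, copied from the
# public-key local export rsa ssh2 output on this page.
DEFAULT_RSA_SSH_BODY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/b"
    "YcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xd"
    "v4tlas+mLNloY0dImbwS2kwE71rgg1CQ=="
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _der_tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def parse_rsa_key_code(hex_str):
    """Return (modulus, exponent) from a display public-key RSA key code."""
    der = bytes.fromhex(hex_str)
    tag, spki_start, spki_end = _der_tlv(der, 0)          # SubjectPublicKeyInfo
    if tag != 0x30 or spki_end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg_start, alg_end = _der_tlv(der, spki_start)   # AlgorithmIdentifier
    _, oid_start, oid_end = _der_tlv(der, alg_start)      # algorithm OID
    if der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits_start, _ = _der_tlv(der, alg_end)           # subjectPublicKey BIT STRING
    if tag != 0x03 or der[bits_start] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, seq_start, _ = _der_tlv(der, bits_start + 1)       # RSAPublicKey SEQUENCE
    _, n_start, n_end = _der_tlv(der, seq_start)          # INTEGER modulus
    modulus = int.from_bytes(der[n_start:n_end], "big")
    _, e_start, e_end = _der_tlv(der, n_end)              # INTEGER publicExponent
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return modulus, exponent


def _ssh_string(blob, pos):
    """Read one length-prefixed SSH string (RFC 4251); return (bytes, next_pos)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    return blob[pos:pos + length], pos + length


def parse_ssh_rsa(body_b64):
    """Return (modulus, exponent, SHA256 fingerprint) of an ssh-rsa key body."""
    blob = base64.b64decode(body_b64)
    key_type, pos = _ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, pos = _ssh_string(blob, pos)  # RFC 4253 order: e first, then n
    n_bytes, pos = _ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after the key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"), fingerprint


if __name__ == "__main__":
    n, e = parse_rsa_key_code(RSA1_KEY_CODE_HEX)
    print(f"rsa1 key code: {n.bit_length()}-bit modulus, e={e}")
    n, e, fp = parse_ssh_rsa(DEFAULT_RSA_SSH_BODY)
    print(f"default host key export: {n.bit_length()}-bit modulus, e={e}, {fp}")
```

The fingerprint is computed the way OpenSSH does it (SHA-256 over the whole key blob, base64 without padding), so the value printed for an exported key can be compared directly with what an SSH client shows when it first connects to the device.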
Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HPE device, use the display public-key local public command to display and record its public key.
Predefined user roles network-admin mdc-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../.
PKI commands The PKI feature is available in Release 2137 and later versions. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
• The alternative subject name can contain multiple FQDNs and IP addresses but zero DNs. An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 17. Table 17 Combinations of attribute-value pairs and operation keywords Operation FQDN/IP The DN contains the specified...
Views PKI domain view Predefined user roles network-admin mdc-admin Parameters name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
• State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa.
Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } password ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin mdc-admin...
certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
Syntax certificate request url url-string [ vpn-instance vpn-instance-name ] undo certificate request url Default The URL of the certificate request reception authority is not specified. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Specify test as the common name of the PKI entity en.
Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin mdc-admin Usage guidelines A CA signs and publishes a list of revoked certificates, which is called CRL. Revoked certificates should no longer be trusted.
Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
mdc-operator Parameters policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about the certificate-based access control policy mypolicy.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d: 84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f: 52:db:7b:cd:5d:2b:66:5a:fb Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98: 3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee: 09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e: 4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc: e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df: 07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7: fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8: 88:a6 # Display information about the local certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa local Certificate: Data: Version: 3 (0x2)
Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30 X509v3 Authority Key Identifier: keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F X509v3 Subject Alternative Name: email:fips@ccc.com...
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7 Certificate: Data: Version: 3 (0x2) Serial Number: 9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=ccc, OU=sec, CN=ssl Validity Not Before: Oct 15 01:23:06 2010 GMT Not After : Jul 26 06:30:54 2012 GMT...
Domain name: domain1 Status: Pending Key usage: General Remain polling attempts: 10 Next polling attempt after : 1191 seconds Certificate Request Transaction 2 Domain name: domain2 Status: Pending Key usage: Signature Remain polling attempts: 10 Next polling attempt after : 188 seconds Table 20 Command output Field Description...
Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Field: Description
Issuer: Name of the CA that issued the CRL.
Last Update: Most recent CRL update time.
Next Update: Next CRL update time.
X509v3 Authority Key Identifier: X509v3 ID of the CA that issues the CRL.
keyid: Key ID. This field identifies the key pair used to sign the CRL.
Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is assigned to the PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies an IPv4 address. interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.
port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.
Examples # Specify pukras as the locality of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] locality pukras organization Use organization to set an organization name for a PKI entity. Use undo organization to remove the configuration. Syntax organization org-name undo organization...
mdc-admin Parameters org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Specify rdtest as the organization unit name for the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization-unit rdtest pki abort-certificate-request Use pki abort-certificate-request to abort the certificate request for a PKI domain.
pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view. Use undo pki certificate access-control-policy to remove a certificate-based access control policy. Syntax pki certificate access-control-policy policy-name undo pki certificate access-control-policy policy-name Default No certificate-based access control policies exist.
Predefined user roles network-admin mdc-admin Parameters group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.
Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain. Examples # Remove the CA certificate in the PKI domain aaa. <Sysname> system-view [Sysname] pki delete-certificate domain aaa ca Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.
mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
pki export Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal. Syntax pki export domain domain-name der { all | ca | local } filename filename pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc |...
• If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal. When you export the local certificates, the local file names might not be the same as specified in the command.
[Sysname] pki export domain domain1 pem ca filename cacert # Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111. <Sysname>...
MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG cm9mdcGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz+dydIDTx0 zVZDdPxF1gQYWSfIBwwFKJEyQ/4y8VIfDIm0EGTM4dsOX/QFwudhl/Czkio3dWLh Q1y5XCJy68vQKrB82WZ2mah5Nuekus3LSZZBoZKTAOY5MCCMFcULM858dtSq15Sh xF7tKSeAT7ARlJxTAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADJQCo6m0RNup0ewa ItX4XK/tYcJXAQWMA0IuwaWpr+ofqVVgYBPwVpYglhJDOuIZxKdR2pfQOA4f35wM Vz6kAujLATsEA1GW9ACUWa5PHwVgJk9BDEXhKSJ2e7odmrg/iROhJjc1NMV3pvIs CuFiCLxRQcMGhCNHlOn4wuydssc= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB8jCCAVsCEFxy3MSlQ835MrnBkI/dUPYwDQYJKoZIhvcNAQEFBQAwOjELMAkG A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ8wDQYDVQQDEwZy b290Y2EwHhcNMTEwMTA2MDI1MTQxWhcNMTMxMjA3MDMxMjA1WjA6MQswCQYDVQQG EwJjbjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNoM2MxDzANBgNVBAMTBnJvb3Rj YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxP2XLFE230zq6MhwZvAomOxa 7tc1r4bESXZu3UBKno3Ay9kQm2HrDOAizvZXfLu7Gx22ga2Qdz0lIeZ+EQrYHTyO pBcejDjal/ZtvgnjXyHFoG8nS+P7n83BkRj/Fu7Yz4zjTKMbCF2EfhEyXxr4NSXA fhC9qg9S23vNXStmWvsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBtsU7X77sdZ1Nn 0I98lh0qA5g7SEEIpI+pwZjjrH0FVHw01e4JWhHjyHqrOyfXYqe7vH4SXp5MHEqf 14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1 cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg== -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format.
Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
• If the local certificate to be imported contains a key pair, the system asks you to enter the challenge password used for encrypting the private key. When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair.
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8QSMetQ70GONiFh7iJkvGQ8nC15zCF1 cqC/RcJhE/88LkKyQcu9j+Tz8Bk9Qj2UPaZdrk8fOrgtBsa7lZ+UO3j3l30q84l+ HjWq8yxVLRQahU3gqJze6pGR2l0s76u6GRyCX/zizGrHKqYlNnxK44NyRZx2klQ2 tKQAfpXCPIkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBWsaMgRbBMtYNrrYCMjY6g c7PBjvajVOKNUMxaDalePmXfKCxl91+PKM7+i8I/zLcoQO+sHbva26a2/C4sNvoJ 2QZs6GtAOahP6CDqXC5VuNBU6eTKNKjL+mf6uuDeMxrlDNha0iymdrXXVIp5cuIu fl7xgArs8Ks6aXDXM1o4DQ== -----END CERTIFICATE----- Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked. pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
Predefined user roles network-admin mdc-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Syntax pki storage { certificates | crls } dir-path undo pki storage { certificates | crls } Default The storage path for the certificates and CRLs is the PKI directory on the storage media of the device. Views System view Predefined user roles network-admin mdc-admin...
Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Parameters name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024.
Predefined user roles network-admin mdc-admin Parameters encryption: Specifies a key pair for encryption. name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-). signature: Specifies a key pair for signing. name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters.
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048 [Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048 Related commands • pki import • public-key local create (see Security Command Reference) root-certificate fingerprint Use root-certificate fingerprint to set the fingerprint for verifying the validity of the CA root certificate.
If you specify the fingerprint in the PKI domain, the device automatically verifies the fingerprint of the CA certificate to be imported or obtained against that configured in the domain. If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is specified in the domain, the device asks you to manually verify the fingerprint of the CA certificate.
Usage guidelines When you create an access control rule, you can associate it with a nonexistent certificate attribute group. The system determines that a certificate matches an access control rule when either of the following conditions exists: • The associated certificate attribute group does not exist. •...
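The matching model described in this chapter (attribute rules in a certificate attribute group that examine the issuer name, subject name, or alternative subject name; an access control rule that permits or denies and may reference a group that does not exist) can be written down as a small evaluator, which makes it easy to check what a given policy will do to a given certificate before it is attached to an SSL server. The following is an added example and not HPE's or Comware's code. It assumes the operation keywords are ctn (contains), nctn, equ (equals) and nequ, that a certificate matches a group only when it satisfies every rule in the group, and that a certificate matching no access control rule is denied; the page states only that a rule whose attribute group does not exist matches. The certificate fields and the sample policy are constructed for illustration, and the type names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttributeRule:
    """One attribute rule of a certificate attribute group (constructed model)."""
    field_name: str   # "subject-name", "issuer-name" or "alt-subject-name"
    attr_type: str    # "dn", "fqdn" or "ip"
    operation: str    # assumed keywords: "ctn", "nctn", "equ", "nequ"
    value: str


@dataclass(frozen=True)
class CertFields:
    """Only the certificate fields the rules examine (constructed sample input)."""
    subject_dn: str
    issuer_dn: str
    alt_fqdns: tuple = ()
    alt_ips: tuple = ()


@dataclass(frozen=True)
class AccessRule:
    action: str                 # "permit" or "deny"
    group_name: Optional[str]   # may name a group that does not exist


def _field_values(cert, field_name, attr_type):
    """Values of the named certificate field that the rule's attribute type applies to."""
    if field_name == "alt-subject-name":
        # page: the alternative subject name holds FQDNs and IP addresses, never DNs
        if attr_type == "fqdn":
            return list(cert.alt_fqdns)
        if attr_type == "ip":
            return list(cert.alt_ips)
        return []
    if attr_type != "dn":
        return []  # subject and issuer names are distinguished names
    return [cert.subject_dn if field_name == "subject-name" else cert.issuer_dn]


def rule_matches(rule, cert):
    """Apply one attribute rule; negated operations hold over every candidate value."""
    values = _field_values(cert, rule.field_name, rule.attr_type)
    if rule.operation == "ctn":
        return any(rule.value in v for v in values)
    if rule.operation == "nctn":
        return all(rule.value not in v for v in values)
    if rule.operation == "equ":
        return any(rule.value == v for v in values)
    if rule.operation == "nequ":
        return all(rule.value != v for v in values)
    raise ValueError(f"unknown operation {rule.operation!r}")


def group_matches(rules, cert):
    """Assumption: a certificate matches a group only if it satisfies every rule."""
    return all(rule_matches(r, cert) for r in rules)


def evaluate_policy(access_rules, groups, cert):
    """First matching access control rule decides; no match means deny (assumed)."""
    for ar in access_rules:
        rules = groups.get(ar.group_name)
        # page: a rule whose attribute group does not exist matches the certificate
        if rules is None or group_matches(rules, cert):
            return ar.action
    return "deny"


# Constructed sample policy: permit certificates from O=ccc whose alternative
# names carry no "guest." host, then deny everything else via a group that
# was never configured (so the second rule always matches).
GROUPS = {
    "internal": [
        AttributeRule("subject-name", "dn", "ctn", "O=ccc"),
        AttributeRule("alt-subject-name", "fqdn", "nctn", "guest."),
    ],
}
POLICY = [AccessRule("permit", "internal"), AccessRule("deny", "unconfigured-group")]


if __name__ == "__main__":
    cert = CertFields("C=cn, O=ccc, OU=sec, CN=ssl", "C=cn, O=ccc, CN=ca", ("vpn.ccc.test",))
    print(evaluate_policy(POLICY, GROUPS, cert))
```

Because a rule bound to a nonexistent group matches every certificate, a deny rule with a mistyped group name silently denies everything after it, and a permit rule with a mistyped group name permits everything; the evaluator makes that failure mode visible before the policy is deployed.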
Make sure there is a route between the source IP address and the CA server. You can specify only one source IP address in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect. Examples # Specify 111.1.1.8 as the source IP address for PKI protocol packets.
Default No extension is specified. A certificate can be used for all applications, including IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates. ssl-client: Specifies the SSL client certificate extension so the SSL clients can use the certificates.
SSL commands The SSL feature is available in Release 2137 and later versions. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES_CBC, and the MAC algorithm SHA. rsa_des_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
Default The SSL server does not authenticate SSL clients. Views SSL server policy view Predefined user roles network-admin mdc-admin Usage guidelines The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide. If you execute the client-verify enable command, an SSL client must send its own digital certificate to the SSL server for authentication.
PKI domain: client-domain Preferred ciphersuite: RSA_AES_128_CBC_SHA Server-verify: enabled
Table 22 Command output
Field: Description
Server-verify: Indicates whether the client is enabled to use digital certificates to authenticate servers.
display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views...
pki-domain Use pki-domain to specify a PKI domain for an SSL client policy or an SSL server policy. Use undo pki-domain to restore the default. Syntax pki-domain domain-name undo pki-domain Default No PKI domain is specified for an SSL client policy or an SSL server policy. Views SSL client policy view, SSL server policy view Predefined user roles...
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } undo prefer-cipher Default In non-FIPS mode: The preferred cipher suite of an SSL client policy is rsa_rc4_128_md5. In FIPS mode: The preferred cipher suite of an SSL client policy is rsa_aes_128_cbc_sha.
• Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. •...
Examples # Enable the SSL client to use digital certificates to authenticate SSL servers. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session cachesize Use session cachesize to set the maximum number of sessions that the SSL server can cache. Use undo session cachesize to restore the default.
Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist on the device. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Parameters policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters. Usage guidelines This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.
version Use version to specify an SSL version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0 undo version Default The SSL protocol version for an SSL client policy is TLS 1.0.
IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy. Use undo description to restore the default. Syntax description text undo description...
mdc-admin mdc-operator Parameters policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines •...
ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 24 Command output Field Description IPsec Policy IPsec policy name. Interface Interface applied with the IPsec policy. Sequence number Sequence number of the IPsec policy entry. Negotiation mode of the IPsec policy: •...
display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ] Views Any view Predefined user roles network-admin network-operator mdc-admin...
<Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname> display ipsec sa ------------------------------- Interface: Vlan-interface1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: manual ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Path MTU: 1427 Tunnel: local...
Field Description • 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24) Path MTU Path MTU of the IPsec SA. Tunnel Local and remote addresses of the IPsec tunnel. local address Local end IP address of the IPsec tunnel. remote address Remote end IP address of the IPsec tunnel. Flow Information about the data flow protected by the IPsec tunnel.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels. Usage guidelines If you do not specify any parameters, this command displays statistics for all IPsec packets.
Loopback limit exceeded: 0 Table 27 Command output Field Description Received/sent packets Number of received/sent IPsec-protected packets. Received/sent bytes Number of bytes of received/sent IPsec-protected packets. Dropped packets (received/sent) Number of dropped IPsec-protected packets (received/sent). No available SA Number of dropped packets due to lack of available IPsec SA. Wrong SA Number of dropped packets due to wrong IPsec SA.
Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. Usage guidelines IPsec transmits data in a secure channel established between two endpoints (such as two security gateways).
Tunnel ID: 1 Status: active Perfect forward secrecy: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL3100 # Display information about IPsec tunnel 1. <Sysname>...
Field Description Range of the data flow protected by the IPsec tunnel, which is established manually as defined in ACL 3001. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001. encapsulation-mode Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport Related commands ipsec transform-set esp authentication-algorithm Use esp authentication-algorithm to specify an authentication algorithm for ESP. Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP. Syntax In non-FIPS mode: esp authentication-algorithm { md5 | sha1 } * undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm sha1...
[Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 Related commands ipsec transform-set ike-profile Use ike-profile to specify an IKE profile for an IPsec policy. Use undo ike-profile to remove the configuration. Syntax ike-profile profile-name undo ike-profile Default An IPsec policy does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation.
Default IPsec anti-replay checking is enabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, which can result in a DoS condition. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste.
Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotiated later. In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications.
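As an added illustration of the window behaviour described above (example code written for this page, not the device's implementation), here is a sliding-window anti-replay check in the style of RFC 4303; the window sizes and sequence numbers are constructed sample values. It shows that a late but never-seen packet is dropped by a small window yet accepted by a larger one, while a genuine replay is dropped by both.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check modelled on ESP (RFC 4303, 3.4.3).

    Constructed illustration: the window tracks the highest accepted
    sequence number and a bitmap of the `size` most recent numbers.
    Bit i of the bitmap set means sequence (highest - i) was accepted.
    """

    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i => (highest - i) already seen
        self.dropped_replay = 0         # duplicates inside the window
        self.dropped_out_of_window = 0  # too old to be judged, also dropped

    def check(self, seq):
        """Return True if the packet is accepted, False if it must be dropped.

        Sequence number 0 is never valid for an IPsec SA.
        """
        if seq == 0:
            return False
        if seq > self.highest:
            # New highest: slide the window forward and mark this packet.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            # Older than the window: cannot prove it is fresh, so drop it.
            self.dropped_out_of_window += 1
            return False
        if self.bitmap & (1 << offset):
            # Already accepted once: this is a replay.
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset
        return True


def run(window_size, seqs):
    """Feed constructed sequence numbers through a window of the given size
    and return the list of accepted sequence numbers, in arrival order."""
    window = AntiReplayWindow(window_size)
    return [seq for seq in seqs if window.check(seq)]


if __name__ == "__main__":
    # Packet 3 is delayed and arrives after 4..10 (constructed sample).
    late = [1, 2, 4, 5, 6, 7, 8, 9, 10, 3]
    print("window 4 :", run(4, late))    # 3 dropped as out of window
    print("window 16:", run(16, late))   # 3 accepted: never seen before
    # A true replay of 2 and 5 is dropped regardless of window size.
    print("replay   :", run(4, [1, 2, 3, 4, 5, 2, 6, 1, 5]))
```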
Usage guidelines After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded due to, for example, lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
Related commands ipsec global-df-bit ipsec global-df-bit Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces. Use undo ipsec global-df-bit to restore the default. Syntax ipsec global-df-bit { clear | copy | set } undo ipsec global-df-bit Default The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets.
Default No IPsec policy is created. Views System view Predefined user roles network-admin mdc-admin Parameters policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Establishes IPsec SAs through IKE negotiation.
Syntax ipsec policy policy-name local-address interface-type interface-number undo ipsec policy policy-name local-address Default No IPsec policy is bound to a source interface. Views System view Predefined user roles network-admin mdc-admin Parameters policy: Specifies an IPv4 IPsec policy. policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters. local-address interface-type interface-number: Specifies the shared source interface by its type and number.
Syntax ipsec sa global-duration { time-based seconds | traffic-based kilobytes } undo ipsec sa global-duration { time-based | traffic-based } Default The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 bytes. Views System view Predefined user roles network-admin mdc-admin Parameters...
Default The global IPsec SA idle timeout function is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view, which takes precedence over the global IPsec SA timeout.
Examples # Create an IPsec transform set named tran1 and enter its view. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address ipv4-address undo local-address...
Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin mdc-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set.
[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { host-name | ipv4-address } undo remote-address { host-name | ipv4-address } Default No remote IP address is specified for the IPsec tunnel. Views IPsec policy view Predefined user roles...
An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.
sa duration Use sa duration to set an SA lifetime for an IPsec policy. Use undo sa duration to remove the SA lifetime. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy is the current global SA lifetime.
Syntax sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } key-value undo sa hex-key authentication { inbound | outbound } { ah | esp } Default No authentication key is configured for manual IPsec SAs. Views IPsec policy view Predefined user roles...
sa hex-key encryption Use sa hex-key encryption to configure a hexadecimal encryption key for manual IPsec SAs. Use undo sa hex-key encryption to remove the hexadecimal encryption key. Syntax sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value undo sa hex-key encryption { inbound | outbound } esp Default No encryption key is configured for manual IPsec SAs.
Related commands • display ipsec sa • sa string-key sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default.
Default No SPI is configured for IPsec SAs. Views IPsec policy view Predefined user roles network-admin mdc-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a security parameter index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies only to manual IPsec policies.
Predefined user roles network-admin mdc-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key. key-value: Specifies a case-sensitive key string.
Default An IPsec policy references no ACL. Views IPsec policy view Predefined user roles network-admin mdc-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation.
[Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start transform-set Use transform-set to reference an IPsec transform set for an IPsec policy. Use undo transform-set to remove the IPsec transform set referenced by an IPsec policy. Syntax transform-set transform-set-name&<1-6>...
IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method.
Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domains are specified for signature authentication. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines This command is available in Release 2137 and later versions.
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 } undo dh In FIPS mode: dh group14...
Syntax display ike proposal Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals.
Syntax display ike sa [ verbose [ connection-id connection-id | remote-address remote-address [ vpn-instance vpn-name ] ] ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
Connection ID: 2 Outside VPN: 1 Inside VPN: 1 Profile: prof1 Transmitting entity: Initiator --------------------------------------------- Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main...
NAT traversal: Not detected Table 33 Command output Field Description Connection ID Identifier of the IKE SA. VPN instance name of the MPLS L3VPN to which the receiving Outside VPN interface belongs. VPN instance name of the MPLS L3VPN to which the protected data Inside VPN belongs.
Predefined user roles network-admin mdc-admin Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode. Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
Views IKE profile view Predefined user roles network-admin mdc-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: •...
retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails. The value for the second argument is from 1 to 60 seconds, and it defaults to 5 seconds. on-demand: Sends DPD messages on demand. periodic: Sends DPD messages at regular intervals. Usage guidelines DPD is triggered periodically or on-demand.
Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. In pre-shared key authentication, you cannot set the DN as the identity. Examples # Set the IP address 2.2.2.2 as the identity.
ike keepalive interval Use ike keepalive interval to enable sending IKE keepalives and set the sending interval. Use undo ike keepalive interval to restore the default. Syntax ike keepalive interval seconds undo ike keepalive interval Default No IKE keepalives are sent. Views System view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800. Usage guidelines If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Examples # Create IKE keychain key1 and enter its view. <Sysname> system-view [Sysname] ike keychain key1 [Sysname-ike-keychain-key1] Related commands • authentication-method • pre-shared-key ike limit Use ike limit to set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
ike nat-keepalive Use ike nat-keepalive to set the NAT keepalive interval. Use undo ike nat-keepalive to restore the default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters...
Examples # Create IKE profile 1 and enter its view. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter IKE proposal view. Use undo ike proposal to delete an IKE proposal. Syntax ike proposal proposal-number undo ike proposal proposal-number...
<Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate...
Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains.
Parameters address ipv4-address: Uses an IPv4 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option. Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation.
Usage guidelines Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
• address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address. • fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
mdc-admin Parameters address: Specifies a peer by its address. ipv4-address: Specifies the IPv4 address of the peer. mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255. mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32. hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.
Views IKE keychain view Predefined user roles network-admin mdc-admin Parameters priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number.
<Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] priority 10 proposal Use proposal to specify the IKE proposals for an IKE profile to reference. Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6> undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.
Predefined user roles network-admin mdc-admin Parameters connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000. Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs.
Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles...
invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] * Default All SNMP notifications for IKE are enabled. Views System view Predefined user roles network-admin mdc-admin Parameters attr-not-support: Specifies SNMP notifications for attribute-unsupported failures. auth-failure: Specifies SNMP notifications for authentication failures.
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description SSH authentication-timeout Authentication timeout timer. SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer.
mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. <Sysname> system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to restore the default. Syntax sftp server enable undo sftp server enable...
Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
• The specified ACL does not have any rules. The ACL takes effect only on SSH connections that are initiated after the ACL configuration. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure ACL 2001 and permit only the users at 1.1.1.1 to initiate SSH connections to the server. <Sysname>...
[Sysname] ssh server authentication-retries 4 Related commands display ssh server ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The authentication timeout timer is 60 seconds.
Views System view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. This configuration does not affect logged-in users. It affects only new SSH users. Examples # Enable the SSH server to support SSH1 clients. <Sysname>...
ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to restore the default. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples...
Updating the RSA server key pair periodically reduces the risk of the key pair being compromised and enhances the security of the SSH connections. This command takes effect only on the SSH clients that use SSH1 client software. Examples # Set the RSA server key pair update interval to 3 hours. <Sysname>...
• password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable. It can work with AAA to implement user authentication, authorization, and accounting. • any: Specifies either password authentication or publickey authentication. • password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
Examples # Create an SSH user named user1, and specify the service type as sftp and the authentication method as password-publickey for the user. Assign the host public key key1 to the user. <Sysname> system-view [Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1 # Create a local device management user named user1, specify the password as 123456TESTplat&! in plain text and the service type as ssh for the user.
Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-path: Specifies the name of a directory on the server. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system. Examples # Change the working directory to new1.
Syntax delete remote-file Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies a file. Usage guidelines This command has the same function as the remove command. Examples # Delete the file temp.c from the server. sftp> delete temp.c Removing /temp.c Use dir to display information about the files and subdirectories under a directory.
pub1 new1 new2 pub2 # Display detailed information about the files and subdirectories under the current working directory in a list. sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup...
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command only displays the Stelnet client's source IP address that is configured by using the ssh client source command. The default source IP address of the Stelnet client is not provided in the command output. Examples # Display the source IP address configured for the Stelnet client.
Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file. If you do not specify this argument, the file will be saved locally with the same name as the file on the server.
List all filenames List filename including the specific information of the file mkdir path Create remote directory put local-path [remote-path] Upload file Display remote working directory quit Quit sftp rename oldpath newpath Rename remote file remove path Delete remote file rmdir path Delete remote empty directory Synonym for help...
startup01.bak 100% 1424 1.4KB/s 00:00 Use pwd to display the current working directory of an SFTP server. Syntax pwd Views SFTP client view Predefined user roles network-admin mdc-admin Examples # Display the current working directory of the SFTP server. sftp> pwd Remote working directory: / The output shows that the current working directory is the root directory.
Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies a file. Usage guidelines This command has the same function as the delete command. Examples # Delete the file temp.c from the SFTP server. sftp> remove temp.c Removing /temp.c rename Use rename to change the name of a file or directory on an SFTP server. Syntax rename old-name new-name Views...
mdc-admin Parameters remote-path: Specifies a directory. Examples # Delete the subdirectory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 Use scp to establish a connection to an IPv4 SCP server and transfer files with the server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
• rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• Preferred client-to-server HMAC algorithm sha1. • Preferred server-to-client HMAC algorithm sha1-96. • Preferred compression algorithm zlib. <Sysname> scp 200.1.1.1 get abc.txt prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |...
• 3des: Specifies the encryption algorithm 3des-cbc. • aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. • des: Specifies the encryption algorithm des-cbc. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithms sha1 and sha1-96 provide stronger security but cost more computation time than md5 and md5-96.
sftp client source Use sftp client source to specify the source IPv4 address for SFTP packets. Use undo sftp client source to restore the default. Syntax sftp client source { interface interface-type interface-number | ip ip-address } undo sftp client source Default The source IP address for SFTP packets is not configured.
Default The source IP address for SSH packets is not configured. The SSH packets use the primary IPv4 address of the output interface specified in the routing entry as their source IP address. Views System view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number.
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets sent by the SSH client, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
escape character: Specifies an escape character. By default, the escape character is a tilde (~).
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server.
IP source guard commands The IPSG feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
Usage guidelines
If you do not specify any parameter, the command displays the following bindings:
• Static and dynamic IPv4SG bindings on all interfaces on the public network.
• Global static IPv4SG bindings.
In standalone mode, if you specify neither an interface nor a card, the command displays IPv4SG bindings obtained by the switching fabric modules from all interfaces.
Syntax
ip source binding ip-address ip-address mac-address mac-address
undo ip source binding { all | ip-address ip-address mac-address mac-address }
Default
No global static IPv4SG binding exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
Parameters
ip-address: Filters incoming packets by source IPv4 addresses.
ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
The matching criterion in this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.
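The following Python model, added here as an example and not part of Comware or this reference, shows how the two binding sources described above combine when a packet is checked: static bindings from ip source binding (global ones must carry both an IP and a MAC address, and 127.x.x.x, 0.0.0.0 and multicast addresses are refused) are matched on every field they specify, while the ip verify source criterion (ip-address, ip-address mac-address or mac-address) is applied only to dynamic bindings. The dynamic bindings, interface names and packets are constructed for the example; how the device learns dynamic bindings is not modelled.

```python
"""IPv4 source guard (IPSG) filtering modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: Optional[str]          # None = binding does not constrain the IP
    mac: Optional[str]         # None = binding does not constrain the MAC
    interface: Optional[str]   # None = global static binding (all interfaces)
    dynamic: bool = False      # True = learned binding, subject to the criterion


def validate_binding_ip(ip: str) -> str:
    """Apply the address restrictions documented for ip source binding."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("0.0.0.0 cannot be bound")
    if addr in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("127.x.x.x cannot be bound")
    if addr.is_multicast:
        raise ValueError("multicast addresses cannot be bound")
    return str(addr)


class IpsgTable:
    def __init__(self) -> None:
        self.bindings: list = []

    def add_global_static(self, ip: str, mac: str) -> None:
        # system view: ip source binding ip-address X mac-address Y
        self.bindings.append(Binding(validate_binding_ip(ip), mac.lower(), None))

    def add_interface_static(self, interface: str, ip: Optional[str] = None,
                             mac: Optional[str] = None) -> None:
        # interface-view static binding: IP, MAC, or both (assumed shape)
        if ip is None and mac is None:
            raise ValueError("a static binding needs an IP address, a MAC address or both")
        self.bindings.append(Binding(validate_binding_ip(ip) if ip else None,
                                     mac.lower() if mac else None, interface))

    def add_dynamic(self, interface: str, ip: str, mac: str) -> None:
        # learned binding (constructed here; the learning source is out of scope)
        self.bindings.append(Binding(ip, mac.lower(), interface, dynamic=True))

    def permits(self, interface: str, src_ip: str, src_mac: str, criterion: str) -> bool:
        """criterion mirrors ip verify source: 'ip', 'ip-mac' or 'mac'.
        True if some binding admits the packet; IPSG drops everything else."""
        src_mac = src_mac.lower()
        for b in self.bindings:
            if b.interface not in (None, interface):
                continue
            if b.dynamic:
                # dynamic bindings: compare only the fields the criterion names
                check_ip = criterion in ("ip", "ip-mac")
                check_mac = criterion in ("mac", "ip-mac")
            else:
                # static bindings: compare every field the binding specifies
                check_ip = b.ip is not None
                check_mac = b.mac is not None
            if check_ip and b.ip != src_ip:
                continue
            if check_mac and b.mac != src_mac:
                continue
            return True
        return False


def demo() -> list:
    t = IpsgTable()
    t.add_global_static("10.0.0.10", "0001-0002-0003")
    t.add_interface_static("FortyGigE1/0/1", ip="10.0.0.20")
    t.add_dynamic("FortyGigE1/0/2", "10.0.0.30", "000a-000b-000c")
    return [
        t.permits("FortyGigE1/0/1", "10.0.0.10", "0001-0002-0003", "ip-mac"),  # global static
        t.permits("FortyGigE1/0/1", "10.0.0.20", "dead-beef-0000", "ip-mac"),  # static, IP only
        t.permits("FortyGigE1/0/2", "10.0.0.30", "ffff-ffff-ffff", "ip"),      # dynamic, ip criterion
        t.permits("FortyGigE1/0/2", "10.0.0.30", "ffff-ffff-ffff", "ip-mac"),  # dynamic, spoofed MAC
        t.permits("FortyGigE1/0/3", "10.0.0.30", "000a-000b-000c", "ip-mac"),  # wrong interface
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth and fifth cases are the ones worth noticing: a spoofed MAC passes under the ip criterion but not under ip-address mac-address, and a binding learned on one interface never admits traffic on another.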
Examples
# Configure the device to perform three ARP blackhole route probes.
<Sysname> system-view
[Sysname] arp resolving-route probe-count 3
arp resolving-route probe-interval
Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.
Use undo arp resolving-route probe-interval to remove the configuration.
Syntax
arp resolving-route probe-interval interval
undo arp resolving-route probe-interval...
Examples
# Enable the ARP source suppression feature.
<Sysname> system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable packets that can be received from a host in 5 seconds.
Use undo arp source-suppression limit to restore the default.
Predefined user roles
network-admin
network-operator
Examples
# Display information about ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Table 38 Command output
Field | Description
Current suppression limit | Maximum number of unresolvable packets that can be received from a host in 5 seconds.
Examples
# Set the maximum ARP packet rate to 50 pps on FortyGigE 1/0/1.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp rate-limit 50
arp rate-limit log enable
Use arp rate-limit log enable to enable logging for ARP packet rate limit.
Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
To change the default interval and activate it, you must enable ARP packet rate limit and enable sending of notifications or log messages for ARP packet rate limit.
Examples
# Enable SNMP notifications for ARP packet rate limit.
<Sysname> system-view
[Sysname] snmp-agent trap enable arp rate-limit
Source MAC-based ARP attack detection commands
The source MAC-based ARP attack detection feature is available in Release 2137 and later versions.
arp source-mac
Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.
arp source-mac aging-time
Use arp source-mac aging-time to set the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds.
Views
System view
Predefined user roles...
Usage guidelines
If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp source-mac exclude-mac 2-2-2
arp source-mac threshold
Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection.
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname>...
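The two source-MAC checks in this chapter are shown together below in a Python model that is an added example, not Comware code. It parses raw Ethernet/ARP frames, applies the consistency check just described (Ethernet source MAC versus ARP sender MAC), and models source MAC-based ARP attack detection with its threshold (arp source-mac threshold), excluded addresses (arp source-mac exclude-mac) and attack-entry aging (arp source-mac aging-time, 300 seconds by default). The 5-second counting interval, the classification labels and the frames are assumptions made for the example; the page does not state the interval or name the handling methods.

```python
"""ARP source-MAC consistency check and source MAC-based attack detection,
modelled over raw frames (added example, not Comware code)."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst, src, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip, opcode), or None if not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if hlen != 6 or plen != 4:
        return None
    return mac_str(src), mac_str(sha), ".".join(map(str, spa)), op


def source_mac_consistent(frame: bytes) -> bool:
    """The gateway check: Ethernet source MAC must equal the ARP sender MAC."""
    parsed = parse_arp(frame)
    return parsed is not None and parsed[0] == parsed[1]


class SourceMacDetector:
    def __init__(self, threshold=30, interval=5.0, aging_time=300.0, exclude=()):
        self.threshold = threshold          # arp source-mac threshold
        self.interval = interval            # counting interval (assumed 5 s)
        self.aging_time = aging_time        # arp source-mac aging-time
        self.exclude = {m.lower() for m in exclude}  # arp source-mac exclude-mac
        self.window_start = 0.0
        self.counts = defaultdict(int)
        self.attack_entries = {}            # source MAC -> time entry was created

    def observe(self, frame: bytes, now: float) -> str:
        """Classify one frame: 'not-arp', 'excluded', 'attack' or 'ok'."""
        self._age(now)
        parsed = parse_arp(frame)
        if parsed is None:
            return "not-arp"
        eth_src = parsed[0]
        if eth_src in self.exclude:
            return "excluded"
        if eth_src in self.attack_entries:
            return "attack"                 # existing entry: keep handling as attack
        if now - self.window_start >= self.interval:
            self.window_start, self.counts = now, defaultdict(int)
        self.counts[eth_src] += 1
        if self.counts[eth_src] > self.threshold:
            self.attack_entries[eth_src] = now
            return "attack"
        return "ok"

    def _age(self, now: float) -> None:
        expired = [m for m, t in self.attack_entries.items() if now - t >= self.aging_time]
        for m in expired:
            del self.attack_entries[m]


def build_arp(eth_src: bytes, sender_mac: bytes, sender_ip: bytes, op: int = 1) -> bytes:
    """Construct a broadcast ARP request frame (sample input for the example)."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, sender_mac, sender_ip,
                       b"\x00" * 6, bytes([10, 0, 0, 1]))
    return eth + arp


def demo():
    attacker = bytes.fromhex("0200deadbeef")
    honest = bytes.fromhex("020000000001")
    spoofed = build_arp(attacker, honest, bytes([10, 0, 0, 5]))   # header/body MAC mismatch
    det = SourceMacDetector(threshold=3, exclude=["02:00:00:00:00:02"])
    flood = build_arp(attacker, attacker, bytes([10, 0, 0, 5]))
    results = [det.observe(flood, t) for t in (0.0, 0.1, 0.2, 0.3)]  # 4th exceeds threshold
    aged = det.observe(flood, 400.0)                                 # entry aged out after 300 s
    return source_mac_consistent(spoofed), results, aged


if __name__ == "__main__":
    print(demo())
```

The consistency check catches a forged Ethernet header regardless of rate, while the detector catches a legitimate-looking source that simply sends too much; the excluded list exists so that a busy but trusted device (an upstream gateway, for instance) is never turned into an attack entry.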
Authorized ARP commands
The authorized ARP feature is available in Release 2137 and later versions.
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to restore the default.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is disabled on the interface.
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp detection trust
arp detection validate
Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
Usage guidelines
This command displays the numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces.
Examples
# Display the ARP detection statistics for all interfaces.
<Sysname>...
Parameters
interface interface-type interface-number: Clears the ARP detection statistics of a specific interface.
Usage guidelines
If you do not specify any interface, this command clears the statistics of all interfaces.
Examples
# Clear the ARP detection statistics of all interfaces.
<Sysname>...
arp filter source
Use arp filter source to enable ARP gateway protection for a gateway.
Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax
arp filter source ip-address
undo arp filter source ip-address
Default
ARP gateway protection is disabled.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles...
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies a permitted sender IP address.
mac-address: Specifies a permitted sender MAC address.
Usage guidelines
You can configure a maximum of eight ARP permitted entries on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin...
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
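The difference between the two modes is easiest to see on a small forwarding table. The Python model below is an added example, not Comware code: loose mode passes a packet when its source address matches any FIB entry, as stated above; strict mode is modelled on the standard definition (assumed here because the page does not spell it out), which additionally requires that the matching entry's outgoing interface be the interface the packet arrived on. The FIB, interface names and packets are constructed, and the default route is ignored unless allow_default is set, a parameter invented for this example to show why a default route would otherwise make the loose check pass everything.

```python
"""uRPF loose and strict checks over a longest-prefix-match FIB (added example)."""
import ipaddress
from typing import Optional, Tuple


class Fib:
    def __init__(self) -> None:
        self.entries = []  # (network, outgoing interface)

    def add(self, prefix: str, interface: str) -> None:
        self.entries.append((ipaddress.IPv4Network(prefix), interface))

    def lookup(self, ip: str, allow_default: bool = False) -> Optional[Tuple]:
        """Longest-prefix match; the 0.0.0.0/0 entry is skipped unless allowed."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for net, iface in self.entries:
            if net.prefixlen == 0 and not allow_default:
                continue
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib: Fib, mode: str, src_ip: str, in_iface: str,
               allow_default: bool = False) -> bool:
    """True if the packet passes the uRPF check in the given mode ('loose' or 'strict')."""
    match = fib.lookup(src_ip, allow_default)
    if match is None:
        return False                      # no route back to the source: drop
    if mode == "loose":
        return True                       # any route to the source suffices
    if mode == "strict":
        return match[1] == in_iface       # route must point back out the ingress interface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def demo() -> dict:
    fib = Fib()
    fib.add("10.1.0.0/16", "FortyGigE1/0/1")
    fib.add("10.2.0.0/16", "FortyGigE1/0/2")
    fib.add("0.0.0.0/0", "FortyGigE1/0/3")
    return {
        "symmetric strict": urpf_check(fib, "strict", "10.1.5.5", "FortyGigE1/0/1"),
        "asymmetric strict": urpf_check(fib, "strict", "10.1.5.5", "FortyGigE1/0/2"),
        "asymmetric loose": urpf_check(fib, "loose", "10.1.5.5", "FortyGigE1/0/2"),
        "unrouted loose": urpf_check(fib, "loose", "192.0.2.1", "FortyGigE1/0/1"),
        "unrouted loose, default allowed": urpf_check(
            fib, "loose", "192.0.2.1", "FortyGigE1/0/1", allow_default=True),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'pass' if passed else 'drop'}")
```

The asymmetric case is the operational trap: strict mode drops legitimate traffic on any link where return routing does not mirror the inbound path, so loose mode is the safe choice on multi-homed edges and strict mode on single-homed access links.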
FIPS commands
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:
• Automatic reboot
Select the automatic reboot method. The system automatically performs the following tasks:
a. Create a default FIPS configuration file named fips-startup.cfg.
b.
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Enter username(1-55 characters): root
Enter password(15-63 characters):
Confirm password:
Waiting for reboot...
Examples
# Trigger a self-test on the cryptographic algorithms.
<Sysname> system-view
[Sysname] fips self-test
FIPS Known-Answer Tests are running ...
Slot 10 in chassis 1:
Starting Known-Answer tests in the user space.
Known-answer test for SHA1 passed.
Known-answer test for SHA224 passed.
Known-answer test for SHA256 passed.
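A known-answer test is exactly what the name says: run the algorithm on a fixed input and compare the result with a precomputed answer. The Python harness below is an added example, not the device's self-test code, and covers the three hash algorithms shown in the output above using the published FIPS 180 test vectors for the message "abc". A FIPS module must stop cryptographic operation when a KAT fails; this harness only reports which algorithm failed, and the deliberately corrupted vector in its usage is constructed to show that path.

```python
"""Known-answer tests for SHA-1, SHA-224 and SHA-256 (added example)."""
import hashlib
import hmac

# Published digests of the three-byte message b"abc" (FIPS 180 test vectors).
KNOWN_ANSWERS = {
    "sha1":   "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha224": "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}
KAT_INPUT = b"abc"


def run_known_answer_tests(answers=KNOWN_ANSWERS, data=KAT_INPUT) -> dict:
    """Return {algorithm: passed}. The comparison is constant-time so the
    harness itself never becomes a timing side channel on the expected value."""
    results = {}
    for name, expected in answers.items():
        digest = hashlib.new(name, data).hexdigest()
        results[name] = hmac.compare_digest(digest, expected)
    return results


def self_test_passed(results: dict) -> bool:
    """A single failed algorithm fails the whole self-test."""
    return all(results.values())


if __name__ == "__main__":
    for name, ok in run_known_answer_tests().items():
        print(f"Known-answer test for {name.upper()} {'passed' if ok else 'FAILED'}.")
    # Constructed failure case: a corrupted SHA-256 vector must fail the run.
    corrupted = dict(KNOWN_ANSWERS, sha256="00" * 32)
    print("self-test passed:", self_test_passed(run_known_answer_tests(corrupted)))
```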
Attack detection and prevention commands
attack-defense tcp fragment enable
Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.
Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.
Syntax
attack-defense tcp fragment enable
undo attack-defense tcp fragment enable
Default
TCP fragment attack prevention is enabled.
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Command conventions
Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Network topology icons
Convention | Description
(generic device icon) | Represents a generic network device, such as a router, switch, or firewall.
(router icon) | Represents a routing-capable device, such as a router or Layer 3 switch.
(switch icon) | Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
Information to collect
•...
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Index
A B C D E F G H I K L M N O P Q R S T U V
aaa session-limit, 1
access-limit, 16
accounting command, 2
accounting default, 2
accounting login, 3
accounting-on enable, 26
ah authentication-algorithm, 174
arp active-ack enable, 288
bye, 255
ca identifier, 112
cd, 255
cdup, 256
certificate domain, 215
certificate request entity, 113
...
display password-control blacklist, 76
display pki certificate access-control-policy, 120
display pki certificate attribute-group, 121
display pki certificate domain, 122
display pki certificate request-status, 127
display pki crl, 128
display public-key local public, 94
display public-key peer, 97
ike profile, 230
ike proposal, 231
ike signature-identity from-certificate, 232
ike-profile, 189
ip, 130
ip source binding (interface view), 274
ip source binding (system view), 275
ip urpf, 298
...